It is faster and easier to pass the Cisco 400-101 exam by using top-quality Cisco CCIE Routing and Switching (v5.0) questions and answers. Get immediate access to the updated 400-101 exam and find the same core-area 400-101 questions with professionally verified answers, then pass your exam with a high score now.
Q191. Which technology can be used to secure the core of an STP domain?
B. BPDU guard
C. BPDU filter
D. root guard
Since STP does not implement any authentication or encryption to protect the exchange of BPDUs, it is vulnerable to unauthorized participation and attacks. Cisco IOS offers the STP Root Guard feature to enforce the placement of the root bridge and secure the core of the STP domain.
STP root guard forces a port to become a designated port so that no switch on the other end of the link can become a root switch. If a port configured for root guard receives a superior BPDU, the port it is received on is blocked. In this way, STP root guard blocks other devices from trying to become the root bridge.
STP root guard should be enabled on all ports that will never connect to a root bridge, for example, all end user ports. This ensures that a root bridge will never be negotiated on those ports.
Reference: http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/Baseline_Security/securebasebook/sec_chap7.html
Q192. Which two mechanisms provide Cisco IOS XE Software with control plane and data plane separation? (Choose two.)
A. Forwarding and Feature Manager
B. Forwarding Engine Driver
C. Forwarding Performance Management
D. Forwarding Information Base
Control Plane and Data Plane Separation
IOS XE introduces an opportunity to enable teams to now build drivers for new Data Plane ASICs outside the IOS instance and have them program to a set of standard APIs which in turn enforces Control Plane and Data Plane processing separation. IOS XE accomplishes Control Plane / Data Plane separation through the introduction of the Forwarding and Feature Manager (FFM) and its standard interface to the Forwarding Engine Driver (FED). FFM provides a set of APIs to Control Plane processes. In turn, the FFM programs the Data Plane via the FED and maintains forwarding state for the system. The FED is the instantiation of the hardware driver for the Data Plane and is provided by the platform.
Q193. Which two mechanisms can be used to eliminate Cisco Express Forwarding polarization? (Choose two.)
A. alternating cost links
B. the unique-ID/universal-ID algorithm
C. Cisco Express Forwarding antipolarization
D. different hashing inputs at each layer of the network
This document describes how Cisco Express Forwarding (CEF) polarization can cause suboptimal use of redundant paths to a destination network. CEF polarization is the effect when a hash algorithm chooses a particular path and the redundant paths remain completely unused.
How to Avoid CEF Polarization
- Alternate between default (SIP and DIP) and full (SIP + DIP + Layer4 ports) hashing inputs configuration at each layer of the network.
- Alternate between an even and odd number of ECMP links at each layer of the network.
CEF load-balancing does not depend on how the protocol routes are inserted in the routing table. Therefore, the OSPF routes exhibit the same behavior as EIGRP. In a hierarchical network where there are several routers that perform load-sharing in a row, they all use the same algorithm to load-share.
The hash algorithm load-balances this way by default:
The number before the colon represents the number of equal-cost paths. The number after the colon represents the proportion of traffic which is forwarded per path.
This means that:
For two equal cost paths, load-sharing is 46.666%-53.333%, not 50%-50%.
For three equal cost paths, load-sharing is 33.33%-33.33%-33.33% (as expected).
For four equal cost paths, load-sharing is 20%-20%-20%-40% and not 25%-25%-25%-25%.
This illustrates that, when there is an even number of ECMP links, the traffic is not load-balanced.
- Cisco IOS introduced a concept called unique-ID/universal-ID which helps avoid CEF polarization. This algorithm, called the universal algorithm (the default in current Cisco IOS versions), adds a 32-bit router-specific value to the hash function (called the universal ID - this is a randomly generated value at the time of the switch boot up that can be manually controlled). This seeds the hash function on each router with a unique ID, which ensures that the same source/destination pair hashes into a different value on different routers along the path. This process provides better network-wide load-sharing and circumvents the polarization issue. This unique-ID concept does not work for an even number of equal-cost paths due to a hardware limitation, but it works perfectly for an odd number of equal-cost paths. In order to overcome this problem, Cisco IOS adds one link to the hardware adjacency table when there is an even number of equal-cost paths in order to make the system believe that there is an odd number of equal-cost links.
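The polarization effect and the per-router seed described above can be reproduced with a small simulation. This is an added example, not Cisco code: the hash is a SHA-256 stand-in (an assumption, not the CEF algorithm), and the two-router topology, router IDs and flow addresses are constructed for illustration.

```python
import hashlib
from collections import Counter

def pick_path(src, dst, n_paths, router_id=0):
    """Toy load-sharing hash (assumption: SHA-256 stand-in, not Cisco's algorithm).

    router_id plays the role of the universal ID: a per-router seed mixed
    into the hash input alongside the source and destination addresses.
    """
    key = f"{router_id}|{src}|{dst}".encode()
    return int.from_bytes(hashlib.sha256(key).digest()[:4], "big") % n_paths

def second_layer_usage(flows, n_paths, id_r1, id_r2):
    """Router R1 forwards flows that hash to path 0 towards router R2.

    Returns how many of those flows R2 places on each of its own paths.
    """
    usage = Counter({p: 0 for p in range(n_paths)})
    for src, dst in flows:
        if pick_path(src, dst, n_paths, id_r1) == 0:  # flow reaches R2
            usage[pick_path(src, dst, n_paths, id_r2)] += 1
    return dict(usage)

# Constructed sample traffic: 2000 sources talking to one destination.
FLOWS = [(f"10.0.{i // 250}.{i % 250 + 1}", "192.0.2.10") for i in range(2000)]

def polarized():
    # Same hash input on both routers: R2 repeats R1's decision for every flow,
    # so one of R2's two paths carries everything and the other stays idle.
    return second_layer_usage(FLOWS, 2, id_r1=0, id_r2=0)

def with_universal_id():
    # Different per-router seeds (constructed values): R2's choice is no longer
    # tied to R1's, so the flows spread across both of R2's paths.
    return second_layer_usage(FLOWS, 2, id_r1=0x1A2B3C4D, id_r2=0x5E6F7081)

if __name__ == "__main__":
    print("same hash on both routers:", polarized())
    print("per-router universal ID: ", with_universal_id())
```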
Q194. Which three statements are true about an EtherChannel? (Choose three.)
A. PAGP and LACP can be configured on the same switch if the switch is not in the same EtherChannel.
B. EtherChannel ports in suspended state can receive BPDUs but cannot send them.
C. An EtherChannel forms between trunks that are using different native VLANs.
D. LACP can operate in both half duplex and full duplex, if the duplex setting is the same on both ends.
E. Ports with different spanning-tree path costs can form an EtherChannel.
Answer A. EtherChannel groups running PAgP and LACP can coexist on the same switch or on different switches in the stack. Individual EtherChannel groups can run either PAgP or LACP, but they cannot interoperate.
EtherChannel Member Port States
The port is part of an EtherChannel and can send and receive BPDUs and data traffic.
The port is not part of an EtherChannel. The port can receive BPDUs but cannot send them. Data traffic is blocked.
The port is not bundled in an EtherChannel. The port functions as a standalone data port. The port can send and receive BPDUs and data traffic.
Answer E. Ports with different spanning-tree path costs can form an EtherChannel if they are otherwise compatibly configured. Setting different spanning-tree path costs does not, by itself, make ports incompatible for the formation of an EtherChannel.
Q195. Which Cisco IOS VPN technology leverages IPsec, mGRE, dynamic routing protocol, NHRP, and Cisco Express Forwarding?
D. Cisco Easy VPN
Q196. Which two conditions must be met by default to implement the BGP multipath feature? (Choose two.)
A. The next-hop routers must be the same.
B. Route reflectors must be enabled.
C. All attributes must have the same values.
D. MPLS must be enabled.
E. The next-hop routers must be different.
Q197. In the DiffServ model, which class represents the highest priority with the highest drop probability?
AF43 — Assured forwarding, high drop probability, Class 4 DSCP, and Flash-override precedence.
Table of AF Classes and Drop Priority
Q198. Which AS_PATH attribute can you use to prevent loops when implementing BGP confederations?
Q199. Refer to the exhibit.
Which three statements about the output are true? (Choose three.)
A. An mrouter port can be learned by receiving a PIM hello packet from a multicast router.
B. This switch is configured as a multicast router.
C. Gi2/0/1 is a trunk link that connects to a multicast router.
D. An mrouter port is learned when a multicast data stream is received on that port from a multicast router.
E. This switch is not configured as a multicast router. It is configured only for IGMP snooping.
F. IGMP reports are received only on Gi2/0/1 and are never transmitted out Gi2/0/1 for VLANs 10 and 20.
In this example, the switch has been configured as a multicast router since IGMP snooping has been enabled. All mrouters can learn about other mrouters by receiving a PIM hello packet from another multicast router. Also, since two different VLANs are being used by the same port of gi 2/0/1, it must be a trunk link that connects to another multicast router.
Q200. Which two statements about port ACLs are true? (Choose two.)
A. Port ACLs are supported on physical interfaces and are configured on a Layer 2 interface on a switch.
B. Port ACLs support both outbound and inbound traffic filtering.
C. When it is applied to trunk ports, the port ACL filters only native VLAN traffic.
D. When it is applied to a port with voice VLAN, the port ACL filters both voice and data VLAN traffic.
PACLs filter incoming traffic on Layer 2 interfaces, using Layer 3 information, Layer 4 header information, or non-IP Layer 2 information. The port ACL (PACL) feature provides the ability to perform access control on specific Layer 2 ports. A Layer 2 port is a physical LAN or trunk port that belongs to a VLAN. Port ACLs perform access control on all traffic entering the specified Layer 2 port, including voice and data VLANs that may be configured on the port. Port ACLs are applied only on the ingress traffic.