
CCIE Routing and Switching Written Exam v5.1
QUESTION 411

Refer to the exhibit. If the route to 10.1.1.1 is removed from the R2 routing table, which server becomes the master NTP server?

[Exhibit image not reproduced]

A. R2
B. The NTP server at 10.3.3.3
C. The NTP server at 10.4.4.4
D. The NTP server with the lowest stratum number

Correct Answer: D

Explanation:

NTP uses a concept called “stratum” that defines how many NTP hops away a device is from an authoritative time source. For example, a device with stratum 1 is a very accurate device and might have an atomic clock attached to it. Another NTP server that is using this stratum 1 server to sync its own time would be a stratum 2 device because it’s one NTP hop further away from the source. When you configure multiple NTP servers, the client will prefer the NTP server with the lowest stratum value.

Reference: https://networklessons.com/network-services/cisco-network-time-protocol-ntp/
QUESTION 412

Refer to the exhibit. If the remaining configuration uses default values, what is the expected output of the show mls qos queue-set command?

[Exhibit image not reproduced]

A. [exhibit image not reproduced]
B. [exhibit image not reproduced]
C. [exhibit image not reproduced]
D. [exhibit image not reproduced]

Correct Answer: A

Explanation:

mls qos queue-set output qset-id threshold queue-id drop-threshold1 drop-threshold2 reserved-threshold maximum-threshold

Configure the WTD thresholds, guarantee the availability of buffers, and configure the maximum memory allocation for the queue-set (four egress queues per port).

By default, the WTD thresholds for queues 1, 3, and 4 are set to 100 percent. The thresholds for queue 2 are set to 200 percent. The reserved thresholds for queues 1, 2, 3, and 4 are set to 50 percent. The maximum thresholds for all queues are set to 400 percent.

For qset-id , enter the ID of the queue-set specified in Step 2. The range is 1 to 2.

For queue-id , enter the specific queue in the queue-set on which the command is performed. The range is 1 to 4.

For drop-threshold1 drop-threshold2, specify the two WTD thresholds expressed as a percentage of the queue's allocated memory. The range is 1 to 3200 percent.

For reserved-threshold , enter the amount of memory to be guaranteed (reserved) for the queue expressed as a percentage of the allocated memory. The range is 1 to 100 percent.

For maximum-threshold, enable a queue in the full condition to obtain more buffers than are reserved for it. This is the maximum memory the queue can have before the packets are dropped if the common pool is not empty. The range is 1 to 3200 percent.

Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/12-2_55_se/configuration/guide/3750xscg/swqos.html
QUESTION 413

Which two fields reside in the initial CHAP challenge packet? (Choose two.)
A. the authentication name of the challenger
B. a random hash value generated by the device
C. the hashed packet type ID
D. the packet type ID in clear text

Correct Answer: AD

Explanation:

When a caller A dials in to an access server B, the access server sends across the link an initial Type 1 authentication packet called a Challenge. This Challenge packet contains a randomly generated number, an ID sequence number to identify the challenge (sent in clear text) and the authentication name of the challenger.

Reference: http://www.rhyshaden.com/ppp.htm
QUESTION 414

Which two Cisco IOS AAA features are available with the local database? (Choose two.)
A. command authorization
B. network access authorization
C. network accounting
D. network access authentication

Correct Answer: AD

Explanation:

Configuring the Local Database

This section describes how to manage users in the local database. You can use the local database for CLI access authentication, privileged mode authentication, command authorization, network access authentication, and VPN authentication and authorization. You cannot use the local database for network access authorization. The local database does not support accounting.

Reference: http://www.cisco.com/c/en/us/td/docs/security/asa/asa80/configuration/guide/conf_gd/aaa.html
QUESTION 415

Which three options are best practices for implementing a DMVPN? (Choose three.)
A. Use IPsec in tunnel mode.
B. Implement Dead Peer Detection to detect communication loss.
C. Configure AES for encryption of transported data.
D. Configure SHA-1 for encryption of transported data.
E. Deploy IPsec hardware acceleration to minimize router memory overhead.
F. Configure QoS services only on the head-end router.

Correct Answer: ABC

Explanation:

Best Practices Summary for Hub-and-Spoke Deployment Model

This section describes the best practices for a dual DMVPN cloud topology with the hub-and-spoke deployment, supporting IP multicast (IPmc) traffic including routing protocols.

The following are general best practices:

- Use IPsec in transport mode.
- Configure Triple DES (3DES) or AES for encryption of transported data (exports of encryption algorithms to certain countries may be prohibited by law).
- Implement Dead Peer Detection (DPD) on the spokes to detect loss of communication between peers.
- Deploy hardware-acceleration of IPsec to minimize router CPU overhead, to support traffic with low latency and jitter requirements, and for the highest performance for cost.
- Keep IPsec packet fragmentation to a minimum on the customer network by setting MTU size or using Path MTU Discovery (PMTUD).
- Use Digital Certificates/Public Key Infrastructure (PKI) for scalable tunnel authentication.
- Configure a routing protocol (for example, EIGRP, BGP or OSPF) with route summarization for dynamic routing.
- Set up QoS service policies as appropriate on headend and branch router interfaces to help alleviate interface congestion issues and to attempt to keep higher priority traffic from being dropped during times of congestion.

Reference: http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/WAN_and_MAN/DMVPDG/DMVPN_1.html
QUESTION 416

What are the three primary components of NetFlow? (Choose three.)
A. Flow caching
B. A flow collector
C. The data analyzer
D. Flow sequence numbers
E. Cisco Express Forwarding
F. Multicast

Correct Answer: ABC

Explanation:

NetFlow includes three key components that perform the following capabilities:

Flow caching analyzes and collects IP data flows entering router or switch interfaces and prepares data for export. It enables the accumulation of data on flows with unique characteristics, such as IP addresses, application, and CoS.

FlowCollector and Data Analysis captures exported data from multiple routers and filters and aggregates the data according to customer policies, and then stores this summarized or aggregated data. Users can leverage Cisco NetFlow collector as a flow collector, or they can opt for a variety of third-party partner products. A Graphical user interface displays and analyzes NetFlow data collected from FlowCollector files. This allows users to complete near-real-time visualization or trending analysis of recorded and aggregated flow data. Users can specify the router and aggregation scheme and desired time interval.

Reference: http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/ios-netflow/product_data_sheet0900aecd80173f71.html
QUESTION 417

Which option is the result if two adjacent routers are configured for OSPF with different process IDs?
A. The routers are unable to establish an adjacency.
B. The routers establish an adjacency, but route exchange fails.
C. The routers establish an adjacency and exchange routes, but the routes are unreachable.
D. The routers establish an adjacency and exchange routes, and the routes are reachable.

Correct Answer: D
QUESTION 418

Refer to the exhibit. Which two options are possible states for the interface configured with the given OSPFv3 authentication? (Choose two.)

[Exhibit image not reproduced]

A. GOING UP
B. DOWN
C. UNCONFIGURED
D. GOING DOWN

Correct Answer: AB

Explanation:

To configure IPsec, you configure a security policy, which is a combination of the security policy index (SPI) and the key (the key is used to create and validate the hash value). IPsec for OSPFv3 can be configured on an interface or on an OSPFv3 area. For higher security, you should configure a different policy on each interface configured with IPsec. If you configure IPsec for an OSPFv3 area, the policy is applied to all of the interfaces in that area, except for the interfaces that have IPsec configured directly. Once IPsec is configured for OSPFv3, IPsec is invisible to you. The secure socket API is used by applications to secure traffic. The API needs to allow the application to open, listen, and close secure sockets. The binding between the application and the secure socket layer also allows the secure socket layer to inform the application of changes to the socket, such as connection open and close events. The secure socket API is able to identify the socket; that is, it can identify the local and remote addresses, masks, ports, and protocol that carry the traffic requiring security.

Each interface has a secure socket state, which can be one of the following:

NULL: Do not create a secure socket for the interface if authentication is configured for the area.

DOWN: IPsec has been configured for the interface (or the area that contains the interface), but OSPFv3 either has not requested IPsec to create a secure socket for this interface, or there is an error condition.

GOING UP: OSPFv3 has requested a secure socket from IPsec and is waiting for a CRYPTO_SS_SOCKET_UP message from IPsec.

UP: OSPFv3 has received a CRYPTO_SS_SOCKET_UP message from IPsec.

CLOSING: The secure socket for the interface has been closed. A new socket may be opened for the interface, in which case the current secure socket makes the transition to the DOWN state. Otherwise, the interface will become UNCONFIGURED.

UNCONFIGURED: Authentication is not configured on the interface.

OSPFv3 will not send or accept packets while in the DOWN state.

Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_ospf/configuration/15-sy/iro-15-sy-book/ip6-route-ospfv3-auth-ipsec.html
QUESTION 419

Which two statements about BGP best-path selection are true? (Choose two.)
A. The route with the highest local preference is preferred.
B. The weight attribute is advertised to peers.
C. The route with the lowest MED is preferred.
D. A route that originates from iBGP peers is preferred.
E. A route that originates from a router with a higher BGP router ID is preferred.
F. The lowest weight advertised is preferred.

Correct Answer: AC
QUESTION 420

Which two advantages does CoPP have over receive path ACLs? (Choose two.)
A. Only CoPP applies to IP packets and non-IP packets.
B. Only CoPP applies to receive destination IP packets.
C. A single instance of CoPP can be applied to all packets to the router, while rACLs require multiple instances.
D. Only CoPP can rate-limit packets.

Correct Answer: AD

Explanation:

Control Plane Policing – CoPP is the Cisco IOS-wide route processor protection mechanism. As illustrated in Figure 2, and similar to rACLs, CoPP is deployed once to the punt path of the router.

However, unlike rACLs that only apply to receive destination IP packets, CoPP applies to all packets that punt to the route processor for handling. CoPP therefore covers not only receive destination IP packets, but also exception IP packets and non-IP packets. In addition, CoPP is implemented using the Modular QoS CLI (MQC) framework for policy construction. In this way, in addition to simple permit and deny functions, specific packets may be permitted but rate-limited. This behavior substantially improves the ability to define an effective CoPP policy. (Note that "Control Plane Policing" is something of a misnomer because CoPP generally protects the punt path to the route processor and not solely the control plane.)

Reference: http://www.cisco.com/web/about/security/intelligence/coppwp_gs.html