Ensurepass

 

QUESTION 381

What is the new designation for the MPLS EXP (experimental) bits?

 

A. QoS bits

B. traffic class bits

C. flow bits

D. precedence bits

 

Correct Answer: B

Explanation:

To avoid misunderstanding about how this field may be used, it has become increasingly necessary to rename this field. This document changes the name of the EXP field to the “Traffic Class field” (“TC field”). In doing so, it also updates documents that define the current use of the EXP field.

Reference: https://tools.ietf.org/html/rfc5462

 

 

QUESTION 382

Which two options are signaling protocols that are used in MPLS? (Choose two.)

 

A. LDP

B. RSVP

C. BFD

D. LISP

E. CLNS

F. CDP

 

Correct Answer: AB

Explanation:

* Signaling is the means by which LSRs all along the path know that they are a part of a given LSP. It is a signaling function by which the LSR knows that the internal transit path for the LSP depicted goes from Interface 2 to Interface 4.

* Label distribution is the means by which an LSR tells an upstream LSR what label value to use for a particular LSP.

There are four protocols that can perform the label distribution function:

* Label Distribution Protocol (LDP)

* Resource Reservation Protocol with Traffic Engineering Extensions (RSVP-TE)

* Constraint-Based Routed LDP (CR-LDP)

* Multiprotocol BGP

LDP and RSVP-TE are the two most commonly used label distribution protocols.

Reference: http://www.networkworld.com/article/2237487/cisco-subnet/understanding-mpls-label-distribution.html

 

 

QUESTION 383

Which option is an incorrect design consideration when deploying OSPF areas?

 

A. area 1 – area 0 – MPLS VPN backbone – area 0 – area 2

B. area 1 – MPLS VPN backbone – area 2

C. area 1 – MPLS VPN backbone – area 1

D. area 2 – area 0 – MPLS VPN backbone – area 1

E. area 0 – area 2 – MPLS VPN superbackbone – area 1

 

Correct Answer: E

Explanation:

In the case of an MPLS VPN backbone, the OSPF superbackbone behaves exactly like Area 0 in regular OSPF, so we cannot have two different area 0s that are not directly connected to each other. When area 0 connects to the superbackbone, it simply becomes an extension of area 0.

 

 

QUESTION 384

Refer to the exhibit. Which statement about the route target for 192.168.1.0/24 is true?

 

[Exhibit: image not reproduced]

 

A. Its route target is 64512:100010051.

B. Its route targets are 64512:100010051, 64512:2002250, and 64512:3002300.

C. Its route target is 64512:3002300.

D. Its route targets are 64512:100010051 and 64512:3002300.

E. Its route targets are 64512:2002250 and 64512:3002300.

 

Correct Answer: C

Explanation:

Here we are using route maps to change the route target for the 192.168.1.0/24 network from the default route target of 64512:100010051 to 64512:3002300.

 

 

QUESTION 385

Which three options are best practices for implementing a DMVPN? (Choose three.)

 

A. Use IPsec in tunnel mode.

B. Implement Dead Peer Detection to detect communication loss.

C. Configure AES for encryption of transported data.

D. Configure SHA-1 for encryption of transported data.

E. Deploy IPsec hardware acceleration to minimize router memory overhead.

F. Configure QoS services only on the head-end router.

 

Correct Answer: ABC

Explanation:

Best Practices Summary for Hub-and-Spoke Deployment Model

This section describes the best practices for a dual DMVPN cloud topology with the hub-and-spoke deployment, supporting IP multicast (IPmc) traffic including routing protocols.

The following are general best practices:

 

* Use IPsec in transport mode.

* Configure Triple DES (3DES) or AES for encryption of transported data (exports of encryption algorithms to certain countries may be prohibited by law).

* Implement Dead Peer Detection (DPD) on the spokes to detect loss of communication between peers.

* Deploy hardware-acceleration of IPsec to minimize router CPU overhead, to support traffic with low latency and jitter requirements, and for the highest performance for cost.

* Keep IPsec packet fragmentation to a minimum on the customer network by setting MTU size or using Path MTU Discovery (PMTUD).

* Use Digital Certificates/Public Key Infrastructure (PKI) for scalable tunnel authentication.

* Configure a routing protocol (for example, EIGRP, BGP or OSPF) with route summarization for dynamic routing.

 

Set up QoS service policies as appropriate on headend and branch router interfaces to help alleviate interface congestion issues and to attempt to keep higher priority traffic from being dropped during times of congestion.

Reference: http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/WAN_and_MAN/DMVPDG/DMVPN_1.html

 

 

QUESTION 386

Which three components comprise the structure of a pseudowire FEC element? (Choose three.)

 

A. pseudowire ID

B. pseudowire type

C. control word

D. Layer 3 PDU

E. header checksum

F. type of service

 

Correct Answer: ABC

Explanation:

The Pseudowire ID FEC element has the following components:

Reference: http://www.ciscopress.com/articles/article.asp?p=386788&seqNum=2

 

 

QUESTION 387

Which IPv6 tunneling type establishes a permanent link between IPv6 domains over IPv4?

 

A. IPv4-compatible tunneling

B. ISATAP tunneling

C. 6to4 tunneling

D. manual tunneling

 

Correct Answer: D

Explanation:

A manually configured tunnel is equivalent to a permanent link between two IPv6 domains over an IPv4 backbone. The primary use is for stable connections that require regular secure communication between two edge routers or between an end system and an edge router, or for connection to remote IPv6 networks.

Reference: http://www.cisco.com/c/en/us/td/docs/ios/ipv6/configuration/guide/12_4t/ipv6_12_4t_book/ip6-tunnel.html

 

 

QUESTION 388

In which two modes do IPv6-in-IPv4 tunnels operate? (Choose two.)

 

A. tunnel mode

B. transport mode

C. 6to4 mode

D. 4to6 mode

E. ISATAP mode

 

Correct Answer: CE

Explanation:

There are five tunneling solutions in IPv6:

1. Using “tunnel mode ipv6ip”: in this case the tunnel source and destination are configured with IPv4 addressing and the tunnel interface is configured with IPv6. This will use protocol 41. This is used for IPv6/IPv4.

 

R1(config)#int tunnel 1

R1(config-if)#ipv6 address 12:1:12::1/64

R1(config-if)#tunnel source 10.1.12.1

R1(config-if)#tunnel destination 10.1.12.2

R1(config-if)#tunnel mode ipv6ip

 

2. Using “tunnel mode gre ipv6”: in this case the tunnel source and destination are both configured with IPv6 addressing. This is used for IPv6/IPv6.

 

BB1(config)#int tunnel 1

BB1(config-if)#ipv6 address 121:1:121::111/64

BB1(config-if)#tunnel source 10:1:111::111

BB1(config-if)#tunnel destination 10:1:112::112

BB1(config-if)#tunnel mode gre ipv6

 

3. In this third type, the tunnel mode is NOT configured at all. Note that the tunnel interface is configured with IPv6 and the tunnel source and destination are configured with IPv4, with no mention of tunnel mode. This configuration will use protocol 47. This is used for IPv6/IPv4.

 

R1(config)#int tunnel 13

R1(config-if)#ipv6 address 13:1:13::1/64

R1(config-if)#tunnel source 10.1.13.1

R1(config-if)#tunnel destination 10.1.13.3

 

4. Note that in this case a special address is assigned to the tunnel interface: a concatenation of the reserved IPv6 prefix 2002 followed by the translated IPv4 address of a given interface on the router. In this configuration ONLY the tunnel source address is used, and since the tunnel is automatic, the destination address is NOT configured. The tunnel mode is set to “tunnel mode ipv6ip 6to4”. Note that the IPv4 address 10.1.1.1 is translated to 0A.01.01.01, and once concatenated it becomes “2002:0A01:0101:” or “2002:A01:101:”. This is used for IPv6/IPv4.

 

R1(config)#interface Tunnel14

R1(config-if)#ipv6 address 2002:A01:101::/128

R1(config-if)#tunnel source 10.1.1.1

R1(config-if)#tunnel mode ipv6ip 6to4

 

5. ISATAP: ISATAP works like 6to4 tunnels, with one major difference: it uses a special IPv6 address which is formed as follows:

In this tunnel mode, the network portion can be any IPv6 address, whereas in 6to4 it had to start with 2002.

Note that when the IPv6 address is assigned to the tunnel interface, “eui-64” is used; in this case the host portion of the IPv6 address starts with “0000.5EFE”, and the rest of the host portion is the translated IPv4 address of the tunnel’s source IPv4 address. This translation is performed automatically, unlike 6to4. This is used for IPv6/IPv4.

 

R4(config)#int tunnel 46

R4(config-if)#ipv6 address 46:1:46::/64 eui-64

R4(config-if)#tunnel source 10.44.44.44

R4(config-if)#tunnel mode ipv6ip ISATAP

 

 

QUESTION 389

Which VPN technology requires the use of an external key server?

 

A. GETVPN

B. GDOI

C. SSL

D. DMVPN

E. IPsec

F. L2TPv3

 

Correct Answer: A

Explanation:

A GETVPN deployment has three primary components: the Key Server (KS), the Group Member (GM), and the Group Domain of Interpretation (GDOI) protocol. GMs encrypt and decrypt the traffic, and the KS distributes the encryption key to all the group members. The KS decides on one single data encryption key for a given lifetime. Since all GMs use the same key, any GM can decrypt the traffic encrypted by any other GM. The GDOI protocol is used between the GM and the KS for group key and group SA management. At least one KS is required for a GETVPN deployment.

Reference: http://www.cisco.com/c/en/us/products/collateral/security/group-encrypted-transport-vpn/deployment_guide_c07_554713.html

 

 

QUESTION 390

Which three roles does a key server perform when used with GETVPN? (Choose three.)

 

A. It authenticates group members.

B. It manages security policies.

C. It creates group keys.

D. It distributes multicast replication policies.

E. It distributes multicast replication keys.

F. It configures and routes the GDOI protocol.

 

Correct Answer: ABC

Explanation:

The key server is responsible for maintaining security policies, authenticating the Group Members and providing the session key for encrypting traffic. The KS authenticates the individual GMs at the time of registration. Only after successful registration can the GMs participate in the group SA.

Reference: http://www.cisco.com/c/en/us/products/collateral/security/group-encrypted-transport-vpn/deployment_guide_c07_554713.html

 
