Download New Updated (July) Cisco 400-101 Actual Test 321-330


 

QUESTION 321

Refer to the exhibit. Service provider SP 1 is running the MPLS-VPN service. The MPLS core network has MP-BGP configured with RR-1 as route reflector. What will be the effect on traffic between PE1 and PE2 if router P1 goes down?

 

A. No effect, because all traffic between PE1 and PE2 will be rerouted through P2.

B. No effect, because P1 was not the only P router in the forwarding path of traffic.

C. No effect, because RR-1 will find an alternative path for MP-BGP sessions to PE-1 and PE-2.

D. All traffic will be lost because RR-1 will lose the MP-BGP sessions to PE-1 and PE-2.

 

Correct Answer: D

Explanation:

If the connection to the route reflector goes down, then routes from PE-1 will not get advertised to PE2, and vice versa. Route reflectors are critical in an MPLS VPN such as the one shown, which is why it is a best practice to have multiple route reflectors in this kind of network.

 

 

 

 

 

QUESTION 322

Refer to the exhibit. What is a possible reason for the IPSEC tunnel not establishing?

 

A. The peer is unreachable.

B. The transform sets do not match.

C. The proxy IDs are invalid.

D. The access lists do not match.

 

Correct Answer: D

Explanation:

Proxy Identities Not Supported

This message appears in debugs if the access list for IPsec traffic does not match.

1d00h: IPSec(validate_transform_proposal): proxy identities not supported

1d00h: ISAKMP: IPSec policy invalidated proposal

1d00h: ISAKMP (0:2): SA not acceptable!

The access lists on each peer need to mirror each other (all entries need to be reversible). This example illustrates this point.

Peer A

access-list 150 permit ip 172.21.113.0 0.0.0.255 172.21.114.0 0.0.0.255

access-list 150 permit ip host 15.15.15.1 host 172.21.114.123

Peer B

access-list 150 permit ip 172.21.114.0 0.0.0.255 172.21.113.0 0.0.0.255

access-list 150 permit ip host 172.21.114.123 host 15.15.15.1

Reference: http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/5409-ipsec-debug-00.html#proxy
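
The mirror requirement above can be checked offline before a change is pushed to either peer. The following is an added example (not from the original page or the referenced Cisco document): it parses extended ACL entries of the form shown and reports any entry that has no reversed twin on the other peer. The function names and the PEER_B_BROKEN sample are assumptions made for illustration, and only entries without port operators are handled.

```python
import ipaddress

def take_addr(tokens):
    """Consume one ACL address spec: 'any', 'host X', or 'X <wildcard>'."""
    head = tokens.pop(0)
    if head == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if head == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    # A Cisco wildcard is the inverse of a netmask; invert it explicitly so
    # 0.0.0.0 means "exact host". Non-contiguous wildcards raise ValueError.
    wildcard = int(ipaddress.IPv4Address(tokens.pop(0)))
    netmask = ipaddress.IPv4Address(wildcard ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{head}/{netmask}", strict=False)

def parse_entry(line):
    """Parse 'access-list N permit|deny PROTO SRC DST' into a comparable tuple."""
    tokens = line.split()
    if len(tokens) < 6 or tokens[0] != "access-list":
        raise ValueError(f"not an extended ACL entry: {line!r}")
    action, proto, rest = tokens[2], tokens[3], tokens[4:]
    src = take_addr(rest)
    dst = take_addr(rest)
    return (action, proto, src, dst)

def unmirrored(cfg_a, cfg_b):
    """Return (entries on A with no reversed twin on B, the same for B)."""
    a = {parse_entry(l) for l in cfg_a.splitlines() if l.strip()}
    b = {parse_entry(l) for l in cfg_b.splitlines() if l.strip()}
    flip = lambda e: (e[0], e[1], e[3], e[2])
    only_a = sorted((e for e in a if flip(e) not in b), key=str)
    only_b = sorted((e for e in b if flip(e) not in a), key=str)
    return only_a, only_b

# Peer A and Peer B are the ACLs quoted in the explanation above.
PEER_A = """access-list 150 permit ip 172.21.113.0 0.0.0.255 172.21.114.0 0.0.0.255
access-list 150 permit ip host 15.15.15.1 host 172.21.114.123"""
PEER_B = """access-list 150 permit ip 172.21.114.0 0.0.0.255 172.21.113.0 0.0.0.255
access-list 150 permit ip host 172.21.114.123 host 15.15.15.1"""
# Constructed mismatch: Peer B's host entry points at 15.15.15.2 instead.
PEER_B_BROKEN = PEER_B.replace("host 15.15.15.1", "host 15.15.15.2")

if __name__ == "__main__":
    print("as documented:", unmirrored(PEER_A, PEER_B))
    for side, entries in zip("AB", unmirrored(PEER_A, PEER_B_BROKEN)):
        for action, proto, src, dst in entries:
            print(f"peer {side}: {action} {proto} {src} -> {dst} has no mirror")
```

An empty result on both sides means every entry is reversible; any entry listed is a candidate cause of the "proxy identities not supported" debug message.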

 

 

QUESTION 323

What is a key advantage of Cisco GET VPN over DMVPN?

 

A. Cisco GET VPN provides zero-touch deployment of IPSEC VPNs.

B. Cisco GET VPN supports certificate authentication for tunnel establishment.

C. Cisco GET VPN has a better anti-replay mechanism.

D. Cisco GET VPN does not require a secondary overlay routing infrastructure.

 

Correct Answer: D

Explanation:

DMVPN requires overlaying a secondary routing infrastructure through the tunnels, which results in suboptimal routing while the dynamic tunnels are built. The overlay routing topology also reduces the inherent scalability of the underlying IP VPN network topology. Traditional point-to-point IPsec tunneling solutions suffer from multicast replication issues because multicast replication must be performed before tunnel encapsulation and encryption at the IPsec CE (customer edge) router closest to the multicast source. Multicast replication cannot be performed in the provider network because encapsulated multicasts appear to the core network as unicast data.

Cisco’s Group Encrypted Transport VPN (GET VPN) introduces the concept of a trusted group to eliminate point-to-point tunnels and their associated overlay routing. All group members (GMs) share a common security association (SA), also known as a group SA. This enables GMs to decrypt traffic that was encrypted by any other GM. (Note that IPsec CE acts as a GM.) In GET VPN networks, there is no need to negotiate point-to-point IPsec tunnels between the members of a group, because GET VPN is “tunnel-less.”

Reference: Group Encrypted Transport VPN (Get VPN) Design and Implementation Guide PDF

 

 

QUESTION 324

Refer to the exhibit. What is wrong with the configuration of the tunnel interface of this DMVPN Phase II spoke router?

 

A. The interface MTU is too high.

B. The tunnel destination is missing.

C. The NHRP NHS IP address is wrong.

D. The tunnel mode is wrong.

 

Correct Answer: D

Explanation:

By default, tunnel interfaces use GRE as the tunnel mode, but a DMVPN router needs to be configured for GRE multipoint by using the “tunnel mode gre multipoint” interface command.

 

 

QUESTION 325

Which two statements are true about VPLS? (Choose two.)

 

A. It can work over any transport that can forward IP packets.

B. It provides integrated mechanisms to maintain First Hop Resiliency Protocols such as HSRP, VRRP, or GLBP.

C. It includes automatic detection of multihoming.

D. It relies on flooding to propagate MAC address reachability information.

E. It can carry a single VLAN per VPLS instance.

 

Correct Answer: DE

Explanation:

VPLS relies on flooding to propagate MAC address reachability information. Therefore, flooding cannot be prevented.

VPLS can carry a single VLAN per VPLS instance. To multiplex multiple VLANs on a single instance, VPLS uses IEEE QinQ.

Reference: http://www.cisco.com/c/en/us/products/collateral/switches/nexus-7000-series-switches/white_paper_c11-574984.html

 

 

 

 

 

 

 

 

QUESTION 326

Refer to the exhibit. What will be the extended community value of this route?

 

A. RT:200:3000 RT:200:9999

B. RT:200:9999 RT:200:3000

C. RT:200:3000

D. RT:200:9999

 

Correct Answer: D

Explanation:

Here the route map is being used to manually set the extended community RT to 200:9999.

 

 

QUESTION 327

Refer to the exhibit. Which statement is true?

 

A. There is an MPLS network that is running 6PE, and the ingress PE router has no mpls ip propagate-ttl.

B. There is an MPLS network that is running 6VPE, and the ingress PE router has no mpls ip propagate-ttl.

C. There is an MPLS network that is running 6PE or 6VPE, and the ingress PE router has mpls ip propagate-ttl.

D. There is an MPLS network that is running 6PE, and the ingress PE router has mpls ip propagate-ttl.

E. There is an MPLS network that is running 6VPE, and the ingress PE router has mpls ip propagate-ttl.

 

Correct Answer: C

Explanation:

The second hop shows an IPv6 address over MPLS, so we know that there is an MPLS network running 6PE or 6VPE. Because the second and third hops show up in the traceroute, TTL is being propagated: if the “no mpls ip propagate-ttl” command were used, these devices would be hidden in the traceroute.

 

 

QUESTION 328

Refer to the exhibit. Which statement is true about a VPNv4 prefix that is present in the routing table of vrf one and is advertised from this router?

 

A. The prefix is advertised only with route target 100:1.

B. The prefix is advertised with route targets 100:1 and 100:2.

C. The prefix is advertised only with route target 100:3.

D. The prefix is not advertised.

E. The prefix is advertised with route targets 100:1, 100:2, and 100:3.

 

Correct Answer: A

Explanation:

The route target used for prefix advertisements to other routers is defined on the route-target export command, which shows 100:1 in this case for VPNv4 routes.

 

 

QUESTION 329

Which is the way to enable the control word in an L2 VPN dynamic pseudowire connection on router R1?

 

A.
R1(config)# pseudowire-class cw-enable
R1(config-pw-class)# encapsulation mpls
R1(config-pw-class)# set control-word

B.
R1(config)# pseudowire-class cw-enable
R1(config-pw-class)# encapsulation mpls
R1(config-pw-class)# enable control-word

C.
R1(config)# pseudowire-class cw-enable
R1(config-pw-class)# encapsulation mpls
R1(config-pw-class)# default control-word

D.
R1(config)# pseudowire-class cw-enable
R1(config-pw-class)# encapsulation mpls
R1(config-pw-class)# control-word

 

Correct Answer: D

Explanation:

The following example shows how to enable the control word in an AToM dynamic pseudowire connection:

 

Device(config)# pseudowire-class cw-enable

Device(config-pw-class)# encapsulation mpls

Device(config-pw-class)# control-word

Device(config-pw-class)# exit

 

Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/mpls/command/mp-cr-book/mp-a1.html

 

 

QUESTION 330

Where is multicast traffic sent, when it is originated from a spoke site in a DMVPN phase 2 cloud?

 

A. spoke-spoke

B. nowhere, because multicast does not work over DMVPN

C. spoke-spoke and spoke-hub

D. spoke-hub

 

Correct Answer: D

Explanation:

Spokes map multicasts to the static NBMA IP address of the hub, but the hub maps multicast packets to the “dynamic” mappings. That is, the hub replicates multicast packets to all spokes registered via NHRP, so multicast traffic from a spoke is sent to the hub instead of directly to the other spokes.

 
