We provide real 400 101 dumps exam questions and answers braindumps in two formats. Download PDF & Practice Tests. Pass Cisco 400 101 pdf Exam quickly & easily. The 400 101 dumps PDF type is available for reading and printing. You can print more and practice many times. With the help of our Cisco 400 101 dumps dumps pdf and vce product and material, you can easily pass the 400 101 ccie exam.
2026 New 400-101 Exam Dumps with PDF and VCE Free: https://www.2passeasy.com/dumps/400-101/
Q1. Which three statements are true about an EtherChannel? (Choose three.)
A. PAGP and LACP can be configured on the same switch if the switch is not in the same EtherChannel.
B. EtherChannel ports in suspended state can receive BPDUs but cannot send them.
C. An EtherChannel forms between trunks that are using different native VLANs.
D. LACP can operate in both half duplex and full duplex, if the duplex setting is the same on both ends.
E. Ports with different spanning-tree path costs can form an EtherChannel.
Answer: A,B,E
Explanation:
Answer A. EtherChannel groups running PAgP and LACP can coexist on the same switch or on different switches in the stack. Individual EtherChannel groups can run either PAgP or LACP, but they cannot interoperate.
Answer B:
EtherChannel Member Port States
Port States
Description
bundled
The port is part of an EtherChannel and can send and receive BPDUs and data traffic.
suspended
The port is not part of an EtherChannel. The port can receive BPDUs but cannot send them. Data traffic is blocked.
standalone
The port is not bundled in an EtherChannel. The port functions as a standalone data port. The port can send and receive BPDUs and data traffic.
Answer E. Ports with different spanning-tree path costs can form an EtherChannel if they are otherwise compatibly configured. Setting different spanning-tree path costs does not, by itself, make ports incompatible for the formation of an EtherChannel.
Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960x/software/15-0_2_EX/layer2/configuration_guide/b_lay2_152ex_2960-x_cg/b_lay2_152ex_2960-x_cg_chapter_010.html
Q2. Which two statements about device access control are true? (Choose two.)
A. The AUX port is displayed as type tty in the output of the show line command.
B. VTY lines are associated with physical interfaces on a network device.
C. MPP restricts device-management access to interfaces that are configured under the control plane host configuration.
D. The enable password command sets an MD5 one-way encrypted password.
E. The console port supports hardware flow control
Answer: C,E
Q3. Which attribute is not part of the BGP extended community when a PE creates a VPN-IPv4 route while running OSPF between PE-CE?
A. OSPF domain identifier
B. OSPF route type
C. OSPF router ID
D. MED
E. OSPF network type
Answer: E
Explanation:
By process of elimination, from RFC 4577:
For every address prefix that was installed in the VRF by one of its associated OSPF instances, the PE must create a VPN-IPv4 route in BGP. Each such route will have some of the following Extended Communities attributes:
– The OSPF Domain Identifier Extended Communities attribute. If the OSPF instance that installed the route has a non-NULL primary Domain Identifier, this MUST be present; if that OSPF instance has only a NULL Domain Identifier, it MAY be omitted.
– OSPF Route Type Extended Communities Attribute. This attribute MUST be present. It is encoded with a two-byte type field, and its type is 0306.
– OSPF Router ID Extended Communities Attribute. This OPTIONAL attribute specifies the OSPF Router ID of the system that is identified in the BGP Next Hop attribute. More precisely, it specifies the OSPF Router Id of the PE in the OSPF instance that installed the route into the VRF from which this route was exported.
– MED (Multi_EXIT_DISC attribute). By default, this SHOULD be set to the value of the OSPF distance associated with the route, plus 1.
Reference: https://tools.ietf.org/html/rfc4577
Q4. Refer to the exhibit.
What is wrong with the configuration of the tunnel interface of this DMVPN Phase II spoke router?
A. The interface MTU is too high.
B. The tunnel destination is missing.
C. The NHRP NHS IP address is wrong.
D. The tunnel mode is wrong.
Answer: D
Explanation:
By default, tunnel interfaces use GRE as the tunnel mode, but a DMVPN router needs to be configured for GRE multipoint by using the “tunnel mode gre multipoint” interface command.
Q5. Which three options are best practices for implementing a DMVPN? (Choose three.)
A. Use IPsec in tunnel mode.
B. Implement Dead Peer Detection to detect communication loss.
C. Configure AES for encryption of transported data.
D. Configure SHA-1 for encryption of transported data.
E. Deploy IPsec hardware acceleration to minimize router memory overhead.
F. Configure QoS services only on the head-end router.
Answer: A,B,C
Explanation:
Best Practices Summary for Hub-and-Spoke Deployment Model
This section describes the best practices for a dual DMVPN cloud topology with the hub-and-spoke deployment, supporting IP multicast (IPmc) traffic including routing protocols.
The following are general best practices:
. Use IPsec in transport mode
. Configure Triple DES (3DES) or AES for encryption of transported data (exports of encryption algorithms to certain countries may be prohibited by law).
Implement Dead Peer Detection (DPD) on the spokes to detect loss of communication between peers.
. Deploy hardware-acceleration of IPsec to minimize router CPU overhead, to support traffic with low latency and jitter requirements, and for the highest performance for cost.
. Keep IPsec packet fragmentation to a minimum on the customer network by setting MTU size or using Path MTU Discovery (PMTUD).
. Use Digital Certificates/Public Key Infrastructure (PKI) for scalable tunnel authentication.
. Configure a routing protocol (for example, EIGRP, BGP or OSPF) with route summarization help alleviate interface congestion issues and to attempt to keep higher priority traffic from being dropped during times of congestion.
Reference: http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/WAN_and_MAN/DMVPDG/DMV PN_1.html
Q6. Refer to the exhibit.
Which part of the joined group addresses list indicates that the interface has joined the EIGRP multicast group address?
A. FF02::1
B. FF02::1:FF00:200
C. FF02::A
D. FF02::2
Answer: C
Explanation:
FF02::A is an IPv6 link-local scope multicast addresses. This address is for all devices on a wire that want to "talk" EIGRP with one another.
Focusing specifically on FF02::A and how routers join it, we can see and say three things:
. Local: FF02::A is local to the wire.
. Join: Each device "joins" FF02::A by just "deciding to listen" to the IPv6 link-local scope multicast address FF02::A. Then, by extension, it listens to the corresponding MAC address for that multicast IPv6 address (33:33:00:00:00:0A).
. Common interest: As we can see, these varying groups have something in common that they would all like to hear about. For FF02::A, the common interest --the "connection" among the devices joining that group – is that they all want to listen to or participate in EIGRP.
Reference: http://www.networkcomputing.com/networking/understanding-ipv6-what-is-solicited-node-multicast/a/d-id/1315703
Q7. Which two statements about private VLANs are true? (Choose two.)
A. Only one isolated VLAN can be mapped to a primary VLAN.
B. Only one community VLAN can be mapped to a primary VLAN.
C. Multiple isolated VLANs can be mapped to a primary VLAN.
D. Multiple community VLANs can be mapped to a primary VLAN.
Answer: A,D
Explanation:
An isolated VLAN is a secondary VLAN that carries unidirectional traffic upstream from the hosts toward the promiscuous ports. You can configure only one isolated VLAN in a PVLAN domain. An isolated VLAN can have several isolated ports. The traffic from each isolated port also remains completely separate. Only one isolated VLAN can be mapped under a given primary VLAN. A community VLAN is a secondary VLAN that carries upstream traffic from the community ports to the promiscuous port and to other host ports in the same community. You can configure multiple community VLANs in a PVLAN domain. The ports within one community can communicate, but these ports cannot communicate with ports in any other community or isolated VLAN in the private VLAN.
Reference: http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus6000/sw/layer2/6x/b_6k_L ayer2_Config_6x/b_6k_Layer2_Config_602N12_chapter_011.html
Q8. In GETVPN, which key is used to secure the control plane?
A. Traffic Encryption Key (TEK)
B. content encryption key (CEK)
C. message encryption key (MEK)
D. Key Encryption Key (KEK).
Answer: D
Explanation:
GDOI introduces two different encryption keys. One key secures the GET VPN control plane; the other key secures the data traffic. The key used to secure the control plane is commonly called the Key Encryption Key (KEK), and the key used to encrypt data traffic is known as Traffic Encryption Key (TEK).
Reference: Group Encrypted Transport VPN (Get VPN) Design and Implementation Guide PDF
Q9. Refer to the exhibit.
Assume that Cisco Discovery Protocol is supported and enabled only on switches A and C.
Which information is returned when you issue the command show cdp neighbors on switch C?
A. a limited amount of information about switch B
B. neighbor details for switch A
C. neighbor details for switch B
D. neighbor details for switch C
Answer: B
Q10. A network engineer wants to add a new switch to an existing switch stack. Which configuration must be added to the new switch before it can be added to the switch stack?
A. No configuration must be added.
B. stack ID
C. IP address
D. VLAN information
E. VTP information
Answer: A