We provide real passleader 400 101 exam questions and answers braindumps in two formats. Download PDF & Practice Tests. Pass Cisco cisco 400 101 Exam quickly & easily. The ccie 400 101 dumps PDF type is available for reading and printing. You can print more and practice many times. With the help of our Cisco 400 101 ccie dumps pdf and vce product and material, you can easily pass the ccie 400 101 exam.


2026 New 400-101 Exam Dumps with PDF and VCE Free: https://www.2passeasy.com/dumps/400-101/

Q1. Which two BGP attributes are optional, non-transitive attributes? (Choose two.) 

A. AS path 

B. local preference 

C. MED 

D. weight 

E. cluster list 

Answer: C,E 

Q2. Refer to the exhibit. 

The spokes of the DMVPN with the given configuration are having QoS issues. 

Which two actions can you take to resolve the problem? (Choose two.) 

A. Configure qos pre-classify on the tunnel interface. 

B. Configure an NHRP group on the tunnel interface and associate it to a QoS policy. 

C. Modify the configuration of the IPsec policy to accept QoS policies. 

D. Manually configure a QoS policy on the serial interface. 

E. Configure the bandwidth statement on the tunnel interface. 

F. Configure the bandwidth statement on the serial interface. 

Answer: A,B 

Explanation: 

It is possible to classify based on information that is encrypted, which is needed in this example. You can use an access-list, configured to match the private subnet behind the remote spoke. The qos pre-classify command is used on the tunnel interface, and is required because the traffic is classified by a parameter that is encrypted as the traffic leaves the physical outbound interface. L4 information from the IP data packet can also classify traffic destined to the same private subnet. The “nhrp map group group-name service-policy output parent-policy-name” command adds the NHRP group to the QoS policy map on the hub. 

Q3. Which Cisco IOS VPN technology leverages IPsec, mGRE, dynamic routing protocol, NHRP, and 

Cisco Express Forwarding? 

A. FlexVPN 

B. DMVPN 

C. GETVPN 

D. Cisco Easy VPN 

Answer:

Q4. DRAG DROP 

Drag and drop the IGMPv2 timer on the left to its default value on the right. 

Answer:  

Q5. In GETVPN, which key is used to secure the control plane? 

A. Traffic Encryption Key (TEK) 

B. content encryption key (CEK) 

C. message encryption key (MEK) 

D. Key Encryption Key (KEK). 

Answer:

Explanation: 

GDOI introduces two different encryption keys. One key secures the GET VPN control plane; the other key secures the data traffic. The key used to secure the control plane is commonly called the Key Encryption Key (KEK), and the key used to encrypt data traffic is known as Traffic Encryption Key (TEK). 

Reference: Group Encrypted Transport VPN (Get VPN) Design and Implementation Guide PDF 

Q6. Refer to the exhibit. 

What is a reason for the RIB-failure? 

A. CEF is not enabled on this router. 

B. The route 10.100.1.1/32 is in the routing table, but not as a BGP route. 

C. The routing table has yet to be updated with the BGP route. 

D. The BGP route is filtered inbound and hence is not installed in the routing table. 

Answer:

Explanation: 

A rib-failure occurs when BGP tries to install the bestpath prefix into the RIB, but the RIB rejects the BGP route because a route with better administrative distance already exists in the routing table. An inactive Border Gateway Protocol (BGP) route is a route that is not installed in the RIB, but is installed in the BGP table as rib-failure. Example Topology Router 1 (R1) and router 2 (R2) have two parallel links; one links runs BGP AS 65535 and the other link runs Enhanced Interior Gateway Routing Protocol (EIGRP) AS 1. Both BGP and EIGRP are advertising the network 10.1.1.1/32 on R1. 

R2 learns about the 1.1.1.1/32 route through both EIGRP and BGP, but installs only the EIGRP route in the routing table because of the lower administrative distance. Since the BGP route is not installed in the R2 routing table, the route appears as a rib-failure in the R2 BGP table. 

Reference: http://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/116146-config-bgp-next-hop-00.html 

Q7. Which two statements about BPDU guard are true? (Choose two.) 

A. The global configuration command spanning-tree portfast bpduguard default shuts down interfaces that are in the PortFast-operational state when a BPDU is received on that port. 

B. The interface configuration command spanning-tree portfast bpduguard enable shuts down only interfaces with PortFast enabled when a BPDU is received. 

C. BPDU guard can be used to prevent an access port from participating in the spanning tree in the service provider environment. 

D. BPDU guard can be used to protect the root port. 

E. BPDU guard can be used to prevent an invalid BPDU from propagating throughout the network. 

Answer: A,C 

Q8. DRAG DROP 

Drag and drop each IPv6 neighbor discovery message type on the left to the corresponding description on the right. 

Answer:  

Q9. What is the destination MAC address of a BPDU frame? 

A. 01-80-C2-00-00-00 

B. 01-00-5E-00-00-00 

C. FF-FF-FF-FF-FF-FF 

D. 01-80-C6-00-00-01 

Answer:

Explanation: 

The root-bridge election process begins by having every switch in the domain believe it is the root and claiming it throughout the network by means of Bridge Protocol Data Units (BPDU). BPDUs are Layer 2 frames multicast to a well-known MAC address in case of IEEE STP (01-80-C2-00-00-00) or vendor-assigned addresses, in other cases. 

Reference: http://www.ciscopress.com/articles/article.asp?p=1016582