2019 Newly Updated 400-251 Dumps V18.02 - 100% Passing Materials From DumpsBase

Cisco 400-251 CCIE Security Written Exam (v5.0)


1. Refer to the exhibit. Which reason for the Dot1x session failure is true?
A. Issue with identity source
B. Incorrect authentication rule
C. Incorrect user group
D. Incorrect user string
E. Incorrect authorization condition
F. Incorrect authorization permission
G. Identity source has the user present but not enabled
Answer: A

2. What is the best description of a Dockerfile?
A. Text document used to build an image
B. Message daemon files
C. Software used to manage containers
D. Repository for Docker images
Answer: A

3. Which of the following is used by WSA to extract session information from ISE and use it in access policies?
A. RPC
B. pxGrid
C. SXP
D. Proprietary protocol over TCP/8302
E. EAP
F. RADIUS
Answer: B

4. When an organization is choosing a cloud computing model to adopt, many considerations are studied to determine the most suitable model. To which model is cloud interdependency mainly attributed?
A. Hybrid cloud
B. Public cloud
C. Community cloud
D. Private cloud
Answer: A

5. How does a Cisco ISE server determine whether a client supports EAP chaining?
A. It sends an identity-type TLV to the client and analyzes the response
B. It analyzes the options field in the TCP header of the first packet it receives from the client
C. It analyzes the X.509 certificate it receives from the client through the TLS tunnel
D. It sends an MD5 challenge to the client and analyzes the response
E. It analyzes the EAPoL message the client sends during the initial handshake
Answer: A

6. Which three statements about EAP-Chaining are true? (Choose three)
A. It is enabled on Cisco AnyConnect NAM automatically when EAP-FAST user and machine authentication is enabled
B. The EAP-FAST PAC provisioning phase is responsible for establishing an SSH tunnel between supplicant and ISE to perform EAP-Chaining
C. It is enabled on NAM automatically when EAP-TLS user and machine authentication is enabled
D. It allows user and machine authentication with one RADIUS/EAP session
E. It is supported on the Windows 802.1x supplicant
F. It can use only EAP-FAST, and it requires the use of Cisco AnyConnect NAM
G. EAP-FAST does not allow multiple authentication binding, and this limitation is used for mutual authentication in EAP-Chaining
Answer: A, D, F

7. Which four types of traffic should be allowed during an unknown posture state? (Choose four)
A. Traffic from the AnyConnect client, with posture module, to AS
B. Traffic to the FireAMP cloud for AMP for Endpoints scan results
C. Traffic to public search engines
D. Traffic to remediation servers, if needed
E. DHCP traffic
F. DNS traffic
G. SSH traffic for network device administration
H. Traffic to the ISE PSNs to which the Client Provisioning Protocol FQDN points
Answer: D, E, F, H

8. What best describes the Cisco Virtual Topology System?
A. Package that contains an entire runtime environment
B. An agent that resides on physical devices
C. Web server hosting for NX-OS
D. Overlay provisioning and management solution
Answer: D

9. Drag the LDAP queries used by ESA to query the LDAP server on the left to their functionality on the right.
Answer:

10. Your environment has a large number of network devices that are configured to use AAA for authentication. Additionally, your security policy requires the use of Two-Factor Authentication or Multi-Factor Authentication for all device administrators, which you have integrated with ACS. To simplify device management your organization has purchased Prime Infrastructure. What is the best way to get Prime Infrastructure to authenticate to all of your network devices?
A. Create a user on ISE with a complex password for Prime Infrastructure, along with an authorization policy that uses the ISE local identity store for that user
B. Create a user on ISE with a complex password for Prime Infrastructure, along with an authentication policy that uses the ISE local identity store for that user
C. Configure a local user on each of the network devices along with priority to use the local username and password for Prime Infrastructure
D. Enable the AAA API on the network devices, generate an API token, and configure Prime Infrastructure to use that token when authenticating to the network devices
E. Enable Multi-Factor Authentication on Cisco Prime Infrastructure
Answer: B

11. Drag the network scan type on the left to its definition on the right.
Answer:


12. In your ISE design, there are two TACACS profiles that are created for device administration: IOS_HelpDesk_Profile and IOS_Admin_Profile. The HelpDesk profile should log the user in with privilege 1, with the ability to change the privilege level to 15. The Admin profile should log the user in with privilege 15 by default. Which two commands must the HelpDesk user enter on the IOS device to access privilege level 15? (Choose two)
A. enable secret
B. enable 15
C. privilege level 15
D. enable privilege 15
E. enable
F. enable IOS Admin profile
G. enable password
Answer: B, E

13. Which statement about the pxGrid connection agent is true?
A. It manages the sharing of contextual information between partner platforms
B. It can fetch user information from Active Directory on behalf of a WSA or Cisco ISE
C. It enables communication from the partner platform to the pxGrid controller
D. It supports an agentless solution for Cisco ISE
E. It leverages Cisco ISE control functions to manage connections and share information between partners
F. It fetches user information from Active Directory and transmits it to the pxGrid controller
Answer: C

14. Which criteria does the ASA use for packet classification if multiple contexts share an ingress interface MAC address?
A. ASA ingress interface IP address
B. Policy-based routing on the ASA
C. Destination IP address
D. Destination MAC address
E. ASA ingress interface MAC address
F. ASA NAT configuration
G. ASA egress interface IP address
Answer: F

15. Refer to the exhibit. What could be the reason for the Dot1x session failure?
A. Incorrect identity source referenced
B. Incorrect authorization permission
C. Incorrect authentication rule
D. Identity source has the user present but not enabled
E. Incorrect authorization condition
F. Incorrect user group
G. Incorrect user string
Answer: D

16. For your enterprise ISE deployment, you want to use certificate-based authentication for all your Windows machines. You have already pushed the machine and user certificates out to all the machines using GPO. By default, certificate-based authentication does not check the certificate against Active Directory or require credentials from the user. This essentially means that no groups are returned as part of the authentication request. In which way can the user be authorized based on Active Directory group membership?
A. The certificate must be configured with the appropriate attributes that contain the appropriate group information, which can be used in authorization policies
B. Configure the Windows supplicant to use saved credentials as well as certificate-based authentication
C. Enable Change of Authorization on the deployment to perform double authentication
D. Configure the Network Access Device to bypass certificate-based authentication and push configured user credentials as a proxy to ISE
E. Use EAP authorization to retrieve group information from Active Directory
F. Use ISE as the Certificate Authority, which allows for automatic group retrieval from Active Directory to perform the required authorization
Answer: D

17. Refer to the exhibit.

R3
    ip vrf mgmt
    !
    crypto keyring CCIE vrf mgmt
     pre-shared-key address 0.0.0.0 0.0.0.0 key cisco
    !
    crypto isakmp policy 33
     encr 3des
     authentication pre-share
     group 2
     lifetime 600
    !
    crypto ipsec transform-set site_ab esp-aes-256 esp-sha-hmac
     mode tunnel
    !
    crypto ipsec profile site_a
     set security-association lifetime seconds 600
     set transform-set site_ab
    !
    crypto gdoi group group_a
     identity number 100
     server local
      rekey algorithm aes 256
      rekey lifetime seconds 300
      rekey retransmit 10 number 3
      rekey authentication mypubkey rsa cciekey
      rekey transport unicast
      sa ipsec 1
       profile site_a
       match address ipv4 site_a
       replay counter window-size 64
       no tag
      address ipv4 10.1.20.3
    !
    interface GigabitEthernet3
     ip address 10.1.20.3 255.255.255.0
    !
    ip access-list extended site_a
     permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255

R3 is the Key Server in a GETVPN VRF-Aware implementation. The Group Members for site_a register with the key server via interface address 10.1.20.3/24 in the management VRF "mgmt". The GROUP ID for site_a is 100, used to retrieve group policy and keys from the key server. The traffic to be encrypted by the site_a Group Members is between 192.186.4.0/24 and 192.186.5.0/24. The preshared key used by the Group Members to authenticate with the Key Server is "cisco". It has been reported that Group Members are unable to perform encryption for the traffic defined in the group policy of site_a. What could be the issue? (Choose two)
A. Incorrect encryption traffic defined in the group policy
B. Incorrect mode configuration in the transform set
C. Incorrect password in the keyring configuration
D. Incorrect security-association time in the IPsec profile
E. Incorrect encryption in the ISAKMP policy
F. The GDOI group has an incorrect local server address
G. The registration interface is not part of management VRF "mgmt"
Answer: A, G

18. VARIATION 2. Refer to the exhibit.

R3
    ip vrf mgmt
    !
    crypto keyring CCIE vrf mgmt
     pre-shared-key address 0.0.0.0 0.0.0.0 key cisco
    !
    crypto isakmp policy 33
     encr 3des
     authentication pre-share
     group 2
     lifetime 600
    !
    crypto ipsec transform-set site_ab esp-aes-256 esp-sha-hmac
     mode tunnel
    !
    crypto ipsec profile site_a
     set security-association lifetime seconds 600
     set transform-set site_ab
    !
    crypto gdoi group group_a
     identity number 100
     server local
      rekey algorithm aes 256
      rekey lifetime seconds 300
      rekey retransmit 10 number 3
      rekey authentication mypubkey rsa cciekey
      rekey transport unicast
      sa ipsec 1
       profile site_a
       match address ipv4 site_a
       replay counter window-size 64
       no tag
      address ipv4 10.1.20.3
    !
    interface GigabitEthernet3
     ip address 10.1.20.3 255.255.255.0
    !
    ip access-list extended site_a
     permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255

R3 is the key server in a GETVPN VRF-Aware implementation. The group members for site_a register with the key server via interface address 10.1.20.3/24 in the management VRF "mgmt". The GROUP ID for site_a is 100, used to retrieve group policy and keys from the key server. The traffic to be encrypted by the site_a group members is between 192.186.4.0/24 and 192.186.5.0/24. The preshared key used by the group members to authenticate with the key server is "cisco". It has been reported that group members cannot perform encryption for the traffic defined in the group policy of site_a. Which two possible issues are true? (Choose two)
A. The registration interface is not part of management VRF "mgmt"
B. Incorrect encryption traffic defined in the group policy
C. Incorrect encryption in the ISAKMP policy
D. Incorrect password in the keyring configuration
E. The GDOI group has an incorrect local server address
F. Incorrect security-association time in the IPsec profile
Answer: A, B

19. Which of the following Cisco products gives the ability to interact with malware for behavior analysis?
A. NGIPS
B. FMC
C. ASA
D. DNA
E. Threat Grid
F. pxGrid
Answer: E

20. Which of the following is part of the DevOps virtuous cycle?
A. Lower quality
B. Increased latency
C. Slower releases
D. Improved scalability
Answer: D

21. How would you best describe Jenkins?
A. An orchestration tool
B. A continuous integration and delivery application
C. Operations in a client/server model
D. Web-based repository hosting service
E. A REST client
Answer: B

22. Refer to the exhibit.

R15
    crypto pki trustpoint ccier15
     enrollment url http://172.16.100.17:8080
     serial-number
     ip-address 172.16.100.15
     subject-name CN=r15 O=cisco.com
     revocation-check none
     source interface Loopback0
     rsakeypair ccier15
    !
    crypto isakmp policy 1516
     encr aes
     hash md5
     group 2
    !
    crypto ipsec transform-set ts1516 esp-aes esp-sha-hmac
     mode tunnel
    !
    crypto map r15r16 1516 ipsec-isakmp
     set peer 10.1.7.16
     set transform-set ts1516
     match address 110
    !
    interface Loopback0
     ip address 172.16.100.15 255.255.255.255
    !
    interface Loopback1
     ip address 192.168.15.15 255.255.255.0
    !
    interface GigabitEthernet1
     ip address 20.1.6.15 255.255.255.0
     negotiation auto
     crypto map r15r16
    !
    router bgp 6
     bgp log-neighbor-changes
     network 172.16.100.15 mask 255.255.255.255
     neighbor 20.1.6.18 remote-as 678
     neighbor 20.1.6.18 password cisco
    !
    ip route 192.168.16.0 255.255.255.0 20.1.7.16
    access-list 110 permit ip 192.168.15.0 0.0.0.255 192.168.16.0 0.0.0.255
    !
    ntp authentication-key 11 md5 ccie
    ntp authenticate
    ntp trusted-key 12
    ntp server 150.1.7.131 key 12
    !
    ip domain name cisco.com

R15 is trying to initiate a site-to-site IPsec certificate-based VPN tunnel with the peer at 20.1.7.16. The CA is running on port 80 at address 172.16.100.18. R15 has a BGP peer at 20.1.6.18 using an authenticated session to establish reachability with the VPN remote site. The VPN tunnel will secure traffic between the 192.168.15.0/24 and 192.168.16.0/24 networks. It has been reported that the VPN tunnel is not coming up with the remote site. What could be the issue? (Choose two)
A. Incorrect ACL defined for the traffic encryption
B. Incorrect static route
C. Incorrect crypto map configuration
D. Incorrect ISAKMP policy configuration
E. The crypto map is not applied on the correct interface
F. Incorrect trustpoint configuration
G. Incorrect BGP peer configuration
H. Incorrect transform set configuration
Answer: F, G

23. Refer to the exhibit. The AMP cloud is configured to report AMP Connector scan events from Windows machines belonging to the "Audit" group to FMC, but the scan events are not showing up in FMC. What could be the possible cause?
A. The AMP cloud is pointing to an incorrect FMC address
B. Possible issues with the certificate download from the AMP cloud for FMC integration
C. An incorrect group is selected for the event export in the AMP cloud for FMC
D. The events should be viewed as "Malware" events in FMC
E. The DNS address is misconfigured on FMC
F. FMC is pointing to an incorrect AMP cloud address
Answer: D

24. Refer to the exhibit.

    R1(config)#parameter-map type inspect param-map
    R1(config-profile)#sessions maximum 10000
    R1(config-profile)#
    R1(config-profile)#class-map type inspect match-any class
    R1(config-cmap)#match protocol tcp
    R1(config-cmap)#match protocol udp
    R1(config-cmap)#match protocol icmp
    R1(config-cmap)#match protocol ftp
    R1(config-cmap)#
    R1(config-cmap)#policy-map type inspect policy
    R1(config-cmap)#class type inspect class
    R1(config-cmap-c)#inspect param-map
    R1(config-cmap-c)#
    R1(config-cmap-c)#zone security z1
    R1(config-sec-zone)#zone security z2
    R1(config-sec-zone)#
    R1(config-sec-zone)#zone-pair security zp source z1 destination z2
    R1(config-sec-zone-pair)#service-policy type inspect policy

Which two statements about the given IPv6 ZBF configuration are true? (Choose two)
A. It passes TCP, UDP, ICMP, and FTP traffic in both directions between z1 and z2
B. It provides backward compatibility with legacy IPv4 inspection
C. It passes TCP, UDP, ICMP, and FTP traffic from z1 to z2
D. It inspects TCP, UDP, ICMP, and FTP traffic from z2 to z1
E. It provides backward compatibility with legacy IPv6 inspection
F. It inspects TCP, UDP, ICMP, and FTP traffic from z1 to z2
Answer: E, F

25. On the Nexus 9000, in Python interactive mode, which command is correctly used to disable an interface?
A. cli(conf t; interface eth1/1; shutdown")
B. cli("conf t"),cli(interface eth1/1"), cli("shutdown")
C. cli("interface eth1/1; shutdown")
D. cli(conf t"), cli("interface eth 1/1 shutdown")
Answer: A

26. Which statement about SMTP authentication in a Cisco ESA deployment is true?
A. Clients can be authenticated with an LDAP bind or by fetching a passphrase as an attribute
B. The LDAP servers used by an ESA must share a single SMTP authentication profile
C. If an authenticating user belongs to more than one LDAP group, each with different user roles, AsyncOS grants permissions in accordance with the least restrictive user role
D. When SMTP authentication with forwarding is performed by a second SMTP server, the second server also performs the transfer of queued messages
E. It enables users at remote sites to release email messages from the spam quarantine
F. It enables users at remote sites to retrieve their email messages via a secure client
Answer: A

27. In FMC, a correlation rule can be based on which two elements? (Choose two)
A. Authorization rule
B. Intrusion event
C. CoA (Change of Authorization)
D. Traffic profile variation
E. NDAC (Network Device Admission Control)
F. SGT (Security Group Tag) mapping
G. Database type
H. Authentication condition
Answer: B, D

28. Refer to the exhibit.

ASA1
    router ospf 12
     network 10.1.11.0 255.255.255.0 area 1
     area 1 authentication message-digest
    !
    interface GigabitEthernet0/1
     nameif inside
     security-level 100
     ip address 10.1.11.1 255.25.255.0 standby 10.1.11.2
     ospf message-digest-key 12 md5 cisco

R2
    router ospf 12
     area 0 authentication message-digest
     area 1 authentication message-digest
     network 10.1.11.0 0.0.0.255 area 1
     network 10.1.12.0 0.0.0.255 area 0
     network 172.16.100.0 0.0.0.255 area 0
    !
    interface GigabitEthernet2
     ip address 10.1.11.22 255.255.255.0
     ip ospf message-digest-key 21 md5 cisco

Firewall ASA1 and router R2 are running an OSPF routing process in area 1, connected via the 10.1.11.0/24 subnet in the inside zone. It has been reported that ASA1 is unable to see any OSPF-learned routes. What could be the reason? (Choose two)
A. On R2, the 10.1.11.0/24 subnet must be in area "0" in the OSPF routing process
B. On ASA1, the standby interface must be disabled on the Gi0/1 interface
C. On R2, an incorrect subnet is defined for the Gi2 interface
D. On ASA1, the Gi0/1 interface must have its security level set to "0"
E. On ASA1, an incorrect subnet mask is configured on the Gi0/1 interface
F. R2 has mismatched message-digest key IDs
G. On R2, the 172.16.100.0/24 subnet must not be in the OSPF routing process
Answer: C, F

29. A user attempts to browse the Internet through a CWS-integrated router and an HTTP 403 Forbidden error message is returned. Which reason for the problem is the most likely?
A. The CWS connector is down
B. The CWS license has expired
C. The connection timed out
D. User authentication failed
E. The user attempted to access a web site that is blocked by CWS policy
F. The user is not logged in to CWS
Answer: B

30. What does NX-API use as its transport?
B. FTP
C. SSH
D. SFTP
E. HTTP/HTTPS
Answer: E


31. All your remote users use AnyConnect VPN to connect into your corporate network, with an ASA providing the VPN services. Authentication is through ISE using RADIUS as the protocol; ISE uses Active Directory as the identity source. You want to be able to assign different policies to users depending on their group membership in Active Directory. Which is one possible way of doing that?
A. Configure an authorization policy in ISE to send back a RADIUS Class-25 attribute with the name of the ASA Tunnel Group (Connection Profile)
B. This is only possible when LDAP authorization is configured directly to Active Directory
C. Configure an authentication policy in ISE to send back a RADIUS Class-25 attribute with the name of the ASA Group Policy
D. Configure an authentication policy in ISE to send back a RADIUS Class-25 attribute with the name of the ASA Tunnel Group (Connection Profile)
E. Configure an authorization policy in ISE to send back a RADIUS Class-25 attribute with the name of the ASA Group Policy
Answer: E

32. What are the two different modes in which the Private AMP cloud can be deployed? (Choose two)
A. Hybrid mode
B. Internal mode
C. Air Gap mode
D. External mode
E. Cloud-Proxy mode
F. Public mode
Answer: C, E

33. Refer to the exhibit.

    aaa authentication login default group radius
    aaa authentication login NO_AUTH none
    aaa authentication login vty local
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    aaa accounting update newinfo
    aaa accounting dot1x default start-stop group radius
    !
    ip dhcp excluded-address 60.1.1.11
    ip dhcp excluded-address 60.1.1.2
    !
    ip dhcp pool mabpc-pool
     network 60.1.1.0 255.255.255.0
     default-router 60.1.1.2
    !
    cts sxp enable
    cts sxp default source-ip 10.9.31.22
    cts sxp default password ccie
    cts sxp connection peer 10.9.31.1 password default mode peer listener hold-time 0
    !
    dot1x system-auth-control
    !
    interface GigabitEthernet1/0/9
     switchport mode access
     ip device tracking maximum 10
     authentication host-mode multi-auth
     authentication port-control auto
     mab
    !
    radius-server host 161.1.7.14 key cisco
    radius-server timeout 60
    !
    interface Vlan10
     ip address 10.9.31.22 255.255.255.0
    !
    interface Vlan50
     no ip address
    !
    interface Vlan60
     ip address 60.1.1.2 255.255.255.0
    !
    interface Vlan150
     ip address 150.1.7.2 255.255.255.0

Looking at the configuration, what may cause MAB authentication to fail for a supplicant?
A. There is an issue with the DHCP pool configuration
B. The VLAN configuration is missing on the authentication port
C. Incorrect CTS configuration on the switch
D. AAA authorization is incorrectly configured on the switch
E. CoA configuration is missing
F. Dot1x should be globally disabled for MAB to work
G. The switch is properly configured and the issue is on the RADIUS server
Answer: E


34. Which statement describes a pure SDN framework environment?
A. The control plane and data plane are pulled from the networking element and put in an SDN controller and SDN agent
B. The control plane function is split between an SDN controller and the networking element
C. The data plane is pulled from the networking element and put in an SDN controller
D. The data plane is controlled by a centralized SDN element
E. The control plane is pulled from the networking element and put in an SDN controller
Answer: E

35. Which of the following configuration management tools does the Nexus 9000 platform support?
A. Ansible
B. Chef
C. Jenkins
D. Puppet
E. Salt
Answer: D

36. Refer to the exhibit. Which two effects of this configuration are true? (Choose two)
A. If the TACACS+ server is unreachable, the switch places hosts on critical ports in VLAN 50
B. The device allows multiple authenticated sessions for a single MAC address in the voice domain
C. If multiple hosts have authenticated to the same port, each can be in their own assigned VLAN
D. If the authentication priority is changed, the order in which authentication is performed also changes
E. The switch periodically sends an EAP-Identity-Request to the endpoint supplicant
F. The port attempts 802.1x authentication first, and then falls back to MAC authentication bypass
Answer: C, F

37. Which three statements about SXP are true? (Choose three)
A. To enable an access device to use IP device tracking to learn source device IP addresses, DHCP snooping must be configured
B. Each VRF supports only one CTS-SXP connection
C. It resides in the control plane, where connections can be initiated from a listener
D. Separate VRFs require different CTS-SXP peers, but they can use the same source IP addresses
E. The SGA ZBPF uses the SGT to apply forwarding decisions
F. Packets can be tagged with SGTs only with hardware support
Answer: B, E, F

38. Refer to the exhibit. Which two effects of this configuration are true? (Choose two)
A. Configuration commands on the router are authorized without checking the TACACS+ server
B. When a user logs in to privileged EXEC mode, the router will track all user activity
C. Requests to establish a reverse AUX connection to the router will be authorized against the TACACS+ server
D. When a user attempts to authenticate on the device, the TACACS+ server will prompt the user to enter the username stored in the router's database
E. If a user attempts to log in as a level 15 user, the local database will be used for authentication and the TACACS+ server will be used for authorization
F. It configures the router's local database as the backup authentication method for all TTY, console, and aux logins
Answer: A, B

39. Refer to the exhibit.

    Switch-A(config)# cgmp leave-processing

Which two effects of this configuration are true? (Choose two)
A. It allows the switch to detect IGMPv2 leave group messages
B. It optimizes the use of network bandwidth on the LAN segment
C. IGMPv2 leave group messages are stored in the switch CAM table for faster processing
D. Hosts send leave group messages to the Solicited-Node multicast address FF02::1:FF00:0000/104
E. It improves the processing time of CGMP leave messages
F. Hosts send leave group messages to the all-routers multicast address when they want to stop receiving data for that group
Answer: B, F

40. Which three types of addresses can the Botnet Filter feature of the Cisco ASA monitor? (Choose three)
A. Known allowed addresses
B. Dynamic addresses
C. Internal addresses
D. Ambiguous addresses
E. Known malware addresses
F. Listed addresses
Answer: A, D, E

41. Which two statements about 802.1x components are true? (Choose two)
A. The certificates that are used in the client-server authentication process are stored on the access switch
B. The access layer switch is the policy enforcement point
C. The RADIUS server is the policy enforcement point
D. The RADIUS server is the policy information point
E. An LDAP server can serve as the policy enforcement point
Answer: B, D


42. Refer to the exhibit. Which two effects of this configuration are true? (Choose two)
A. User five can view usernames and passwords
B. User superuser can view the configuration
C. User superuser can change usernames and passwords
D. User superuser can view usernames and passwords
E. User five can execute the show run command
F. User cisco can view usernames and passwords
Answer: B, E

43. In a Cisco ASA multiple-context mode of operation configuration, which three session types are resource-limited by default when their context is a member of the default class? (Choose three)
A. RADIUS sessions
B. TCP sessions
C. SSL VPN sessions
D. CTS sessions
E. SSH sessions
F. TELNET sessions
G. ASDM sessions
H. IPsec sessions
Answer: E, F, H

44. A network architect has been tasked to migrate a customer's legacy infrastructure switches from the Nexus 9000 platform. Which of the following will help him achieve this milestone?
A. Create a container providing a separate execution space
B. Manage software upgrades via the guest shell
C. Set up a web-based interface for configuration management
D. Allow guests temporary access to the CLI without logging in
Answer: A

45. In your corporate environment, you have various Active Directory groups based on the organizational structure and would like to ensure that users are only able to access certain resources depending on which group(s) they belong to. This policy should apply across the network. You have ISE, ASA and WSA deployed, and would like to ensure the appropriate policies are present so that access is granted only based on the user's group membership. Additionally, you don't want the user to authenticate multiple times to get access. Which two policies are used to set this up? (Choose two)
A. Deploy Cisco TrustSec infrastructure, with ASA and WSA integrated with ISE to transparently identify users based on SGT assignment. When the user authenticates to the network, the SGTs can then be used in access policies
B. Deploy ISE, integrate it with Active Directory, and based on group membership authorize the user to specific VLANs. These VLANs (with specific subnets) should then be used in access policies on the ASA as well as the WSA
C. Deploy a Single Sign-On infrastructure such as Ping, and integrate ISE, ASA and WSA with it. Access policies will be applied based on the user's group membership retrieved from the authentication infrastructure
D. Configure ISE as an SSO Service Provider, and integrate it with ASA and WSA using pxGrid. ASA and WSA will be able to extract the relevant identity information from ISE to apply to the access policies once the user has authenticated to the network
E. Integrate ISE, ASA and WSA with Active Directory. Once the user is authenticated to the network through ISE, the ASA and WSA will automatically extract the identity information from AD to apply the appropriate access policies
F. Configure ISE to relay learned SGTs for the authenticated sessions with the bound destination address using SXP to SXP speakers that will be used to apply access policies at the traffic ingress point for segmentation
Answer: A, C

46. Refer to the exhibit.

R9
    crypto ikev2 keyring ccier10
     peer r10
      address 20.1.4.11
      pre-shared-key local ccier10
      pre-shared-key remote ccier10
    !
    crypto ikev2 profile ccier10
     match identity remote address 20.1.4.10 255.255.255.255
     authentication local pre-share
     authentication remote pre-share
     keyring local ccier10
    !
    crypto ipsec profile ccier10
     set ikev2-profile ccier10
    !
    interface Loopback1
     ip address 192.168.9.9 255.255.255.0
    !
    interface Tunnel34
     ip address 172.16.2.9 255.255.255.0
     tunnel source GigabitEthernet1
     tunnel destination 20.1.4.10
     tunnel protection ipsec profile ccier10
    !
    interface GigabitEthernet1
     ip address 20.1.3.9 255.255.255.0
     negotiation auto
    !
    router eigrp 34
     network 172.16.2.0 0.0.0.255
     network 192.168.9.0
    !
    router bgp 3
     bgp log-neighbor-changes
     network 20.1.3.0 mask 255.255.255.0
     neighbor 20.1.3.12 remote-as 345
     neighbor 20.1.3.12 password cisco

R9 is running FlexVPN with peer R10 at 20.1.4.10 using the pre-shared key "ccier10". The IPsec tunnel is sourced from the 172.16.2.0/24 network and is included in the EIGRP routing process. The BGP next hop is AS 345 with address 20.1.3.12. It has been reported that FlexVPN is down. What could be the issue?
A. Incorrect IPsec profile configuration
B. Incorrect tunnel network address in the EIGRP routing process
C. Incorrect tunnel source for the tunnel interface
D. Incorrect keyring configuration
E. Incorrect IKEv2 profile configuration
F. Incorrect local network address in the BGP routing process
Answer: D

47. All your employees are required to authenticate their devices to the network, be they company-owned or employee-owned assets, with ISE as the authentication server. The primary identity store used is Microsoft Active Directory, with username and password authentication. To ensure the security of your enterprise, your security policy dictates that only company-owned assets should be able to get access to the enterprise network, while personal assets should have restricted access. Which option would allow you to enforce this policy using only ISE and Active Directory?
A. Configure an authentication policy that uses the computer credentials in Active Directory to determine whether the device is company-owned or personal
B. This would require deployment of a Mobile Device Management (MDM) solution, which can be used to register all devices against the MDM server, and use that to assign appropriate access levels
C. Configure an authentication policy that checks against the MAC address database of company assets in the ISE endpoint identity store to determine the level of access depending on the device
D. Configure an authorization policy that checks against the MAC address database of company assets in the ISE endpoint identity store to determine the level of access depending on the device
E. Configure an authorization policy that assigns the device the appropriate profile based on whether the device passes Machine Authentication or not
Answer: D

48. VARIATION 1. Which statement is correct regarding SenderBase functionality?
A. ESA sees a high negative score from SenderBase as very unlikely that the sender is sending spam
B. SenderBase uses DNS-based blacklists as one of the sources of information to define the reputation score of the sender's IP address
C. WSA uses SenderBase information to configure URL filtering policies
D. ESA uses destination address reputation information from SenderBase to configure mail policies
E. SenderBase uses spam complaints as one of the sources of information to define the reputation score of the receiver's IP address
F. ESA sees a high positive score from SenderBase as very likely that the sender is sending spam
Answer: B

49. VARIATION 2 Which statement is correct regarding the Sender Base functionality?
A. ESA sees a high negative score from Sender Base as very unlikely that the sender is sending spam
B. Sender Base uses a DNS-based blacklist as one of the sources of information to define the reputation score of the sender's IP address
D. ESA uses destination address reputation information from Sender Base to configure mail policies
receiver IP address
F. ESA sees a high positive score from Sender Base as very likely that the sender is sending spam
G. ESA uses source address reputation to configure URL filtering policies
Answer: B

50. In your network, you require all guests to authenticate to the network before getting access. However, you don't want to be stuck creating or approving accounts. It is preferred that this is all taken care of by the user, as long as their device is registered. Which two mechanisms can be used to provide this functionality? (Choose two)
A. Social media login, with device registration
B. Guest's own organization authentication service, with device registration
C. PAP-based authentication, with device registration
D. Active Directory, with device registration
E. 802.1X-based user registration, with device registration
F. Self-registration of user, with device registration
Answer: A, F

51. You have an ISE deployment with two nodes that are configured as PAN and MnT (Primary and Secondary), and 4 Policy Service Nodes. How many additional PSNs can you add to this deployment?
A. 0
B. 1
C. 3
D. 5
E. 4
Answer: B

52. A device on your internal network is hard-coded with two DNS servers on the Internet (1.1.1.53, 2.2.2.53). However, you want to send all requests to your OpenDNS server (208.67.222.222). Which set of commands do you run on the ASA to achieve this goal?
A.
    static (inside,outside) source any 1.1.1.53 destination 208.61.222.222 eq domain
    static (inside,outside) source any 2.2.2.53 destination 208.67.222.222 eq domain
B.
    static (inside,outside) source any 208.67.222.222 destination 1.1.1.53 eq domain
    static (inside,outside) source any 208.67.222.222 destination 2.2.2.53 eq domain
C.
    static (inside,outside) source any destination 208.67.222.222 eq domain
D.
    static (outside,inside) source any 208.67.222.222 destination 1.1.1.56 eq domain
    static (outside,inside) source any 208.67.222.222 destination 2.2.2.53 eq domain
E.
    nat (inside,outside) source any 1.1.1.53 destination 208.67.222.222 eq domain
    nat (inside,outside) source any 2.2.2.53 destination 208.67.222.222 eq domain
F.
    object network OpenDNS
     host 208.67.222.222
    !
    object network Rogue1-DNS
     host 1.1.1.53
    object network Rogue2-DNS
     host 2.2.2.53
    !
    object-group network Rogue-DNS
     network-object object Rogue1-DNS
     network-object object Rogue2-DNS
    !
    object service udp-DNS
     service udp destination eq domain
    !
    object service tcp-DNS
     service tcp destination eq domain
    !
    nat (inside,outside) source static any interface destination static Rogue-DNS OpenDNS service udp-DNS udp-DNS
    nat (inside,outside) source static any interface destination static Rogue-DNS OpenDNS service tcp-DNS tcp-DNS
G.
    nat (inside,outside) source static any interface destination static Rogue-DNS OpenDNS service udp-DNS udp-DNS
    nat (inside,outside) source static any interface destination static Rogue-DNS OpenDNS service udp-DNS udp-DNS
H.
    object network OpenDNS
     host 1.1.1.53
    object network Rogue1-DNS
     host 2.2.2.53
    !
    object-group network rogue1-DNS
     network-object object Rogue1-DNS
     network-object object Rogue2-DNS
    !
    object service udp-DNS
     service udp destination eq domain
    !
    object service tcp-DNS
     service tcp destination eq domain
    !
    nat (inside,outside) source static any interface destination static OpenDNS RogueDNS service udp-DNS udp-DNS
    nat (inside,outside) source static any interface destination static OpenDNS RogueDNS service tcp-DNS tcp-DNS
Answer: F

53. The purpose of an authentication proxy is to force the user to authenticate to a network device before the user is allowed access through the device. This is primarily used for HTTP-based services but can also be used for other services. In the case of an ASA, what does ISE have to send to enforce this access policy?
A. LDAP attribute with ACL
B. Group policy enabled for proxy-auth
C. Downloadable ACL
D. Not possible on the ASA
E. VLAN
F. Redirect URL to ISE
Answer: C

54. What are the advantages of using LDAP over AD?
A. LDAP allows for granular policy control, whereas AD does not
B. LDAP provides for faster authentication
C. LDAP can be configured to use primary and secondary servers, whereas AD cannot
D. LDAP does not require ISE to join the AD domain
E. The closest LDAP servers are used for authentication
Answer: C

55. In a large organization, with thousands of employees scattered across the globe, it is difficult to provision and onboard new employee devices with the correct profiles and certificates. With ISE, it is possible to do client provisioning, provided that four conditions are met. (Choose four)
A. The endpoint operating system should be supported
B. Client provisioning is enabled on ISE
C. The pxGrid controller should be enabled on ISE
D. Device MAC addresses are added to the endpoint identity group
E. Profiling is enabled on ISE
F. SCEP proxy is enabled on ISE
G. Microsoft Windows Server is configured with certificate services
H. ISE should be configured as an SXP listener to push SGT-to-IP mappings to network access devices
I. Network access devices and ISE should have PAC provisioning for CTS environment authentication
Answer: B, D, E, F

