The Latest 400-251 Exam ☆ Instant Download ☆ Free Update for 180 Days
Vendor: Cisco Exam Code: 400-251 Exam Name: CCIE Security Written Exam v5.1 Version: 13.05 Q & As: 354
Guaranteed Success with EnsurePass VCE Software & PDF File
The Latest 400-251 Exam ☆ Instant Download ☆ Free Update for 180 Days
QUESTION 1 Which two statements about uRPF are true? (Choose two) A. The administrator can configure the allow-default command to force the routing table to use only the default route B. In strict mode, only one routing path can be available to reach network devices on a subnet C. The administrator can use the show cef interface command to determine whether uRPF is enabled D. The administrator can configure the ip verify unicast source reachable-via any command to enable the RPF check to work through HSRP routing groups E. It is not supported on the Cisco ASA security appliance Correct Answer: BC Explanation: Reverse Path Forwarding http://www.cisco.com/c/en/us/about/security-center/unicast-reverse-path-forwarding.html
QUESTION 2 Within Platform as a Service, which two components are managed by the customer? (Choose two.) A. B. C. D. E.
Data networking middleware applications operating system
Correct Answer: AD
QUESTION 3 Which two options are benefits of the Cisco ASA Identity Firewall? (Choose two.) A. B. C. D. E.
It can identify threats quickly based on their URLs. It can operate completely independently of their services. It can apply security policies on an individual user or user-group basis. It decouples security policies from the network topology. It supports an AD server module to verify identity data.
Correct Answer: CD
QUESTION 4 Which statement regarding the routing functions of the Cisco ASA is true running software version 9.2? A. The translation table cannot override the routing table for new connections. B. Routes to the NuLL0 interface cannot be configured to black-hole traffic. C. In a failover pair of ASAs, the standby firewall establishes a peer relationship with OSPF neighbors. D. The ASA supports policy-based routing with route maps. Guaranteed Success with EnsurePass VCE Software & PDF File
The Latest 400-251 Exam ☆ Instant Download ☆ Free Update for 180 Days
Correct Answer: A
QUESTION 5 Which three options are fields in a CoA Request Response code packet? (Choose three.) A. B. C. D. E. F.
Length Acct-session-ID Calling-station-ID Identifier Authenticator State
Correct Answer: BCF
QUESTION 6 Which three statements about VRF-Aware Cisco Firewall are true? (Choose three.) A. B. C. D. E. F.
It supports both global and per-VRF commands and DoS parameters. It enables service providers to deploy firewalls on customer devices. It can generate syslog messages that are visible only to individual VPNs. It can support VPN networks with overlapping address ranges without NAT. It enables service providers to implement firewalls on PE devices. It can run as more than one instance.
Correct Answer: CEF
QUESTION 7 Which two options are unicast address types for IPv6 addressing? (Choose two.) A. B. C. D. E.
static link-local established dynamic global
Correct Answer: BE
QUESTION 8 Which two commands would enable secure logging on a Cisco ASA to a syslog server at 10.0.0.1? (Choose two.) A. B. C. D. E.
logging host inside 10.0.0.1 UDP/500 secure logging host inside 10.0.0.1 TCP/1470 secure logging host inside 10.0.0.1 UDP/447 secure logging host inside 10.0.0.1 UDP/514 secure logging host inside 10.0.0.1 TCP/1500 secure
Correct Answer: BE Guaranteed Success with EnsurePass VCE Software & PDF File
The Latest 400-251 Exam ☆ Instant Download ☆ Free Update for 180 Days
QUESTION 9 Which effect of the crypto key encrypt write rsa command on a router is true? A. B. C. D. E.
The device locks the encrypted key, but the key is lost when the router is reloaded. The device encrypts and locks the key before authenticating it with an external CA server. The device unlocks the encrypted key, but the key is lost when the router is reloaded. The device locks the encrypted key and saves it to the NVRAM. The device saves the unlocked encrypted key to the NVRAM.
Correct Answer: E
QUESTION 10 Which three statements about Cisco AnyConnect SSL VPN with the ASA are true? (Choose three) A. B. C. D.
DTLS can fall back to TLS without enabling dead peer detection. By default, the VPN connection connects with DTLS. Rea-time application performance improves if DTLS is implemented Cisco AnyConnect connections use IKEv2 by default when it is configure as the primary protocol on the client. E. By default, the ASA uses the Cisco AnyConnect Essentials license. F. The ASA will verify the remote HTTPS certificate. Correct Answer: CDE
QUESTION 11 Which two statements about Cisco URL Filtering on Cisco IOS Software are true? (Choose two) A. B. C. D. E. F.
It supports Websense and N2H2 filtering at the same time, It supports local URL lists and third-party URL filtering servers. By default, it uses ports 80 and 22. It supports HTTP and HTTPS traffic. BY default, it allows all URLs when the connection to the filtering server is down. It requires minimal CPU time.
Correct Answer: BF
QUESTION 12 Which statement about VRF-aware GDOI group members is true? A. B. C. D.
The GM cannot route control traffic through the same VRF as data traffic. Multiple VRFs are used to separate control traffic and data traffic. Registration traffic and rekey traffic must operate on different VRFs. IPsec is used only to secure data traffic.
Correct Answer: B
Guaranteed Success with EnsurePass VCE Software & PDF File
The Latest 400-251 Exam ☆ Instant Download ☆ Free Update for 180 Days
QUESTION 13 Which statement about managing Cisco ISE Guest Services is true? A. Only a Super Admin or System Admin can delete the default Sponsor portal. B. Only ISE administrators from an external identify store can be members of a Sponsor group. C. By default, an ISE administrator can manage only the guest accounts he or she created in the Sponsor portal. D. ISE administrators can view and set a guest's password to a custom value in the Sponsor portal. E. ISE administrators can access the Sponsor portal only if they have valid Sponsor accounts. F. ISE administrators can access the Sponsor portal only from the Guest Access menu. Correct Answer: C
QUESTION 14 What is an example of a stream cipher? A. B. C. D.
RC4 RC5 DES Blowfish
Correct Answer: A
QUESTION 15 Which two options are benefits of global ACLs? (Choose two) A. They save memory because they work without being replicated on each interface. B. They are more efficient because they are processed before interface access rules. C. They are flexible because they match source and destination IP addresses for packets that arrive on any interface. D. They only operate on logical interfaces. E. They can be applied to multiple interfaces. Correct Answer: AC
QUESTION 16 Refer to the exhibit. What is the maximum number of site-to-site VPNs allowed by this configuration?
A. 10 Guaranteed Success with EnsurePass VCE Software & PDF File
The Latest 400-251 Exam ☆ Instant Download ☆ Free Update for 180 Days
B. C. D. E. F.
unlimited 5 0 1 15
Correct Answer: F
QUESTION 17 Which three statements about 802.1x multiauthentication mode are true? (Choose three.) A. B. C. D. E. F.
It is recommended for guest VLANs. On non-802.1x devices, it can support only one authentication method on a single port. Each multiauthentication port can support only one voice VLAN. It is recommended for auth-fall VLANs. It requires each connected client to authenticate individually. It can be deployed in conjunction with MDA functionality on voice VLANs.
Correct Answer: CEF
QUESTION 18 Refer to the exhibit. Which two effects of this configuration are true? (Choose two.)
A. B. C. D. E. F.
The BGP neighbor session between R1 and R2 re-establishes after 100 minutes. A warning message is displayed on R2 after it receives 50 prefixes. A warning message is displayed on R2 after it receives 100 prefixes from neighbor 1.1.1.1. The BGP neighbor session between R1 and R2 re-establishes after 50 minutes. The BGP neighbor session tears down after R1 receive 100 prefixes from neighbor 1.1.1.1. The BGP neighbor session tears down after R1 receive 200 prefixes from neighbor 2.2.2.2.
Correct Answer: CF
QUESTION 19 Which three statements about WCCP are true? (Choose three.) A. The minimum WCCP-Fast Timers messages interval is 500 ms B. Is a specific capability is missing from the Capabilities Info component, the router is assumed to support the default capability C. If the packet return method is missing from a packet return method advertisement, the web cache uses the Layer 2 rewrite method Guaranteed Success with EnsurePass VCE Software & PDF File
The Latest 400-251 Exam ☆ Instant Download ☆ Free Update for 180 Days
D. The router must receive a valid receive ID before it negotiates capabilities E. The assignment method supports GRE encapsulation for sending traffic F. The web cache transmits its capabilities as soon as it receives a receive ID from router Correct Answer: ACE Explanation: Web Cache Communication Protocol (WCCP) http://www.cisco.com/c/en/us/td/docs/security/asa/special/wccp/guide/asa-wccp.html
QUESTION 20 What are the two different modes in which private AMP cloud can be deployed ? (Choose two) A. B. C. D. E. F.
Air Gap Mode External Mode Internal Mode Public Mode Cloud Mode Cloud Proxy Mode
Correct Answer: AF
QUESTION 21 Which best practice can limit inbound TTL expiry attacks? A. B. C. D.
Setting the TTL value to zero. Setting the TTL value to more than longest path in the network. Setting the TTL value equal to the longest path in the network. Setting the TTL value to less than the longest path in the network.
Correct Answer: B Explanation: In practice, filtering packets whereby TTL value is less than or equal to the value that is needed to traverse the longest path across the network will completely mitigate this attack vector. https://www.cisco.com/c/en/us/about/security-center/ttl-expiry-attack.html
QUESTION 22 Which file extensions are supported on the Firesight Management Center 6.1 file policies that can be analyzed dynamically using the Threat Grid Sandbox integration? A. B. C. D.
MSEXEMSOLE2NEW-OFFICEPDF DOCXWAVXLSTXT TXTMSOLE2WAVPDF DOCMSOLE2XMLPDF
Correct Answer: A
Guaranteed Success with EnsurePass VCE Software & PDF File
The Latest 400-251 Exam ☆ Instant Download ☆ Free Update for 180 Days
QUESTION 23 What IOS feature can header attacks by using packet-header information to classify traffic? A. B. C. D. E.
TTL CAR FPM TOS LLQ
Correct Answer: C
QUESTION 24 Which two statements about Botnet Traffic Filter snooping are true? (Choose two.) A. It can log and block suspicious connections from previously unknown bad domains and IP addresses. B. It requires the Cisco ASA DNS server to perform DNS lookups. C. It requires DNS packet inspection to be enabled to filter domain names in the dynamic database. D. It checks inbound traffic only. E. It can inspect both IPv4 and IPv6 traffic. F. It checks inbound and outbound traffic. Correct Answer: CF
QUESTION 25 Which two statements about Cisco VSG are true? (Choose two.) A. Because it is deployed at Layer 2, it can be inserted without significant reengineering of the network. B. According to Cisco best practices, the VSG should use the same VLAN for VSM-VEM control traffic and management traffic. C. It uses optional IP-to-virtual machine mappings to simplify management of virtual machines. D. It uses the Cisco VSG user agent to register with the Cisco Prime Network Services Controller. E. It can be integrated with VMWare vCenter to provide transparent provisioning of policies and profiles. F. It has built-in intelligence for redirecting traffic and fast-path offload. Correct Answer: EF
QUESTION 26 Which two statements about SPAN sessions are true? (Choose two.) A. B. C. D. E. F.
A single switch stack can support up to 32 source and RSPAN destination sessions. Source ports and source VLANs can be mixed in the same session They can monitor sent and received packets in the same session. Multiple SPAN sessions can use the same destination port. Local SPAN and RSPAN can be mixed in the same session. They can be configured on ports in the disabled state before enabling the port.
Guaranteed Success with EnsurePass VCE Software & PDF File
The Latest 400-251 Exam ☆ Instant Download ☆ Free Update for 180 Days
Correct Answer: CF
QUESTION 27 Which two statements about MPP (Management Plane Protection) are true? (Choose two.) A. B. C. D. E. F.
It is supported on both distributed and hardware-swithched platforms. Only out-of-band management interfaces are supported. Only virtual interfaces associated with physical interfaces are supported. It is supported on both active and standby management interfaces. Only in-band management interfaces are supported. Only virtual interfaces associated with sub-interfaces are supported.
Correct Answer: CE
QUESTION 28 In OpenStack, which two statements about the NOVA component are true? (Choose two.) A. B. C. D. E.
It provides the authentication and authorization services. It launches virtual machine instances. It is considered the cloud computing fabric controller. It provides persistent block storage to running instances of virtual machines. It tracks cloud usage statistics for billing purposes.
Correct Answer: BC
QUESTION 29 Which connection mechanism does the eSTREAMER service use to communicate? A. B. C. D. E. F.
IPsec tunnels with 3DES or AES encryption TCP over SSL only SSH EAP-TLS tunnels TCP with optional SSL encryption IPsec tunnels with 3DES encryption only
Correct Answer: B
QUESTION 30 Which four task items need to be performed for an effective nsk assessment and to envaluate network posture? (Choose four.) A. B. C. D. E. F. G.
discovery baselining scanning notification validation escalation mitigation Guaranteed Success with EnsurePass VCE Software & PDF File
The Latest 400-251 Exam ☆ Instant Download ☆ Free Update for 180 Days
H. profiling Correct Answer: ACEH
QUESTION 31 Refer to the exhibit. Which effect of this configuration is true?
A. If the RADIUS server is unreachable, SSH users cannot authenticate. B. Users must be in the RADIUS server to access the serial console. C. Users accessing the device via SSH and those accessing enable mode are authenticated against the RADIUS server D. All commands are validated by the RADIUS server before the device executes them. E. Only SSH users are authenticated against the RADIUS server. Correct Answer: C
QUESTION 32 Refer to the exhibit. You applied this VPN cluster configuration to a Cisco ASA and the cluster failed to form. How do you edit the configuration to correct the problem?
A. B. C. D.
Define the maximum allowable number of VPN connections. Define the master/slave relationship. Configure the cluster IP address. Enable load balancing.
Correct Answer: C
Guaranteed Success with EnsurePass VCE Software & PDF File
The Latest 400-251 Exam ☆ Instant Download ☆ Free Update for 180 Days
QUESTION 33 Refer to the exhibit. Which effect of this configuration is true?
A. Users attempting to access the console port are authenticated against the TACACS+ server. B. The device tries to reach the server every 24 hours and falls back to the LOCAL database if it fails. C. If TACACS+ authentication fails, the ASA uses Cisco 123 as its default password. D. The servers in the TACACS+ group are reactivated every 1440 seconds. E. Any VPN user with a session timeout of 24 hours can access the device. Correct Answer: A
QUESTION 34 Which option best describes RPL? A. RPL stands for Routing over low priority links that use link-state LSAs to determine the best route between two root border routers. B. RPL stands for Routing over low priority links that use distance vector DOGAG to determine the best route between two root border routers. C. RPL stands for Routing over Low-power Lossy Networks that use link-state LSAs to determine the best route between leaves and the root border router. D. RPL stands for Routing over Low-power Lossy Networks that use distance vector DOGAG to determine the best route between leaves and the root border router. Correct Answer: D
QUESTION 35 Which three statements about SCEP are true? (Choose three.) A. B. C. D. E. F.
It supports online certification revocation. Cryptographically signed and encrypted messages are conveyed using PKCS#7 It supports multiple cryptographic algorithms including RSA. The certificate request format uses PKCS#10. CRL retrieval is supported through CDP(Certificate Distribution Point) queries. It supports synchronous granting.
Correct Answer: BDE Explanation: Simple Certificate Enrollment Protocol
Guaranteed Success with EnsurePass VCE Software & PDF File
The Latest 400-251 Exam ☆ Instant Download ☆ Free Update for 180 Days
http://www.cisco.com/c/en/us/support/docs/security-vpn/public-key-infrastructure-pki/116167technotescep-00.html
QUESTION 36 Which statement about deploying policies with the Firepower Management Center is true? A. B. C. D. E.
All policies are deployed on-demand when the administrator triggers them. Deploy tasks can be scheduled to deploy policies automatically. The leaf domain can deploy changes to all subdomains simultaneously. The global domain can deploy changes to individual subdomains. Policies are deployed automatically when the administrator saves them.
Correct Answer: B
QUESTION 37 What are three features that are enabled by generating Change of Authorization (CoA) requests in a push model? (Choose three.) A. B. C. D. E. F.
session reauthentication session identification host reauthentication MAC identification session termination host termination
Correct Answer: BCE
QUESTION 38 Which two options are benefits of network summarization? (Choose two.) A. It prevents unnecessary routing updates at the summarization boundary if one of the routes in the summary is unstable. B. It can increase the convergence of the network. C. It can summarize discontiguous IP addresses. D. It can easily be added to existing networks. E. It reduces the number of routes. Correct Answer: AE
QUESTION 39 Which three statement about SXP are true? (Choose three) A. B. C. D.
It resides in the control plane, where connections can be initiated from a listener. Packets can be tagged with SGTs only with hardware support. Each VRF support only one CTS-SXP connection. To enable an access device to use IP device tracking to learn source device IP addresses, DHCP snooping must be configured. E. The SGA ZBFW uses the SGT to apply forwarding decisions. Guaranteed Success with EnsurePass VCE Software & PDF File
EnsurePass.com Members Features: 1. 2. 3. 4. 5.
Verified Answers researched by industry experts. Q&As are downloadable in PDF and VCE format. 98% success Guarantee and Money Back Guarantee. Free updates for 180 Days. Instant Access to download the Items
View list of All Exam provided: http://www.ensurepass.com/certfications?index=A To purchase Lifetime Full Access Membership click here: http://www.ensurepass.com/user/register
Valid Discount Code 20% OFF for 2019: MMJ4-IGD8-X3QW To purchase the HOT Exams: Vendors Cisco Cisco Cisco Cisco Cisco Cisco Cisco Cisco Cisco Cisco CompTIA CompTIA CompTIA CompTIA CompTIA CompTIA CompTIA CompTIA CompTIA CompTIA CompTIA Microsoft Microsoft Microsoft Microsoft Microsoft Microsoft Microsoft Microsoft ISC
Hot Exams 100-105 200-105 200-125 200-310 200-355 300-101 300-115 300-135 300-320 400-101 220-1001 220-1002 220-901 220-902 CAS-003 LX0-103 LX0-104 N10-007 PK0-004 SK0-004 SY0-501 70-410 70-411 70-412 70-740 70-741 70-742 70-761 70-762 CISSP
Download http://www.ensurepass.com/100-105.html http://www.ensurepass.com/200-105.html http://www.ensurepass.com/200-125.html http://www.ensurepass.com/200-310.html http://www.ensurepass.com/200-355.html http://www.ensurepass.com/300-101.html http://www.ensurepass.com/300-115.html http://www.ensurepass.com/300-135.html http://www.ensurepass.com/300-320.html http://www.ensurepass.com/400-101.html http://www.ensurepass.com/220-1001.html http://www.ensurepass.com/220-1002.html http://www.ensurepass.com/220-901.html http://www.ensurepass.com/220-902.html http://www.ensurepass.com/CAS-003.html http://www.ensurepass.com/LX0-103.html http://www.ensurepass.com/LX0-104.html http://www.ensurepass.com/N10-007.html http://www.ensurepass.com/PK0-004.html http://www.ensurepass.com/SK0-004.html http://www.ensurepass.com/SY0-501.html http://www.ensurepass.com/70-410.html http://www.ensurepass.com/70-411.html http://www.ensurepass.com/70-412.html http://www.ensurepass.com/70-740.html http://www.ensurepass.com/70-741.html http://www.ensurepass.com/70-742.html http://www.ensurepass.com/70-761.html http://www.ensurepass.com/70-762.html http://www.ensurepass.com/CISSP.html