25 February, 2020

CCIE Security Written Exam 400-251 Item Pool

we provide 100% Correct Cisco 400-251 download which are the best for clearing 400-251 test, and to get certified by Cisco CCIE Security Written Exam. The 400-251 Questions & Answers covers all the knowledge points of the real 400-251 exam. Crack your Cisco 400-251 Exam with latest dumps, guaranteed!

Free 400-251 Demo Online For Cisco Certifitcation:

Page: 1 / 37

Total 448 questions Full Exam Access

Question 1

- (Exam Topic 3)
In a large organization, with thousands of employees scattered across the globe, it is difficult to provision and onboard new employee device with the correct profiles and certificates. With ISE, it is possible to do that with client provided device. Which four conditions must be met? (Choose four.)

Endpoint operating system should be supported

Client provisioning is enabled on ISE

The pxGrid controller should be enabled on ISE

Device MAC addresses are added to the Endpoint Identity Group

Profiling is enabled on ISE

SCEP Proxy is enabled on ISE

Microsoft windows server is configured with certificate services

ISE should be configured as SXP listener to push SGT-to-IP mapping to network access devices

Network access device and ISE should have the PAC provisioning for CTS environment authentication

Question 2

- (Exam Topic 2)
Which command on Cisco ASA you can enter to send debug messages to a syslog server?

logging debug-trace

logging host

logging traps

logging syslog

Question 3

- (Exam Topic 3)
Refer to the exhibit. Which two effects of this configuration are true? (Choose two.) Case Study Title (Case Study):
authentication priority dot1x mab authentication order dot1x mab authentication event fail action next-method authentication event server dead action reinitialize vlan 50 authentication host-mode multi-auth
authentication violation restrict

If the TACACS+ server is unreachable, the switch places hosts on critical ports in VLAN 50

The device allows multiple authenticated sessions for a single MAC address in the voice domain

If multiple hosts have authenticated to the sameport, each can bein their own assigned VLAN

If the authentication priority is changed the order in which authentication is performed also changes

The switch periodically sends an EAP-Identity-Request to the endpoint supplicant

The port attempts 802.1x authentication first, and then falls back to MAC authentication bypass

Question 4

- (Exam Topic 2)
Which statement about Health Monitoring on the Firepower System is true?

When you delete a health policy that is applied to a device, the device reverts to the default health policy.

If you apply a policy without active modules to a device, the previous health policy remains in effect unless you delete it.

Health events are generated even when the health monitoring status is disabled.

Descendant domains in a multi-domain deployment can view, edit, and apply policies from ancestor domains.

The administrator of a descendant domain is unable to edit or delete blacklists applied by the administrator of an ancestor domain.

The default health policy is automatically applied to all managed devices.

Question 5

- (Exam Topic 2)
Which three statements about VXLAN are true? (Choose three.)

It can converge topology without STP.

It enables up to 24 million VXLAN segments to coexist in the same administrative domain.

It uses encrypted TCP/IP packets to transport data over the physical network.

The VTEP encapsulates and de-encapsulates VXLAN traffic by adding or removing several fields, including a 16-bit VXLAN header.

It uses a 24-bit VXLAN network identifier to provide layer 2 isolation between LAN segments.

It can migrate a virtual machine from one Layer 2 domain to another over a Layer 3 network.

Question 6

- (Exam Topic 2)
Which two statements about application protocol detectors in the Cisco Fire? (Choose two)

They can analyze network traffic for specific application fingerprints

Port-based application protocol detectors can be modified for use as custom

Port-based and Firepower-based application protocol detectors can be import

firepower-based application protocol detectors are built in to the Firepower deactivated only by the system

They can be activated by VDB updates, but must be deactivated manually

They can detect web-based application activity in HTTP traffic

Question 7

- (Exam Topic 2)
Which description of configuring the port security feature true?

With regards to setting the maximum number of MACs formaximum number of allowed AMCs for the access and voice

With regards to setting the maximum number of MACs for f maximum number of allowed ACs for the access VLAN only\'

It is not possible to set the maximum number MACs on the ; configured on the same switch port

With regards to setting the maximum number of post secure number of allowed MACs for the voice VLAN only as a phone

Question 8

- (Exam Topic 1)
Which three statements about VRF-Aware Cisco Firewall are true? (Choose three.)

It supports both global and per-VRF commands and DoS parameters.

It enables service providers to deploy firewalls on customer devices.

It can generate syslog messages that are visible only to individual VPNs.

It can support VPN networks with overlapping address ranges without NAT.

It enables service providers to implement firewalls on PE devices.

It can run as more than one instance.

Question 9

- (Exam Topic 1)
Which two statements about the SeND protocol are true? (Choose two.)

It counters neighbor discovery threats.

It must be enabled before you can configure IPv6 addresses.

It supports numerous custom neighbor discovery messages.

It logs IPv6-related threats to an external log server.

It supports an autoconfiguration mechanism.

It uses IPsec as a baseline mechanism.

Question 10

- (Exam Topic 2)
Which option is a benefit of VRF Selection Using Policy-Based Routing for routing for packets to different VPNs?

It suppprts more than one VPN per interface

It allows bidirectional traffic flow between the service provider and the CEs

It automatically enables fast switching on all directly connected interfaces

It can use global routing tables to forward packets if the destination address matches the VRF configure on the interface

Every PE router in the service provider MPLS cloud can reach every customer network

It inreases the router performance when longer subnet masks are in use

Question 11

- (Exam Topic 3)
In your ISE design, there are two TACACS profiles that are created for device administration: IOS_HelpDesk_Profile, and IOS_Admin_Profile. The HelpDesk profile should login the user with privilege 1, with ability to change privilege level to 15. The Admin profile should login the user with privilege 15 by default. Which two commands must the HelpDesk enter on the IOS device to access privilege level 15? (Choose two)

enable secret

enable 15

privilege level 15

enable privilege 15

enable

enable IOS_Admin_Profile

enable password

Question 12

- (Exam Topic 3)
Refer the exhibit.
***Missing Exhibit***
ASA at 150.1.7.43 is configured to receive IP address to SGT mapping from ISE at 161.1.7.14. Which of the following is true regarding packet capture from wireshark?

SXP keepalive message using TCP originated from ISE

ISE keepalive message for NDAC connection using TCP originated from ASA

TACACS connection keepalive using UDP originated from ASA

RADIUS connection keepalive using TCP originated from ISE

NTP keepalive message using UDP originated from ISE

SXP keepalive message for SXP connection using UDP originated from ASA

Question 13

- (Exam Topic 3)
Transmission control protocol, src port: 649999(64999), Dst Port:49086(49086),Seq:2,Ack:2,Len: Refer to the exhibit.
400-251 dumps exhibit

Refer to the exhibit. The ASA at 150.1.7.43 is configured to receive the IP address to SGT mapping from ISE at 161.1.7.14. Which statement about this packet capture from Wireshark is true?

The TACACS connection keep alive using UDP originated from ASA

The SXP message uses TCP port 64999 for connection termination

The RADIUS connection keep alive using TCP originated from ISE

The SXP message uses MD5 for authentication and integrity check.

The ISE keep alive message for NDAC connection using TCP originated from ASA

The NTP keep alive message using UDP originated from ISE

The SXP keep alive message for SXP connection using UDP originated from ASA

Question 14

- (Exam Topic 2)
What are two characteristics of RPL, used in IoT environments?(Choose two)

It is an Exterior Gateway Protocol

It is a Interior Gateway Protocol

It is a hybrid protocol

It is link-state protocol

It is a distance-vector protocol

Question 15

- (Exam Topic 1)
If an ASA device is configured as a remote access IPsec server with RADIUS authentication and password management enabled, which type of authentication will it use?

RSA

MS-CHAPv2

MS-CHAPv1

NTLM

PAP

Question 16

- (Exam Topic 1)
Which two options are benefits of the Cisco ASA transparent firewall mode? (Choose two)

It can establish routing adjacencies.

It can perform dynamic routing.

It can be added to an existing network without significant reconfiguration.

It supports extended ACLs to allow Layer 3 traffic to pass from higher to lower security interfaces.

It provides SSL VPN support.

Question 17

- (Exam Topic 2)
Which statement about Cisco Firepower Advanced Malware

With dynamic analysis, the system pre classifies suspicious files a them to the AMP Threat Grid for analysis

If the system determines a file inside an archive to be malware, blocking the archive

The SHA-256 value of a file is calculated only if you configure a Lookup action

If the system pre classifies a file potential malware, it automatic; administrator to take further action

When local malware analysis is complete, it produces a threat s details of the analysis

The AMP for Firepower network-based solution supports malware files types than AMP for endpointsThe system can analyze up to two layers of nested files in ZIP are block files with more layers

Question 18

- (Exam Topic 2)
How does a Cisco ISE server determine whether a client supports EAP chaining?

It sends an identity-type TLV to the client and analyzes the response.

It analyzes the options field in the TCP header of the first packet it receives from the client.

It analyzes the X.509 certificate it receives from the client through the TLS tunnel.

It send an MD5 challenge to the client and analyzes the response.

It analyzes the EAPoL message the client sends during the initial handshake.

Question 19

- (Exam Topic 3)
What is the best description of a docker file?

Text document used to build an image

Message Daemon files

Software used to manage containers

Repository for docker images

Question 20

- (Exam Topic 2)
Which three Cisco attributes for LDAP authorization are supported on the ASA? (Choose three)

Web-VPN-ACL-Filters

IPsec-Default-Domain

IPsec-Client-Firewall-Name

Authorization-Type

L2TP-Encryption

Authenticated-User-idle-Timeout

Question 21

- (Exam Topic 1)
Which two characteristics of DTLS are true? (Choose two.)

It supports long data transfers and connectionless data transfers.

It includes a retransmission method because it uses an unreliable datagram transport.

It includes a congestion control mechanism.

It is used mostly by applications that use application layer object-security protocols.

It completes key negotiation and bulk data transfer over a single channel.

It cannot be used if NAT exists along the path.

Question 22

- (Exam Topic 2)
Which two statements about AMP. The Grid are true? (Choose two)

It can transmit suspected malware to the public AMP I threat Grid cloud for deeper analysis

It provides two separate on premises appliances to support powerful malware analysis and threat intelligence features

It provides dynamic analysis reports and generates threat scores

It supports real time threat and behavioral analysis

It can be installed on individual endpoints to inspect local files for malware

It can act as an anonymized proxy to transport endpoint –vent data to the public AMP I threat Grid cloud for threat detection

Question 23

- (Exam Topic 3)
Which of the following is part of DevOps virtuous cycle?

Lower Quality

Increased Latency

Slower Releases

Improved Scalability

Question 24

- (Exam Topic 3)
For your enterprise ISE deployment, you are looking to use certificate-based authentication for all your Windows machines. You have already gone through the exercise of pushing the machine and user certificates out to all the machines using GPO. Since certificate based authentication, by default, doesn't check the certificate against Active Directory or requires credentials from the user, this essentially means that no groups are returned as a part of the authentication request. What are the possible ways to authorize the user based on Active Directory group membership?

Configure the Windows supplicant to use saved credentials as well as certificate-based authentication

Enable Change of Authorization on the deployment to perform double authentication

Use EAP authorization to retrieve group information from Active Directory

The certificate should be configured with the appropriate attributes which contain appropriate group information, which can be used in Authorization policies

Use ISE as the Certificate Authority, which will then allow automatic group retrieval from Active Directoryto perform the required authorization

Configure Network Access Device (NAD) to bypass certificate-based authentication and push configured user credentials as a proxy to ISE

Question 25

- (Exam Topic 1)
Refer to the exhibit.
400-251 dumps exhibit

Which service of feature must be enabled on 209.165.200.255 to produce the given output?

the Finger service

a BOOTP server

a TCP small server

the PAD service

Question 26

- (Exam Topic 2)
Which statement about encryption headers on the Cisco ESA is true?

The optional Cisco Iron Port Encryption appliance provides extended encryption headers

They can be applied to outgoing messages only to force more secure message handling than is provided by the current encryption settings on the ESA

Content filters can be applied to add encryption headers to outgoing messages only

They can be configured to enable return receipt, expire messages and prevent the recipient form forwarding the message

Question 27

- (Exam Topic 3)
Refer to the exhibit.
R1
ntp authentication-key 12 md5 cisco ntp authenticate
ntp trusted-key 12
ntp source GigabitEthernet ntp master 1
!i
nterface GigabitEthernet1
ip address 171.1.7.21 255.255.255.0 R2
ntp authentication-key 12 md5 cisco ntp authentication-key 102 md5 cisco ntp authenticate
ntp trusted-key 12
ntp trusted-key 102
ntp server 171.1.7.21 key 102
R2# ping 172.1.7.21
Type escape sequence to abort
Sending 5 100-byte ICMP Echos to 171.1.7.21, timeout is 2 seconds
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/4/5 ms R2# sh ntp asso detail
171.1.7.21 configured ipv4, authenticated instance invalid, unsynced, stratum 6 ref ID INIT, time 00000000 0000000 (17:00:00.000 ccie Wed Dec 31, 2017)
R2 is getting time synchronized from NTP server R1. It has been reported that clock on R2 Is not able to associate with the NTP server R1. What could be the possible cause?

R2 has incorrect NTP server address

R1 has incorrect NTP source interface defined

R2 has incorrect trusted key binded with the NTP server

R2 does not support NTP authentication

R2 should not have two trusted keys for the NTP authentication

R2 has connectivity issue with the NTP server

Page: 1 / 37

Total 448 questions Full Exam Access