400-251 Exam Details

  • Exam Code: 400-251
  • Exam Name: CCIE Security Written
  • Certification: Cisco Certifications
  • Vendor: Cisco
  • Total Questions: 665 Q&As
  • Last Updated: Dec 10, 2021

Cisco 400-251 Online Questions & Answers

  • Question 121:

    You are considering using RSPAN to capture traffic between several switches. Which two configuration aspects do you need to consider? (Choose two)

    A. All switches need to be running the same IOS version.
    B. All distribution switches need to support RSPAN.
    C. Not all switches need to support RSPAN for it to work.
    D. The RSPAN VLAN needs to be blocked on all trunk interfaces leading to the destination RSPAN switch.
    E. The RSPAN VLAN needs to be allowed on all trunk interfaces leading to the destination RSPAN switch.

  • Question 122:

    Refer to the exhibit. Users cannot access web servers 192.168.101.3/24 and 192.168.102.3/24 using the Firefox web browser when the request is initiated from the 172.16.1.0/24 network. Which two possible causes are true? (Choose two)

    A. The access policy "allow policy" has an incorrect action set for the custom URL category
    B. The identification profile "allowed Profile" has a misconfigured user agent
    C. The access policy "allow policy" is pointing to an incorrect identification profile
    D. The custom URL category "allowed sites" has an incorrect server address listed
    E. The identification profile "allow Profile" has an incorrect source network
    F. The identification profile "allow Profile" has an incorrect protocol

  • Question 123:

    Which two statements about a SMURF attack are true? (Choose two)

    A. It is a distributed denial-of-service attack
    B. The attacker uses a spoofed destination address to launch the attack.
    C. It is used by the attackers to check if destination addresses are alive.
    D. It sends ICMP Echo Requests to a spoofed source address of a subnet
    E. To mitigate the attack you must disable IP directed broadcast on the router interface
    F. It exhausts the victim machine's resources with a large number of ICMP Echo Requests from a subnet
    G. It sends ICMP Echo Replies to known IP addresses in a subnet

  • Question 124:

    In which two ways does OpenDNS ensure security? (Choose two)

    A. OpenDNS servers run a proprietary version of djbdns, which is a set of DNS applications designed for maximum security
    B. OpenDNS servers can analyze the hash of incoming URL strings to apply configured actions
    C. It supports certificate authentication for DNS connections
    D. OpenDNS servers can integrate with the Cisco Network Registrar and other similar services to secure DNS traffic
    E. It encrypts all DNS connections with SSL
    F. The 24-hour network operations center guarantees that critical patches from BIND, Microsoft DNS, and hardware vendors are applied within 12 hours of release
    G. It limits caching to efficiently purge spoofed and malicious addresses
    H. It encrypts all DNS connections with DNSCrypt

  • Question 125:

    Refer to the exhibit. One of the Windows machines in your network is experiencing a dot1x authentication failure. Windows machines are set up to acquire an IP address from the DHCP server configured on the switch, which is supposed to hand out IP addresses from the 50.1.1.0/24 network and forward AAA requests to the RADIUS server at 161.1.7.14 using the shared key "cisco". Knowing that interface Gi0/2 on the switch may receive authentication requests from other devices, and looking at the provided switch configuration, what could be the possible cause of this failure?

    aaa new-model
    aaa authentication login default group radius
    aaa authentication login NO_AUTH none
    aaa authentication login vty local
    aaa authentication network default group radius
    aaa accounting dot1x default start-stop group radius
    !
    username cisco privilege 15 password 0 cisco
    !
    interface GigabitEthernet0/2
     switchport mode access
     ip access-group Pre-Auth in
     authentication host-mode multi-auth
     authentication open
     authentication port-control auto
     dot1x pae authenticator
    !
    vlan 50
    interface Vlan50
     ip address 50.1.1.1 255.255.255.0
    !
    ip dhcp excluded-address 50.1.1.1
    ip dhcp pool pc-pool
     network 50.1.1.0 255.255.255.0
     default-router 50.1.1.1
    !
    ip access-list extended Pre-Auth
     permit udp any eq bootpc any eq bootps
     deny ip any any
    !
    radius server ccie
     address ipv4 161.1.7.14 auth-port 1645 acct-port 1646
     key cisco
    !
    line con 0
     login authentication NO_AUTH
    line vty 0 4
     login authentication vty

    A. authentication is not enabled on interface gi0/2
    B. aaa login authentication is not configured
    C. an incorrect pre authentication acl is configured
    D. an incorrect radius server address is defined
    E. aaa dot1x authentication is not configured
    F. authentication port-control is not set on interface gi0/2
    G. an incorrect dhcp pool is configured

  • Question 126:

    Various methods are available for load-balancing across WSA deployments. Which method requires the least effort for all types of endpoints (campus and data center) across the enterprise?

    A. Use transparent Layer 4 redirection with multiple WSAs behind a load-balancer
    B. Host a PAC file on the WSA or an intranet web server and point all endpoints to it for auto-configuration
    C. Use WPAD that uses the IP addresses of the WSAs
    D. Configure an SRV DNS Record to point to the WSA for all web service
    E. Push out proxy settings to endpoints through Windows GPO settings

  • Question 127:

    Which statement about the Cisco ISR with Cloud Web Security Connector is true?

    A. It eliminates the need for separate components such as the Zone-Based Policy Firewall and Cisco IOS IPS
    B. It can be managed with ScanCenter, which is an intuitive web interface, and a powerful CLI
    C. It maximizes security by requiring active authentication for all users.
    D. It uses powerful signature-based security solutions and behavior-based analysis to detect and eliminate malware
    E. It integrates with Cisco Outbreak intelligence for zero-day threat protection
    F. It dramatically reduces the need for on-premises hardware, but scales best when the central management console is deployed on-site
    G. It supports numerous user authentication methods, including LDAP, RADIUS, Kerberos, and NTLM
    H. It uses powerful encryption to protect confidential, proprietary, and sensitive data as it transits to and from the cloud

  • Question 128:

    Which statement is true regarding SSL policy implementation in a Firepower system?

    A. Access control policy is optional for the SSL policy implementation
    B. If Firepower system cannot decrypt the traffic, it allows the connection
    C. Intrusion policy is mandatory to configure the SSL inspection
    D. Access control policy is responsible for handling all the encrypted traffic if an SSL policy is tied to it
    E. Access control policy is invoked first before the SSL policy tied to it
    F. If SSL policy is not supported by the system then access control policy handles all the encrypted traffic

  • Question 129:

    Refer to the exhibit. A customer has opened a case with Cisco TAC reporting an issue that one of the Windows clients that is supposed to log in to the network using MAB is no longer able to access any allowed resources. Looking at the configuration of the switch, what could be the possible issue?

    aaa authentication login default group radius
    aaa authentication login NO_AUTH none
    aaa authentication login vty local
    aaa authentication dot1x default group radius
    aaa authentication network default group radius
    aaa accounting update newinfo
    aaa accounting dot1x default start-stop group radius
    !
    ip dhcp excluded-address 60.1.1.11
    ip dhcp excluded-address 60.1.1.2
    !
    ip dhcp pool mabpc-pool
     network 60.1.1.0 255.255.255.0
     default-router 60.1.1.2

    cts sxp enable
    cts sxp default source-ip 10.9.31.22
    cts sxp default password ccie
    cts sxp connection peer 10.9.31.1 password default mode peer listener hold-time 0
    !
    dot1x system-auth-control
    !
    interface GigabitEthernet1/0/9
     switchport mode access
     ip device tracking maximum 10
     authentication host-mode multi-auth
     authentication port-control auto
     mab
    !
    radius-server host 161.1.7.14 key cisco
    radius-server timeout 60
    !
    interface Vlan10
     ip address 10.9.31.22 255.255.255.0
    !
    interface Vlan50
     no ip address
    !
    interface Vlan60
     ip address 60.1.1.2 255.255.255.0
    !
    interface Vlan150
     ip address 150.1.7.2 255.255.255.0

    A. CoA configuration is missing.
    B. Dot1x should be globally disabled for MAB to work.
    C. There is an issue with the DHCP pool configuration.
    D. Incorrect CTS configuration on the switch.
    E. Switch configuration is properly configured and the issue is on the radius server.
    F. AAA authorization is incorrectly configured.
    G. The VLAN configuration is missing on the authentication port.

  • Question 130:

    Refer to the exhibit. Which two statements about a device with this configuration are true? (Choose two)

    A. When a peer re-establishes a previous connection to the device, CTS retains all existing SGT mapping entries for 3 minutes
    B. If a peer reconnects to the device within 120 seconds of terminating a CTS-SXP connection, the reconciliation timer starts
    C. If a peer re-establishes a connection to the device before the hold-down timer expires, the device retains the SGT mapping entries it learned during the previous connection for an additional 3 minutes
    D. It sets the internal hold-down timer of the device to 3 minutes
    E. When a peer establishes a new connection to the device, CTS retains all existing SGT mapping entries for 3 minutes
    F. If a peer reconnects to the device within 180 seconds of terminating a CTS-SXP connection, the reconciliation timer starts

Tips on How to Prepare for the Exams

Nowadays, certification exams are becoming more and more important and are required by more and more enterprises when you apply for a job. But how do you prepare for the exam effectively? How do you prepare for the exam in a short time with less effort? How do you get an ideal result, and how do you find the most reliable resources? Here on Vcedump.com you will find all the answers. Vcedump.com provides not only Cisco exam questions, answers and explanations but also complete assistance with your exam preparation and certification application. If you are confused about your 400-251 exam preparation and Cisco certification application, do not hesitate to visit Vcedump.com to find your solutions.