Cisco 400-251 Online Practice Questions and Exam Preparation
400-251 Exam Details
Exam Code: 400-251
Exam Name: CCIE Security Written
Certification: Cisco Certifications
Vendor: Cisco
Total Questions: 665 Q&As
Last Updated: Dec 10, 2021
Cisco 400-251 Online Questions & Answers
Question 141:
Which connection mechanism does the eSTREAMER service use to communicate?
A. IPsec tunnels with 3DES or AES encryption
B. TCP over SSL only
C. SSH
D. EAP-TLS tunnels
E. TCP with optional SSL encryption
F. IPsec tunnels with 3DES encryption only

B. TCP over SSL only
Question 142:
What are two important guidelines to follow when implementing VTP? (Choose two)
A. When using secure mode VTP, only configure management domain passwords on VTP servers.
B. Enabling VTP pruning on a server will enable the feature for the entire management domain.
C. All switches in the VTP domain must run the same version of VTP.
D. CDP must be enabled on all switches in the VTP management domain.
E. Use of the VTP multi-domain feature should be restricted to migration and temporary implementation.

B. Enabling VTP pruning on a server will enable the feature for the entire management domain.
C. All switches in the VTP domain must run the same version of VTP.
Question 143:
Which two statements about 802.1X components are true? (Choose two)
A. The access layer switch is the policy enforcement point.
B. The certificates that are used in the client-server-authentication process are stored on the access switch.
C. The RADIUS server is the policy enforcement point.
D. The RADIUS server is the policy information point.
E. The RADIUS server is the policy decision point.
F. An LDAP server can serve as the policy enforcement point.

A. The access layer switch is the policy enforcement point.
D. The RADIUS server is the policy information point.
Question 144:
Which of the following is true regarding failover link when ASAs are configured in the failover mode?
A. It is not recommended to use secure communication over the failover link when the ASA is terminating the VPN tunnel
B. Only the configuration replication sent across the link can be secured using a failover key
C. The information sent over the failover link can only be in clear text
D. The information sent over the failover link can be sent in clear text or it could be secured communication using a failover key
E. Failover key is not required for the secure communication over the failover link
F. The information sent over the failover link can only be sent as a secured communication

D. The information sent over the failover link can be sent in clear text or it could be secured communication using a failover key
Question 145:
Which statement about VRF-Lite implementation in a service provider network is true?
A. It requires multiple links between CE and PE for each VPN connection to enable privacy
B. It uses input interface to differentiate routes for different VPNs on the CE device
C. It can only support one VRF instance per CE device
D. It can support only one VRF instance per CE device, but their address spaces must not overlap
E. It disables the sharing of one CE device among multiple customers
F. It can have multiple VRF instances associated with a single interface on a CE device

B. It uses input interface to differentiate routes for different VPNs on the CE device
Question 146:
Which effect of the crypto key encrypt write rsa command on a router is true?
A. The device locks the encrypted key, but the key is lost when the router is reloaded.
B. The device encrypts and locks the key before authenticating it with an external CA server.
C. The device unlocks the encrypted key, but the key is lost when the router is reloaded.
D. The device locks the encrypted key and saves it to the NVRAM.
E. The device saves the unlocked encrypted key to the NVRAM.

E. The device saves the unlocked encrypted key to the NVRAM.
Question 147:
In order to enable the Certificate Authority (CA) server feature using Simple Certificate Enrollment Protocol (SCEP) on an IOS device, which three of the following configuration steps are required? (Choose three.)
A. Set the hostname of the device
B. Set an authoritative clock source on the device
C. Enable ip http server on the device
D. Issue no shut under the crypto pki server command
E. Enable auto-rollover for the pki server
F. Generate a self-signed certificate

B. Set an authoritative clock source on the device
C. Enable ip http server on the device
D. Issue no shut under the crypto pki server command
Question 148:
Which is true regarding Authentication Proxy?
A. It first checks if the NAT entry exists for the destination host
B. It prompts the user with web-based authentication if user authentication information is found
C. It does not apply the DACL for the traffic passing through the device
D. It applies a global ACL if the user authentication information is not found
E. It triggers on HTTP, HTTPS and FTP connections
F. It triggers only on HTTP connection

F. It triggers only on HTTP connection
Question 149:
Refer to the exhibit. ASA2 is configured for the Clientless SSL VPN connection with DNS server at 150.1.7.201 that is reachable only from the Management0/0 interface. The incoming VPN session will be received on the outside interface with
ASA2 is configured for the Self-Signed certificate with trustpoint “ccietrust” enabled for the outside interface. It has been reported that resources accessibility is timing out after the VPN connection establishment. Which possible reason is true?
A. The CA trustpoint "ccietrust" has incorrect keypair.
B. The tunnel group is tied up with the incorrect group policy.
C. Webvpn needs to be enabled on the management interface.
D. Management interface has incorrect security level configured.
E. The "ccieacl" should be configured for port 443.
F. The domain-lookup should be performed from management interface.
G. Incorrect banner value in the group policy.

E. The "ccieacl" should be configured for port 443.
Question 150:
Which three statements correctly describe the encoding used by NETCONF and RESTCONF? (Choose three.)
A. NETCONF uses YAML-encoded data
B. RESTCONF uses XML-encoded data
C. RESTCONF uses JSON-encoded data
D. NETCONF uses JSON-encoded data
E. RESTCONF uses YAML-encoded data
F. NETCONF uses XML-encoded data

B. RESTCONF uses XML-encoded data
C. RESTCONF uses JSON-encoded data
F. NETCONF uses XML-encoded data