400-251 Exam Details

  • Exam Code: 400-251
  • Exam Name: CCIE Security Written
  • Certification: Cisco Certifications
  • Vendor: Cisco
  • Total Questions: 665 Q&As
  • Last Updated: Dec 10, 2021

Cisco 400-251 Online Questions & Answers

  • Question 221:

    Which three statements about Cisco AnyConnect SSL VPN with the ASA are true? (Choose three)

    A. DTLS can fall back to TLS without enabling dead peer detection.
    B. By default, the VPN connection connects with DTLS.
    C. Real-time application performance improves if DTLS is implemented.
    D. Cisco AnyConnect connections use IKEv2 by default when it is configured as the primary protocol on the client.
    E. By default, the ASA uses the Cisco AnyConnect Essentials license.
    F. The ASA will verify the remote HTTPS certificate.

  • Question 222:

    Refer to the exhibit. One of the Windows machines in your network is having connectivity issues using 802.1x. Windows machines are set up to acquire an IP address from the DHCP server configured on the switch, which is supposed to hand over IP addresses from the 50.1.1.0/24 network, and forward AAA requests to the RADIUS server at 161.1.7.14 using shared key "cisco". Knowing that interface Gi0/2 on the switch may receive authentication requests from other devices, and looking at the provided switch configuration, what could be the possible cause of this failure?

    aaa new-model
    aaa authentication login default group radius
    aaa authentication login NO_AUTH none
    aaa authentication login vty local
    aaa authentication dot1x default group radius
    aaa authentication network default group radius
    aaa accounting dot1x default start-stop group radius
    !
    username cisco privilege 15 password 0 cisco
    !
    interface GigabitEthernet0/2
     switchport mode access
     ip access-group Pre-Auth in
     authentication host-mode multi-auth
     authentication open
     authentication port-control auto
     dot1x pae authenticator
    !
    vlan 50
    interface Vlan50
     ip address 50.1.1.1 255.255.255.0
    !
    ip dhcp excluded-address 50.1.1.1
    ip dhcp pool pc-pool
     network 50.1.1.0 255.255.255.0
     default-router 50.1.1.1
    !
    ip access-list extended Pre-Auth
     permit udp any eq bootpc any eq bootps
     deny ip any any
    !
    radius server ccie
     address ipv4 161.1.7.14 auth-port 1645 acct-port 1646
     key cisco
    !
    line con 0
     login authentication NO_AUTH
    line vty 0 4
     login authentication vty

    A. authentication for multiple hosts not configured on interface Gi0/2
    B. an incorrect default route is pushed on supplicant from SW1
    C. an incorrect ip address is configured for SVI 50
    D. 802.1X is disabled on the switch
    E. There is a RADIUS key mismatch
    F. 802.1x authentication is not enabled on interface Gi0/2
    G. aaa network authorization is not configured

  • Question 223:

    Which two statements about Cisco AMP for Web Security are true? (Choose two)

    A. It can prevent malicious data exfiltration by blocking critical files from exiting through the Web gateway.
    B. It can perform reputation-based evaluation and blocking by uploading the fingerprint of incoming files to a cloud-based threat intelligence network.
    C. It can detect and block malware and other anomalous traffic before it passes through the Web gateway.
    D. It can perform file analysis by sandboxing known malware and comparing unknown files to a local repository of the threats.
    E. It can identify anomalous traffic passing through the Web gateway by comparing it to an established baseline of expected activity.
    F. It continues monitoring files after they pass the Web gateway.

  • Question 224:

    Which two statements about a wireless access point configured with the guest-mode command are true? (Choose two)

    A. It can support more than one guest-mode SSID.
    B. It supports associations by clients that perform passive scans.
    C. It allows clients configured without SSIDs to associate.
    D. It allows associated clients to transmit packets using its SSID.
    E. If one device on a network is configured in guest-mode, clients can use the guest-mode SSID to connect to any device in the same network.

  • Question 225:

    Which statement is true regarding an X.509 certificate?

    A. The algorithm in the certificate used by the subject to encrypt the traffic.
    B. The Subject distinguished name in the certificate is of the entity who issued the certificate.
    C. The serial number in the certificate is common across the certificates issued by the same CA.
    D. The issuer distinguished name in the certificate is of the entity receiving the certificate.
    E. The algorithm in the certificate used by the receiver to sign the certificate.
    F. The version number in the certificate is the X.509 version applied to the certificate.

  • Question 226:

    Which two statements about 6to4 tunneling are true? (Choose two)

    A. It provides a /128 address block.
    B. It supports static and BGPv4 routing.
    C. It provides a /48 address block.
    D. It supports managed NAT along the path of the tunnel.
    E. The prefix address of the tunnel is determined by the IPv6 configuration of the interface.
    F. It supports multihoming.

  • Question 227:

    Which statement is true regarding securing connection using MACsec?

    A. It secures connection between two supplicant clients
    B. Switch uses session keys to calculate decrypted packet ICV value for the frame integrity check
    C. Switch configured for MACSec can only accept MACSec frames from the MACSec client
    D. It is implemented after a successful MAB authentication of supplicant
    E. It provides network layer encryption on a wireless network
    F. ISAKMP protocol is used to manage MACSec encryption keys B

  • Question 228:

    Which IPS deployment mode is most reliant on the Automatic Application Bypass feature?

    A. Passive
    B. Strict
    C. Transparent
    D. Switched
    E. Tap
    F. Inline

  • Question 229:

    Which statement about the Strobe scan is true?

    A. It never opens a full TCP connection.
    B. It relies on ICMP "port unreachable" message to determine if the port is open
    C. It is used to find the ports that already have an existing vulnerability to exploit.
    D. It checks the firewall deployment in the path.
    E. It is a directed scan to a known TCP/UDP port
    F. It evades network auditing tools

  • Question 230:

    Refer to the exhibit. You issued the show crypto isakmp sa command to troubleshoot a connection failure on an IPsec VPN. What possible issue does the given output indicate?

    ASA# show crypto isakmp sa
    Type: L2L
    Active SA: 1
    Rekey SA: 0 (a tunnel will report 1 Active and 1 rekey SA during rekey)
    IKE peer: 192.168.10.10
    Rekey: BB
    Role: initiator

    A. The pre-shared keys are mismatched.
    B. The peer is failing to respond.
    C. The transform sets are mismatched.
    D. The crypto ACLs are mismatched.
