400-251 Exam Details

  • Exam Code: 400-251
  • Exam Name: CCIE Security Written
  • Certification: Cisco Certifications
  • Vendor: Cisco
  • Total Questions: 665 Q&As
  • Last Updated: Dec 10, 2021

Cisco 400-251 Online Questions & Answers

  • Question 321:

    All your remote users use AnyConnect VPN to connect into your corporate network, with an ASA providing the VPN services. Authentication is through ISE using RADIUS as the protocol. ISE uses Active Directory as the Identity Source. You want to be able to assign different policies to users depending on their group membership in Active Directory. Which is one possible way of doing that?

    A. Configure an authorization policy in ISE to send back a RADIUS Class-25 attribute with the name of the ASA Tunnel Group (Connection Profile)
    B. This is only possible when LDAP authorization is configured directly to Active Directory
    C. Configure an authentication policy in ISE to send back a RADIUS Class-25 attribute with the name of the ASA Group Policy
    D. Configure an authentication policy in ISE to send back a RADIUS Class-25 attribute with the name of the ASA tunnel Group (Connection Profile)
    E. Configure an authorization policy in ISE to send back a RADIUS Class-25 attribute with the name of the ASA Group Policy

  • Question 322:

    Refer to the exhibit. What are two functionalities of this configuration? (Choose two)

    A. Traffic will not be able to pass on gigabitEthernet0/1.
    B. The ingress command is used for an IDS to send a reset on vlan 3 only.
    C. The source interface should always be a VLAN.
    D. The encapsulation command is used to do deep scan on dot1q encapsulation traffic
    E. Traffic will only be sent to gigabitEthernet 0/20

  • Question 323:

    Which two statements about Botnet Traffic Filter snooping are true? (Choose two)

    A. It can log and block suspicious connections from previously unknown bad domains and IP addresses.
    B. It requires the Cisco ASA DNS server to perform DNS lookups.
    C. It requires DNS packet inspection to be enabled to filter domain names in the dynamic database.
    D. It checks inbound traffic only.
    E. It can inspect both IPv4 and IPv6 traffic.
    F. It checks inbound and outbound traffic.

  • Question 324:

    If multiple contexts share an ingress interface which would be the criteria used by ASA for packet classification?

    A. Destination IP address
    B. ASA ingress interface IP address
    C. ASA ingress interface unique MAC address
    D. ASA NAT configuration
    E. Policy based routing on ASA
    F. ASA egress interface IP address
    G. Destination MAC address

  • Question 325:

    Which four task items need to be performed for an effective risk assessment and to evaluate network posture? (Choose four)

    A. discovery
    B. baselining
    C. scanning
    D. notification
    E. validation
    F. escalation
    G. mitigation
    H. profiling

  • Question 326:

    Which three statements about RLDP are true? (Choose three)

    A. It detects rogue access points that are connected to the wired network.
    B. It can detect rogue APs that use WPA encryption.
    C. It can detect rogue APs operating only on 5 GHz.
    D. It can detect rogue APs that use WEP encryption.
    E. The AP is unable to serve clients while the RLDP process is active.
    F. Active Rogue Containment can be initiated manually against rogue devices detected on the wired network.

  • Question 327:

    Which three statements about VXLAN are true? (Choose three)

    A. It can converge topology without STP.
    B. It enables up to 24 million VXLAN segments to coexist in the same administrative domain.
    C. It uses encrypted TCP/IP packets to transport data over the physical network.
    D. The VTEP encapsulates and de-encapsulates VXLAN traffic by adding or removing several fields, including a 16-bit VXLAN header.
    E. It uses a 24-bit VXLAN network identifier to provide layer 2 isolation between LAN segments.
    F. It can migrate a virtual machine from one Layer 2 domain to another over a Layer 3 network.

  • Question 328:

    Which two statements about the OpenDNS Anycast network are true? (Choose two)

    A. It ensures that requests are routed to the nearest data center
    B. It is simpler and easier to scale than unicast
    C. It automatically routes DNS requests to the server with the least load
    D. It assigns a unique IP address and a unique hash value to each server, which dramatically simplifies network management and ensures that failing servers can be identified and taken offline immediately
    E. It defends the network against DDoS attacks by forcing malicious traffic to a single server, which leaves the remaining servers unaffected
    F. It allows multiple servers at multiple locations to be represented by a single IP address
    G. It is significantly more secure than unicast, but it may cause some additional latency

  • Question 329:

    Which location is the default for the PAC file on Cisco IronPort WSA?

    A. http://:9001/pacfile.pac
    B. http://:8022/pacfile.pac
    C. http://:9091/pacfile.pac
    D. http://:8080/pacfile.pac

  • Question 330:

    What are the two different modes in which private AMP cloud can be deployed? (Choose two)

    A. Air Gap Mode
    B. External Mode
    C. Internal Mode
    D. Public Mode
    E. Cloud Mode
    F. Cloud Proxy Mode
