Cisco 400-251 Online Practice Questions and Exam Preparation
400-251 Exam Details
Exam Code: 400-251
Exam Name: CCIE Security Written
Certification: Cisco Certifications
Vendor: Cisco
Total Questions: 665 Q&As
Last Updated: Dec 10, 2021
Cisco 400-251 Online Questions & Answers
Question 371:
Which statement is true for BYOD Single SSID flow?
A. End user has to manually disconnect from the corporate SSID and re-connect.
B. Employee must not configure the supplicant on the device to connect to the corporate SSID.
C. The authentication used to connect to the corporate SSID is used for single-sign-on to the onboarding and provisioning process.
D. A change of authorization (CoA) is triggered from Network Access Device (NAD) to ISE to provide full access after the provisioning process without requiring the employee to reconnect to the network.
Answer: C. The authentication used to connect to the corporate SSID is used for single-sign-on to the onboarding and provisioning process.
Question 372:
A user attempts to browse the internet through a CWS integrated router, and the HTTP 403 Forbidden error message is returned. Which reason for the problem is the most likely?
A. User authentication failed
B. The CWS connector is down
C. The user is not logged in to CWS
D. The user attempted to access a web site that is blocked by CWS policy
E. The connection timed out
F. The CWS license has expired
Answer: D. The user attempted to access a web site that is blocked by CWS policy
Question 373:
Which two statements about the MACsec security protocol are true? (Choose two)
A. When switch-to-switch link security is configured in manual mode, the SAP operation mode must be set to GCM
B. MACsec is not supported in MDA mode.
C. Stations broadcast an MKA heartbeat that contains the key server priority
D. MKA heartbeats are sent at a default interval of 3 seconds
E. The SAK is secured by 128-bit AES-GCM by default
Answer:
C. Stations broadcast an MKA heartbeat that contains the key server priority
E. The SAK is secured by 128-bit AES-GCM by default
Question 374:
Your organization signed up for Umbrella Enterprise. Before you deploy the Umbrella client, you configured the Umbrella DNS servers as forwarders on your enterprise DNS servers to offer basic security services for internet-bound traffic. Which option describes how Umbrella protects your internal endpoints from potentially malicious sites that have not been inspected by Umbrella?
A. Traffic is allowed through and then passively inspected by the Umbrella cloud
B. When the request is made, Umbrella cloud launches a simultaneous request to the destination service, and attempts to inspect it. After the is inspected, the client is allowed or denied access based on the results
C. Traffic is redirected through Umbrella cloud service before it is denied or allowed through to the destination
D. Traffic is duplicated to Umbrella cloud and inspected. If it is malicious, the client is blocked automatically.
E. Traffic is denied with an access blocked message.
Answer: C. Traffic is redirected through Umbrella cloud service before it is denied or allowed through to the destination
Question 375:
DRAG DROP
Drag each OSPF security feature on the left to its description on the right.
Select and Place:
Question 376:
While a configuration audit is performed on a router, the set session-key command is found under a crypto map applied to a WAN interface. Which three statements about this command are true? (Choose three)
A. This command sets a peer authentication string because the IPsec peer does not support automatic mutual authentication and a manual method is required
B. When configuring the Crypto map, (ipsec-manual) must be defined as part of the parameters
C. This command is used to encrypt traffic to another device which does not support internet key exchange
D. Another way of overcoming this issue is to use the crypto isakmp peer address command with an all zeros wildcard address and mask combination
E. Both peers must be configured for manual peer authentication for this configuration to work
F. This command is used to manually configure an IPsec SA: two entries are needed on each side to encrypt and decrypt traffic over the tunnel
G. This command is used to manually configure an IPsec SA: only one entry is needed on each side to encrypt and decrypt traffic over the tunnel
Answer:
B. When configuring the Crypto map, (ipsec-manual) must be defined as part of the parameters
E. Both peers must be configured for manual peer authentication for this configuration to work
F. This command is used to manually configure an IPsec SA: two entries are needed on each side to encrypt and decrypt traffic over the tunnel
Question 377:
A managed service provider wants to deploy their services in a public cloud, such as Microsoft Azure. They plan to use CSRs to terminate VPN tunnels from customer routers to the CSR. Which way is most efficient to ensure that the traffic from each customer is completely isolated from the other?
A. Deploy zone-based firewall services and apply them to each tunnel
B. Terminate each VPN tunnel on a separate CSR for optimal security
C. Enable multitenant VPN services on the CSR for path isolation
D. Separate each tunnel in its own VRF
E. Apply access lists on the tunnels
Answer: A. Deploy zone-based firewall services and apply them to each tunnel
Question 378:
A server with IP address 209.165.202.150 is protected behind the inside interface of a Cisco ASA, with the Internet on the outside interface. Users on the Internet need to access the server at any time, but the firewall administrator does not want to apply NAT to the address of the server because it is currently a public address. Which three of the following commands can be used to accomplish this? (Choose three)
A. static (outside, inside) 209.165.202.150 209.165.202.150 netmask 255.255.255.255
B. nat (inside) 1 209.165.202.150 255.255.255.255
C. static (inside, outside) 209.165.202.150 209.165.202.150 netmask 255.255.255.255
D. no nat-control
E. access-list no-nat permit ip host 209.165.202.150 any
   nat (inside) 0 access-list no-nat
F. nat (inside) 0 209.165.202.150 255.255.255.255
Answer:
C. static (inside, outside) 209.165.202.150 209.165.202.150 netmask 255.255.255.255
E. access-list no-nat permit ip host 209.165.202.150 any
   nat (inside) 0 access-list no-nat
F. nat (inside) 0 209.165.202.150 255.255.255.255
Question 379:
Which two statements about SPAN sessions are true? (Choose two)
A. A single switch stack can support up to 32 source and RSPAN destination sessions.
B. Source ports and source VLANs can be mixed in the same session
C. They can monitor sent and received packets in the same session.
D. Multiple SPAN sessions can use the same destination port.
E. Local SPAN and RSPAN can be mixed in the same session.
F. They can be configured on ports in the disabled state before enabling the port.
Answer:
C. They can monitor sent and received packets in the same session.
F. They can be configured on ports in the disabled state before enabling the port.
Question 380:
What are three types of CoA we use in ISE? (Choose three.)
A. PoD (Packet of Disconnect)
B. Port Bounce
C. Terminate
D. Reauth
E. No CoA (change of authorization)
Answer:
B. Port Bounce
D. Reauth
E. No CoA (change of authorization)