400-251 Exam Details

  • Exam Code: 400-251
  • Exam Name: CCIE Security Written
  • Certification: Cisco Certifications
  • Vendor: Cisco
  • Total Questions: 665 Q&As
  • Last Updated: Dec 10, 2021

Cisco 400-251 Online Questions & Answers

  • Question 411:

    Which two combinations of nodes are allowed in a Cisco ISE distributed deployment? (Choose two)

    A. ISE cluster with eight nodes
    B. Pair of passive ISE nodes for automatic failover
    C. One or more policy service ISE nodes for session failover standalone
    D. Primary and secondary administration ISE nodes for high availability
    E. Active and standby ISE nodes for high availability.

  • Question 412:

    Which three transports have been defined for SNMPv3? (Choose three)

    A. DTLS
    B. SSH
    C. TLS
    D. SSL
    E. IPsec secured tunnel
    F. GET

  • Question 413:

    Refer to the exhibit. A customer has opened a case with Cisco TAC reporting that one of the Windows clients that is supposed to log in to the network using MAB is no longer able to access any allowed resources. Looking at the configuration of the switch, what could be the possible cause of the MAB failure?

    aaa authentication login default group radius
    aaa authentication login NO_AUTH none
    aaa authentication login vty local
    aaa authentication dot1x default group radius
    aaa authentication network default group radius
    aaa accounting update newinfo
    aaa accounting dot1x default start-stop group radius
    !
    aaa server radius dynamic-author
     client 161.1.7.14 server key cisco
    !
    ip dhcp excluded-address 60.1.1.11
    ip dhcp excluded-address 60.1.1.2
    !
    ip dhcp pool mabpc-pool
     network 60.1.1.0 255.255.255.0
     default-router 60.1.1.2
    !
    cts sxp enable
    cts sxp default soure-ip 10.9.31.22
    cts sxp default password ccie
    cts sxp connection peer 10.9.31.1 password default mode peer listener hold time 0
    !
    dot1x system auth-control
    !
    interface GigabitEthernet1/0/9
     switchport mode access
     ip device tracking maximum 10
     authentication host mode multi-auth
     authentication port-control auto
    !
    radius-server host 161.1.7.14 key cisco
    radius-server timeout 60
    !
    line con 0
     login authentication NO_AUTH

    A. The switch is properly configured and the issue is on the radius server
    B. There is an issue with the CoA configuration
    C. AAA authentication is incorrectly configured on the switch
    D. There is an issue with the DHCP pool configuration
    E. Dot1x should be globally disabled for the MAB to work
    F. Incorrect CTS configuration on the switch
    G. MAB is disabled on port Gi1/0/9

  • Question 414:

    Refer to the exhibit. For which type of user is this downloadable ACL appropriate?

    A. management
    B. employees
    C. guest users
    D. network administrator
    E. onsite contractors

  • Question 415:

    DRAG DROP

    Drag each type of spoofing attack on the left to an action you can take to prevent it on the right.

    Select and Place:

  • Question 416:

    Refer to the exhibit. R15 is trying to initiate a site-to-site IPsec certificate-based VPN tunnel with the peer at 20.1.7.16. The CA is running at port 80 on address 172.16.100.18. R15 has a BGP peer at 20.1.6.18 doing an authenticated session to establish reachability with the VPN remote site. The VPN tunnel will secure traffic between the 192.168.15.0/24 and 192.168.16.0/24 networks. It has been reported that the VPN tunnel is not coming up with the remote site. What could be the issue?

    A. Incorrect ACL defined for the traffic encryption
    B. Incorrect static route
    C. Incorrect crypto map configuration
    D. Incorrect ISAKMP policy configuration
    E. The crypto map is not applied on the correct interface
    F. Incorrect trustpoint configuration
    G. Incorrect BGP peer configuration

  • Question 417:

    Which two statements about Botnet Traffic Filter snooping are true? (Choose two)

    A. It can log and block suspicious connections from previously unknown bad domains and IP addresses
    B. It requires the Cisco ASA DNS server to perform DNS lookups.
    C. It requires DNS packet inspection to be enabled to filter domain names in the dynamic database
    D. It checks inbound traffic only
    E. It can inspect both IPv4 and IPv6 traffic
    F. It checks inbound and outbound traffic

  • Question 418:

    Which two of the following probes can be configured on Cisco Identity Services Engine? (Choose two.)

    A. DHCP
    B. RADIUS
    C. HTTP
    D. FTP
    E. CTS
    F. SXP

  • Question 419:

    Which three statements about EAP-Chaining are true? (Choose three)

    A. EAP-FAST does not allow multiple authentication binding and this limitation is used for mutual authentication in EAP-Chaining
    B. The EAP-FAST PAC provisioning phase is responsible to establish SSH tunnel between supplicant and ISE to perform EAP-Chaining
    C. It is enabled on Cisco AnyConnect NAM automatically when EAP-FAST user and machine authentication is enabled
    D. It allows user and machine authentication with one RADIUS/EAP session
    E. It is supported on the Windows 802.1x supplicant
    F. It can use only EAP-FAST, and it requires the use of Cisco AnyConnect NAM
    G. It is enabled on NAM automatically when EAP-TLS user and machine authentication is enabled

  • Question 420:

    You have been tasked with configuring URL Redirect for Cisco ISE posture validation. You need to create the URL Redirect ACLs on Cisco Switches and Cisco WLC. You will:

    A. Deny traffic to ISE on the switch ACL and permit traffic to ISE in the WLC ACL
    B. Permit traffic to ISE on the switch ACL and deny traffic to ISE in the WLC ACL
    C. Deny traffic on both the switch and the WLC ACLs
    D. Permit traffic on both the switch and the WLC ACLs
