400-251 Exam Details

  • Exam Code: 400-251
  • Exam Name: CCIE Security Written
  • Certification: Cisco Certifications
  • Vendor: Cisco
  • Total Questions: 665 Q&As
  • Last Updated: Dec 10, 2021

Cisco 400-251 Online Questions & Answers

  • Question 431:

    Which attribute cannot be used in Mobile Device Management (MDM) Authorization policy?

    A. DaysSinceLastCheckin
    B. DeviceRegistrationStatus
    C. MDMServername
    D. MDMServerReachable
    E. NetworkAccess:EAPChainingResult

  • Question 432:

    Which statement about MDM is true?

    A. It can support endpoints without requiring them to register
    B. If an authorized user refreshes the web browser, the session must be reauthorized with the LDAP server
    C. Cisco ISE communicates with the MDM server by way of REST API calls
    D. MDM policies can be configured with as few as two attributes
    E. It reports the IP address of the endpoint to the Cisco ISE as the input parameter of the endpoint
    F. Each Cisco ISE node requires its own MDM server

  • Question 433:

    Which evasion technique is used by the attacker?

    A. ACL implementation to drop unwanted traffic
    B. URL filtering to block malicious sites
    C. resource exhaustion
    D. NAT translations on routers and switches
    E. Telnet to launch device administrative session
    F. port access using Dot1x

  • Question 434:

    Refer to the exhibit. Which two statements about the given IPv6 ZBF configuration are true? (Choose two)

    R1(config)# parameter-map type inspect param-map
    R1(config-profile)#sessions maximum 10000
    R1(config-profile)#ipv6 routing-header-enforcement loose
    R1(config-profile)#
    R1(config-profile)#class-map type inspect match-any class
    R1(config-cmap)#match protocol tcp
    R1(config-cmap)#match protocol udp
    R1(config-cmap)#match protocol icmp
    R1(config-cmap)#match protocol ftp
    R1(config-cmap)#
    R1(config-cmap)#policy-map type inspect policy
    R1(config-pmap)#class type inspect class
    R1(config-pmap-c)#inspect param-map
    R1(config-pmap-c)#
    R1(config-pmap-c)#zone security z1
    R1(config-sec-zone)#zone security z2
    R1(config-sec-zone)#
    R1(config-sec-zone)#zone-pair security zp source z1 destination z2
    R1(config-sec-zone-pair)#service-policy type inspect policy

    A. It passes TCP, UDP, ICMP, and FTP Traffic in both directions between z1 and z2.
    B. It provides backward compatibility with legacy IPv4 inspection.
    C. It passes TCP, UDP, ICMP and FTP traffic from z1 and z2.
    D. It inspects TCP, UDP, ICMP and FTP traffic from z2 and z1.
    E. It provides backward compatibility with legacy IPv6 inspection.
    F. It inspects TCP, UDP, ICMP, and FTP traffic from z1 and z2.

  • Question 435:

    Which of the following IOS IPsec transform-set configurations provides both encryption and integrity protection?

    A. esp-sha512-hmac
    B. esp-sha256-hmac
    C. esp-gcm 128
    D. esp-gmac 128
    E. esp-aes 256

  • Question 436:

    Which command is required for the botnet filter on Cisco ASA to function properly?

    A. dynamic-filter inspect tcp /80
    B. dynamic-filter whitelist
    C. inspect botnet
    D. inspect dns dynamic-filter-snoop

  • Question 437:

    You are inspecting Cisco Email Security Appliance (ESA) mail_logs, and find the following log lines:

    Which of the following statements are true regarding this email message? (Choose two.)

    A. Default Incoming Email Policy was used
    B. Multiple Anti-Virus engines were used to scan the email message
    C. Message ID (MID) 792 was scanned by VOF (Virus Outbreak Filters)
    D. Message was delivered to the recipient [email protected]
    E. Incoming Content Filter was used in Incoming Mail Policy
    F. Message was not delivered to the recipient [email protected]
    G. E-mail message was successfully delivered to the destination SMTP server responsible for ccie.local domain

  • Question 438:

    Which statement is true regarding the wireless security technologies?

    A. WPA provides message integrity using AES.
    B. WPA2 PSK mode allows the passphrase to be stored locally on the device.
    C. WEP is more secure than WPA2 because it uses AES for encryption.
    D. WPA2-ENT mode does not require RADIUS for authentication
    E. WPA2-PSK mode provides better security by having same passphrase across the network.
    F. WPA2 is more secure than WPA because it uses TKIP for encryption.

  • Question 439:

    Which statement about password encryption and integrity on a Cisco IOS device is true?

    A. The "service password-encryption" global command performs encryption and hashing of all the passwords
    B. The "enable secret" uses DES for the password hashing
    C. The "service password-encryption" global command encrypts all the passwords except for CHAP password
    D. The enable secret is preferred over enable password because of encryption
    E. The "username secret " command encrypts the password with SHA-256 hashing
    F. When "enable secret" is missing from the configuration, the console session cannot get privilege access using console password due to missing encryption

  • Question 440:

    Refer to the exhibit. One of the Windows machines in your network is having connectivity issues using 802.1x. Windows machines are set up to acquire an IP address from the DHCP server configured on the switch, which is supposed to hand over IP addresses from the 50.1.1.0/24 network, and forward AAA requests to the RADIUS server at 161.1.17.14 using shared key "cisco". Knowing that interface Gi0/2 on the switch may receive authentication requests from other devices and looking at the provided switch configuration, what could be the possible cause of this failure?

    aaa new-model
    aaa authentication login default group radius
    aaa authentication login NO_AUTH
    aaa authentication login vty local
    aaa authentication dot1x default group radius
    aaa accounting dot1x default start-stop group radius
    !
    username cisco privilege 15 password 0 cisco
    dot1x system-auth-control
    !
    interface GigabitEthernet0/2
     switchport mode access
     ip access-group Pre-Auth in
     authentication host-mode multi-auth
     authentication open
     authentication port-control auto
     dot1x pae authenticator
    !
    vlan 50
    interface Vlan50
     ip address 50.1.1.1 255.255.255.0
    ip dhcp excluded-address 50.1.1.1
    ip dhcp pool pc-pool
     network 50.1.1.0 255.255.255.0
     default-router 50.1.1.1
    !
    ip access-list extended Pre-Auth
     permit udp any eq bootpc any eq bootps
     deny ip any any
    !
    radius server ccie
     address ipv4 161.1.7.14 auth-port 1645 acct-port 1646
     key cisco
    !
    line con 0
     login authentication NO_AUTH
    line vty 0 4
     login authentication vty

    A. authentication for multiple hosts not configured on interface Gi0/2
    B. aaa network authorization is not configured
    C. an incorrect ip address is configured for SVI 50
    D. an incorrect default route is pushed on supplicant from SW1
    E. 802.1X authentication is not enabled on interface Gi0/2
    F. an incorrect radius server address is defined
    G. 802.1X is disabled on the switch
