400-251 Exam Details

  • Exam Code: 400-251
  • Exam Name: CCIE Security Written
  • Certification: Cisco Certifications
  • Vendor: Cisco
  • Total Questions: 665 Q&As
  • Last Updated: Dec 10, 2021

Cisco 400-251 Online Questions & Answers

  • Question 511:

    ISE is configured to use MsCHAPv2 inner method for PEAP authentication of users. What set of credentials needs to be exchanged between ISE and the client for successful establishment of the PEAP tunnel and subsequent authentication?

    A. Username and Password from ISE and the client
    B. Identity certificate from ISE, Machine Identity certificate from the client and username and Password of the user
    C. Identity certificate from ISE and user identity certificate from the client
    D. Identity certificate from ISE and Username and Password of the user from the client

  • Question 512:

    Which two limitations of ISE inline posture are true?

    A. The Cisco Discovery Protocol is not supported
    B. QoS is not supported in a virtual environment
    C. The Simple Network Management Protocol agent is not supported
    D. Flexible NetFlow is not supported
    E. Multicast is not supported

  • Question 513:

    DRAG DROP

    Drag and drop step in the flow of packets on a DMVPN network using GDOI on the left into the correct sequence on the right.

    Select and Place:

  • Question 514:

    Which statement about encryption headers on the Cisco ESA is true?

    A. The optional Cisco IronPort Encryption appliance provides extended encryption headers.
    B. They can be applied to outgoing messages only to force more secure message handling than is provided by the current encryption settings on the ESA
    C. Content filters can be applied to add encryption headers to outgoing messages only
    D. They can be configured to enable return receipt, expire messages and prevent the recipient from forwarding the message
    E. The encryption settings defined in a profile can override the encryption header in a message
    F. The X-PostX-Use Script encryption header disables JavaScript in the message, which forces it to open locally on the recipient's computer

  • Question 515:

    Which statement about TLS support on the ESA is true?

    A. By default the ESA encrypts all messages before sending them over a TLS connection
    B. You can configure a content filter to encrypt a message with TLS immediately after the ESA receives it
    C. If the destination controls of a domain are set to TLS Required and the TLS connection is down, the ESA
    D. TLS can secure messages for point-to-point transmission
    E. If the destination controls of a domain are set to None, email messages are sent over TLS if it is available
    F. If the destination controls of a domain are set to TLS Required and the TLS connection is down, the ESA query connection comes up
    G. If the destination controls of a domain are set to TLS Required and the TLS connection is down, the ESA encryption over a non-TLS connection

  • Question 516:

    How does the Cisco Firepower Decrypt-known method perform SSL decryption on inbound traffic?

    A. The system identifies the server certificate during the SSL handshake and downloads the associated private key from the CA to decrypt the traffic
    B. The system matches the incoming server certificate to a previously stored certificate on the server and uses the private key to decrypt the traffic
    C. The system uses a CA certificate on the server to re-sign the exchanged server certificate, then uses the private key of the CA certificate to decrypt the traffic
    D. The system uses a CA certificate on the server to re-sign the exchanged server certificate, then uses a separate private key to decrypt the traffic

  • Question 517:

    Refer to the exhibit. Which effect of this configuration is true?

    A. Users attempting to access the console port are authenticated against the TACACS+ server.
    B. The device tries to reach the server every 24 hours and falls back to the LOCAL database if it fails.
    C. If TACACS+ authentication fails, the ASA uses Cisco 123 as its default password.
    D. The servers in the TACACS+ group are reactivated every 1440 seconds.
    E. Any VPN user with a session timeout of 24 hours can access the device.

  • Question 518:

    Which requirement for the FTD high availability setup is true?

    A. Units must be in different domains in FMC
    B. Units must have DHCP configured for the Interfaces
    C. Units must not have the same major, minor, and maintenance software version running on them
    D. Units can have any uncommitted changes on FMC and need not be fully deployed
    E. Units must be synchronized using the same NTP source.
    F. Units must be configured in routed mode
    G. Units must be configured in transparent mode

  • Question 519:

    Refer to the exhibit. Which effect of this configuration is true?

    RTR-A(config-if)# ipv6 mld report-link local-groups

    A. It enables MLD query messages for all link-local groups.
    B. It enables local group membership for MLDv1 and MLDv2.
    C. It enables hosts to send MLD report messages for groups in 224.0.0.0/24.
    D. It enables the host to send MLD report messages for nonlink local groups.
    E. It configures the node to generate a link-local group report when it joins the solicited-node multicast group.

  • Question 520:

    A hosted service provider is planning to use firewall contexts in its multitenant environment and will manage these firewalls on behalf of its customers and allow them access to it for monitoring. For management purposes, the lead architect of the service provider has decided to connect this management interface to a single shared management zone VLAN (901) and allocate each context a unique IP from the assigned range of this VLAN. Which three statements about this design are true? (Choose three)

    A. Though this design is valid, a physical interface cannot be allocated to multiple contexts due to ASA traffic classifier restrictions; this is only possible with subinterfaces.
    B. This design concept is valid and requires some modifications. However, it would be more secure to only allow customer management access from the data VLANs in their hosted environment to ensure adequate Layer 2/Layer 3 separation between tenants
    C. The ASA multicontext traffic classifier works differently for shared interfaces that exist on the same VLAN and have the same MAC address when NAT is in use, other rules are applied when NAT is not in use.
    D. The ASA classifier works only for data interfaces and not for management interfaces. The No Management-only command must be applied for this concept to work.
    E. This design concept is not valid because it is not possible to allocate a physical interface to all contexts due to ASA traffic classifier restrictions; this is only possible with subinterfaces.
    F. Subinterfaces of the interface can be allocated only to contexts and not the actual management physical interface
    G. The design for the management zone does not work unless unique MAC addresses are assigned

Tips on How to Prepare for the Exams

Nowadays, certification exams are becoming more and more important and are required by more and more enterprises when applying for a job. But how do you prepare for the exam effectively? How do you prepare for the exam in a short time with less effort? How do you get an ideal result, and how do you find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provides not only Cisco exam questions, answers and explanations but also complete assistance with your exam preparation and certification application. If you are confused about your 400-251 exam preparation and Cisco certification application, do not hesitate to visit Vcedump.com to find your solutions here.