400-251 Exam Details

  • Exam Code: 400-251
  • Exam Name: CCIE Security Written
  • Certification: Cisco Certifications
  • Vendor: Cisco
  • Total Questions: 665 Q&As
  • Last Updated: Dec 10, 2021

Cisco 400-251 Online Questions & Answers

  • Question 521:

    Which of the following statements about Cisco TrustSec is incorrect?

    A. SGT Exchange Protocol (SXP) is required for SGT propagation
    B. Cisco TrustSec enforcement points can be a router, switch, or firewall
    C. Cisco TrustSec uses the Security Group Tag (SGT) to enforce group access policies
    D. A Cisco Firewall can perform stateful packet inspection based on SGT rules
    E. IKEv2 can be used to negotiate and inform IPsec about SGT capability

  • Question 522:

    Which statement about DKIM signing in ESA is true?

    A. The receiving server gets the signing public key from ISE
    B. The ESA does not allow the creation of a signing key pair
    C. The signing public key is required by the sending server
    D. The signing private key is required by the receiving server
    E. The receiving server gets the public key from the DNS
    F. The domain profile is used to associate the receiving domain with the signing key

  • Question 523:

    What are the two available firewall modes on the Cisco NGFW? (Choose two.)

    A. Transparent
    B. ERSPAN
    C. Inline Pair
    D. Passive
    E. Routed
    F. Inline Tap

  • Question 524:

    What one policy element is mandatory to create a Posture Requirement in ISE?

    A. Posture Condition
    B. Posture Remediation Action
    C. Posture Policy
    D. Authorization Profile

  • Question 525:

    Which statement about zone-based policy firewall implementation is true?

    A. If an interface belongs to a zone, then the traffic to and from that interface is always allowed
    B. All the interfaces of the device cannot be part of the same zone
    C. A zone pair can have a zone as both source and destination
    D. An interface can be a member of multiple zones
    E. If default zone is enabled, then traffic from zone interface to non-zone interface is dropped
    F. By default, traffic between the interfaces in the same zone is dropped

  • Question 526:

    Which statement about Local Web Authentication is true?

    A. It can use VLANs and ACLs to enforce authorization
    B. It supports Change of Authorization and VLAN enforcement
    C. It supports posture and profiling services
    D. The ISE serves web pages
    E. The network device handles guest authentication
    F. The Web portal can be customized locally or managed by the ISE

  • Question 527:

    Which statement is not true about Passive Authentication using WMI?

    A. The session directory information can be shared with ecosystem partners, such as firewalls and web security appliances.
    B. The identity is not a part of the Kerberos authentication that occurs as part of the normal Active Directory processes.
    C. The AD authentication triggers a notification through WMI.
    D. ISE is subscribed to those WMI messages and learns about the authentication event, the user ID, and the source IP address of that authentication.
    E. ISE performs an AD lookup and learns the user's group membership, adding the information to the session directory.

  • Question 528:

    How does a Cisco ISE server determine whether a client supports EAP chaining?

    A. It sends an identity-type TLV to the client and analyzes the response.
    B. It analyzes the options field in the TCP header of the first packet it receives from the client
    C. It analyzes the X.509 certificate it received from the client through the TLS tunnel.
    D. It sends an MD5 challenge to the client and analyzes the response
    E. It analyzes the EAPoL message the client sends during the initial handshake

  • Question 529:

    DRAG DROP

    Drag each EAP variant in the 802.1X framework to the matching statement on the right.

    Select and Place:

  • Question 530:

    Which are two of the valid IPv6 extension headers? (Choose two)

    A. Options
    B. Authentication Header
    C. Mobility
    D. Protocol
    E. Next Header
    F. Hop Limit

Tips on How to Prepare for the Exams

Certification exams are becoming more and more important, and more and more enterprises require them of job applicants. But how do you prepare for the exam effectively? How do you prepare in a short time with less effort? How do you get an ideal result, and how do you find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provides not only Cisco exam questions, answers and explanations but also complete assistance with your exam preparation and certification application. If you are confused about your 400-251 exam preparation and Cisco certification application, do not hesitate to visit Vcedump.com to find your solutions.