400-251 Exam Details

  • Exam Code: 400-251
  • Exam Name: CCIE Security Written
  • Certification: Cisco Certifications
  • Vendor: Cisco
  • Total Questions: 665 Q&As
  • Last Updated: Dec 10, 2021

Cisco 400-251 Online Questions & Answers

  • Question 601:

    On a Cisco Wireless LAN Controller (WLC), which web policy enables failed Layer 2 authentication to fall back to WebAuth authentication with a user name and password?

    A. On MAC Filter Failure
    B. Passthrough
    C. Splash Page Web Redirect
    D. Conditional Web Redirect
    E. Authentication

  • Question 602:

    Which command is used to enable 802.1x authentication on an interface?

    A. authentication port-control auto
    B. aaa authorization auth-proxy default
    C. aaa authorization network default group tacacs+
    D. authentication control-direction both
    E. authentication open

  • Question 603:

    Refer to the exhibit. Which two effects of this configuration are true? (Choose two)

    CertBus-SwitchA(config)# cgmp leave-processing

    A. IGMPv2 leave group messages are stored in the switch CAM table for faster processing
    B. Hosts send leave group messages to the all-router multicast address when they want to stop receiving data for that group
    C. It improves the processing time of CGMP leave messages
    D. Hosts send leave group messages to the Solicited-Node Address multicast address FF02::1:FF00:0000/104
    E. It optimizes the use of network bandwidth on the LAN segment
    F. It allows the switch to detect IGMPv2 leave group messages

  • Question 604:

    Refer to the exhibit. One of the Windows machines in your network is experiencing a dot1x authentication failure. Windows machines are set up to acquire an IP address from the DHCP server configured on the switch, which is supposed to hand out IP addresses from the 50.1.1.0/24 network and forward AAA requests to the RADIUS server at 161.1.7.14 using the shared key "cisco". Knowing that interface Gi0/2 on the switch may receive authentication requests from other devices, and looking at the provided switch configuration, what could be the cause of this failure?

    aaa new model
    aaa authentication login default group radius
    aaa authentication login NO_AUTH none
    aaa authentication login vty local
    aaa authenticatio dot1x default group radius
    aaa authentication network default group radius
    aaa accounting dot1x default start-stop group radius
    !
    username cisco privilege 15 password 0 cisco
    !
    interface GigabitEthernet0/2
     switchport mode access
     ip access-group Pre-Auth in
     authentication host-mode multi-auth
     authentication open
     authentication port-control auto
     dot1x pae authenticator
    !
    vlan 50
    interface Vlan50
     ip address 50.1.1.1 255.255.255.0
    !
    ip dhcp excluded-address 50.1.1.1
    ip dhcp pool pc-pool
     network 50.1.1.0 255.255.255.0
     default-router 50.1.1.1
    !
    ip access-list extended Pre-Auth
     permit udp any eq bootpc any eq bootps
     deny ip any any
    !
    radius server ccie
     address ipv4 161.1.7.4 auth-port 1645 acct-port 1646
     key cisco
    !
    line con 0
     login authentication NO_AUTH
    line vty 0 4
     login authentication vty

    A. authentication port-control has not been on gi0/2
    B. an incorrect radius server address is defined
    C. an incorrect pre-authentication acl has been configured
    D. aaa dot1x authentication has not been not configured
    E. an incorrect dhcp pool has been not configured
    F. an incorrect dhcp pool has not configured
    G. aaa login authentication is not configured
    H. authentication is not enabled on gi0/2

  • Question 605:

    Which three Cisco attributes for LDAP authorization are supported on the ASA? (Choose three)

    A. Web-VPN-ACL-Filters
    B. IPsec-Default-Domain
    C. IPsec-Client-Firewall-Name
    D. Authorization-Type
    E. L2TP-Encryption
    F. Authenticated-User-idle-Timeout

  • Question 606:

    Which statement about Dynamic ARP inspection is true?

    A. It requires that DHCP snooping be disabled to build valid binding database
    B. It validates ARP requests and responses on untrusted ports using MAC address table
    C. It drops invalid ARP responses and requests on the switch untrusted ports
    D. It validates ARP requests and responses on trusted ports using IP-to-MAC address binding
    E. It is supported only in DHCP environments to detect invalid ARP requests and responses
    F. It forwards invalid ARP responses and requests on switch untrusted ports

  • Question 607:

    DRAG DROP

    Drag each step in the configuration of Flexible NetFlow IPv6 traffic unicast flows on the left into the correct order of operation on the right.

    Select and Place:

  • Question 608:

    DRAG DROP

    Drag each Cisco TrustSec feature on the left to its description on the right.

    Select and Place:

  • Question 609:

    Refer to the exhibit. The ASA at 150.1.7.43 is configured to receive the IP address to SGT mapping from ISE at 161.1.7.14. Which statement about this packet capture from Wireshark is true?

    A. The TACACS connection keep alive using UDP originated from ASA
    B. The SXP message uses TCP port 64999 for connection termination
    C. The RADIUS connection keep alive using TCP originated from ISE
    D. The SXP message uses MD5 for authentication and integrity check.
    E. The ISE keep alive message for NDAC connection using TCP originated from ASA
    F. The NTP keep alive message using UDP originated from ISE
    G. The SXP keep alive message for SXP connection using UDP originated from ASA

  • Question 610:

    You have an ISE deployment with 2 nodes that are configured as PAN and MnT (Primary and Secondary), and 4 Policy Services Nodes. How many additional PSNs can you add to this deployment?

    B. 1
    C. 3
    D. 5
    E. 4
    F. 2
