400-251 Exam Details

  • Exam Code
    :400-251
  • Exam Name
    :CCIE Security Written
  • Certification
    :Cisco Certifications
  • Vendor
    :Cisco
  • Total Questions
    :665 Q&As
  • Last Updated
    :Dec 10, 2021

Cisco 400-251 Online Questions & Answers

  • Question 651:

    Which three of the following security services are offered by Cisco Web Security Appliance? (Choose three.)

    A. FTP over HTTP traffic inspection
    B. RTMP traffic inspection
    C. McAfee Anti-Virus Engine
    D. URL filtering
    E. Trend Micro Anti-Virus Engine
    F. DNS traffic inspection

  • Question 652:

    Refer to the exhibit. One of the Windows machines in your network is having a Dot1x authentication failure. Windows machines are setup to acquire an IP address from the DHCP server configured on the switch, which is supposed to hand over IP address from the 50.1.1.0/24 network, and forward AAA requests to the radius server at 161.1.7.14. Knowing that interface Gi0/2 on the switch may receive authentication requests from other devices and looking at the provided switch configuration, what could be the possible cause of this failure?

    aaa new model aaa authentication login default group radius aaa authentication login NO_AUTH none aaa authentication login vty local aaa authenticatio dot1x default group radius aaa authentication network default group radius aaa accounting dot1x default start-stop group radius ! username cisco privilege 15 password 0 cisco dot1x system-auth-control ! interface GigabitEthernet0/2 switchport mode access ip access-group Pre-Auth in authentication host-mode multi-auth authentication open authentication port-control auto dot1x pae authenticator ! vlan 50 interface Vlan50 ip address 50.1.1.1 255.255.255.0 ! ip dhcp excluded-address 50.1.1.1 ip dhcp pool pc-pool network 50.1.2.0 255.255.255.0 default-router 50.1.1.1 ! ip access-list extended Pre-Auth permit udp any eq bootpc any eq bootps deny ip any any !

    radius server ccie address ipv4 161.1.7.4 auth-port 1645 acct-port 1646 key cisco ! line con 0 login authentication NO_AUTH line vty 0 4 login authentication vty

    A. AAA login authentication is not configured.
    B. An incorrect radius server address is defined.
    C. Authentication port-control is not set on interface gi0/2.
    D. Authentication is not enabled on interface gi0/2.
    E. AAA dot1x authentication is not configured.
    F. An incorrect pre-authentication acl is configured.
    G. An incorrect dhcp pool is configured.

  • Question 653:

    ISE can be integrated with an MDM to ensure that only registered devices are allowed on the network, and use the MDM to push policies to the device. Devices can go in and out of compliance, either due to policy changes on the MDM server, or another reason. For a device that has already authenticated on the network and stays connected, but falls out of compliance, what can be done to ensure that a non- complaint device is checked periodically and re-assessed before allowing access to the network?

    A. Enable Change of authorization (CoA) on MDM
    B. FireAMP connector scan can be used to relay posture information to ISE via FireAMP cloud
    C. The MDM agent will automatically disconnect the device from the network when it is non-complaint
    D. Enable change of authorization (CoA) on ISE
    E. Enable Period Compliance Checking (PCC) on ISE
    F. The MDM agent periodically sends a packet with compliance info that the wireless controller can be used to limit network access

  • Question 654:

    Which statement about the Cisco AMP Virtual Private Cloud Appliance is true for deployments in cloud- proxy mode?

    A. The appliance can perform disposition lookups against the Protect DB without an internet connection
    B. The amp-sync tool syncs the threat-intelligence repository on the appliance on the AMP public cloud through the Update Host
    C. The appliance can automatically download threat-intelligence updates directly from the AMP public cloud
    D. The updates Host automatically downloads updates and deploys them to the Protect DB on a daily basis
    E. The appliance communicates directly with the endpoint connectors only

  • Question 655:

    Which statement is true regarding TLS security protocol?

    A. It is always recommended to disable TLS version 1.0 in the browser so that it on ly supports SSL for better security
    B. TLS version 1.0 is less secure than SSL version 3.0
    C. The TLS and SSL versions can interoperate in the client-server handshake
    D. You need to replace SSL certificate with TLS certificate for successful TLS operation
    E. It only supports data authentication for the client-server session using a browser
    F. There are differences between TLS and SSL version 2 and 3

  • Question 656:

    Which two statements about NetFlow Secure Event Logging on a Cisco ASA are true? (Choose two)

    A. It tracks configured collectors over TCP.
    B. It is supported only in single-context mode.
    C. It can export templates through NetFlow.
    D. It can be used without collectors.
    E. It supports one event type per collector.
    F. It can log different event types on the same device to different collectors.

  • Question 657:

    As a managed service provider, you have a mult tenant environment where your CSRs in different regions that are deployed at a cloud provider are terminating VPN tunnels from multiple customers in separate VRFs. Each of the regions has a subnet that is dedicated for the customer and so requires communication between the same customer networks in the sites through the CSR. Which method is the best way to achieve this connectivity using the internet as the only transport medium to access the other cloud regions?

    A. Deploy an MPLS over GRE VPN tunnel
    B. Set up a DMVPN, which provides this functionality with standard configuration.
    C. Create a VPN tunnel with multi-VRF encapsulation.
    D. Deploy multiple site-to-site tunnels, one for each customer VRF.

  • Question 658:

    In an effort to secure your enterprise campus network, any endpoint that connects to the network should authenticate before being granted access. For all corporate-owned endpoints, such as laptops, mobile phones and tables, you would like to enable 802.1x and once authenticated allow full access to the network. For all employee owned personal devices, you would like to use web authentication, and only allow limited access to the network. Which two authentication methods can ensure that an employee on a personal device can't use his or her Active Directory credentials to log on to the network by simply reconfiguring their supplicant to use 802.1x and getting unfettered access? (Choose two)

    A. Use PEAP-EAP-MSCHAPv2
    B. Use EAP-FAST
    C. Use EAP-TLS or EAP-TTLS
    D. Use EAP-MSCHAPv2
    E. Use PAP-CHAP-MSCHAP
    F. Use PEAP-EAP-TLS

  • Question 659:

    Which two options are benefits of the Cisco ASA transparent firewall mode? (Choose two)

    A. It can establish routing adjacencies.
    B. It can perform dynamic routing.
    C. It can be added to an existing network without significant reconfiguration.
    D. It supports extended ACLs to allow Layer 3 traffic to pass from higher to lower security interfaces.
    E. It provides SSL VPN support.

  • Question 660:

    Refer to the exhibit which two statement about the given IPV6 ZBF configuration are true? (Choose two)

    A. It provides backward compability with legacy IPv6 inspection
    B. It inspect TCP, UDP, ICMP and FTP traffic from Z1 to Z2.
    C. It inspect TCP, UDP, ICMP and FTP traffic from Z2 to Z1.
    D. It inspect TCP,UDP, ICMP and FTP traffic in both direction between z1 and z2.
    E. It passes TCP, UDP, ICMP and FTP traffic from z1 to z2.
    F. It provide backward compatibility with legacy IPv4 inseption.

Tips on How to Prepare for the Exams

Nowadays, the certification exams become more and more important and required by more and more enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare for the exam in a short time with less efforts? How to get a ideal result and how to find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provide not only Cisco exam questions, answers and explanations but also complete assistance on your exam preparation and certification application. If you are confused on your 400-251 exam preparations and Cisco certification application, do not hesitate to visit our Vcedump.com to find your solutions here.