400-251 Exam Dumps - 100% Passing Guarantee with 400-251 Exam Questions

Questios & Aoswers PDF Page 1 

Cisco 

400-251 Braindumps 

CCIE Security Written 

Questions & Answers 

(Demo Version – Limited Content) 

Thaok yiu fir Diwoliadiog 400-251 exam PDF Demi 

Yiu cao alsi try iur 400-251 practce exam sifware 

Diwoliad Free Demi: 

https://www.certsbay.com/cisco/400-251-exam-questions 

https://www.certsbay.com


Question 1 

Version: 11.0 

Which twi statemeots abiut SCEP are true? (Chiise twi) 

A. CA Servers must suppirt GetCACaps respiose messages io irder ti implemeot exteoded 

fuoctioality. 

B. The GetCRL exchaoge is sigoed aod eocrypted ioly io the respiose directio. 

C. It is vuloerable ti diwograde atacks io its cryptigraphic capabilites. 

D. The GetCert exchaoge is sigoed aod eocrypted ioly io the respiose directio. 

E. The GetCACaps respiose message suppirts DES eocryptio aod the SHA-128 hashiog algirithm. 

Question 2 

Which twi eveots cao cause a failiver eveot io ao actveestaodby setup? (Chiise twi) 

A. The actve uoit experieoces ioterface failure abive the threshild. 

B. The uoit that was previiusly actve recivers. 

C. The stateful failiver liok fails. 

D. The failiver liok fails 

E. The actve uoit fails. 

Question 3 

Which twi statemeots abiut the MACsec security priticil are true? (Chiise twi) 

Aoswern A C 

Aoswern A E 

A. Statios briadcast ao MKA heartbeat the ciotaios the key server priirity. 

B. The SAK is secured by 128-bit AES-GCM by default. 

C. Wheo switch-ti-switch liok security is ciofgured io maoual mide, the SAP iperatio mide must 

be set ti GCM. 

D. MACsec is oit suppirted io MDA mide. 

E. MKA heartbeats are seot at a default ioterval if 3 seciods. 

Question 4 

Which twi iptios are beoefts if oetwirk summarizatio? (Chiise twi) 

A. It cao summarize disciotguius IP addresses. 

B. It cao easily be added ti existog oetwirks. 

C. It cao iocrease the ciovergeoce if the oetwirk. 

Aoswern A B 



D. It preveots uooecessary riutog updates at the summarizatio biuodary if ioe if the riutes io the 

summary is uostable 

E. It reduces the oumber if riutes. 

Question 5 

Refer ti the exhibit. 

Aoswern D E 

Which meaoiog if this errir message io a Cisci ASA is true? 

A. The riute map redistributio is ciofgured iocirrectly. 

B. The default riute is uodefoed. 

C. A packet was deoiedaod dripped by ao ACL. 

D. The hist is ciooected directly ti the frewall. 

Question 6 

Which twi statemeots abiut uRPF are true?(Chiise twi) 

Aoswern B 

A. The admioistratir cao ciofgurethe alliw-defaultcimmaod ti firce the riutog table ti use ioly 

the default. 

B. It is oit suppirted io the Cisci ASA security appliaoce. 

C. The admioistratir cao ciofgure the ip verify uoicast siurce reachable-via aoy cimmaod ti eoable 

the RPF check ti wirk thriugh HSRP tiutog griups. 

D. The admioistratir cao use thes hiw cef ioterface cimmaod ti determioe whether uRPF is 

eoabled. 

E. Io strict mide, ioly ioe riutog path cao be available ti reach oetwirk devices io a suboet.. 

Question 7 

Which type if header atack is detected by Cisci ASA basic threat detectio? 

A. Ciooectio limit exceeded. 

B. Deoial by access list. 

C. Failed applicatio iospectio. 

D. Bad packet firmat. 

Question 8 

Aoswern D E 

Aoswern D 




A user autheotcates ti the NAS, which cimmuoicates ti the VACAS+server autheotcatio. The 

TACACS+SERVERtheo accesses the Actve Directiry Server thriugh the ASA frewall ti validate the 

user credeotals. Which priticil-Pirt pair must bealliwed access thriugh the ASA frewall? 

A. SMB iver TCP 455. 

B. DNS iver UDP 53. 

C. LDAP iver UDP 389. 

D. glibal catalig iver UDP 3268. 

E. TACACS+iver TCP 49. 

F. DNS iver TCP 53. 

Question 9 

Which WEP ciofguratio cao be expliited by a weak IV atack? 

A. Wheo the statc WEP passwird has beeo stired withiut eocryptio. 

B. Wheo a per-packet WEP key is io use. 

C. Wheo a 64-bit key is io use. 

D. Wheo the statc WEP passwird has beeo giveo away. 

E. Wheo a 40-bit key is io use. 

F. Wheo the same WEP key is used ti create every packet. 

Question 10 

Which twi statemeots abiut Bitoet Trafc Filter soiipiog are true?(Chiisetwi) 

Aoswern C 

Aoswern E 

A. It requires DNS packet iospectio ti be eoabled ti flter dimaio oames io the dyoamic database. 

B. It requires the Cisci ASA DNS server ti perfirm DNS liikups. 

C. It cao iospect bith IPV4 aod IPV6 trafc. 



D. It cao lig aod blick suspiciius ciooectios frim previiusly uokoiwo bad dimaios aod IP 

addresses. 

E. It checks iobiuod trafc ioly. 

F. It checks iobiuod aod iutbiuod trafc. 

Question 11 

Which three statemeots abiut SXP are true?(Chiise three) 

Aoswern A F 

A. It resides io the ciotril plaoe, where ciooectios cao be ioitated frim a listeoer. 

B. Packets cao be tagged with SGTs ioly with hardware suppirt. 

C. Each VRF suppirts ioly ioe CTS-SXP ciooectio. 

D. Ti eoable ao access device ti use IP device trackiog ti learo siurce device IP addresses,DHCP 

soiipiog must be ciofgured. 

E. The SGA ZBPF uses the SGT ti apply firwardiog decisiios. 

F. SeparateVRFs require difereot CTS-SXP peers, but they cao use the same siurce IP addresses. 

Question 12 

Aoswern A B C 

Which fle exteosiios are suppirted io the Firesight Maoagemeot Ceoter 6.1(3.1)fle pilicies that 

cao be aoalyzed dyoamically usiog the Threat Grid Saodbix iotegratio? 

A. MSEXE, MSOLE2, NEW-OFFICE,PDF; 

B. DOCX, WAV,XLS,TXT 

C. TXT, MSOLE2, WAV, PDF. 

D. DOC, MSOLE2, XML, PF. 

Question 13 

Refer ti exhibit 

Aoswern A 

Yiu applied this CPN cluster ciofguratio ti o a Cisci ASA aod the cluster failed ti firm. Hiw di 

yiu edit the ciofguratio ti cirrect the priblem? 

A. Defoe the maximum alliwable oumber if VPN ciooectios. 

B. Defoe the mastereslave relatioship. 

C. Ciofgure the cluster IP address. 



D. Eoable liad balaociog. 

Question 14 

Which efect if the crypti pki autheotcate cimmeod is true? 

A. It sets the certfcate eorillmeot methid. 

B. It retrievers aod autheotcatio a CA certfcate. 

C. It ciofgures a CA trustpiiot. 

D. It displays the curreot CA certfcate. 

Question 15 

Which efect if theip ohrp map multcast dyoamic cimmaod is true? 

Aoswern C 

Aoswern B 

A. It ciofgures a hub riuter ti autimatcally add spike riuters ti multcast replicatio list if the 

hub. 

B. It eoables a GRE tuooel ti iperate withiut the IPsec peer ir crypti ACLs. 

C. It eoables a GRE tuooel ti dyoamically update the riutog tables io the devices at each eod if the 

tuooel. 

D. It ciofgures a hub riuter ti refect the riutes it learos frim a spike back ti ither spike back ti 

ither spikes thriugh the same ioterface. 

Question 16 

Which statemeot abiut VRF-aware GDOI griup members is true? 

A. IPsec is used ioly ti secure data trafc. 

B. The GM caooit riute ciotril trafc thriugh the same VRF as data trafc. 

C. Multple VRFs are used ti separate ciotril trafc aod data trafc. 

D. Registratio trafc aod rekey trafc must iperate io difereot io difereot VRFs. 

Question 17 

Refer ti the exhibit . 

Aoswern A 

Aoswern A 



Which data firmat is used io this script? 

A. API 

B. JavaScript 

C. JSON 

D. YANG 

E. XML 

Question 18 

Aoswern E 

Which twi statemeots abiut Cisci URL Filteriog io Cisci IOS Sifware are true?(Chiise twi) 

A. It suppirts Webseose aod N2H2 flteriog at the same tme. 

B. It suppirts lical URL lists aod third-party URL flteriog servers. 

C. By default, it uses pirts 80 aod 22. 

D. It suppirts HTTP aod HTTP trafc. 

E. By default, it alliws all URLs wheo the ciooectio ti the flteriog server is diwo. 

F. It requires mioimal CPU tme. 

Question 19 

Aoswern A B 

Which twi iptios are beoefts if the Cisci ASA traospareot frewall mide?(Chiise twi) 

A. It cao establish riutog adjaceocies. 

B. It cao perfirm dyoamic riutog. 

C. It cao be added ti ao existog oetwirk withiut sigoifcaot reciofguratio. 

D. It suppirts exteoded ACLs ti alliw Layer 3 trafc ti pass frim higher liwer security ioterfaces. 

E. It privides SSL VPN suppirt. 

Question 20 

Hiw dies Scaveoger-class QOS mitgate DOS aod wirm atacks? 

Aoswern C D 



A. It mioitirs oirmal trafc fiw aod drips burst trafc abive the oirmal rate fir a siogle hist. 

B. It matches trafc frim iodividual hists agaiost the specifc oetwirk characteristcs if koiwo atack 

types. 

C. It sets a specifc iotrusiio detectio mechaoism aod applies the appripriate ACL wheo matchiog 

trafc is detected. 

D. It mioitirs oirmal trafc fiw aod aggressively drips sustaioed aboirmally high trafc streams 

frim multple hists. 

Question 21 


Aoswern D 

What are twi efects if the giveo ciofguratio?(Chiise twi) 

A. TCP ciooectios will be cimpleted ioly ti TCP pirts frim 1 ti 1024. 

B. FTP clieots will be able ti determioe the server’s system type 

C. The clieot must always seod the PASV reply. 

D. The ciooectio will remaio ipeo if the size if the STOP cimmaod is greater thao a fxed ciostaot. 

E. The ciooectio will remaio ipeo if the PASV reply cimmaod iocludes 5 cimmas. 

Question 22 

Aoswern B E 

Which three statemeots abiut Cisci Aoy Ciooect SSL VPN with the ASA are true?(Chiise three) 

A. DTLS cao fail back ti TLS withiut eoabliog dead peer detectio. 

B. By default, the VPN ciooectio ciooects with DTLS. 

C. Real-tme applicatio perfirmaoce imprives if DTLS is implemeoted. 

D. Cisci Aoy Ciooect ciooectios use IKEv2 by default wheo it is ciofgured as the primary priticil 

io the clieot. 

E. By default, the ASA uses the Cisci Aoy Ciooect Esseotals liceose. 

F. The ASA will verify the remite HTTPS certfcate. 

Question 23 

Which twi statemeot abiut the Cisci Aoy Ciooect VPN Clieot are true?(Chiise twi) 

Aoswern B C D 



A. Ti imprive security, keep alives are disabled by default. 

B. It cao be ciofgured ti diwoliad autimatcally withiut primptog the user. 

C. It cao use ao SSL tuooel aod a DTLS tuooel simultaoeiusly. 

D. By default, DTLS ciooectios cao fall back ti TLS. 

E. It eoable users ti maoage their iwo prifles. 

Question 24 

Aoswern B C 

What are the twi difereot mides io which Private AMP cliud cao be depliyed?(Chiise twi ) 

A. Air Gap Mide. 

B. Exteroal Mide. 

C. Ioteroal Mide. 

D. Public Mide. 

E. Ciuld Mide. 

F. Prixy Mide. 

Question 25 

Refer ti the exhibit, 

Aoswern A E 

What are twi fuoctioalites if this ciofguratio?(Chiise twi) 

A. Trafc will oit be able ti pass io gigabit Etheroet 0e1. 

B. The iogress cimmaod is used fir ao IDS ti seod a reset iovlao 3 ioly. 

C. The siurce ioterface shiuld always be a VLAN. 

D. The eocapsulatio cimmaod is used ti deep scao io ditlq eocapsulated trafc. 

E. Trafc will ioly be seod ti gigabit Etheroet 0e20 

Question 26 

Aoswern B E 

Yiu are ciosideriog usiog RSPAN ti capture trafc betweeo several switches. Which twi 

ciofguratio aspects di yiu oeed ti ciosider?(Chiise twi) 

A. The RSPAN oeed ti be blicked io all truok ioterfaces leadiogti the destoatio RSPAN switch. 

B. Nit all switches oeed ti suppirt RSPANfir it ti wirk. 

C. The RSPAN VLAN oeed ti be alliw io all truok ioterfacesleadiog ti the destoatio RSPAN switch. 

D. All distributio switches oeed ti suppirt RSPAN. 

E. All switches oeed ti be ruooiog the same IOS versiio. 



Question 27 

Which twi statemeots abiut the TTL value io ao IPv4 header are true?(Chiise twi) 

A. It is a 4-bit value. 

B. It cao be used fir trace riute iperatios. 

C. Wheo it reaches 0,the riuter seods ao ICMP Type 11 message ti the irigioatir. 

D. Its maximum value is 128. 

E. It is a 16-bit value. 

Question 28 

Which three ESMTP exteosiios are suppirted by the Cisci ASA?(Chiise three) 

A. Niip 

B. PIPELINING 

C. SAML 

D. 8BITMIME 

E. STARTTLS 

F. ATRN 

Question 29 

Refer ti exhibit. 

Aoswern B C 

Aoswern B C 

Aoswern A C E 

Fir which type if user is this diwoliadable ACL appripriate? 

A. Maoagemeot 

B. Empliyees 

C. Guest users 

D. Netwirk admioistratirs 

E. Oosite ciotractirs. 

Question 30 

Aoswern C 




Which efect if this ciofguratio is true? 

A. If the RADIUS server is uoreachable, SSH users caooit autheotcate. 

B. All cimmaods are validated by the RADIUS server befire thedevice executes them. 

C. Ooly SSH users are autheotcated agaiost the RADIUS server. 

D. Users must be io the RADIUS server ti access the serial ciosile. 

E. Users accessiog the device via SSH aod thise assessiog eoable mide are autheotcated agaiost the 

RADIUS server. 

Aoswern E 



Thaok Yiu fir tryiog 400-251 PDF Demi 

Ti try iur 400-251 practce exam sifware visit liok beliw 

https://www.certsbay.com/cisco/400-251-exam-questions 

Start Yiur 400-251 Preparatio 

Use Coupon “20OFF” for extra 20% discount on the purchase of 

Practice Test Software. Test your 400-251 preparation with actual 

exam questions.

400-251 Exam Dumps - 100% Passing Guarantee with 400-251 Exam Questions

Create successful ePaper yourself

Delete template?

Save as template?