High Value 400-251 Bundle 2020



We provide tested Cisco 400-251 practice tests, which are the best for clearing the 400-251 test and getting certified by the Cisco CCIE Security Written Exam. The 400-251 Questions & Answers cover all the knowledge points of the real 400-251 exam. Crack your Cisco 400-251 Exam with the latest dumps, guaranteed!

Online 400-251 free questions and answers of New Version:

NEW QUESTION 1

Which two descriptions of how the Cisco recommended wireless guest traffic isolation model works are true? (Choose two.)

  • A. The foreign controller tunnels the traffic over EoIP to another WLC known as the anchor controller, which is located in the DMZ, thus achieving traffic isolation and keeping guest traffic away from corporate traffic
  • B. The anchor controller tunnels the traffic over LWPP to another WLC known as the foreign controller, which is located in the DMZ, thus achieving traffic isolation and keeping guest traffic away from the corporate traffic
  • C. The foreign controller then tunnels the traffic over LWAPP to anchor WLC known as the anchor controller, which is located in the DMZ, thus achieving traffic isolation and keeping guest traffic away from the corporate traffic
  • D. The access point that serves the guest sets up LWAPP tunnel to a WLC controller known as the anchor controller
  • E. The anchor controller tunnels the traffic over EoIP to another WLC known as the foreign controller, which is located in the DMZ, thus achieving traffic isolation and keeping guest traffic away from the corporate traffic
  • F. The access point that serves the guest sets up an EoIP tunnel to a WLC controller known as the foreign controller
  • G. The access point that serves the guest sets up a LWAPP tunnel to a WLC controller known as the foreign controller

Answer: AG

NEW QUESTION 2

Which statement about deploying policies with the Firepower Management Center is true?

  • A. All policies are deployed on-demand when the administrator triggers them.
  • B. Deploy tasks can be scheduled to deploy policies automatically.
  • C. The leaf domain can deploy changes to all subdomains simultaneously.
  • D. The global domain can deploy changes to individual subdomains.
  • E. Policies are deployed automatically when the administrator saves them.

Answer: B

NEW QUESTION 3

All your employees must authenticate their devices to the network, be they company-owned or employee-owned assets, with ISE as the authentication server. The primary identity store used is Microsoft Active Directory, with username and password authentication. To ensure the security of your enterprise, your security policy dictates that only company-owned assets get access to the enterprise network, while personal assets have restricted access. Which configuration allows you to enforce this policy using only ISE and Active Directory?

  • A. Configure an authentication policy that checks against the MAC address database of company assets in the ISE endpoint identity store to determine the level of access depending on the device.
  • B. Deployment of a Mobile Device Management solution is required, which can be used to register all devices against the MDM server, and use that to assign appropriate access levels.
  • C. Configure an authorization policy that assigns the device the appropriate profile based on whether the device passes Machine Authentication or not.
  • D. Configure an authorization policy that checks against the MAC address database of company assets in the ISE endpoint identity store to determine the level of access depending on the device.
  • E. Configure an authentication policy that uses the computer credentials in Active Directory to determine whether the device is company-owned or personal.

Answer: D

NEW QUESTION 4

Which statement correctly describes TAP mode deployment in IPS?

  • A. Access rules configured in TAP mode generate events when triggered as well as perform the defined action on the traffic stream
  • B. TAP mode is available when ports are configured as passive interfaces
  • C. Access rules configured in TAP mode do not generate events
  • D. TAP mode implementation requires SPAN configuration on a switch
  • E. TAP mode is available when IPS is deployed inline
  • F. In TAP mode traffic flow gets disturbed for analysis

Answer: E

NEW QUESTION 5

Refer to the exhibit.
class Partner-Class
limit-resource routers 50
limit-resource ASDM 4
limit-resource VPN other 400
limit-resource xlates 18000
Which effect of this configuration is true?

  • A. It creates a resource class.
  • B. It creates a default class.
  • C. It oversubscribes VPN sessions for the given class.
  • D. It allows each context to use all available resources.

Answer: A

NEW QUESTION 6

Which statement is correct regarding Cisco VSG functionality?

  • A. It allows Active-Active failover operation mode when deployed as HA pair.
  • B. It applies security profile only after VM instantiation.
  • C. It allows third-party orchestration tool to interact with XML API's for its provisioning.
  • D. It does not allow to extend Zone-based firewall capabilities to VMs on VXLAN.
  • E. It allows administrative segregation due to which Security Administration can author and manage port profiles.
  • F. It does not provide trusted access to VMs in an enterprise data center.

Answer: C

NEW QUESTION 7

Which command sequence do you enter to add the host 10.2.1.0 to the CISCO object group?

  • A. object-group network CISCO group-object 10.2.1.0
  • B. object network CISCO network-object object 10.2.1.0
  • C. object-group network CISCO network-object host 10.2.1.0
  • D. object network CISCO group-object 10.2.1.0

Answer: C

NEW QUESTION 8

How is the Cisco IronPort email data loss prevention licensed?

  • A. It is a per-site license
  • B. It comes free with Iron Port Email server
  • C. It is a per-enterprise license
  • D. It is a per-server license
  • E. It is a per-user license

Answer: E

NEW QUESTION 9

A client computer at 10.10.7.4 is trying to access a Linux server (11.0.1.9) that is running a Tomcat Server application.
What tcpdump filter would be best to verify that traffic is reaching the Linux server eth0 interface?

  • A. tcpdump -i eth0 host 10.10.7.4 and host 11.0.1.9 and port 8080.
  • B. tcpdump -i eth0 host 10.10.7.4 and 11.0.1.9.
  • C. tcpdump -i eth0 dst 11.0.1.9 and dst port 8080.
  • D. tcpdump -i eth0 src 10.10.7.4 and dst 11.0.1.9 and dst port 8080

Answer: D

NEW QUESTION 10

Refer to the exhibit.
Which two statements about the given IPv6 ZBF configuration are true? (Choose two.)

  • A. It inspects TCP, UDP, ICMP, and FTP traffic from z1 to z2.
  • B. It provides backward compatibility with legacy IPv4 inspection.
  • C. It inspects TCP, UDP, ICMP, and FTP traffic from z2 to z1.
  • D. It passes TCP, UDP, ICMP, and FTP traffic in both directions between z1 and z2.
  • E. It provides backward compatibility with legacy IPv6 inspection.
  • F. It passes TCP, UDP, ICMP, and FTP traffic from z1 to z2.

Answer: AE

NEW QUESTION 11

Which statement about the Cisco AMP Virtual Private Cloud Appliance is true for deployments in cloudproxy mode?

  • A. The appliance can perform disposition lookups against the Protect DB without an internet connection
  • B. The amp-sync tool syncs the threat-intelligence repository on the appliance on the AMP public cloud through the Update Host
  • C. The appliance can automatically download threat-intelligence updates directly from the AMP public cloud
  • D. The updates Host automatically downloads updates and deploys them to the Protect DB on a daily basis
  • E. The appliance communicates directly with the endpoint connectors only

Answer: C

NEW QUESTION 12

Which statement about Cisco ISE Guest portals is true?

  • A. To permit BYOD access, a Guest portal must use RADIUS authentication.
  • B. If you delete a Guest portal without removing its authorization policy and profiles, they will be assigned automatically to the default Guest portal.
  • C. The Hotspot Guest portal can be configured for password-only authentication.
  • D. The Sponsored Guest portal allows guest users to create an account.
  • E. The sponsored-Guest portal and Self-Registered Guest portal require a defined Endpoint Identity Group.
  • F. When you make changes to an authorized Guest portal configuration, it must be reauthorized before the changes will take effect.

Answer: A

NEW QUESTION 13

Which two statements about MACsec are true? (Choose two)

  • A. It maintains network intelligence as it is applied to router uplinks and downlinks.
  • B. It works in conjunction with IEEE 802.1X-2010 port-based access control.
  • C. It uses symmetric-key encryption to protect data confidentiality.
  • D. It encrypts packets at Layer 3, which allows devices to handle packets in accordance with network policies.
  • E. It can be enabled on individual port at Layer 3 to allow MACsec devices to access the network.
  • F. It can use IEEE 802.1x master keys to encrypt wired and wireless links

Answer: BC

NEW QUESTION 14

Refer to the exhibit.
A customer has opened a case with Cisco TAC reporting an issue that clients connect to the network using a guest account. Looking at the configuration of the switch, what is a possible issue?

  • A. MAB should be disabled on the authentication port
  • B. Dynamic authorization configuration has incorrect RADIUS server
  • C. issue with the DHCP pool configuration
  • D. Dot1x is disabled on the authentication port
  • E. AAA network authorization incorrectly configured
  • F. CTS is incorrectly configured
  • G. Issue with redirect ACL "cwa_edirecrt"

Answer: G

NEW QUESTION 15

Refer to the exhibit. Which Cisco Firepower policy has detected a “CnC Connector” of comp event?

  • A. DNS policy
  • B. Network analysis policy
  • C. Identity policy
  • D. SSL policy
  • E. File policy
  • F. Intrusion policy

Answer: F

NEW QUESTION 16

Which four tasks are needed to configure RSA token authenticate

  • A. Generate the sdconf.rec file on the RSA server for the authenticate
  • B. Add the ACS server to the allowed ODBC query list on the server
  • C. Define an ODBC client connection on the RSA server
  • D. On the ACS server, define the ODBC connection and the s RSA server
  • E. Define an authentication agent on the RSA server
  • F. Add the RSA server as an external identity server on ACS
  • G. Define an accounting agent on the RSA server
  • H. Upload the sdconf.rec to the ACS server

Answer: AEFH

NEW QUESTION 17

Which statement about the wireless security technologies is true?

  • A. WPA2-PSK mode provides better security by having same passphrase across the network
  • B. WPA2 provides message integrity using AES
  • C. WPA2-PSK mode does not allow a passphrase to be stored locally on the device
  • D. WPA2 is more secure than WPA because it uses TKIP for encryption
  • E. WEP is more secure than WPA2 because it uses AES for encryption
  • F. WPA2-ENT mode does not require RADIUS for authentication

Answer: B

NEW QUESTION 18

Refer to the exhibit.
RTR-A(config-if)# ipv6 mld report-link local-groups
Which effect of this configuration is true?

  • A. It enables MLD query messages for all link-local groups.
  • B. It enables local group membership for MLDv1 and MLDv2.
  • C. It enables hosts to send MLD report messages for groups in 224.0.0.0/24.
  • D. It enables the host to send MLD report messages for nonlink local groups.
  • E. It configures the node to generate a link-local group report when it joins the solicited-node multicast group.

Answer: C

NEW QUESTION 19

Which command sequence do you enter to add the host 10.2.1.0 to the CISCO object group?

  • A. object network CISCO Network-object object 10.2.1.0
  • B. Object-group network CISCO group-object 10.2.1.0
  • C. Object-group network CISCO network-object host 10.2.1.0
  • D. Object- network CISCO group-object 10.2.1.0

Answer: C

NEW QUESTION 20

Which two options are important considerations when you use NetFlow to obtain the full picture of network traffic? (Choose two)

  • A. It monitors only TCP connections.
  • B. It monitors only routed traffic.
  • C. It monitors all traffic on the interface on which it is deployed.
  • D. It monitors only ingress traffic on the interface on which it is deployed.
  • E. It is unable to monitor over time.

Answer: BE

NEW QUESTION 21

What is the best description of a docker file?

  • A. Text document used to build an image
  • B. Message Daemon files
  • C. Software used to manage containers
  • D. Repository for docker images

Answer: A

NEW QUESTION 22

What are two types of attacks against wireless networks that can be prevented by a WLC? (Choose two)

  • A. DHCP rogue server attacks
  • B. Layer 3 flooding attacks
  • C. Inverse ARP attacks on specific ports
  • D. IP spoofing attacks
  • E. ARP sniffing attacks on specific ports

Answer: AD

NEW QUESTION 23

Which two statements about NetFlow Secure Event Logging on a Cisco ASA are true? (Choose two)

  • A. It tracks configured collectors over TCP.
  • B. It is supported only in single-context mode.
  • C. It can export templates through NetFlow.
  • D. It can be used without collectors.
  • E. It supports one event type per collector.
  • F. It can log different event types on the same device to different collectors.

Answer: CF

NEW QUESTION 24

Which description of a hybrid SDN framework is true?

  • A. The control plane and data plane are pulled from the networking element and put in an SDN controller and SDN agent
  • B. The control plane function is split between a SDN controller and the networking element.
  • C. The data plane is pulled from the networking element and put in an SDN controller.
  • D. The control plane is pulled from the networking element and put in an SDN controller

Answer: B

NEW QUESTION 25

Which option best describes RPL?

  • A. RPL stands for Routing over low priority links that use link-state LSAs to determine the best route between two root border routers.
  • B. RPL stands for Routing over low priority links that use distance vector DODAG to determine the best route between two root border routers.
  • C. RPL stands for Routing over Low-power Lossy Networks that use link-state LSAs to determine the best route between leaves and the root border router.
  • D. RPL stands for Routing over Low-power Lossy Networks that use distance vector DODAG to determine the best route between leaves and the root border router.

Answer: D

NEW QUESTION 26

When applying MD5 route authentication on routers running RIP or EIGRP, which two important key chain considerations should be accounted for? (Choose two.)

  • A. Key 0 of all key chains must match for all routers in the autonomous system.
  • B. The lifetimes of the keys in the chain should overlap.
  • C. Routers should be configured for NTP to synchronize their clocks.
  • D. No more than three keys should be configured in any single chain.
  • E. Link compression techniques should be disabled on links transporting any MD5 hash.

Answer: BC

NEW QUESTION 27

Which statement about managing Cisco ISE Guest Services is true?

  • A. Only a Super Admin or System Admin can delete the default Sponsor portal.
  • B. Only ISE administrators from an external identity store can be members of a Sponsor group.
  • C. By default, an ISE administrator can manage only the guest accounts he or she created in the Sponsor portal.
  • D. ISE administrators can view and set a guest’s password to a custom value in the Sponsor portal.
  • E. ISE administrators can access the Sponsor portal only if they have valid Sponsor accounts.
  • F. ISE administrators can access the Sponsor portal only from the Guest Access menu.

Answer: C

NEW QUESTION 28

Which three of these are properties of RC4? (Choose three.)

  • A. It is a block cipher.
  • B. It is a stream cipher.
  • C. It is used in AES.
  • D. It is a symmetric cipher.
  • E. It is used in SSL.
  • F. It is an asymmetric cipher.

Answer: BDE

NEW QUESTION 29

Which authentication does WCCPv2 use to protect messages against interception, inspection, and replay attacks?

  • A. Clear text
  • B. Two factor
  • C. EAP
  • D. MD5
  • E. Kerberos

Answer: D
