400-251 Royal Pack Testengine pdf
Exam Number/Code: 400-251
Exam name: CCIE Security Written Exam
Certification: Cisco Certification
Online 400-251 free questions and answers of New Version:
NEW QUESTION 1
Which of the following is used by WSA to extract session information from ISE and use that in access policies?
- A. RPC
- B. pxGrid
- C. SXP
- D. Proprietary protocol over TCP/8302
- E. EAP
- F. RADIUS
NEW QUESTION 2
Which statement about VRF-lite implementation in a service provider network is true?
- A. It requires multiple links between CE and PE for each VPN connection to enable privacy
- B. It uses input interfaces to differentiate routes for different VPNs on the CE device
- C. It can only support one VRF instance per CE device
- D. It can have multiple VRF instances associated with a single interface on a CE device
- E. It supports multiple VPNs at a CE device but their address spaces should not overlap
NEW QUESTION 3
Which IPS deployment mode can blacklist traffic?
- A. Transparent
- B. Strict
- C. Inline
- D. Passive
- E. Tap
- F. Switched
NEW QUESTION 4
Which two statements about role-based access control are true? (Choose two.)
- A. The user profile on an AAA server is configured with the roles that grant user privileges.
- B. If the same user name is used for a local user account and a remote user account, the roles defined in the remote user account override the local user account.
- C. Server profile administrators have read and write access to all system logs by default.
- D. A view is created on the Cisco IOS device to leverage role-based access controls.
- E. Network administrators have read and write access to all system logs by default.
NEW QUESTION 5
Which two design options are best to reduce security concerns when adopting IoT into an organization? (Choose two.)
- A. Segment the Field Area Network from the Data Center network.
- B. Encrypt sensor data in transit.
- C. Ensure that applications can gather and analyze data at the edge.
- D. Implement video analytics on IP cameras.
- E. Encrypt data at rest on all devices in the IoT network.
NEW QUESTION 6
Which three statements about the keying methods used by MACSec are true? (Choose three.)
- A. SAP is not supported on switch SVIs.
- B. SAP is supported on SPAN destination ports.
- C. MKA is implemented as an EAPoL packet exchange.
- D. Key management for host-to-switch and switch-to-switch MACSec sessions is provided by MKA.
- E. SAP is enabled by default for Cisco TrustSec in manual configuration mode.
- F. A valid mode for SAP is NULL.
NEW QUESTION 7
Which two statements about MAB are true? (Choose two)
- A. It requires the administrator to create and maintain an accurate database of MAC addresses.
- B. It serves as the primary authentication mechanism when deployed in conjunction with 802.1x.
- C. It operates at Layer 2 and Layer 3 of the OSI protocol stack.
- D. It can be used to authenticate network devices and users.
- E. MAC addresses stored in the MAB database can be spoofed.
- F. It is a strong authentication method.
NEW QUESTION 8
Refer to the exhibit.
Which effect of this configuration is true?
- A. Users attempting to access the console port are authenticated against the TACACS+ server.
- B. The device tries to reach the server every 24 hours and falls back to the LOCAL database if it fails.
- C. If TACACS+ authentication fails, the ASA uses Cisco 123 as its default password.
- D. The servers in the TACACS+ group are reactivated every 1440 seconds.
- E. Any VPN user with a session timeout of 24 hours can access the device.
NEW QUESTION 9
Which three types of addresses can the Botnet Traffic Filter feature of the Cisco ASA monitor? (Choose three)
- A. dynamic address
- B. known malware addresses
- C. known allowed addresses
- D. ambiguous addresses
- E. internal addresses
- F. listed addresses
NEW QUESTION 10
Which effect of the ip nhrp map multicast dynamic command is true?
- A. It configures a hub router to reflect the routes it learns from a spoke back to other spokes through the same interface.
- B. It configures a hub router to automatically add spoke routers to the multicast replication list of the hub.
- C. It enables a GRE tunnel to operate without the IPsec peer or crypto ACLs.
- D. It enables a GRE tunnel to dynamically update the routing tables on the devices at each end of the tunnel.
NEW QUESTION 11
Which criteria does ASA use for packet classification if multiple contexts share an ingress interface MAC address?
- A. ASA ingress interface IP address
- B. policy-based routing on ASA
- C. destination IP address
- D. destination MAC address
- E. ASA ingress interface MAC address
- F. ASA NAT configuration
- G. ASA egress interface IP address
NEW QUESTION 12
In an effort to secure your enterprise campus network, any endpoint that connects to the network should authenticate before being granted access. For all corporate-owned endpoints, such as laptops, mobile phones and tablets, you would like to enable 802.1x and, once authenticated, allow full access to the network. For all employee-owned personal devices, you would like to use web authentication and only allow limited access to the network. Which two authentication methods can ensure that an employee on a personal device can't use his or her Active Directory credentials to log on to the network by simply reconfiguring their supplicant to use 802.1x and getting unfettered access? (Choose two.)
- A. Use PEAP-EAP-MSCHAPv2
- B. Use EAP-FAST
- C. Use EAP-TLS or EAP-TTLS
- D. Use EAP-MSCHAPv2
- E. Use PAP-CHAP-MSCHAP
- F. Use PEAP-EAP-TLS
NEW QUESTION 13
Refer to the exhibit.
A customer has opened a case with Cisco TAC reporting an issue where clients connect to the network using the guest account. Looking at the configuration of the switch, what is a possible issue?
- A. MAB should be disabled on the authentication port
- B. Dynamic authorization configuration has incorrect RADIUS server
- C. issue with the DHCP pool configuration
- D. Dot1x is disabled on the authentication port
- E. AAA network authorization incorrectly configured
- F. CTS is incorrectly configured
- G. Issue with redirect ACL "cwa_edirecrt"
NEW QUESTION 14
Drag and drop the protocols on the left onto their descriptions on the right:
Explanation: A-2 B-4 C-1 D-3
NEW QUESTION 15
What are three features that are enabled by generating Change of Authorization (CoA) requests in a push model? (Choose three.)
- A. session reauthentication
- B. session identification
- C. host reauthentication
- D. MAC identification
- E. session termination
- F. host termination
NEW QUESTION 16
Which two statements about RADIUS VSAs are true? (Choose two)
- A. They allow the RADIUS server to exchange vendor-specific information with the network access server
- B. They allow products from other vendors to interoperate with Cisco routers that support RADIUS
- C. The VSA implementation supports multiple VSAs, including cisco-avpair
- D. They can be used for both authentication and authentication on Cisco routers
- E. Cisco’s unique vendor-ID is 26
- F. The Cisco VSA implementation allows TACACS+ authorization features to be used with a RADIUS server