Pinpoint 400-251 Free Practice Questions 2019


Product Description:
Exam Number/Code: 400-251
Exam name: CCIE Security Written Exam
Certification: Cisco Certification


Free demo questions for Cisco 400-251 Exam Dumps Below:

NEW QUESTION 1
ISE can be integrated with an MDM to ensure that only registered devices are allowed on the network and use the MDM to push policies to the device. Devices can go in and out of compliance, either due to policy changes on the MDM server, or another reason. For a device that has already authenticated on the network and stays connected, but falls out of compliance, what can be done to ensure that a non-compliant device is checked periodically and re-assessed before allowing access to the network?

  • A. Enable Change of Authorization (CoA) on MDM
  • B. FireAMP connector scan can be used to relay posture information to ISE via the AMP cloud
  • C. The MDM agent will automatically disconnect the device from the network when it is non-compliant
  • D. Enable Change of Authorization (CoA) on ISE
  • E. Enable Period Compliance Checking (PCC) on ISE
  • F. The MDM agent periodically sends a packet with compliance info that the wireless controller can use to limit network access.

Answer: D

NEW QUESTION 2
Which statement is true regarding SSL policy implementation in a Firepower system?

  • A. Access control policy is optional for the SSL policy implementation
  • B. If Firepower system cannot decrypt the traffic, it allows the connection
  • C. Intrusion policy is mandatory to configure the SSL inspection
  • D. Access control policy is responsible to handle all the encrypted traffic if SSL policy is tied to it
  • E. Access control policy is invoked first before the SSL policy tied to it
  • F. If SSL policy is not supported by the system, then access control policy handles all the encrypted traffic

Answer: E

NEW QUESTION 3
Various methods are available for load-balancing across a WSA deployment. Which method requires the least effort for all types of endpoints (campus and data center) across the enterprise?

  • A. Push out proxy settings to endpoints through Windows GPO settings
  • B. Host a PAC file on the WSA or an intranet web server and point all endpoints to it for auto-configuration
  • C. Configure an SRV DNS record to point to the WSA for all WAN services
  • D. Use transparent Layer 4 redirection with multiple WSAs behind a load-balancer
  • E. Use WPAD that uses the IP addresses of the WSAs

Answer: D

NEW QUESTION 4
Which two combinations of nodes are allowed in a Cisco ISE distributed deployment? (Choose two)

  • A. ISE cluster with eight nodes
  • B. Pair of passive ISE nodes for automatic failover
  • C. One or more policy service ISE nodes for session failover standalone
  • D. Primary and secondary administration ISE nodes for high availability
  • E. Active and standby ISE nodes for high availability

Answer: BD

NEW QUESTION 5
Which two statements about Cisco VSG are true? (Choose two.)

  • A. Because it is deployed at Layer 2, it can be inserted without significant reengineering of the network.
  • B. According to Cisco best practices, the VSG should use the same VLAN for VSM-VEM control traffic and management traffic.
  • C. It uses optional IP-to-virtual machine mappings to simplify management of virtual machines.
  • D. It uses the Cisco VSG user agent to register with the Cisco Prime Network Services Controller.
  • E. It can be integrated with VMWare vCenter to provide transparent provisioning of policies and profiles.
  • F. It has built-in intelligence for redirecting traffic and fast-path offload.

Answer: EF

NEW QUESTION 6
Refer to the exhibit.
aaa new-model
aaa authentication login default group radius
aaa authentication login NO_AUTH none
aaa authentication login vty local
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
username cisco privilege 15 password 0 cisco
dot1x system-auth-control
!
interface GigabitEthernet0/2
 switchport mode access
 ip access-group Pre-Auth in
 authentication host-mode multi-auth
 authentication open
 authentication port-control auto
!
vlan 50
interface Vlan50
 ip address 50.1.1.1 255.255.255.0
!
ip dhcp excluded-address 5.1.1.1
ip dhcp pool pc-pool
 network 50.1.1.0 255.255.255.0
 default-router 50.1.1.1
!
ip access-list extended Pre-Auth
 permit udp any eq bootpc any eq bootps
 deny ip any any
!
radius server ccie
 address ipv4 161.1.7.14 auth-port 1645 acct-port 1646
 key cisco
!
line con 0
 login authentication NO_AUTH
line vty 0 4
 login authentication vty
One of the Windows machines in your network is having connectivity issues using 802.1x. Windows machines are set up to acquire an IP address from the DHCP server configured on the switch, which is supposed to hand over IP addresses from the 50.1.1.0/24 network, and forward AAA requests to the radius server at 161.1.7.14 using shared key "cisco". Knowing that interface Gi0/2 on SW1 may receive authentication requests from other devices and looking at the provided switch configuration, what could be the possible cause of this failure?

  • A. There is a RADIUS key mismatch
  • B. Authentication for multiple hosts is not configured on interface Gi0/2
  • C. 802.1x authentication is not enabled on interface Gi0/2.
  • D. An incorrect IP address is configured for SVI 50.
  • E. aaa network authorization is not configured.
  • F. 802.1x is disabled on the switch.
  • G. An incorrect default route is pushed on supplicant from SW1.

Answer: C

NEW QUESTION 7
Refer to the exhibit.
Which data format is used in this script?

  • A. JSON
  • B. YANG
  • C. API
  • D. XML
  • E. JavaScript

Answer: D

NEW QUESTION 8
Refer to the exhibit.
Which two configurations must you perform to enable the device to use this class map? (Choose two)

  • A. Configure PDLM
  • B. Configure the ip nbar custom command
  • C. Configure the ip nbar protocol discovery command
  • D. Configure the transport hierarchy
  • E. Configure the DSCP value

Answer: BC

NEW QUESTION 9
Nexus 9000 Platform supports which of the following configuration management tools?

  • A. Ansible
  • B. Chef
  • C. Jenkins
  • D. Puppet
  • E. Salt

Answer: D

NEW QUESTION 10
Which description of a Botnet attack is true?

  • A. It can be used to participate in DDoS.
  • B. It is a form of wireless attack where the attacker installs an access point to create a backdoor to a network.
  • C. It is launched by a collection of noncompromised machines controlled by the Command and Control system.
  • D. It is launched by a single machine controlled by the Command and Control system.
  • E. It is a form of fragmentation attack to evade an intrusion prevention security device.
  • F. It is a form of a man-in-the-middle attack where the compromised machine is controlled remotely.

Answer: AD

NEW QUESTION 11
Refer to the exhibit.
aaa authentication login default group radius
aaa authentication login NO_AUTH none
aaa authentication login vty local
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting update newinfo
aaa accounting dot1x default start-stop group radius
!
ip dhcp excluded-address 60.1.1.11
ip dhcp excluded-address 60.1.1.2
!
ip dhcp pool mabpc-pool
 network 60.1.1.0 255.255.255.0
 default-router 60.1.1.2
!
cts sxp enable
cts sxp default source-ip 10.9.31.22
cts sxp default password ccie
cts sxp connection peer 10.9.31.1 password default mode peer listener hold-time 0
!
dot1x system-auth-control
!
interface GigabitEthernet1/0/9
 switchport mode access
 ip device tracking maximum 10
 authentication host-mode multi-auth
 authentication port-control auto
 mab
!
radius-server host 161.1.7.14 key cisco
radius-server timeout 60
!
interface VLAN10
 ip address 10.9.31.22 255.255.255.0
!
interface Vlan50
 no ip address
!
interface Vlan60
 ip address 60.1.1.2 255.255.255.0
!
interface Vlan150
 ip address 150.1.7.2 255.255.255.0
Looking at the configuration, what may cause the MAB authentication to fail for a supplicant?

  • A. There is an issue with the DHCP pool configuration
  • B. The VLAN configuration is missing on the authentication port
  • C. Incorrect CTS configuration on the switch
  • D. AAA authorization is incorrectly configured on the switch
  • E. CoA configuration is missing
  • F. Dot1x should be globally disabled for MAB to work
  • G. Switch configuration is properly configured and the issue is on the RADIUS server

Answer: E

NEW QUESTION 12
Refer to the exhibit.
Which two statements about the given IPv6 ZBF configuration are true? (Choose two.)

  • A. It inspects TCP, UDP, ICMP, and FTP traffic from z1 to z2.
  • B. It provides backward compatibility with legacy IPv4 inspection.
  • C. It inspects TCP, UDP, ICMP, and FTP traffic from z2 to z1.
  • D. It passes TCP, UDP, ICMP, and FTP traffic in both directions between z1 and z2.
  • E. It provides backward compatibility with legacy IPv6 inspection.
  • F. It passes TCP, UDP, ICMP, and FTP traffic from z1 to z2.

Answer: AE

NEW QUESTION 13
Refer to the exhibit.
The AMP cloud is configured to report AMP Connector scan events from Windows machines that belong to the Audit group to the FMC. However, the scanned events are not showing up in the FMC. Which possible cause is true?

  • A. There is a possible issue with certificate download from the AMP cloud for FMC integration.
  • B. The AMP cloud is pointing to an incorrect FMC address.
  • C. The event must be viewed as a malware event in the FMC.
  • D. The DNS address is misconfigured on the FMC.
  • E. An incorrect group is selected for the events export in the AMP cloud for FMC.
  • F. The FMC is pointing to an incorrect AMP cloud address.

Answer: CE

NEW QUESTION 14
Refer to the exhibit.
R2# sh run | sec wcp
ip wccp web-cache redirect-list 101 group-list 12 password 0 ccie
ip wccp web-cache redirect in
!
R2# sh access-lists
Standard IP access list 11
    10 permit 171.1.7.12
Standard IP access list 12
    10 permit 171.1.7.21
Extended IP access list 101
    10 permit tcp 172.16.1.0 0.0.0.255 host 192.168.101.3 eq www
    20 permit tcp 172.16.1.0 0.0.0.255 host 192.168.102.3 eq www
R1# sh wccp interfaces
IPv4 WCCP interface configuration
    GigabitEthernet1
        Output services 0
        Input services 1
        Mcast services 0
        Exclude In: False
R2# sh ip wccp wec-cache detail
No information is available for the service
R2 is configured as a WCCP router to redirect HTTP traffic for policy implementation to the WSA at 171.1.7.12, with "ccie" as the passphrase used for authentication. The redirection is for the traffic on the R2 Gi2 interface in the inbound direction. An issue has been reported that websites are no longer accessible. What could be the cause?

  • A. There is an issue with the WSA server list bound for the redirection
  • B. There is an issue with routing of traffic between R2 and WSA
  • C. There is an issue with WCCP redirection applied on Gi2 interface
  • D. There is an issue with destination servers defined for WCCP redirection
  • E. There is an issue with WCCP passphrase configured on R2
  • F. There is an issue with source network defined for WCCP redirection

Answer: A

NEW QUESTION 15
Which statement correctly represents the ACI security principle of Object Model?

  • A. It is a logical representation of an application and its interdependencies in the network fabric
  • B. It is a policy placed at the intersection of source and destination EPGs.
  • C. It is defined by the policy applied between EPGs for communication.
  • D. It consists of one or more tenants having multiple contexts.
  • E. These are rules and policies used by an EPG to communicate with other EPGs.
  • F. It is a collection of endpoints representing an application within a context.

Answer: D

NEW QUESTION 16
Which two statements about the Cisco AnyConnect VPN Client are true? (Choose two.)

  • A. It can use an SSL tunnel and a DTLS tunnel simultaneously.
  • B. It enables users to manage their own profiles.
  • C. It can be configured to download automatically without prompting the user.
  • D. By default, DTLS connections can fall back to TLS.
  • E. To improve security, keepalives are disabled by default.

Answer: AC
