The latest Cisco CCIE 400-251 exam dump and 400-251 pdf free sharing, easily pass the Cisco CCIE 400-251 exam certification. “400-251 CCIE Security” leads4pass.com year-round exam questions to ensure high pass rates
Table of Contents:
- Latest Cisco CCIE 400-251 pdf
- Test your Cisco CCIE 400-251 exam level
- Watch the Cisco CCIE 400-251 video tutorial online
- Related 400-251 Popular Exam resources
- Get Lead4Pass Coupons (12% OFF)
- What are the advantages of Lead4pass?
Latest Cisco CCIE 400-251 pdf
[PDF] Free Cisco CCIE 400-251 pdf dumps download from Google Drive: https://drive.google.com/open?id=1izuLzJAFClLatQZtmzmy_cnCuTi-mfLy
[PDF] Free Full Cisco pdf dumps download from Google Drive: https://drive.google.com/open?id=1CMo2G21nPLf7ZmI-3_hBpr4GDKRQWrGx
400-251 CCIE Security – Cisco: https://www.cisco.com/c/en/us/training-events/training-certifications/exams/current-list/400-251-ccie-security.html
Test your Cisco CCIE 400-251 exam level
QUESTION 1
Whcih two statements about uRPF are true? (Choose two)
A. The administrator can configure the allow-default command to force the routing table to user only default route.
B. Is is not supported on the Cisco ASA security appliance.
C. The administrator can configure the ip verify unicast source reachable-via any command to enable the RPF check to
work through HSRP routing groups.
D. The administrator can use the show cef interface command to determine whether uRPF is enable.
E. In strict mode, only one routing path can be available to reach network devices on a subnet.
Correct Answer: DE
Unicast Reverse Path Forwarding http://www.cisco.com/c/en/us/about/security-center/unicast-reverse-path-forwarding.html
QUESTION 2
Which location for the PAC file on Cisco IronPort WSA in the default?
A. http://:9001/pacfile.pac
B. http://:8022/pacfile.pac
C. http://:9091/pacfile.pac
D. http://:8080/pacfile.pac
Correct Answer: A
QUESTION 3
In which type of multicast does the Cisco ASA forward IGMP messages to the upstream router?
A. clustering
B. PIM multicast routing
C. stub multicast routing
D. multicast group concept
Correct Answer: C
QUESTION 4
You have an ISE deployment with 2 nodes that are configured as PAN and MnT (Primary and Secondary), and 4 Policy
Services Nodes. How many additional PSNs can you add to this deployment?
A. 0
B. 1
C. 3
D. 5
E. 4
F. 2
Correct Answer: B
QUESTION 5
Which statement is correct regarding password encryption and integrity on a cisco IOS device?
A. With “enable secret” missing in the configuration the console session cannot get privilege access using console
password due to missing encryption
B. The “enable password” is preferred over “enable secret” as it uses a stronger encryption algorithm
C. The “service password-encryption” global command encrypts all the passwords except the CHAP secret
D. The “username secret” command encrypts the password with SHA-256 hashing
E. The “enable secret” uses MD5 for the password hashing
F. The “service password-encryption” global command performs both encryption and hashing of all the passwords
Correct Answer: E
QUESTION 6
You are troubleshooting a FlexVPN deployment. You find that while the tunnels from the spokes to the hub are in the
“up” state, communication is still broken. Upon further investigation, you determine that an ICMP echo that inrtiated from
an endpoint in the spoke site is seen by the destination endpoint in the hub site, which sends an ICMP echo reply back,
but this reply is not received on endpoint A. Your FlexVPN hub and spoke are behind a NAT device. Which option is a
possible cause of this failure?
A. UDP 500 is blocked outbound from the hub or inbound on the spoke.
B. UDP 4500 is blocked outbound from the hub or inbound on the spoke.
C. FlexVPN does not work with NAT
D. UDP 4500 is blocked outbound from the spoke or inbound on the hub
E. ESP is blocked outbound from the hub or inbound on the spoke.
Correct Answer: B
QUESTION 7
Which Opentack project has orchestraion capabilities?
A. Cinder
B. Horizon
C. Sahara
D. Heat
Correct Answer: D
QUESTION 8
Which of the following four traffic should be allowed during an unknown posture state? (Choose four)
A. Traffic from AnyConnect client, with posture module, to ASA
B. Traffic to FireAMP cloud for AMP for endpoint scan results
C. Traffic to public search engines
D. Traffic to remediation servers, if needed
E. DHCP traffic
F. DNS traffic
G. SSH traffic for network device administration
H. Traffic to ISE PSNs to which client Provisioning Protocol FQDN points
Correct Answer: DEFH
QUESTION 9
On which geographic basis can the Cisco Firepower NGFW filter traffic?
A. Source and destination country and continent
B. Source city and country
C. Source country
D. Source and destination city and country
E. Source and destination country
F. Source country and continent
Correct Answer: E
Reference
QUESTION 10
Which best practice can limit inbound TTL expiry attacks?
A. Setting the TTL value to zero
B. Setting the TTL value to more than longest path in the network
C. Setting the TTL value equal to the longest path in the network.
D. Setting the TTL value to less than the logest path in the network
Correct Answer: C
QUESTION 11
Which two options are important considerations when you use NetFlow to obtain the full picture of network taffic?
(Choose two)
A. It monitors only TCP connections.
B. It monitors only routed traffic.
C. It monitors all traffic on the interface on which it is deployed.
D. It monitors only ingress traffic on the interface on which it is deployed.
E. It is unable to monitor over time.
Correct Answer: CE
QUESTION 12
Refer to the exhibit. One of the Windows machines in your network is experiencing a Dot1x authentication failure.
Windows machines are setup to acquire an IP address from the DHCP server configured on the switch, which is
supposed to hand over IP addresses from the 50.1.1.0/24 network, and forward AAA requests to the radius server at
161.1.7.14 using shared key “cisco”. Knowing that interface Gi0/2 on switch may receive authentication requests from
other devices and looking at the provided switch configuration, what could be the possible cause of this failure?
aaa new model
aaa authentication login NO_AUTH none
aaa authentication login vty local
aaa authentication dot1x default group radius
aaa authentication network default group radius
aaa accounting dot1x default start-stop group radius
!
username cisco privilege 15 password 0 cisco
dot1x system-auth-control
!
interface GigabitEthernet0/2
switchport mode access
ip access-group Pre-Auth in
authentication host-mode multi-auth
authentication open
authentication port-control auto
dot1x pae authenticator
!
vlan 50
interface Vlan50 ip address 50.1.1.1 255.255.255.0
!
ip dhcp excluded-address 50.1.1.1
ip dhcp pool pc-pool
network 50.1.1.0 255.255.255.0
default-router 50.1.1.1
!
ip access-list extended Pre-Auth
permit udp any eq bootpc any eq bootps
deny ip any any
!
radius server ccie
address ipv4 161.1.7.14 auth-port 1645 acct-port 1646
key cisco
!
line con 0
login authentication NO_AUTH
line vty 0 4
login authentication vty
A. an incorrect dhcp pool is configured
B. aaa network authorization is not configured
C. an incorrect pre-authentication acl is configured
D. authentication port-control is not set on interface gi0/2
E. an incorrect radius server addresss is defined
F. aaa login authentication is not configured
G. authentication is not enabled on interface gi0/2
Correct Answer: B
QUESTION 13
What are the major components of a Firepower health monitor alert?
A. The severity level, one or more alert responses, and a remediation policy.
B. A health monitor, one or more alert responses, and a remediation policy.
C. One of more health modules, the severity level, and an alert response.
D. One of more health modules, one or more alert responses, and one or more alert actions.
E. One health modules and one or more alert responses.
Correct Answer: C
Related 400-251 Popular Exam resources
Get Lead4Pass Coupons(12% OFF)
What are the advantages of Lead4pass?
We have a number of cisco, Microsoft, IBM, CompTIA, and other exam experts. We update exam data throughout the year.
Top exam pass rate! We have a large user base. We are an industry leader! Choose Lead4Pass to pass the exam with ease!
Summarize:
We collect the latest Cisco CCIE 400-251 exam questions and answers as part of the first step to help you pass the exam. You can download 400-251 pdf online or watch youtube. Here you can improve your skills and exam experience! Click here for the full 400-251 exam questions.