[2017 New] Lead2pass 2017 100% Real 400-251 Exam Questions (176-200)
2017 August Cisco Official New Released 400-251 Dumps in Lead2pass.com!
100% Free Download! 100% Pass Guaranteed!
We Lead2pass.com are providing 400-251 exam braindumps here in both PDF file and Online Practice Test Formats. The 400-251 dumps are updated time to time having all the questions answers which cover complete course outlines of the 400-251 certification exam.
Following questions and answers are all new published by Cisco Official Exam Center: https://www.lead2pass.com/400-251.html
QUESTION 176
What are the three response types for SCEP enrollment requests? (Choose three.)
A. PKCS#7
B. Reject
C. Pending
D. PKCS#10
E. Success
F. Renewal
Answer: BCE
QUESTION 177
Refer to the exhibit. What is the configuration design to prevent?
A. Man in the Middle Attacks
B. Dynamic payload inspection
C. Backdoor control channels for infected hosts
D. DNS Inspection
Answer: C
Explanation:
Cisco ASA firewall is configured for botnet filtering which prevents backdoor control channels from infected hosts.
QUESTION 178
Which three statements about the Cisco IPS sensor are true? (Choose three.)
A. You cannot pair a VLAN with itself.
B. For a given sensing interface, an interface used in a VLAN pair can be a member of another inline interface pair.
C. For a given sensing interface, a VLAN can be a member of only one inline VLAN pair, however, a given VLAN can be a member of an inline VLAN pair on more than one sensing interface.
D. The order in which you specify the VLANs in a inline pair is significant.
E. A sensing interface in inline VLAN pair mode can have from 1 to 255 inline VLAN pairs.
Answer: ACE
Explanation:
Inline VLAN Interface Pairs
You cannot pair a VLAN with itself.
For a given sensing interface, a VLAN can be a member of only one inline VLAN pair. However, a given VLAN can be a member of an inline VLAN pair on more than one sensing interface.
The order in which you specify the VLANs in an inline VLAN pair is not significant. A sensing interface in inline VLAN pair mode can have from 1 to 255 inline VLAN pairs.
QUESTION 179
Which command sets the Key-length for the IPv6 send protocol?
A. IPv6 nd ns-interval
B. Ipv6 ndra-interval
C. IPv6 nd prefix
D. IPv6 nd inspection
E. IPv6 nd secured
Answer: E
QUESTION 180
Which two statement about MSDP ate true? (Choose three)
A. It can connect to PIM-SM and PIM-DM domains
B. It announces multicast sources from a group
C. The DR sends source data to the rendezvous point only at the time the source becomes active
D. It can connect only to PIM-DM domains
E. It registers multicast sources with the rendezvous point of a domain
F. It allows domains to discover multicast sources in the same or different domains.
Answer: BEF
QUESTION 181
What are two advantages of NBAR2 over NBAR? (Choose two)
A. Only NBAR2 support Flexible NetFlow for extracting and exporting fields from the packet header.
B. Only NBAR2 allows the administrator to apply individual PDL files.
C. Only NBAR2 support PDLM to support new protocals.
D. Only NBAR2 can use Sampled NetFlow to extract pre-defined packet headers for reporting.
E. Only NBAR2 supports custom protocols based on HTTP URLs.
Answer: AE
QUESTION 182
Which two statements about Network Edge Authentication Technology (NEAT) are true? (Choose two)
A. It requires a standard ACL on the switch port
B. It conflicts with auto-configuration
C. It allows you to configure redundant links between authenticator and supplicant switches
D. It supports port-based authentication on the authenticator switch
E. It can be configured on both access ports and trunk ports
F. It can be configured on both access ports and EtherChannel ports
Answer: DE
QUESTION 183
What are three pieces of data you should review in response to a suspected SSL MITM attack? (Choose three)
A. The IP address of the SSL server
B. The X.509 certificate of the SSL server
C. The MAC address of the attacker
D. The MAC address of the SSL server
E. The X.509 certificate of the attacker
F. The DNS name off the SSL server
Answer: ABF
QUESTION 184
From what type of server can you to transfer files to ASA’s internal memory ?
A. SSH
B. SFTP
C. Netlogon
D. SMB
Answer: D
QUESTION 185
Which configuration is the correct way to change VPN key Encryption key lifetime to 10800 seconds on the key server?
A.
B.
C.
D.
Answer: A
QUESTION 186
Which feature can you implement to protect against SYN-flooding DoS attacks?
A. the ip verify unicast reverse-path command
B. a null zero route
C. CAR applied to icmp packets
D. TCP Intercept
Answer: D
Explanation:
https://www.sans.org/security-resources/idfaq/preventing-syn-flooding-with-cisco-routers/5/5
QUESTION 187
Refer to the exhibit. If R1 is connected upstream to R2 and R3 at different ISPs as shown, what action must be taken to prevent Unicast Reverse Path Forwarding (uRPF) from dropping asymmetric traffic?
A. Configure Unicast RPF Loose Mode on R2 and R3 only.
B. Configure Unicast RPF Loose Mode on R1 only.
C. Configure Unicast RPF Strict Mode on R1 only.
D. Configure Unicast RPF Strict Mode on R1,R2 and R3.
E. Configure Unicast RPF Strict Mode on R2 and R3 only.
Answer: B
Explanation:
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_urpf/configuration/xe-3s/sec-data-urpf-xe-3s-book/sec-unicast-rpf-loose-mode.html
http://www.cisco.com/c/en/us/about/security-center/unicast-reverse-path-forwarding.html
QUESTION 188
Refer to the exhibit. Which effect of this Cisco ASA policy map is true?
A. The Cisco ASA is unable to examine the TLS session.
B. The server ends the SMTP session with a QUIT command if the algorithm or key length is insufficiently secure.
C. it prevents a STARTTLS session from being established.
D. The Cisco ASA logs SMTP sessions in clear text.
Answer: D
Explanation:
http://www.cisco.com/c/en/us/about/security-center/intelligence/asa-esmtp-starttls.html#interact
https://stomp.colorado.edu/blog/blog/2012/12/31/on-smtp-starttls-and-the-cisco-asa/
And in RFC 3207 that governs this TLS negotiation is said that
” If the SMTP client decides that the level of authentication or privacy is not high enough for it to continue, it SHOULD issue an SMTP QUIT command immediately after the TLS negotiation is complete.
If the SMTP server decides that the level of authentication or privacy is not high enough for it to continue, it SHOULD reply to every SMTP command from the client (other than a QUIT command) with the 554 reply code (with a possible text string such as “Command refused due to lack of security”).”
Hence it is the client that sends QUIT command, not the server
This is an example of ASA logging an SMTP session that was established using TLS:
Mar 07 2017 19:40:04: %ASA-6-108007: TLS started on ESMTP session between client outside:98.139.212.154/45850 and server inside:192.168.1.12/25
QUESTION 189
What security element must an organization have in place before it can implement a security audit and validate the audit results?
A. firewall
B. network access control
C. an incident response team
D. a security policy
E. a security operation center
Answer: D
QUESTION 190
Which two statements about RFC 2827 are true? (Choose two.)
A. RFC 2827 defines egress packet filtering to safeguard against IP spoofing.
B. A corresponding practice is documented by the IEFT in BCP 38.
C. RFC 2827 defines ingress packet filtering for the multihomed network.
D. RFC 2827 defines ingress packet filtering to defeat DoS using IP spoofing.
E. A corresponding practice is documented by the IEFT in BCP 84.
Answer: BD
QUESTION 191
From the list below, which one is the major benefit of AMP Threat GRID?
A. AMP Threat Grid collects file information from customer servers and run tests on them to see if they are infected with viruses
B. AMP Threat Grid learns ONLY from data you pass on your network and not from anything else to monitor for suspicious behavior. This makes the system much faster and efficient
C. AMP Threat Grid combines Static, and Dynamic Malware analysis with threat intelligence into one combined solution
D. AMP Threat Grid analyzes suspicious behavior in your network against exactly 400 behavioral
indicators
Answer: C
QUESTION 192
Drag and Drop Question
Drag each field authentication Header on the left into the order in which it appears in the header on the right
Answer:
QUESTION 193
Which two statement about Infrastructure ACLs on Cisco IOS software are true? (Choose two.)
A. Infrastructure ACLs are used to block-permit the traffic in the router forwarding path.
B. Infrastructure ACLs are used to block-permit the traffic handled by the route processor.
C. Infrastructure ACLs are used to block-permit the transit traffic.
D. Infrastructure ACLs only protect device physical management interface.
Answer: BD
QUESTION 194
Which three statements about SCEP are true?(Choose three)
A. It Supports online certification revocation.
B. Cryptographically signed and encrypted message are conveyed using PKCS#7.
C. The certificate request format uses PKCS#10.
D. It supports multiple cryptographic algorithms, including RSA.
E. CRL retrieval is support through CDP (Certificate Distribution Point) queries.
F. It supports Synchronous granting.
Answer: BCE
QUESTION 195
class-map nbar_rtp
match protocol rtp payload-type “0, 1, 4 – 0x10, 10001b – 10010b, 64”
The above NBAR configuration matches RTP traffic with which payload types?
A.
B.
C.
D.
Answer: A
QUESTION 196
Refer to the exhibit. What type of attack is represented in the given Wireshark packet capture?
A. a SYN flood
B. spoofing
C. a duplicate ACK
D. TCP congestion control
E. a shrew attack
Answer: A
QUESTION 197
What message does the TACACS+ daemon send during the AAA authentication process to request additional authentication information?
A. ACCEPT
B. REJECT
C. CONTINUE
D. ERROR
E. REPLY
Answer: C
QUESTION 198
Refer to the exhibit.While troubleshooting a router issue, you executed the show ntp association command and it returned this output.
Which condition is indicated by the reach value of 357?
A. The NTP continuously received the previous 8 packets.
B. The NTP process is waiting to receive its first acknowledgement.
C. The NTP process failed to receive the most recent packet, but it received the 4 packets before the most recent packet.
D. The NTP process received only the most recent packet.
Answer: C
QUESTION 199
Which three IP resources is IANA responsible for? (Choose three.)
A. IP address allocation
B. detection of spoofed address
C. criminal prosecution of hackers
D. autonomous system number allocation
E. root zone management in DNS
F. BGP protocol vulnerabilities
Answer: ADE
QUESTION 200
Which three attributes may be configured as part of the Common Tasks panel of an authorization profile in the Cisco ISE solution? (Choose three.)
A. VLAN
B. voice VLAN
C. dACL name
D. voice domain permission
E. SGT
Answer: ACD
The 400-251 online practice test prepare you according to the real exam scenario. Free demo is available to check before buying the 400-251 study guide.
400-251 new questions on Google Drive: https://drive.google.com/open?id=0B3Syig5i8gpDMERESjlYcVlZNWs
2017 Cisco 400-251 exam dumps (All 470 Q&As) from Lead2pass:
https://www.lead2pass.com/400-251.html [100% Exam Pass Guaranteed]