[2017 New] Dumps For Exam 400-251 With New Updated Exam Questions (51-75)
2017 July Cisco Official New Released 400-251 Dumps in Lead2pass.com!
Are you worrying about the 400-251 exam? Lead2pass has assembled a complete collection of 400-251 exam questions and answers to take you through your 400-251 exam preparation. Each Q & A set will test your existing knowledge of 400-251 fundamentals, and offer you the latest training products that guarantee you pass the 400-251 exam easily.
The following questions and answers are all newly published by Cisco Official Exam Center: https://www.lead2pass.com/400-251.html
QUESTION 51
Which features can stop man-in-the-middle attacks? (Choose two)
A. ARP sniffing on specific ports
B. ARP spoofing
C. Dynamic ARP inspection
D. DHCP snooping
E. destination MAC ACLs
Answer: CD
QUESTION 52
Which two statements about CoPP are true? (Choose two)
A. When a deny rule in an access list that is used for MQC is matched, classification continues on the next class
B. It allows all traffic to be rate limited and discarded
C. Access lists that are used with MQC policies for CoPP should omit the log and log-input keywords
D. The mls qos command disables hardware acceleration so that CoPP handles all QoS
E. Access lists that use the log keyword can provide information about the device’s CPU usage
F. The policy-map command defines the traffic class
Answer: AC
QUESTION 53
Refer to the exhibit. Which effect of this configuration is true?
A. The WLC accepts self-signed certificates from the RADIUS server to authorize APs.
B. The WLC adds the MAC addresses listed in the ssc ap-policy to its internal authorization list.
C. The WLC adds the ssc access point to the auth-list internal authorization list.
D. The WLC accepts the manufacture-installed certificate from the local access point.
E. The WLC accepts self-signed certificates from devices added to its internal authorization list.
Answer: D
QUESTION 54
Drag and Drop Question
Drag each IP transmission and fragmentation term on the left to the matching statement on the right.
Answer:
QUESTION 55
Which two network protocols can operate on the Application Layer? (Choose two)
A. DNS
B. UDP
C. TCP
D. NetBIOS
E. DCCP
F. SMB
Answer: AF
QUESTION 56
Refer to the exhibit. Which effect of this configuration is true?
A. The PMTUD value sets itself to 1452 bytes when the interface MTU is set to 1492 bytes
B. SYN packets carry 1452 bytes in the payload when the Ethernet MTU of the interface is set to 1492 bytes
C. The maximum size of TCP SYN+ACK packets passing the transient host is set to 1452 bytes and the IP MTU of the interface is set to 1492 bytes
D. The MSS to TCP SYN packets is set to 1452 bytes and the IP MTU of the interface is set to 1492 bytes
E. The minimum size of TCP SYN+ACK packets passing the router is set to 1452 bytes and the IP MTU of the interface is set to 1492 bytes
Answer: D
QUESTION 57
Which of the following statements is true about the ARP spoofing attack?
A. Attacker sends the ARP request with the MAC address and IP address of the legitimate resource in the network.
B. Attacker sends the ARP request with MAC address and IP address of its own.
C. ARP spoofing does not facilitate man-in-the-middle attack for the attacker.
D. Attacker sends the ARP request with its own MAC address and IP address of legitimate resource in the network.
Answer: D
QUESTION 58
Which command can you enter to cause the locally-originated Multicast Source Discovery Protocol Source-Active to be prevented from going to specific peers?
A. ip msdp mesh-group mesh-name {<peer-address> | <peer-name>}
B. ip msdp redistribute [list <acl>] [asn as-access-list] [route-map <map>]
C. ip msdp sa-filter out <peer> [list <acl>] [route-map <map>]
D. ip msdp default-peer {<peer-address> | <peer-name>} [prefix-list <list>]
E. ip msdp sa-filter in <peer> [list <acl>] [route-map <map>]
Answer: C
QUESTION 59
CCMP (CCM mode Protocol) is based on which algorithm?
A. 3DES
B. Blowfish
C. RC5
D. AES
E. IDEA
Answer: D
QUESTION 60
Drag and Drop Question
Drag and drop each step in the SCEP process on the left into the correct order of operations on the right.
Answer:
QUESTION 61
Which command can you enter on the Cisco ASA to disable SSH?
A. Crypto key generate ecdsa label
B. Crypto key generate rsa usage-keys noconfirm
C. Crypto keys generate rsa general-keys modulus 768
D. Crypto keys generate ecdsa noconfirm
E. Crypto keys zeroize rsa noconfirm
Answer: E
QUESTION 62
Which one of the following Cisco ASA adaptive security appliance rule samples will send HTTP data to the AIP-SSM module to evaluate and stop HTTP attacks?
A.
B.
C.
D.
Answer: D
QUESTION 63
Why is the IPv6 type 0 routing header vulnerable to attack?
A. It allows the receiver of a packet to control its flow.
B. It allows the sender to generate multiple NDP requests for each packet.
C. It allows the sender of a packet to control its flow.
D. It allows the sender to generate multiple ARP requests for each packet.
E. It allows the receiver of a packet to modify the source IP address.
Answer: C
QUESTION 64
What context-based access control (CBAC) command sets the maximum time that a router running Cisco IOS will wait for a new TCP session to reach the established state?
A. ip inspect max-incomplete
B. ip inspect tcp finwait-time
C. ip inspect udp idle-time
D. ip inspect tcp synwait-time
E. ip inspect tcp idle-time
Answer: D
QUESTION 65
Which three statements about Cisco Flexible NetFlow are true? (Choose three.)
A. The packet information used to create flows is not configurable by the user.
B. It supports IPv4 and IPv6 packet fields.
C. It tracks all fields of an IPv4 header as well as sections of the data payload.
D. It uses two types of flow cache, normal and permanent.
E. It can be a useful tool in monitoring the network for attacks.
Answer: BCE
QUESTION 66
Which best practice can limit inbound TTL expiry attacks?
A. Setting the TTL value to more than the longest path in the network
B. Setting the TTL value to zero
C. Setting the TTL value to less than the longest path in the network
D. Setting the TTL value equal to the longest path in the network
Answer: C
QUESTION 67
On which encryption algorithm is CCMP based?
A. IDEA
B. BLOWFISH
C. RCS
D. 3DES
E. AES
Answer: E
QUESTION 68
By default, which amount of time does the ASA add to the TTL value of a DNS entry to determine the amount of time a DNS entry is valid?
A. 60 seconds
B. 30 seconds
C. 0 seconds
D. 180 seconds
E. 120 seconds
F. 100 seconds
Answer: A
QUESTION 69
Drag and Drop Question
Drag and drop the desktop-security terms from the left onto their correct definitions on the right.
Answer:
QUESTION 70
What is the name of the unique tool/feature in Cisco Security Manager that is used to merge an access list based on the source/destination IP address, service, or a combination of these to provide a manageable view of access policies?
A. merge rule tool
B. policy simplification tool
C. rule grouping tool
D. object group tool
E. combine rule tool
Answer: E
QUESTION 71
Refer to the exhibit. Which statement about the effect of this configuration is true?
A. Replay protection is disabled
B. It prevents man-in-the-middle attacks
C. The replay window size is set to infinity
D. Out-of-order frames are dropped
Answer: D
QUESTION 72
When a host initiates a TCP session, what is the numerical range into which the initial sequence number must fall?
A. 0 to 65535
B. 1 to 1024
C. 0 to 4,294,967,295
D. 1 to 65535
E. 1 to 4,294,967,295
F. 0 to 1024
Answer: C
QUESTION 73
What port has IANA assigned to the GDOI protocol?
A. UDP 4500
B. UDP 500
C. UDP 1812
D. UDP 848
Answer: D
QUESTION 74
Drag and Drop Question
Drag each Cisco TrustSec feature on the left to its description on the right.
Answer:
QUESTION 75
Which statement is true about SYN cookies?
A. The state is kept on the server machine TCP stack
B. A system has to check every incoming ACK against state tables
C. No state is kept on the server machine; it is embedded in the initial sequence number
D. SYN cookies do not help to protect against SYN flood attacks
Answer: C
At Lead2pass, we are positive that our Cisco 400-251 dumps with questions and answers PDF provide the most in-depth solutions for individuals who are preparing for the Cisco 400-251 exam. Our updated 400-251 braindumps will give you the opportunity to know exactly what to expect on exam day and ensure that you can pass the exam beyond any doubt.
400-251 new questions on Google Drive: https://drive.google.com/open?id=0B3Syig5i8gpDbkNSWnpMam9TWWM
2017 Cisco 400-251 exam dumps (All 449 Q&As) from Lead2pass:
https://www.lead2pass.com/400-251.html [100% Exam Pass Guaranteed]