[2017 New] Lead2pass 2017 100% Real 400-251 Exam Questions (151-175)
2017 August Cisco Official New Released 400-251 Dumps in Lead2pass.com!
100% Free Download! 100% Pass Guaranteed!
Thank you so much Lead2pass. You helped me passing my 400-251 exam easily, 90% of the exam questions from the dump appeared in my exam.
Following questions and answers are all new published by Cisco Official Exam Center: https://www.lead2pass.com/400-251.html
QUESTION 151
Which two statements about the SHA-1 algorithm are true? (Choose two)
A. The SHA-1 algorithm is considered secure because it always produces a unique hash for the same message.
B. The SHA-1 algorithm takes input message of any length and produces 160-bit hash output.
C. The SHA-1 algorithm is considered secure because it is possible to find a message from its hash.
D. The purpose of the SHA-1 algorithm is to provide data confidentiality.
E. The purpose of the SHA-1 algorithm is to provide data authenticity.
Answer: BE
QUESTION 152
Refer to the exhibit. What is the meaning of the given error massage?
A. Ike is disable on the remote peer
B. The mirrored crypto ACLs are mismatched
C. The pre-shared keys are mismatched
D. The PFS group are mismatched
Answer: C
QUESTION 153
Event Store is a component of which IPS application?
A. SensorApp
B. InterfaceApp
C. MainApp
D. NotificationApp
E. AuthenticationApp
Answer: C
QUESTION 154
Refer to the exhibit. What are two TLS inspection methods you could implement for outbond internet traffic that can prevent the given untrusted error? (Choose two)
A. Add the self-signed CA certificate from the inspection appliance to the Trusted Root Certification Authority on the client
B. Apply an intermediate CA certificate from a trusted authority on the inspection appliance.
C. Download a copy of the private key from the content provider,
D. Update your organizational procedures to instruct users to click “I Understand the Risks” to accept the error and continue
E. Conditionally decrypt traffic based c$ trust level Store private keys in a FIPS Level 2 HSM on the inspection appliance
Answer: AB
QUESTION 155
Drag and Drop Question
Drag each IPv6 extension header on the left into the recommended order for more than one extension header in the same IPv6 packet on the right.
Answer:
QUESTION 156
What are two action you can take to protect against DDOS attacks on cisco router and switches?(Choose two)
A. Rate limit SYN packets
B. Filter the RFC-1918 address space
C. configuration IP snooping
D. implement MAC address filtering
E. Configuration PIM-SM
Answer: AB
QUESTION 157
Which two statements about SOX are true? (Choose two.)
A. SOX is an IEFT compliance procedure for computer systems security.
B. SOX is a US law.
C. SOX is an IEEE compliance procedure for IT management to produce audit reports.
D. SOX is a private organization that provides best practices for financial institution computer systems.
E. Section 404 of SOX is related to IT compliance.
Answer: BE
QUESTION 158
Which two options are disadvantages of MPLS layers 3 VPN services? (Choose two)
A. They requires cooperation with the service provider to implement transport of non-IP traffic.
B. SLAs are not supported by the service provider.
C. It requires customers to implement QoS to manage congestion in the network.
D. Integration between Layers 2 and 3 peering services is not supported.
E. They may be limited by the technology offered by the service provider.
F. They can transport only IPv6 routing traffic.
Answer: DE
QUESTION 159
Which RFC outlines BCP 84?
A. RFC 3704
B. RFC 2827
C. RFC 3030
D. RFC 2267
E. RFC 1918
Answer: A
QUESTION 160
Which option is a benefit of implementing RFC 2827?
A. prevents DoS from legitimate, non-hostile end systems
B. prevents disruption of special services such as Mobile IP
C. defeats DoS attacks which employ IP source address spoofing
D. restricts directed broadcasts at the ingress router
E. allows DHCP or BOOTP packets to reach the relay agents as appropriate
Answer: C
QUESTION 161
Refer to the exhibit. After you configured routes R1 and R2 for IPv6 OSPFv3 authentication as shown, the OSPFv3 neighbor adjacency failed to establish.
What is a possible reason for the problem?
A. R2 received a packet with an incorrect area form the loopback1 interface
B. OSPFv3 area authentication is missing
C. R1 received a packet with an incorrect area from the FastEthernet0/0 interface
D. The SPI and the authentication key are unencrypted
E. The SPI value and the key are the same on both R1 and R2
Answer: C
QUESTION 162
Which statement about ICMPv6 filtering is true?
A.
B.
C.
D.
E.
F.
Answer: B
QUESTION 163
Which three statements about the Unicast RPF in strict mode and loose mode are true?(Choose three)
A. Loose mode requires the source address to be present in the routing table.
B. Inadvertent packet loss can occur when loose mode is used with asymmetrical routing.
C. Interfaces in strict mode drop traffic with return that point to the Null 0 Interface.
D. Strict mode requires a default route to be associated with the uplink network interface.
E. Strict mode is recommended on interfaces that will receive packets only from the same subnet to which is assigned.
F. Both loose and strict modes are configured globally on the router.
Answer: ADE
Explanation:
http://www.cisco.com/c/en/us/about/security-center/unicast-reverse-path-forwarding.html
QUESTION 164
What protocol does IPv6 Router Advertisement use for its messages?
A. TCP
B. ICMPv6
C. ARP
D. UDP
Answer: B
QUESTION 165
Drag and Drop Question
Drag each ESP header field on the left into the corresponding field-length category on the right
Answer:
QUESTION 166
When TCP intercept is enabled in its default mode, how does it react to a SYN request?
A. It intercepts the SYN before it reaches the server and responds with a SYN-ACK
B. It drops the connection
C. It monitors the attempted connection and drops it if it fails to establish within 30 seconds
D. It allows the connection without inspection
E. It monitors the sequence of SYN, SYN-ACK, and ACK messages until the connection is fully established
Answer: A
Explanation:
The default mode of TCP intercept is active intercept mode
http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfdenl.html
QUESTION 167
Refer to the exhibit. What are the two effects of the given configuration? (Choose two)
A. It permits Time Exceeded messages that indicate the fragment assembly time was exceeded
B. It permits Destination Unreachable messages that indicate the host specified in the datagram rejected the message due to filtering
C. It permits Destination Unreachable messages that indicate a problem delivering the datagram to the destination address specified in the datagram
D. It permits Parameter Problem messages that indicate an unrecognized value in the Next Header Filed
E. It permits Parameter Problem messages that indicate an error in the header
F. It permits Destination Unreachable messages that indicate an invalid port on the host specified in the datagram
Answer: CF
Explanation:
icmp type 1 code 3 is for address unreachable, icmp 1 code 4 is for port unreachable.
http://www.cisco.com/c/en/us/support/docs/ip/routing-information-protocol-rip/22974-icmpv6codes.html
QUESTION 168
According ISO27001 ISMS, which of the following are mandatory documents? (Choose 4)
A. ISMS Policy
B. Corrective Action Procedure
C. IS Procedures
D. Risk Assessment Reports
E. Complete Inventory of all information assets
Answer: ACDE
Explanation:
Corrective action report is a required document but not the procedure
https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
QUESTION 169
Which two statements about ICMP redirect messages are true? (Choose two)
A. By default, configuring HSRP on the interface disables ICMP redirect functionality.
B. They are generated when a packet enters and exits the same router interface.
C. The messages contain an ICMP Type 3 and ICMP code 7.
D. They are generated by the host to inform the router of an alternate route to the destination.
E. Redirects are only punted to the CPU if the packets are also source-routed.
Answer: AB
QUESTION 170
Which two statements about NAT-PT with IPv6 are true? (Choose two)
A. It can be configured as dynamic, static, or PAT.
B. It provides end-to-end security.
C. It supports IPv6 BVI configurations.
D. It provides support for Cisco Express Forwarding.
E. It provides ALG support for ICMP and DNS.
F. The router can be a single point of failure on the network.
Answer: AE
QUESTION 171
Which of the following Cisco IPS signature engine has relatively high memory usage ?
A. The STRING-TCP engine
B. The STRING-UDP engine
C. The NORMALIZER engine
D. The STRING-ICMP engine
Answer: A
Explanation:
String-TCP engine has the highest number of signatures and has higher memory utilization
http://www.ndm.net/ips/pdf/cisco/IOS-IPS/white_paper_c11_549300.pdf
QUESTION 172
Which of the following two options can you configure to avoid iBGP full mesh?(Choose two)
A. BGP NHT
B. route reflector
C. local preference
D. confederations
E. Virtual peering
Answer: BD
QUESTION 173
Refer to the exhibit, if R1 is acting as a DHCP server, what action can you take to enable the pc to receive an ip address assignment from the DHCP server ?
A. Configure the IP local pool command on R2
B. Configure DHCP option 150 on R2
C. Configure the IP helper-address command on R2 to use R1’s ip address
D. Configure the IP helper-address command on R1 to use R2’s ip address
E. Configuration DHCP option 82 on R1
F. Configure the ip local pool command on R1
Answer: C
QUESTION 174
Which two statements about LEAP are true? (Choose two)
A. It is compatible with the PAP and MS-CHAP protocols
B. It is an ideal protocol for campus networks
C. A symmetric key is delivered to the authenticated access point so that future connections from the same client can be encrypted with different keys
D. It is an open standard based on IETF and IEEE standards
E. It is compatible with the RADIUS authentication protocol
F. Each encrypted session is authentication by the AD server
Answer: EF
QUESTION 175
Which two of the following ICMP types and code should be allowed in a firewall to enable traceroute? (Choose two)
A. Destination Unreachable-protocol Unreachable
B. Destination Unreachable-port Unreachable
C. Time Exceeded-Time to Live exceeded in Transit
D. Redirect-Redirect Datagram for the Host
E. Time Exceeded-Fragment Reassembly Time Exceeded
F. Redirect-Redirect Datagram for the Type of service and Host
Answer: BC
Suggestion, read 400-251 questions carefully try to understand or guess what they’re asking for. Hope everyone passes.
400-251 new questions on Google Drive: https://drive.google.com/open?id=0B3Syig5i8gpDMERESjlYcVlZNWs
2017 Cisco 400-251 exam dumps (All 470 Q&As) from Lead2pass:
https://www.lead2pass.com/400-251.html [100% Exam Pass Guaranteed]