PASSWRITTENDUMPS.COM
400-251
20-Mar-17
PassWritten Workbook 400-251 CCIE SECURITY WRITTEN
www.passwritten.com | www.passwrittendumps.com
1) What are the two different modes in which Private AMP cloud can be deployed? (Choose two)
A. Cloud Mode
B. Internal Mode
C. Public Mode
D. External Mode
E. Proxy Mode
F. Air Gap Mode
Answer: A,F
2) Refer to the exhibit. Which two effects of this configuration are true? (Choose two)
A. User five can view usernames and password
B. User superuser can view the configuration
C. User superuser can change usernames and passwords
D. User superuser can view usernames and passwords
E. User five can execute the show run command
F. User cisco can view usernames and passwords
Answer: B,E
3) Which three commands can you use to configure VXLAN on a Cisco ASA firewall? (Choose three)
A. default-mcast-group
B. set ip next-hop verify-availability
C. sysopt connection tcpmss
D. segment-id
E. inspect vxlan
F. nve-only
Answer: A,D,F
4) Which Cisco ISE profiler service probe can collect information about Cisco Discovery Protocol?
A. SNMP Query
B. DHCP SPAN
C. DHCP
D. HTTP
E. RADIUS
F. NetFlow
Answer: A
5) Which type of attack uses a large number of spoofed MAC addresses to emulate wireless clients?
A. DoS against an access point
B. DoS against a client station
C. chopchop attack
D. Airsnarf attack
E. device-probing attack
F. authentication-failure attack
Answer: A
6) Which two statements about NetFlow Secure Event logging on a Cisco ASA are true? (Choose two)
A. It is supported only in single context mode
B. It can log different event types on the same device to different collectors
C. It tracks configured collections over TCP
D. It can be used without collectors
E. It supports one event type per collector
F. It can export templates through NetFlow
Answer: B,E
7) Refer to the exhibit. After you applied this EtherChannel configuration to a Cisco ASA, the EtherChannel failed to come up. Which reason for the problem is the most likely?
A. The channel-group modes are mismatched
B. The lacp system-priority and lacp port-priority values are the same
C. The EtherChannel requires three ports, and only two are configured
D. The EtherChannel is disabled
Answer: A
8) Which option best describes RPL?
A. RPL stands for Routing over Low-power Lossy Networks that use link-state LSAs to determine the best route between leaves and the root border router
B. RPL stands for Routing over Low-power Lossy Networks that use distance vector DODAG to determine the best route between leaves and the root border router
C. RPL stands for Routing over low priority links that use link-state LSAs to determine the best route between two root border routers
D. RPL stands for Routing over low priority links that use distance vector DODAG to determine the best route between two border routers
Answer: A
9) Which WEP configuration can be exploited by a weak IV attack?
A. When the static WEP password has been given away
B. When the static WEP password has been stored without encryption
C. When a per-packet WEP key is in use
D. When a 40-bit key is in use
E. When the same WEP key is used to create every packet
F. When a 64-bit key is in use
Answer: E
10) Which OpenStack project has orchestration capabilities?
A. Heat
B. Cinder
C. Horizon
D. Sahara
Answer: A
11) Which three statements about Cisco AnyConnect SSL VPN with the ASA are true? (Choose three)
A. Real-time application performance improves if DTLS is implemented
B. DTLS can fall back to TLS without enabling dead peer detection
C. The ASA will verify the remote HTTPS certificate
D. By default, the ASA uses the Cisco AnyConnect Essentials license
E. By default, the VPN connection connects with DTLS
F. Cisco AnyConnect connections use IKEv2 by default when it is configured as the primary protocol on the client
Answer: A,E,F
12) Which two options are benefits of global ACLs? (Choose two)
A. They only operate on logical interfaces
B. They are more efficient because they are processed before interface access rules
C. They can be applied to multiple interfaces
D. They are flexible because they match source and destination IP addresses for packets that arrive on any interface
E. They save memory because they work without being replicated on each interface
Answer: D,E
13) Which three statements about 802.1x multiauthentication mode are true? (Choose three)
A. It can be deployed in conjunction with MDA functionality on voice VLANs
B. It requires each connected client to authenticate individually
C. Each multiauthentication port can support only one voice VLAN
D. It is recommended for auth-fail VLANs
E. On non-802.1x devices, it can support only one authentication method on a single port
F. It is recommended for guest VLANs
Answer: A,B,C
14) Refer to the exhibit. Which three additional configuration elements must you apply to complete a functional FlexVPN deployment? (Choose three)
Answer: D,E,F
15) You are considering using RSPAN to capture traffic between several switches. Which two configuration aspects do you need to consider? (Choose two)
A. Not all switches need to support RSPAN for it to work
B. The RSPAN VLAN needs to be blocked on all trunk interfaces leading to the destination RSPAN switch
C. All switches need to be running the same IOS version
D. All distribution switches need to support RSPAN
E. The RSPAN VLAN needs to be allowed on all trunk interfaces leading to the destination RSPAN switch
Answer: A,E
16) Refer to the exhibit. You applied this VPN cluster configuration to a Cisco ASA and the cluster failed to form. How do you edit the configuration to correct the problem?
A. Define the maximum allowable number of VPN connections
B. Define the master/slave relationship
C. Enable load balancing
D. Configure the cluster IP address
Answer: D
17) Refer to the exhibit. Which effect of this configuration is true?
A. If the RADIUS server is unreadable, SSH users cannot authenticate
B. All commands are validated by the RADIUS server before the device executes them
C. Users accessing the device via SSH and those accessing enable mode are authenticated against the RADIUS server
D. Users must be in the RADIUS server to access the serial console
E. Only SSH users are authenticated against the RADIUS server
Answer: C
18) Refer to the exhibit. Which two configurations must you perform to enable the device to use this class map? (Choose two)
A. Configure PDLM
B. Configure the ip nbar custom command
C. Configure the ip nbar protocol discovery command
D. Configure the transport hierarchy
E. Configure the DSCP value
Answer: B,C
19) Which three messages are part of the SSL protocol? (Choose three)
A. Change CipherSpec
B. Alert
C. Record
D. Message Authentication
E. CipherSpec
F. Handshake
Answer: A,C,F
20) Which command is used to enable 802.1x authentication on an interface?
A. authentication port-control auto
B. aaa authorization auth-proxy default
C. aaa authorization network default group tacacs+
D. authentication control-direction both
E. authentication open
Answer: A
21) Which two design options are best to reduce security concerns when adopting IoT into an organization? (Choose two)
A. Encrypt data at rest on all devices in the IoT network
B. Implement video analytics on IP cameras
C. Encrypt sensor data in transit
D. Segment the Field Area Network from the Data Centre network
E. Ensure that applications can gather and analyze data at the edge
Answer: C,E
22) Which encryption type is used by ESA for implementing the Email Encryption?
A. SSL Encryption
B. TLS
C. Identity Based Encryption (IBE)
D. PKI
E. S/MIME Encryption
Answer: E
23) Which two statements about the MACsec security protocol are true? (Choose two)
A. MACsec is not supported in MDA mode
B. Stations broadcast an MKA heartbeat that contains the key server priority
C. When switch-to-switch link security is configured in manual mode, the SAP operation mode must be set to GCM
D. MKA heartbeats are sent at a default interval of 3 seconds
E. The SAK is secured by 128-bit AES-GCM by default
Answer: B,E
24) Which type of header attack is detected by Cisco ASA threat detection?
A. failed application inspection
B. connection limit exceeded
C. bad packet format
D. denial by access list
Answer: C
25) Which two statements about SCEP are true? (Choose two)
A. The GetCACaps response message supports DES encryption and the SHA-128 hashing algorithm
B. CA servers must support GetCACaps response messages in order to implement extended functionality
C. The GetCert exchanges is signed and encrypted only in the response direction
D. It is vulnerable to downgrade attacks on its cryptographic capabilities
E. The GetCRL exchange is signed and encrypted only in the response direction
Answer: B,D
26) Which effect of the ip nhrp map multicast dynamic command is true?
A. It configures a hub router to reflect the routes it learns from a spoke back to other spokes through the same interface
B. It enables a GRE tunnel to dynamically update the routing tables on the devices at each end of the tunnel
C. It configures a hub router to automatically add spoke routers to the multicast replication list of the hub
D. It enables a GRE tunnel to operate without the IPsec peer or crypto ACLs
Answer: C
27) Refer to the exhibit. A user authenticates to the NAS, which communicates to the TACACS+ server for authentication. The TACACS+ server then accesses the Active Directory Server through the ASA firewall to validate the user credentials. Which protocol-port pair must be allowed access through the ASA firewall?
A. DNS over TCP 53
B. global catalog over UDP 3268
C. LDAP over UDP 389
D. DNS over UDP 53
E. TACACS+ over TCP 49
F. SMB over TCP 455
Answer: C
28) Which effect of the crypto pki authenticate command is true?
A. It sets the certificate enrollment method
B. It retrieves and authenticates a CA certificate
C. It displays the current CA certificate
D. It configures a CA trustpoint
Answer: B
29) Refer to the exhibit. What is the maximum number of site-to-site VPNs allowed by this configuration?
A. 10
B. 15
C. unlimited
D. 5
E. 0
F. 1
Answer: B
30) How does Scavenger-class QoS mitigate DoS and worm attacks?
A. It matches traffic from individual hosts against the specific network characteristics of known attack types
B. It sets a specific intrusion detection mechanism and applies the appropriate ACL when matching traffic is detected
C. It monitors normal traffic flow and drops burst traffic above the normal rate for a single host
D. It monitors normal traffic flow and aggressively drops sustained abnormally high traffic streams from multiple hosts
Answer: D
31) Which three statements about SXP are true? (Choose three)
A. To enable an access device to use IP device tracking to learn source device IP addresses, DHCP snooping must be configured
B. Each VRF supports only one CTS-SXP connection
C. It resides in the control plane, where connections can be initiated from a listener
D. Separate VRFs require different CTS-SXP peers, but they can use the same source IP addresses
E. The SGA ZBPF uses the SGT to apply forwarding decisions
F. Packets can be tagged with SGTs only with hardware support
Answer: B,D,F
32) Refer to the exhibit. Which two effects of this configuration are true? (Choose two)
A. Configuration commands on the router are authorized without checking the TACACS+ server
B. When a user logs in to privileged EXEC mode, the router will track all user activity
C. Requests to establish a reverse AUX connection to the router will be authorized against the TACACS+ server
D. When a user attempts to authenticate on the device, the TACACS+ server will prompt the user to enter the username stored in the router's database
E. If a user attempts to log in as a level 15 user, the local database will be used for authentication and the TACACS+ will be used for authorization
F. It configures the router's local database as the backup authentication method for all TTY, console, and aux logins
Answer: A,F
33) Which two options are benefits of the Cisco ASA Identity Firewall? (Choose two)
A. It can identify threats quickly based on their URLs
B. It can operate completely independently of other services
C. It supports an AD server module to verify identity data
D. It decouples security policies from the network topology
E. It can apply security policies on an individual user or user-group basis
Answer: C,E
34) Refer to the exhibit. Which two effects of this configuration are true? (Choose two)
A. It allows the switch to detect IGMPv2 leave group messages
B. It optimizes the use of network bandwidth on the LAN segment
C. IGMPv2 leave group messages are stored in the switch CAM table for faster processing
D. Hosts send leave group messages to the Solicited-Node Address multicast address FF02::1:FF00:0000/104
E. It improves the processing time of CGMP leave messages
F. Hosts send leave group messages to all-router multicast address when they want to stop receiving data for that group
Answer: A,B
35) Which two statements about the TTL value in an IPv4 header are true? (Choose two)
A. It is a 4-bit value
B. Its maximum value is 128
C. It is a 16-bit value
D. It can be used for traceroute operations
E. When it reaches 0, the router sends an ICMP Type 11 message to the originator
Answer: D,E
36) Refer to the exhibit. Which effect of this configuration is true?
A. Any VPN user with a session time out of 24 hours can access the device
B. Users attempting to access the console port are authenticated against the TACACS+ server
C. If the TACACS+ authentication fails, the ASA uses cisco 123 as its default password
D. The device tries to reach the server every 24 hours and falls back to the LOCAL database if it fails
E. The servers in the TACACS+ group0 are reactivated every 1440 seconds
Answer: D
37) Which of the following is AMP Endpoints for Windows?
A. ClamAV
B. ClamAMP
C. TETRA
D. TETRAAMP
Answer: C
38) Which two characteristics of DTLS are true? (Choose two)
A. It includes a retransmission method because it uses an unreliable datagram transport
B. It cannot be used if NAT exists along the path
C. It completes key authentication and bulk data transfer over a single channel
D. It includes a congestion control mechanism
E. It supports long data transfers and connections data transfers
F. It is used mostly by applications that use application layer object-security protocols
Answer: A,D
39) A new computer is not getting its IPv6 address assigned by the router. While running WireShark to try to troubleshoot the problem, you find a lot of data that is not helpful to nail down the problem. What two filters would you apply to WireShark to filter the data that you are looking for? (Choose two)
A. Icmpv6.type== 136
B. Icmpv6.type== 135
C. Icmp5.type== 135
D. Icmpv6type== 136
E. Icmp6type== 135
Answer: A,B
40) Which two options are benefits of network summarization? (Choose two)
A. It can summarize discontiguous IP addresses
B. It can easily be added to existing networks
C. It prevents unnecessary routing updates at the summarization boundary if one of the routes in the summary is unstable
D. It reduces the number of routes
E. It can increase the convergence of the network
Answer: C,D
41) Which statement about VRF-aware GDOI group members is true?
A. IPsec is used only to secure data traffic
B. Registration traffic and rekey traffic must operate on different VRFs
C. Multiple VRFs are used to separate control traffic and data traffic
D. The GM cannot route control traffic through the same VRF as Data traffic
Answer: A
42) Which file extensions are supported on the FireSIGHT Management Center 6.1 file policies that can be analyzed dynamically using the Threat Grid Sandbox integration?
A. MSEXE, MSOLE2, NEW-OFFICE, PDF
B. DOCX, WAV, XLS, TXT
C. DOC, MSOLE2, WAV, PDF
D. TXT, MSOLE2, WAV, PDF
Answer: A
43) Refer to the exhibit. Which data format is used in this script?
A. API
B. JSON
C. JavaScript
D. YANG
E. XML
Answer: E
44) In which type of multicast does the Cisco ASA forward IGMP messages to the upstream router?
A. Multicast group concept
B. PIM multicast routing
C. Stub multicast routing
D. clustering
Answer: C
45) Which option is a data modeling language used to model configuration and state data of network elements?
A. NETCONF
B. RESTCONF
C. YANG
D. SNMPv4
Answer: C
46) Which three ESMTP extensions are supported by the Cisco ASA? (Choose three)
A. 8BITMIME
B. STARTTLS
C. NOOP
D. PIPELINING
E. SAML
F. ATRN
Answer: B,D,E
47) In OpenStack, which two statements about the NOVA component are true? (Choose two)
A. It is considered the cloud computing fabric controller
B. It provides the authentication and authorization services
C. It tracks cloud usage statistics for billing purposes
D. It launches virtual machine instances
E. It provides persistent block storage to running instances of virtual machines
Answer: A,D
48) Which three types of addresses can the Botnet Filter feature of the Cisco ASA monitor? (Choose three)
A. Known allowed addresses
B. Dynamic addresses
C. Internal addresses
D. Ambiguous addresses
E. Known malware addresses
F. Listed addresses
Answer: A,D,E
49) Which three authorization technologies does Cisco TrustSec support? (Choose three)
A. SGT
B. SGACL
C. MAB
D. 802.1x
E. DACL
F. VLAN
Answer: A,E,F
50) Which two statements about 802.1x components are true? (Choose two)
A. The certificates that are used in the client-server authentication process are stored on the access switch
B. The access layer switch is the policy enforcement point
C. The RADIUS server is the policy enforcement point
D. The RADIUS server is the policy information point
E. An LDAP server can serve as the policy enforcement point
Answer: B,D
51) Which statements about the Cisco AnyConnect VPN Client are true? (Choose two)
A. It enables users to manage their own profiles
B. By default, DTLS connections can fall back to TLS
C. It can be configured to download automatically without prompting the user
D. To improve security, keepalives are disabled by default
E. It can use an SSL tunnel and a DTLS tunnel simultaneously
Answer: C,E
52) Which three transports have been defined for SNMPv3? (Choose three)
A. IPsec secured tunnel
B. SSL
C. TLS
D. SSH
E. GET
F. DTLS
Answer: C,D,F
53) Which two statements about SPAN sessions are true? (Choose two)
A. A single switch stack can support up to 32 source and RSPAN destination sessions
B. They can monitor sent and received packets in the same session
C. Multiple SPAN sessions can use the same destination port
D. Source ports and source VLANs can be mixed in the same session
E. They can be configured on ports in the disabled state before enabling the port
F. Local SPAN and RSPAN can be mixed in the same session
Answer: D,E
54) Which three ISAKMP SA Message States can be output from the device that initiated an IPsec tunnel? (Choose three)
A. MM_WAIT_MSG3
B. MM_WAIT_MSG2
C. MM_WAIT_MSG1
D. MM_WAIT_MSG4
E. MM_WAIT_MSG6
F. MM_WAIT_MSG5
Answer: A,C,F
55) Which three EAP protocols are supported in WPA and WPA2? (Choose three)
A. EAP-FAST
B. EAP-AKA
C. EAP-EKE
D. EAP-EEE
E. EAP-SIM
F. EAP-PSK
Answer: A,B,E
56) Which three Cisco attributes for LDAP authorization are supported on the ASA? (Choose three)
A. Authenticated-User-Idle-Timeout
B. Web-VPN-ACL-Filters
C. L2TP-Encryption
D. IPsec-Default-Domain
E. Authorized-Type
F. IPsec-Client-Firewall-Filter-Name
Answer: A,B,D
57) AMP for Endpoints is supported on which of these platforms?
A. Windows, ANDROID, Linux (REDHAT, CentOS), MAC
B. Windows, MAC, ANDROID
C. Windows, MAC, LINUX (SuSE, UBUNTU), ANDROID
D. Windows, ANDROID, LINUX (SuSE, REDHAT)
Answer: A
58) Which two statements about MAB are true? (Choose two)
A. MAC addresses stored in the MAB database can be spoofed
B. It operates at Layer 2 and Layer 3 of the OSI protocol stack
C. It can be used to authenticate network devices and users
D. It serves as the primary authentication mechanism when deployed in conjunction with 802.1x
E. It requires the administrator to create and maintain an accurate database of MAC addresses
F. It is a strong authentication method
Answer: A,E
59) Drag and drop the protocols on the left onto their descriptions on the right
Answer: 1-B, 2-D, 3-A, 4-C
60) Refer to the exhibit. Which meaning of this error message on a Cisco ASA is true?
A. The route map redistribution is configured incorrectly
B. The host is connected directly to the firewall
C. A packet was denied and dropped by an ACL
D. The default route is undefined
Answer: D
61) Which three statements about WCCP are true? (Choose three)
A. The minimum WCCP-Fast Timers messages interval is 500 ms
B. If a specific capability is missing from the capabilities Info Component, the router is assumed to support the default capability
C. If the packet return method is missing from a packet return method advertisement, the web cache uses the Layer 2 rewrite method
D. The router must receive a valid receive ID before it negotiates capabilities
E. The assignment method supports GRE encapsulation for sending traffic
F. The web cache transmits its capabilities as soon as it receives a receive ID from a router
Answer: A,B,E
62) Which two options are important considerations when you use wsa to obtain the full picture of network traffic? (Choose two)
A. It monitors only routed traffic
B. It is unable to monitor over time
C. It monitors only ingress traffic on the interface on which it is deployed
D. It monitors all traffic on the interface on which it is deployed
E. It monitors only TCP connections
Answer: B,D
63) Which three VSA attributes are present in a RADIUS WLAN Access-accept packet? (Choose three)
A. EAP-Message
B. Tunnel-Type
C. LEAP Session-Key
D. Tunnel-Private-Group-ID
E. Authorization-Algorithm-Type
F. SSID
Answer: C,E,F
64) Which two options are unicast address types for IPv6 addressing? (Choose two)
A. Global
B. Established
C. Link-local
D. Static
E. Dynamic
Answer: A,C
65) A client computer at 10.10.7.4 is trying to access a Linux server (11.0.1.9) that is running a Tomcat Server application. What tcpdump filter would be best to verify that traffic is reaching the Linux Server eth0 interface?
A. tcpdump -i eth0 host 10.10.7.4 and host 11.0.1.9 and port 8080
B. tcpdump -i eth0 host 10.10.7.4 and 11.0.1.9
C. tcpdump -i eth0 dst 11.0.1.9 and dst port 8080
D. tcpdump -i eth0 src 10.10.7.4 and dst 11.0.1.9 and dst port 8080
Answer: D
66) Which two statements about uRPF are true? (Choose two)
A. The administrator can configure the allow-default command to force the routing table to use only the default route
B. In strict mode, only one routing path can be available to reach network devices on a subnet
C. The administrator can use the show cef interface command to determine whether uRPF is enabled
D. The administrator can configure the ip verify unicast source reachable-via any command to enable the RPF check to work through HSRP routing groups
E. It is not supported on the Cisco ASA security appliance
Answer: B,C
67) Which three options are fields in a CoA Request code packet? (Choose three)
A. Length
B. Calling-station-ID
C. Authenticator
D. Acct-session-ID
E. State
F. Identifier
Answer: B,D,E
68) When TCP Intercept is enabled in its default mode, how does it react to a SYN request?
A. It drops the connection
B. It intercepts the SYN before it reaches the server and responds with a SYN-ACK
C. It allows the connection without inspection
D. It monitors the attempted connection and drops it if it fails to establish within 30 seconds
E. It monitors the sequence of SYN, SYN-ACK, and ACK message until the connection is fully established
Answer: B
69) Refer to the exhibit. What are two functionalities of this configuration? (Choose two)
A. The encapsulation command is used to do deep scan on dot1q encapsulation traffic
B. Traffic will not be able to pass on gigabitEthernet 0/1
C. The ingress command is used for an IDS to send a reset on Vlan 3 only
D. Traffic will only be sent to gigabitEthernet 0/20
E. The source interface should always be a VLAN
Answer: C,D
70) Refer to the exhibit. What are two effects of the given configuration? (Choose two)
A. The connection will remain open if the PASV reply command includes 5 commas
B. TCP connections will be completed only to TCP ports from 1 to 1024
C. FTP clients will be able to determine the server's system type
D. The client must always send the PASV reply
E. The connection will remain open if the size of the STOR command is greater than a fixed constant
Answer: A,C
71) Refer to the exhibit. Which two effects of this configuration are true? (Choose two)
A. If the TACACS+ server is unreachable, the switch places hosts on critical ports in VLAN 50
B. The device allows multiple authenticated sessions for a single MAC address in the voice domain
C. If multiple hosts have authenticated to the same port, each can be in their own assigned VLAN
D. If the authentication priority is changed the order in which authentication is performed also changes
E. The switch periodically sends an EAP-Identity-Request to the endpoint supplicant
F. The port attempts 802.1x authentication first, and then falls back to MAC authentication bypass
Answer: E,F
72) Which two options are normal functionalities for ICMP? (Choose two)
A. Packet filtering
B. Host detection
C. Relaying traffic statistics to applications
D. Path MTU discovery
E. Router discovery
F. Port scanning
Answer: B,D
73) Which command sequence do you enter to add the host 10.2.1.0 to the CISCO object group?
A. Object-group network CISCO Group-object 10.2.1.0
B. Object network CISCO Network-object object 10.2.1.0
C. Object network CISCO Group-object 10.2.1.0
D. Object-group network CISCO Network-object host 10.2.1.0
Answer: D
74) Refer to the exhibit. Which effect of this configuration is true?
A. A downloadable ACL is applied after an AV pair ACL
B. For all users, entries in a downloadable ACL are given priority over entries in an AV pair ACL
C. The downloadable ACL and the AV pair ACL entries are merged together, one ACE at a time
D. The downloadable ACL and AV pair ACL are merged immediately when the RADIUS server is activated
E. The downloadable ACL and AV pair ACL are merged after three connection attempts are made to the RADIUS server
Answer: A
75) Which two events can cause a failover event on an active/standby setup? (Choose two)
A. The stateful failover link fails
B. The failover link fails
C. The active unit experiences interface failure above the threshold
D. The active unit fails
E. The unit that was previously active recovers
Answer: C,D
76) Within Platform as a Service, which two components are managed by the customer? (Choose two)
A. Middleware
B. Applications
C. Data
D. Operating system
E. Networking
Answer: B,C
77) Refer to the exhibit. Which level of encryption is set by this configuration?
A. 56-bit
B. 168-bit
C. 1024-bit
D. 192-bit
Answer: B
78) From the list below, which one is the major benefit of AMP Threat Grid?
A. AMP Threat Grid analyzes suspicious in your network against exactly 400 behavioral indicators
B. AMP Threat Grid combines Static, and Dynamic Malware analysis with threat intelligence into one combined solution
C. AMP Threat Grid learns ONLY from data you pass on your network and not from anything else to monitor for suspicious behavior. This makes the system much faster and efficient
D. AMP Threat Grid collects file information from customer servers and runs tests on them, to see if they are infected with viruses
Answer: C
79) Which three statements about PKI on Cisco IOS Software are true? (Choose three)
A. The match certificate and allow expired-certificate commands are ignored unless the router clock is set
B. OCSP enables a PKI to use a CRL without time limitations
C. Different OCSP servers can be configured for different groups of client certificates
D. OCSP is well-suited for enterprise PKIs in which CRLs expire frequently
E. Certificate-based ACLs can be configured to allow expired certificates if the peer is otherwise valid
F. If a certificate-based ACL specifies more than one field, any one successful field-to-value test is treated as a match
Answer: C,D,E
80) Refer to the exhibit. For which type of user is this downloadable ACL appropriate?
A. Onsite contractors
B. Management
C. Network administrators
D. Employees
E. Guest users
Answer: E
81) In which two situations is web authentication appropriate? (Choose two)
A. When a fallback authentication method is necessary
B. When 802.1x authentication is required
C. When WEP encryption must be deployed on a large scale
D. When devices outside the control of the organization's IT department are permitted to connect to the network
E. When secure connections to the network are unnecessary
Answer: A,D
82) Which two statements about Botnet Traffic Filter snooping are true? (Choose two)
A. It can log and block suspicious connections from previously unknown bad domains and IP addresses
B. It checks inbound and outbound traffic
C. It can inspect both IPv4 and IPv6 traffic
D. It requires the Cisco ASA DNS server to perform DNS lookups
E. It checks inbound traffic only
F. It requires DNS packet inspection to be enabled to filter domain names in the dynamic database
Answer: B,F
83) Which command on Cisco ASA can you enter to send debug messages to a syslog server?
A. Logging host
B. Logging debug-trace
C. Logging traps
D. Logging syslog
Answer: A
84) Refer to the exhibit. Which effect of this configuration is true?
A. It creates a default class
B. It creates a resource class
C. It oversubscribes VPN sessions for the given class
D. It allows each context to use all available resources
Answer: B
85) Which feature does Cisco VSG use to redirect traffic in a Cisco Nexus 1000V Series Switch?
A. VPC
B. VDC
C. VEM
D. vPath
Answer: D
86) Which two statements about ping flood attacks are true? (Choose two)
A. They attack by sending ping requests to the return address of the network
B. They use ICMP packets
C. They attack by sending ping requests to the broadcast address of the network
D. The attack is intended to overwhelm the CPU of the target victim
E. They use UDP packets
F. They use SYN packets
Answer: B,C
87) Which best practice can limit inbound TTL expiry attacks?
A. Setting the TTL value to more than the longest path in the network
B. Setting the TTL value to zero
C. Setting the TTL value to less than the longest path in the network
D. Setting the TTL value equal to the longest path in the network
Answer: A
88) Which two options are benefits of the Cisco ASA transparent firewall mode? (Choose two)
A. It can perform dynamic routing
B. It supports extended ACLs to allow Layer 3 traffic to pass from higher to lower security interfaces
C. It provides SSL VPN support
D. It can establish routing adjacencies
E. It can be added to an existing network without significant reconfiguration
Answer: B,E
89) Which description of SaaS is true?
A. A service offering that allows developers to build their own applications
B. A service offering a software environment in which applications can be built and deployed
C. A service offering on-demand licensed applications for end users
D. A service offering on-demand software downloads
Answer: C
90) What are two characteristics of RPL, used in IoT environments? (Choose two)
A. It is an Exterior Gateway Protocol
B. It is an Interior Gateway Protocol
C. It is a hybrid protocol
D. It is a link-state protocol
E. It is a distance-vector protocol
Answer: B,E
91) Which command is required for botnet filter on Cisco ASA to function properly?
A. dynamic-filter inspect tcp/80
B. dynamic-filter whitelist
C. inspect botnet
D. inspect dns dynamic-filter-snoop
Answer: D
92) Which two statements about Cisco URL Filtering on Cisco IOS Software are true? (Choose two)
A. By default, it allows all URLs when the connection to the filtering server is down.
B. It supports Websense and N2H2 filtering at the same time.
C. It supports local URL lists and third-party URL filtering servers.
D. By default, it uses ports 8 and 22.
E. It supports HTTP and HTTPS traffic.
F. It requires minimal CPU time.
Answer: C,E
93) Which two options are open-source SDN controllers? (Choose two)
A. OpenContrail
B. OpenDaylight
C. Big Cloud Fabric
D. Virtual Application Networks SDN Controller
E. Application Policy Infrastructure Controller
Answer: A,B