This page was exported from Lead2pass New Updated Exam Questions [ https://www.getfreevce.com ] Export date:Sun Dec 22 2:07:53 2024 / +0000 GMT ___________________________________________________ Title: [2017 New] Free Download Lead2pass Cisco 400-251 VCE And PDF Dumps (176-200) --------------------------------------------------- 2017 August Cisco Official New Released 400-251 Dumps in Lead2pass.com! 100% Free Download! 100% Pass Guaranteed! We Lead2pass.com are providing 400-251 exam braindumps here in both PDF file and Online Practice Test Formats. The 400-251 dumps are updated time to time having all the questions answers which cover complete course outlines of the 400-251 certification exam. Following questions and answers are all new published by Cisco Official Exam Center: https://www.lead2pass.com/400-251.html QUESTION 176What are the three response types for SCEP enrollment requests? (Choose three.) A.    PKCS#7B.    RejectC.     PendingD.    PKCS#10E.    SuccessF.    RenewalAnswer: BCE QUESTION 177Refer to the exhibit. What is the configuration design to prevent?   A.    Man in the Middle AttacksB.    Dynamic payload inspectionC.    Backdoor control channels for infected hostsD.    DNS Inspection Answer: CExplanation:Cisco ASA firewall is configured for botnet filtering which prevents backdoor control channels from infected hosts. QUESTION 178Which three statements about the Cisco IPS sensor are true? (Choose three.) A.    You cannot pair a VLAN with itself.B.    For a given sensing interface, an interface used in a VLAN pair can be a member of another inline interface pair.C.    For a given sensing interface, a VLAN can be a member of only one inline VLAN pair, however, a given VLAN can be a member of an inline VLAN pair on more than one sensing interface.D.    The order in which you specify the VLANs in a inline pair is significant.E.    A sensing interface in inline VLAN pair mode can have from 1 to 255 inline VLAN pairs. Answer: ACEExplanation:Inline VLAN Interface PairsYou cannot pair a VLAN with itself.For a given sensing interface, a VLAN can be a member of only one inline VLAN pair. However, a given VLAN can be a member of an inline VLAN pair on more than one sensing interface.The order in which you specify the VLANs in an inline VLAN pair is not significant. A sensing interface in inline VLAN pair mode can have from 1 to 255 inline VLAN pairs. QUESTION 179Which command sets the Key-length for the IPv6 send protocol? A.    IPv6 nd ns-intervalB.    Ipv6 ndra-intervalC.    IPv6 nd prefixD.    IPv6 nd inspectionE.    IPv6 nd secured Answer: E QUESTION 180Which two statement about MSDP ate true? (Choose three) A.    It can connect to PIM-SM and PIM-DM domainsB.    It announces multicast sources from a groupC.    The DR sends source data to the rendezvous point only at the time the source becomes activeD.    It can connect only to PIM-DM domainsE.    It registers multicast sources with the rendezvous point of a domainF.    It allows domains to discover multicast sources in the same or different domains. Answer: BEF QUESTION 181What are two advantages of NBAR2 over NBAR? (Choose two) A.    Only NBAR2 support Flexible NetFlow for extracting and exporting fields from the packet header.B.    Only NBAR2 allows the administrator to apply individual PDL files.C.    Only NBAR2 support PDLM to support new protocals.D.    Only NBAR2 can use Sampled NetFlow to extract pre-defined packet headers for reporting.E.    Only NBAR2 supports custom protocols based on HTTP URLs. Answer: AE QUESTION 182Which two statements about Network Edge Authentication Technology (NEAT) are true? (Choose two) A.    It requires a standard ACL on the switch portB.    It conflicts with auto-configurationC.    It allows you to configure redundant links between authenticator and supplicant switchesD.    It supports port-based authentication on the authenticator switchE.    It can be configured on both access ports and trunk portsF.    It can be configured on both access ports and EtherChannel ports Answer: DE QUESTION 183What are three pieces of data you should review in response to a suspected SSL MITM attack? (Choose three) A.    The IP address of the SSL serverB.    The X.509 certificate of the SSL serverC.    The MAC address of the attackerD.    The MAC address of the SSL serverE.    The X.509 certificate of the attackerF.    The DNS name off the SSL server Answer: ABF QUESTION 184From what type of server can you to transfer files to ASA's internal memory ? A.    SSHB.    SFTPC.    NetlogonD.    SMB Answer: D QUESTION 185Which configuration is the correct way to change VPN key Encryption key lifetime to 10800 seconds on the key server? A.     B.     C.     D.     Answer: A QUESTION 186Which feature can you implement to protect against SYN-flooding DoS attacks? A.    the ip verify unicast reverse-path commandB.    a null zero routeC.    CAR applied to icmp packetsD.    TCP Intercept Answer: DExplanation:https://www.sans.org/security-resources/idfaq/preventing-syn-flooding-with-cisco-routers/5/5 QUESTION 187Refer to the exhibit. If R1 is connected upstream to R2 and R3 at different ISPs as shown, what action must be taken to prevent Unicast Reverse Path Forwarding (uRPF) from dropping asymmetric traffic?   A.    Configure Unicast RPF Loose Mode on R2 and R3 only.B.    Configure Unicast RPF Loose Mode on R1 only.C.    Configure Unicast RPF Strict Mode on R1 only.D.    Configure Unicast RPF Strict Mode on R1,R2 and R3.E.    Configure Unicast RPF Strict Mode on R2 and R3 only. Answer: BExplanation:http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_urpf/configuration/xe-3s/sec-data-urpf-xe-3s-book/sec-unicast-rpf-loose-mode.htmlhttp://www.cisco.com/c/en/us/about/security-center/unicast-reverse-path-forwarding.html QUESTION 188Refer to the exhibit. Which effect of this Cisco ASA policy map is true?  A.    The Cisco ASA is unable to examine the TLS session.B.    The server ends the SMTP session with a QUIT command if the algorithm or key length is insufficiently secure.C.    it prevents a STARTTLS session from being established.D.    The Cisco ASA logs SMTP sessions in clear text. Answer: DExplanation:http://www.cisco.com/c/en/us/about/security-center/intelligence/asa-esmtp-starttls.html#interacthttps://stomp.colorado.edu/blog/blog/2012/12/31/on-smtp-starttls-and-the-cisco-asa/And in RFC 3207 that governs this TLS negotiation is said that " If the SMTP client decides that the level of authentication or privacy is not high enough for it to continue, it SHOULD issue an SMTP QUIT command immediately after the TLS negotiation is complete.If the SMTP server decides that the level of authentication or privacy is not high enough for it to continue, it SHOULD reply to every SMTP command from the client (other than a QUIT command) with the 554 reply code (with a possible text string such as "Command refused due to lack of security")." Hence it is the client that sends QUIT command, not the serverThis is an example of ASA logging an SMTP session that was established using TLS:Mar 07 2017 19:40:04: %ASA-6-108007: TLS started on ESMTP session between client outside:98.139.212.154/45850 and server inside:192.168.1.12/25 QUESTION 189What security element must an organization have in place before it can implement a security audit and validate the audit results? A.    firewallB.    network access controlC.    an incident response teamD.    a security policyE.    a security operation center Answer: D QUESTION 190Which two statements about RFC 2827 are true? (Choose two.) A.    RFC 2827 defines egress packet filtering to safeguard against IP spoofing.B.    A corresponding practice is documented by the IEFT in BCP 38.C.    RFC 2827 defines ingress packet filtering for the multihomed network.D.    RFC 2827 defines ingress packet filtering to defeat DoS using IP spoofing.E.    A corresponding practice is documented by the IEFT in BCP 84. Answer: BD QUESTION 191From the list below, which one is the major benefit of AMP Threat GRID? A.    AMP Threat Grid collects file information from customer servers and run tests on them to see if they are infected with virusesB.    AMP Threat Grid learns ONLY from data you pass on your network and not from anything else to monitor for suspicious behavior. This makes the system much faster and efficientC.    AMP Threat Grid combines Static, and Dynamic Malware analysis with threat intelligence into one combined solutionD.    AMP Threat Grid analyzes suspicious behavior in your network against exactly 400 behavioralindicators Answer: C QUESTION 192Drag and Drop QuestionDrag each field authentication Header on the left into the order in which it appears in the header on the right   Answer:   QUESTION 193Which two statement about Infrastructure ACLs on Cisco IOS software are true? (Choose two.) A.    Infrastructure ACLs are used to block-permit the traffic in the router forwarding path.B.    Infrastructure ACLs are used to block-permit the traffic handled by the route processor.C.    Infrastructure ACLs are used to block-permit the transit traffic.D.    Infrastructure ACLs only protect device physical management interface. Answer: BD QUESTION 194Which three statements about SCEP are true?(Choose three) A.    It Supports online certification revocation.B.    Cryptographically signed and encrypted message are conveyed using PKCS#7.C.    The certificate request format uses PKCS#10.D.    It supports multiple cryptographic algorithms, including RSA.E.    CRL retrieval is support through CDP (Certificate Distribution Point) queries.F.    It supports Synchronous granting. Answer: BCE QUESTION 195class-map nbar_rtp match protocol rtp payload-type "0, 1, 4 - 0x10, 10001b - 10010b, 64" The above NBAR configuration matches RTP traffic with which payload types? A.     B.     C.     D.     Answer: A QUESTION 196Refer to the exhibit. What type of attack is represented in the given Wireshark packet capture?   A.    a SYN floodB.    spoofingC.    a duplicate ACKD.    TCP congestion controlE.    a shrew attack Answer: A QUESTION 197What message does the TACACS+ daemon send during the AAA authentication process to request additional authentication information? A.    ACCEPTB.    REJECTC.    CONTINUED.    ERRORE.    REPLY Answer: C QUESTION 198Refer to the exhibit.While troubleshooting a router issue, you executed the show ntp association command and it returned this output.Which condition is indicated by the reach value of 357?   A.    The NTP continuously received the previous 8 packets.B.    The NTP process is waiting to receive its first acknowledgement.C.    The NTP process failed to receive the most recent packet, but it received the 4 packets before the most recent packet.D.    The NTP process received only the most recent packet. Answer: C QUESTION 199Which three IP resources is IANA responsible for? (Choose three.) A.    IP address allocationB.    detection of spoofed addressC.    criminal prosecution of hackersD.    autonomous system number allocationE.    root zone management in DNSF.    BGP protocol vulnerabilities Answer: ADE QUESTION 200Which three attributes may be configured as part of the Common Tasks panel of an authorization profile in the Cisco ISE solution? (Choose three.) A.    VLANB.    voice VLANC.    dACL nameD.    voice domain permissionE.    SGT Answer: ACD The 400-251 online practice test prepare you according to the real exam scenario. Free demo is available to check before buying the 400-251 study guide. 400-251 new questions on Google Drive: https://drive.google.com/open?id=0B3Syig5i8gpDMERESjlYcVlZNWs 2017 Cisco 400-251 exam dumps (All 470 Q&As) from Lead2pass: https://www.lead2pass.com/400-251.html [100% Exam Pass Guaranteed] --------------------------------------------------- Images: --------------------------------------------------- --------------------------------------------------- Post date: 2017-08-09 09:50:34 Post date GMT: 2017-08-09 09:50:34 Post modified date: 2017-08-09 09:50:34 Post modified date GMT: 2017-08-09 09:50:34 ____________________________________________________________________________________________ Export of Post and Page as text file has been powered by [ Universal Post Manager ] plugin from www.gconverters.com