Actual 400-251 Cisco Certified Internetwork Expert Security (CCIE Security) Exam Question Answer

New Updated 400-251 Exam Questions from DumpsSchool 400-251 PDF dumps! Welcome to download the newest DumpsSchool 400-251 VCE dumps:

Keywords: 400-251 exam dumps, CCIE Security exam questions, 400-251 exam questions, 400-251 VCE dumps, 400-251 PDF dumps, 400-251 practice tests, 400-251 study guide, 400-251 braindumps, CCIE Security

Cisco Certified Internetwork Expert Security certification exam as a profession has an extraordinary evolution over the last few years. Cisco 400-251 CCIE Security exam is the forerunner in validating credentials against. Here are updated Cisco 400-251 exam questions, which will help you to test the quality features of DumpsSchool exam preparation material completely free. You can purchase the full product once you are satisfied with the product.

Version: 11.0
Question: 1

Which two statements about SCEP are true? (Choose two)

A. CA Servers must support GetCACaps response messages in order to implement extended functionality.
B. The GetCRL exchange is signed and encrypted only in the response direction.
C. It is vulnerable to downgrade attacks on its cryptographic capabilities.
D. The GetCert exchange is signed and encrypted only in the response direction.
E. The GetCACaps response message supports DES encryption and the SHA-128 hashing algorithm.

Answer: A C

Question: 2

Which two events can cause a failover event on an active/standby setup? (Choose two)

A. The active unit experiences interface failure above the threshold.
B. The unit that was previously active recovers.
C. The stateful failover link fails.
D. The failover link fails
E. The active unit fails.

Answer: A E

Question: 3

Which two statements about the MACsec security protocol are true? (Choose two)

A. Stations broadcast an MKA heartbeat the contains the key server priority.
B. The SAK is secured by 128-bit AES-GCM by default.
C. When switch-to-switch link security is configured in manual mode, the SAP operation mode must be set to GCM.
D. MACsec is not supported in MDA mode.
E. MKA heartbeats are sent at a default interval of 3 seconds.

Answer: A B

Question: 4

Which two options are benefits of network summarization? (Choose two)

A. It can summarize discontiguous IP addresses.
B. It can easily be added to existing networks.
C. It can increase the convergence of the network.
D. It prevents unnecessary routing updates at the summarization boundary if one of the routes in the summary is unstable
E. It reduces the number of routes.

Answer: D E

Question: 5

Refer to the exhibit.

Which meaning of this error message on a Cisco ASA is true?

A. The route map redistribution is configured incorrectly.
B. The default route is undefined.
C. A packet was deniedand dropped by an ACL.
D. The host is connected directly to the firewall.

Answer: B

Question: 6

Which two statements about uRPF are true?(Choose two)

A. The administrator can configurethe allow-defaultcommand to force the routing table to use only the default.
B. It is not supported on the Cisco ASA security appliance.
C. The administrator can configure the ip verify unicast source reachable-via any command to enable the RPF check to work through HSRP touting groups.
D. The administrator can use thes how cef interface command to determine whether uRPF is enabled.
E. In strict mode, only one routing path can be available to reach network devices on a subnet..

Answer: D E

Question: 7

Which type of header attack is detected by Cisco ASA basic threat detection?

A. Connection limit exceeded.
B. Denial by access list.
C. Failed application inspection.
D. Bad packet format.

Answer: D

Question: 8

Refer to the exhibit.

A user authenticates to the NAS, which communicates to the VACAS+server authentication. The TACACS+SERVERthen accesses the Active Directory Server through the ASA firewall to validate the user credentials. Which protocol-Port pair must beallowed access through the ASA firewall?

A. SMB over TCP 455.
B. DNS over UDP 53.
C. LDAP over UDP 389.
D. global catalog over UDP 3268.
E. TACACS+over TCP 49.
F. DNS over TCP 53.

Answer: C

Question: 9

Which WEP configuration can be exploited by a weak IV attack?

A. When the static WEP password has been stored without encryption.
B. When a per-packet WEP key is in use.
C. When a 64-bit key is in use.
D. When the static WEP password has been given away.
E. When a 40-bit key is in use.
F. When the same WEP key is used to create every packet.

Answer: E