CCIE Security Written Exam Dumps
These Cisco 400-251 exam dumps are authentic and help you understand topics of designing, implementing, operating, and troubleshooting complex Cisco security technologies and solutions.
Try it Latest DumpsSchool 400-251 Exam dumps. Buy Full File here: https://www.dumpsschool.com/400-251-exam-dumps.html (514 As Dumps)
Download the DumpsSchool 400-251 braindumps from Google Drive: https://drive.google.com/file/d/11FxbQgMHhmv_ZErOwWAvO2afPaSZOyQN/view (FREE VERSION!!!)
Question No. 1
Which protocol does ISE use to secure a connection through the Cisco IronPort tunne infrastructure?
Question No. 2
Which of the following is one of the requirements for the FTD high availability setup?
A. Units should not have any uncommitted changes of FMC and should be fully deployed
B. Units should have DHCP configured for the interfaces
C. Units should be configured in transparent mode
D. Units should not synchronize using the same NTP source
E. Units should be configured in routed mode
F. Units should be in different domains in FMC
G. Units should have the same major software version running on them, minor and maintenance version could be different
Question No. 3
Which description of the AES encryption algorithm is true?
A. Reapplying the same encryption key three times makes it less vulnerable than 3DES
B. Theoretically 3DES is more secure than AES
C. It uses the block of 64 bits
D. It provides only data integrity
E. It does not use the substitution and permutation principle
F. It uses three encryption keys of lengths 128, 192, and 256
Question No. 4
Which two statements about MACsec are true? (Choose two)
A. It maintains network intelligence as it applied to router uplinks and downlinks.
B. It works in conjunction with IEEE 802.1X -2010 port-based access control.
C. It uses symmetric-key encryption to protect data confidentiality.
D. It encrypts packets at Layer 3, which allows devices to handle packets in accordance with network polices.
E. It can be enabled on individual port at Layer 3 to allow MACsec devices to access the network.
F. It can use IEEE 802.1x master keys to encrypt wired and wireless links
B, C Answer:
Question No. 5
How is the Cisco IronPort email data loss prevention licensed?
A. It is a per-site license
B. It comes free with Iron Port Email server
C. It is a per-enterprise license
D. It is a per-server license
E. It is a per-user license
Question No. 6
Which of the following Cisco products gives ability to interact with malware for its behavior analysis?
E. Threat Grid
Question No. 7
Which statement about the TLS security protocol is true?
A. TLS version 1.0 is less secure then SSL version 3.0
B. The TLS and SSL versions can interoperate in the client-server handshake
C. It is always recommended to disable TLS version 1.0 in the browser so that it only supports SSL for better security
D. You need to replace SSL certificate with TLS certificate for successful TLS operation
E. There are differences between TLS and SSL version 2 and 3
F. It only supports data authentication for the client-server session using a browser
Question No. 8
Which of these command sequences will send an email to
[email protected] using SMTP?
A. HELO invalid.com
B. MAIL FROM:
C. HELO invalid.com
D. MAIL FROM:
Question No. 9
Refer to the exhibit, what is the effect of the given service policy
A. It blockscisco.com, msn.com, and facebct3k.com and permanant
B. It blocks facebook.com, msn.com, cisco.com and google.com
C. It blocks all domains except facebook.eom, msn.com, cisco
D. It blocks all domains except cisco.com, msn, com; and facebook.com
Question No. 10
In FMC, which two elements can the correlation rule be based on ? (Choose two)
A. Malware detection
B. Database type
C. Change of Authorization
D. Authorization rule
E. Security Group Tag mapping
F. Network deviation from normal profile
G. Network Device Admission Control
H. Authentication condition
A, F Answer:
Question No. 11
What would describe Cisco Virtual Topology System?
A. Package that contains an entire runtime environment
B. An agent that resides on physical devices
C. Web server hosting for NX-OS
D. Overlay provisioning and management solution
Question No. 12
Refer to the exhibit.
It has been reported that IP Phone is not able to establish connectivity after performing port authentication. Which possible issues is the reason?
A. Possible issue with the access list applied on the port
B. Due to multiple device authentication enabled on port
C. Authentication order should be reversed
D. Possible issue with dhcp pool configuration
E. Possible issue with the session OACL
F. Due to multiple domain authentication enabled on port
Question No. 13
Which attribute cannot be used in Mobile Device Management (MDM) Authorization policy?
C. NetworkAccess EAPChamingResuit
D. Day sSi rKeL astCheckin
Question No. 14
ISE can be integrated with an MDM to ensure that only registered devices are allowed on the network, and use the MDM to push policies to the device. Devices can go in and out of compliance either due to policy changes on the MDM server, or another reason. Consider a device that has already authenticated on the network, and stays connected, but fails out of compliance. Which action can you take to ensure that a noncompliant device is checked periodically and re-assessed before allowing access to the network?
A. Enable change of authorization on MDM
B. Fire-AMP consider scan can be used to relay posture information to ISE via FireAMP cloud
C. The MDM agent periodically sends a packet with compliance info that the wireless controller can be used to limit network access
D. Enable Period compliance checking on ISE
E. Enable Change of authorization on ISE
F. The MDM agent automatically discounts the device from the network when it is noncompliant
Question No. 15
What Is the main benefit perimeter firewall the IPS behind the perimeter firewall Instead of in front of the perimeter firewall?
A. Increase the number of true positive
B. Reduce the number of false positives
C. Increase the number of true negatives
D. Reduce the number of false negative
Question No. 16
Which statement is true about Remote Triggered Black Hole Filtering feature (RTBH)?
A. It drops malicious traffic at the customer edge router by forwarding it to a Null0 interface
B. In RTBH filtering the trigger device redistributes static route to the iBGP peers
C. The Null0 interface used for filtering is able to receive the traffic, but never forwards it
D. It works in conjunction with QoS to drop the traffic that has less priority
E. It helps mitigate DDoS attack based only on source address
F. In FTBH filtering the trigger device is always an ISP edge router
400-251 Dumps Google Drive: (Limited Version!!!)
Related Certification: CCIE Security dumps