Latest Cisco CCIE Security 400-251 exam dumps, 400-251 PDF | 100% Free


Posted On Feb 27 2019 by

The latest Cisco CCIE 400-251 exam dumps and practice test questions and answers. These free exercises will help you improve your 400-251 CCIE test skills.
We share the 400-251 PDF for free to download and learn from, and you can also watch 400-251 YouTube videos online! We share 40 real, effective exam questions and answers for free. If you want the full 400-251 exam dumps: https://www.leads4pass.com/400-251.html (Total questions: 519 Q&A), updated throughout the year. Make sure you pass the exam easily!

[PDF] Free Cisco 400-251 pdf dumps download from Google Drive: https://drive.google.com/open?id=1izuLzJAFClLatQZtmzmy_cnCuTi-mfLy

[PDF] Free Full Cisco pdf dumps download from Google Drive: https://drive.google.com/open?id=1CMo2G21nPLf7ZmI-3_hBpr4GDKRQWrGx

400-251 CCIE Security – Cisco: https://www.cisco.com/c/en/us/training-events/training-certifications/exams/current-list/400-251-ccie-security.html

Latest effective Cisco 400-251 Exam Practice Tests

QUESTION 1
In which type of multicast does the Cisco ASA forward IGMP messages to the upstream router?
A. clustering
B. PIM multicast routing
C. stub multicast routing
D. multicast group concept
Correct Answer: C


QUESTION 2
What does NX-API use as its transport?
A. SCP
B. FTP
C. SSH
D. SFTP
E. HTTP/HTTPS
Correct Answer: E


QUESTION 3
Which statement about Health Monitoring on the Firepower System is true?
A. When you delete a health policy that is applied to a device, the device reverts to the default health policy.
B. If you apply a policy without active modules to a device, the previous health policy remains in effect unless you delete it.
C. Health events are generated even when the health monitoring status is disabled.
D. Descendant domains in a multi-domain deployment can view, edit, and apply policies from ancestor domains.
E. The administrator of a descendant domain is unable to edit or delete blacklists applied by the administrator of an ancestor domain.
F. The default health policy is automatically applied to all managed devices.
Correct Answer: C


QUESTION 4
Which command sequence can you enter to enable IP multicast for WCCPv2?
A. Router(config)#ip wccp web-cache group-address 224.1.1.100
Router(config)# interface FastEthernet0/0
Router(config-if)#ip wccp web-cache redirect out
B. Router(config)#ip wccp web-cache group-list
Router(config)# interface FastEthernet0/0
Router(config)# ip wccp web-cache group-listen
C. Router(config)#ip wccp web-cache service-list
Router(config)# interface FastEthernet0/0
Router(config)# ip wccp web-cache group-listen
D. Router(config)#ip wccp web-cache group-address 224.1.1.100
Router(config)# interface FastEthernet0/0
Router(config)# ip wccp web-cache redirect in
E. Router(config)#ip wccp web-cache group-address 224.1.1.100
Router(config)# interface FastEthernet0/0
Router(config)# ip wccp web-cache group-listen
Correct Answer: E


QUESTION 5
Which three statements about VRF-Aware Cisco Firewall are true? (Choose three)
A. It supports both global and per-VRF commands and DoS parameters.
B. It enables service providers to deploy firewalls on customer devices.
C. It can generate syslog messages that are visible only to individual VPNs.
D. It can support VPN networks with overlapping address ranges without NAT.
E. It enables service providers to implement firewalls on PE devices.
F. It can run as more than one instance.
Correct Answer: CEF


QUESTION 6
What are the most common methods that security auditors use to access an organization's security processes? (Two)
A. physical observation
B. social engineering attempts
C. penetration testing
D. policy assessment
E. document review
F. interviews
Correct Answer: AF


QUESTION 7
Select and Place: [image: q7]
Correct Answer: [image: q7-1]

QUESTION 8
How does a Cisco ISE server determine whether a client supports EAP chaining?
A. It sends an identity-type TLV to the client and analyzes the response.
B. It analyzes the options field in the TCP header of the first packet it receives from the client
C. It analyzes the X.509 certificate it received from the client through the TLS tunnel.
D. It sends an MD5 challenge to the client and analyzes the response
E. It analyzes the EAPoL message the client sends during the initial handshake
Correct Answer: A


QUESTION 9
What are the most common methods that security auditors use to access an organization's security processes? (Choose two)
A. physical observation
B. social engineering attempts
C. penetration testing
D. policy assessment
F. interviews
Correct Answer: AF


QUESTION 10
Which three of these make use of a certificate as part of the protocol? (Choose three)
A. LEAP
B. EAP-MD5
C. EAP-TTLS
D. EAP-PEAP
E. EAP-FAST
F. EAP-TLS
Correct Answer: CEF


QUESTION 11
Refer to the exhibit. A customer has opened a case with Cisco TAC reporting an issue that one of the Windows clients that is supposed to log on to the network using MAB is no longer able to access any allowed resources. Looking at the configuration of the switch, what could be the possible issue?
aaa authentication login default group radius
aaa authentication login NO_AUTH none
aaa authentication login vty local
aaa authentication dot1x default group radius
aaa authentication network default group radius
aaa accounting update newinfo
aaa accounting dot1x default start-stop group radius
!
aaa server radius dynamic-author
client 161.1.7.14 server key cisco
!
ip dhcp excluded-address 60.1.1.11
ip dhcp excluded-address 60.1.1.2
!
ip dhcp pool mabpc-pool
network 60.1.1.0 255.255.255.0
default-router 60.1.1.2
!
cts sxp enable
cts sxp default source-ip 10.9.31.22
cts sxp connection peer 10.9.31.1 password default mode peer listener hold-time 0
!
interface G1/0/9
switchport mode access
ip device tracking maximum 10
authentication host-mode multi-auth
authentication port-control auto
!
radius-server host 161.1.7.14 key cisco
radius-server timeout 60
!
line con 0
login authentication NO_AUTH
A. There is an issue with the DHCP pool configuration
B. There is an issue with the CoA configuration
C. AAA authorization is incorrectly configured
D. incorrect CTS configuration on the switch
E. Dot1x should be globally disabled for the MAB to work
F. The Switch is properly configured and the issue is on the radius server
G. Authentication port Gi1/0/9 is not configured to perform Dot1x
Correct Answer: G


QUESTION 12
[Exhibit image: q12]
Refer to the exhibit. Which level of encryption is set by this configuration?
A. 1024-bit
B. 192-bit
C. 56-bit
D. 168-bit
Correct Answer: D


QUESTION 13
In your network, you require all guests to authenticate to the network before getting access, however, you don't want to be stuck creating or approving accounts. It is preferred that this is all taken care of by the user, as long as their device is registered. Which two mechanisms can be used to provide this functionality? (Choose two)
A. Social media login, with device registration
B. Guest's own organization authentication service, with device registration
C. PAP based authentication, with device registration
D. Active Directory, with device registration
E. 802.1x based user registration, with device registration
F. Self-registration of user, with device registration
Correct Answer: AF


QUESTION 14
Which of the following could be an evasion technique used by the attacker?
A. Port access using Dot1x
B. ACL implementation to drop unwanted traffic
C. TELNET to launch device administration session
D. Traffic encryption to bypass IPS detection
E. URL filtering to block malicious sites
F. NAT translations on routers and switches
Correct Answer: D


QUESTION 15
Refer to the exhibit. One of the Windows machines in your network is having connectivity issues using 802.1x. Windows machines are set up to acquire an IP address from the DHCP server configured on the switch, which is supposed to hand over IP addresses from the 50.1.1.0/24 network, and forward AAA requests to the radius server at 161.1.7.14 using shared key “cisco”. Knowing that interface Gi0/2 on the switch may receive authentication requests from other devices and looking at the provided switch configuration, what could be the possible cause of this failure?
aaa new-model
aaa authentication login default group radius
aaa authentication login NO_AUTH none
aaa authentication login vty local
aaa authentication dot1x default group radius
aaa authentication network default group radius
aaa accounting dot1x default start-stop group radius
!
username cisco privilege 15 password 0 cisco
!
interface GigabitEthernet0/2
switchport mode access
ip access-group Pre-Auth in
authentication host-mode multi-auth
authentication open
authentication port-control auto
dot1x pae authenticator
!
vlan 50
interface Vlan50
ip address 50.1.1.1 255.255.255.0
!
ip dhcp excluded-address 50.1.1.1
ip dhcp pool pc-pool
network 50.1.1.0 255.255.255.0
default-router 50.1.1.1
!
ip access-list extended Pre-Auth
permit udp any eq bootpc any eq bootps
deny ip any any
!
radius server ccie
address ipv4 161.1.7.14 auth-port 1645 acct-port 1646
key cisco
!
line con 0
login authentication NO_AUTH
line vty 0 4
login authentication vty
A. authentication for multiple hosts not configured on interface Gi0/2
B. an incorrect default route is pushed on supplicant from SW1
C. an incorrect ip address is configured for SVI 50
D. 802.1X is disabled on the switch
E. There is a RADIUS key mismatch
F. 802.1x authentication is not enabled on interface Gi0/2
G. aaa network authorization is not configured
Correct Answer: D


QUESTION 16
Which two statements about SCEP are true? (Choose two)
A. CA servers must support GetCACaps response messages in order to implement extended functionality.
B. The GetCRL exchange is signed and encrypted only in the response direction.
C. It is vulnerable to downgrade attacks on its cryptographic capabilities.
D. The GetCACaps response message supports DES encryption and the SHA 128 hashing algorithm.
Correct Answer: AC


QUESTION 17
[Exhibit image: q17]
Refer to the exhibit. Which two effects of this configuration are true? (Choose two)
A. Configuration commands on the router are authorized without checking the TACACS+ server
B. When a user logs in to privileged EXEC mode, the router will track all user activity
C. Requests to establish a reverse AUX connection to the router will be authorized against the TACACS+ server
D. When a user attempts to authenticate on the device, the TACACS+ server will prompt the user to enter the username stored in the router's database
E. If a user attempts to log in as a level 15 user, the local database will be used for authentication and the TACACS+ will be used for authorization
F. It configures the router's local database as the backup authentication method for all TTY, console, and aux logins
Correct Answer: AB


QUESTION 18
[Exhibit image: q18]

Refer to the exhibit. What is the maximum number of site-to-site VPNs allowed by this configuration?
A. 10
B. unlimited
C. 5
D. 0
E. 1
F. 15
Correct Answer: F


QUESTION 19
Which two statements about ping flood attacks are true? (Choose two)
A. They attack by sending ping requests to the broadcast address of the network.
B. They use SYN packets.
C. The attack is intended to overwhelm the CPU of the target victim.
D. They use UDP packets.
E. They use ICMP packets.
F. They attack by sending ping requests to the return address of the network.
Correct Answer: CE


QUESTION 20
[Exhibit image: q20]
Refer to the exhibit. Which statement about router R1 is true?
A. Its NVRAM contains public and private crypto keys
B. RMON is configured
C. Its private-config is corrupt
D. Its startup configuration is missing
E. Its running configuration is missing
Correct Answer: A


QUESTION 21
Which two statements about a wireless access point configured with the guest-mode command are true? (Choose two)
A. It can support more than one guest-mode SSID.
B. It supports associations by clients that perform passive scans.
C. It allows clients configured without SSIDs to associate.
D. It allows associated clients to transmit packets using its SSID.
E. If one device on a network is configured in guest-mode, clients can use the guest-mode SSID to connect to any device in the same network.
Correct Answer: BC


QUESTION 22
Which option is a benefit of VRF Selection Using Policy-Based Routing for routing packets to different VPNs?
A. It supports more than one VPN per interface
B. It allows bidirectional traffic flow between the service provider and the CEs
C. It automatically enables fast switching on all directly connected interfaces
D. It can use global routing tables to forward packets if the destination address matches the VRF configured on the interface
E. Every PE router in the service provider MPLS cloud can reach every customer network
F. It increases the router performance when longer subnet masks are in use
Correct Answer: D


QUESTION 23
Which three messages are part of the SSL protocol? (Choose three)
A. Change CipherSpec
B. Alert
C. Record
D. Message Authentication
E. CipherSpec
F. Handshake
Correct Answer: ABF


QUESTION 24
Refer to the exhibit. A customer has opened a case with Cisco TAC reporting an issue that one of the Windows clients that is supposed to log on to the network using MAB is no longer able to access any allowed resources. Looking at the configuration of the switch, what could be the possible issue?
aaa authentication login default group radius
aaa authentication login NO_AUTH none
aaa authentication login vty local
aaa authentication dot1x default group radius
aaa authentication network default group radius
aaa accounting update newinfo
aaa accounting dot1x default start-stop group radius
!
ip dhcp excluded-address 60.1.1.11
ip dhcp excluded-address 60.1.1.2
!
ip dhcp pool mabpc-pool
network 60.1.1.0 255.255.255.0
default-router 60.1.1.2
cts sxp enable
cts sxp default source-ip 10.9.31.22
cts sxp default password ccie
cts sxp connection peer 10.9.31.1 password default mode peer listener hold-time 0
!
dot1x system-auth-control
!
interface GigabitEthernet1/0/9
switchport mode access
ip device tracking maximum 10
authentication host-mode multi-auth
authentication port-control auto
mab
!
radius-server host 161.1.7.14 key cisco
radius-server timeout 60
!
interface Vlan10
ip address 10.9.31.22 255.255.255.0
!
interface Vlan50
no ip address
!
interface Vlan60
ip address 60.1.1.2 255.255.255.0
!
interface Vlan150
ip address 150.1.7.2 255.255.255.0
A. CoA configuration is missing.
B. Dot1x should be globally disabled for MAB to work.
C. There is an issue with DHCP pool configuration.
D. Incorrect CTS configuration on the switch.
E. Switch configuration is properly configured and the issue is on the radius server.
F. AAA authorization is incorrectly configured.
G. The VLAN configuration is missing on the authentication port.
Correct Answer: A


QUESTION 25
If an ASA device is configured as a remote access IPsec server with RADIUS authentication and password
management enabled, which type of authentication will it use?
A. RSA
B. MS-CHAPv2
C. MS-CHAPv1
D. NTLM
E. PAP
Correct Answer: B


QUESTION 26
What are three features that are enabled by generating Change of Authorization (CoA) requests in a push model?
(Choose three)
A. session reauthentication
B. session identification
C. host reauthentication
D. MAC identification
E. session termination
F. host termination
Correct Answer: BCE


QUESTION 27
Which statement regarding the routing functions of the Cisco ASA running software version 9.2 is true?
A. The translation table cannot override the routing table for new connections.
B. Routes to the Null0 interface cannot be configured to black-hole traffic.
C. In a failover pair of ASAs, the standby firewall establishes a peer relationship with OSPF neighbors.
D. The ASA supports policy-based routing with route maps.
Correct Answer: A
No correct answer


QUESTION 28
Which two statements about MACsec are true? (Choose two)
A. It maintains network intelligence as it is applied to router uplinks and downlinks.
B. It works in conjunction with IEEE 802.1X-2010 port-based access control.
C. It uses symmetric-key encryption to protect data confidentiality.
D. It encrypts packets at Layer 3, which allows devices to handle packets in accordance with network policies.
E. It can be enabled on individual port at Layer 3 to allow MACsec devices to access the network.
F. It can use IEEE 802.1x master keys to encrypt wired and wireless links
Correct Answer: BC


QUESTION 29
Which statement about the Cisco AMP Virtual Private Cloud Appliance is true for deployments in air-gap mode?
A. The amp-sync tool syncs the threat-intelligence repository on the appliance directly with the AMP public cloud.
B. The appliance can perform disposition lookup against either the Protect DB or the AMP public cloud.
C. The appliance can perform disposition lookups against the Protect DB without an Internet connection.
D. The appliance evaluates files against the threat intelligence and disposition information residing on the Update Host.
E. The Update Host automatically downloads updates and deploys them to the Protect DB on a daily basis.
Correct Answer: C


QUESTION 30
Refer to the exhibit. One of the Windows machines in your network is experiencing a Dot1x authentication failure.
Windows machines are setup to acquire an IP address from the DHCP server configured on the switch, which is
supposed to hand over IP address from the 50.1.1.0/24 network, and forward AAA requests to the radius server at
161.1.7.14. Knowing that interface Gi0/2 on the switch may receive authentication requests from other devices and
looking at the provided switch configuration, what could be the possible cause of this failure?
aaa new-model
aaa authentication login default group radius
aaa authentication login NO_AUTH none
aaa authentication login vty local
aaa authentication dot1x default group radius
aaa authentication network default group radius
aaa accounting dot1x default start-stop group radius
!
username cisco privilege 15 password 0 cisco
dot1x system-auth-control
!
interface GigabitEthernet0/2
switchport mode access
ip access-group Pre-Auth in
authentication host-mode multi-auth
authentication open
authentication port-control auto
dot1x pae authenticator
!
vlan 50
interface Vlan50
ip address 50.1.1.1 255.255.255.0
!
ip dhcp excluded-address 50.1.1.1
ip dhcp pool pc-pool
network 50.1.1.0 255.255.255.0
default-router 50.1.1.1
!
ip access-list extended Pre-Auth
deny udp any eq bootpc any eq bootps
deny ip any any
!
radius server ccie
address ipv4 161.1.7.4 auth-port 1645 acct-port 1646
key cisco
!
line con 0
login authentication NO_AUTH
line vty 0 4
login authentication vty
A. An incorrect dhcp pool is configured.
B. Authentication is not enabled on interface gi0/2.
C. Aaa dot1x authentication is not configured.
D. Authentication port-control is not set on interface gi0/2.
E. An incorrect pre-authentication acl is configured.
Correct Answer: E


QUESTION 31
Refer to the exhibit. What feature does the given configuration implement?
Router(config)# ip dhcp pool SALES
Router(dhcp-config)# update arp
Router(dhcp-config)# renew deny unknown
Router(dhcp-config)# end
A. DHCP Secured IP Address Assignment
B. DHCP snooping
C. dynamic ARP learning
D. ARP probing
Correct Answer: A


QUESTION 32
[Exhibit image: q32]
Refer to the exhibit. Which Cisco Firepower policy has detected a “CnC connected” indicator of compromise event?
A. DNS policy
B. Network analysis policy
C. Identity policy
D. SSL policy
E. File policy
F. Intrusion policy
Correct Answer: F


QUESTION 33
Which statement about MDM is true?
A. It can support endpoints without requiring them to register
B. If an authorized user refreshes the web browser, the session must be reauthorized with the LDAP server
C. Cisco ISE communicates with the MDM server by way of REST API calls
D. MDM policies can be configured with as few as two attributes
E. It reports the IP address of the endpoint to the Cisco ISE as the input parameter of the endpoint
F. Each Cisco ISE node requires its own MDM server
Correct Answer: D


QUESTION 34
Which three of these make use of a certificate as part of the protocol? (Choose three)
A. EAP-MD5
B. EAP-PEAP
C. EAP-TLS
D. LEAP
E. EAP-FAST
F. EAP-TTLS
Correct Answer: BCF


QUESTION 35
Which statement is true regarding SSL policy implementation in a Firepower system?
A. Access control policy is optional for the SSL policy implementation
B. If Firepower system cannot decrypt the traffic, it allows the connection
C. Intrusion policy is mandatory to configure the SSL inspection
D. Access control policy is responsible for handling all the encrypted traffic if SSL policy is tied to it
E. Access control policy is invoked first before the SSL policy tied to it
F. If SSL policy is not supported by the system then access control policy handles all the encrypted traffic
Correct Answer: E


QUESTION 36
An organization is deploying FTD in the data center. Production tests are performed after applications have been connected; however, ping tests to resources behind the firewall are failing. This firewall has two interfaces, INSIDE and OUTSIDE. The problem might be in either direction. The failed testing scenario is from the OUTSIDE. Which two commands can be used as an initial step to troubleshoot the situation and determine where the issue might be? (Choose two)
A. Packet-tracer input Outside
B. Packet-tracer input Outside
C. Packet-tracer input Inside
D. Packet-tracer input Inside
E. Packet-tracer input Outside
F. Packet-tracer input Inside
Correct Answer: BF


QUESTION 37
[Exhibit image: q37]

Refer to the exhibit. R2 is getting time synchronized from NTP server R1. It has been reported that clock on R2 is not
able to associate with the NTP server R1. What could be the possible cause?
A. R2 has incorrect NTP server address
B. R1 has incorrect NTP source interface defined
C. R2 has incorrect trusted key bound to the NTP server
D. R2 does not support NTP authentication
E. R2 should not have two trusted keys for the NTP authentication
F. R2 has connectivity issue with the NTP server
Correct Answer: C


QUESTION 38
Drag each ESP header field on the left into the corresponding field-length category on the right.
Select and Place: [image: q38]
Correct Answer: [image: q38-1]

 

QUESTION 39
Which file extensions are supported on the Firesight Management Center 6.1 file policies that can be analyzed
dynamically using the Threat Grid Sandbox integration?
A. MSEXE MSOLE2 NEW-OFFICE PDF
B. DOCX WAV XLS TXT
C. TXT MSOLE2 WAV PDF
D. DOC MSOLE2 XML PDF
Correct Answer: A


QUESTION 40
Which statement about a SMURF attack is true?
A. The attacker uses spoofed destination address to launch the attack
B. It sends ICMP Echo Requests to a broadcast address of a subnet
C. In order to mitigate the attack you need to enable IP directed broadcast on the router interface
D. It sends ICMP Echo Replies to known IP addresses in a subnet
E. It is used by the attackers to check if destination addresses are alive
F. It exhausts the victim machine resources with large number of ICMP Echo Requests from a subnet
Correct Answer: B

We offer more ways to make it easier for everyone to learn, and YouTube is the best tool for video. Follow the channel: https://www.youtube.com/channel/UCXg-xz6fddo6wo1Or9eHdIQ/videos to get more useful exam content.


Last Updated on: February 27th, 2019 at 7:48 am, by admin


Written by admin