[Lead2pass New] Lead2pass Free 400-251 Exam Questions Download 100% Pass 400-251 Exam (301-325)

2017 October Cisco Official New Released 400-251 Dumps in Lead2pass.com!

100% Free Download! 100% Pass Guaranteed!

As a professional IT exam study material provider, Lead2pass gives you more than just 400-251 exam questions and answers. We provide our customers with the most accurate study material about the 400-251 exam and the guarantee of pass. We assist you to prepare for 400-251 certification which is regarded valuable the IT sector.

Following questions and answers are all new published by Cisco Official Exam Center: https://www.lead2pass.com/400-251.html

QUESTION 301
Which of the following two statements apply to EAP-FAST? (Choose two.)

A.    EAP-FAST is useful when a strong password policy cannot be enforced and an 802.1X EAP type that does not require digital certificates can be deployed.
B.    EAP-FAST was developed only for Cisco devices and is not compliant with 802.1X and 802.11i.
C.    EAP-FAST provides protection from authentication forging and packet forgery (replay attack).
D.    EAP-FAST is a client/client security architecture.

Answer: AC

QUESTION 302
On an ASA firewall in multiple context mode running version8.X.
What is the default number of VPN site-to site tunnels per context?

A.    0 sessions
B.    2 sessions
C.    1 sessions
D.    4 sessions

Answer: A
Explanation:
VPN support fpr multiple contexts came with ASA software version 9.x

QUESTION 303
Which two statements about WPA 2 in enterprise mode are true? (Choose two)

A.    TKIP generates a MCI to provide data integrity for the wireless frame.
B.    The PMK is generated dynamically by the servers and passed to the access point.
C.    802.1x authentication is performed in the second of two authentication phases.
D.    It is commonly used in home environments as well as enterprises.
E.    802.1x authentication is performed in the first of two authentication phases.
F.    Session keys can be shared with multiple clients.

Answer: BE

QUESTION 304
Drag and Drop Question
Drag and drop the description on the left onto the associated items on the right.

 

Answer:

 

QUESTION 305
Which two statement about the Cisco ASA in a transparent-mode deployment are true? (Choose two)

A.    It block all ARP packets by default.
B.    It supports QoS.
C.    It supports iBGP.
D.    It can act as a DHCP server.
E.    It performs a MAC address look to forward traffic f) It performs a route lookup to forward traffic.

Answer: DE

QUESTION 306
What functionality does SXP provide to enhance security?

A.    It supports secure communication between cisco ironport Cisco and Microsoft Exchange.
B.    It supports Cisco’s trustsec solution by transporting information over network that are unable to support SGT propagation.
C.    It support secure communications between cisco ironport and cloud-based email servers.
D.    It support cisco’s trustsec implementation on virtual machines.

Answer: B

QUESTION 307
Drag each IPSec term on the left to the definition on the right.

 

Answer:

 

QUESTION 308
Which two statements about the RC4 algorithm are true? (Choose two.)

A.    The RC4 algorithm is an asymmetric key algorithm.
B.    The RC4 algorithm is a symmetric key algorithm.
C.    The RC4 algorithm is slower in computation than DES.
D.    The RC4 algorithm is used with wireless encryption protocols.
E.    The RC4 algorithm uses fixed-length keys.

Answer: BD

QUESTION 309
Which two statement about PVLAN port types are true? (Choose two)

A.    A community port can send traffic to community port in other communities on its broadcast domain.
B.    An isolated port can send and receive traffic only to and from promiscuous ports.
C.    An isolated port can receive traffic from promiscuous port in an community on its broadcast domain, but can send traffic only to port in its own community.
D.    A promiscuous port can send traffic promiscuous port in other communities on its broadcast domain.
E.    A community port can send traffic to promiscuous port in other communities on its broadcast domain.
F.    A Promiscuous port can send traffic to all ports within a broadcast domain.

Answer: BF

QUESTION 310
Which three of these are security properties that TLS v1.2 provides?(Choose three)?

A.    Availability
B.    integrity
C.    non-repudiation
D.    authentication
E.    authorization
F.    confidentiality

Answer: BDF

QUESTION 311
Refer to the exhibit. Which statement about this debug output is true?

 

A.    It was generated by a LAN controller when it responded to a join request from an access point
B.    It was generated by a LAN controller when it generated a join request to an access point
C.    It was generated by an access point when it sent a join reply message to a LAN controller
D.    It was generated by an access point when it received a join request message from a LAN controller

Answer: A

QUESTION 312
Drag and Drop Question
Drag each ISE probe on the left to the matching statement on the right.

 

Answer:

 

QUESTION 313
What is an example of a WEP cracking attack ?

A.    SQL injection attack
B.    Cafe latte attack
C.    directory traversal attack
D.    Reflected XSS attack

Answer: B

QUESTION 314
Which three options are methods of load-balancing data in an ASA cluster environment?(Choose three)

A.    HSRP
B.    spanned EtherChannel
C.    distance-vector routing
D.    PBR
E.    floating static routes
F.    ECMP

Answer: BDF

QUESTION 315
You have configured a DMVPN hub and spoke a follows (assume the IPsec profile “dmvpnprofile” is configured correctly):

 

With this configuration, you notice that the IKE and IPsec SAs come up between the spoke and the hub, but NHRP registration fails. Registration will continue to fail until you do which of these?

A.    Modify the tunnel keys to match on the hub and spoke
B.    Configure the ipnhrp cache non-authoritative command on the hub’s tunnel interface
C.    Modify the NHRP hold times to match on the hub and spoke
D.    Modify the NHRP network IDs to match on the hub and spoke

Answer: A
Explanation:
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_nhrp/configuration/xe-16/nhrp-xe-16-book/config-nhrp.html

QUESTION 316
Which two types of DNS attacks are associated with DoS and DDoS attacks?(Choose Two)

A.    DNS reflection attacks
B.    Resource utilization attacks
C.    DNS open resolver attack
D.    DNS cache poisoning attacks
E.    DNS amplification attacks

Answer: DE
Explanation:
http://www.cisco.com/c/en/us/about/security-center/guide-ddos-defense.html#13
The question itself is confusing and ambiguous though as normally whatever is DoS that can be easily DDoS (distributed DoS). According to this Cisco guide “Resource utilization attack” is still on the list of possible attacks on DNS
http://www.cisco.com/c/en/us/about/security-center/dns-best-practices.html

QUESTION 317
What are three features that are enabled by generating Change of Authorization (CoA) requests in a push model? (Choose three.)

A.    session termination
B.    host reauthentication
C.    session identification
D.    MAC identification
E.    session reauthentication
F.    host termination

Answer: ABC
Explanation:
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_aaa/configuration/15-sy/sec-usr-aaa-15-sy-book/sec-rad-coa.html

QUESTION 318
Which of the following are OSPFv3 authentication options? (choose two)

A.    AH
B.    ESP
C.    MD5
D.    SHA
E.    IP
F.    GRE

Answer: AB

QUESTION 319
Two routers are trying to establish an OSPFv3 adjacency over an Ethernet link, but the adjacency is not forming. Which two options are possible reasons that prevent OSPFv3 to form between these two routers? (Choose two.)

A.    mismatch area types
B.    mismatch of subnet masks
C.    mismatch of network types
D.    mismatch of authentication types
E.    mismatch of instance IDs

Answer: CD
Explanation:
https://supportforums.cisco.com/document/98581/troubleshooting-ospfv3-neighbor-adjacencies

QUESTION 320
Which of the following are true regarding same security level interface inter-traffic communication on a Cisco ASA? (Choose three)

A.    ASA support 101 security levels and more than 101 interfaces (include sub-interface)
B.    ASA canassign different interfaces to the same security level
C.    by default, same security level port inter-traffic is not allowed
D.    ASA should activate inter-interface communication by default

Answer: ABC

QUESTION 321
Which three statements about RLDP are true? (Choose three)

A.    It can detect rogue Aps that use WPA encryption
B.    It detects rogue access points that are connected to the wired network
C.    The AP is unable to s^jrve clients while the RLDP process is active
D.    Active Rogue Containment can be initiated manually against rogue devices detected the wired network
E.     It can detect rogue APs that use WEP encryption

Answer: BCD

QUESTION 322
Refer to the exhibit. Which statement about the effect of this configuration is true?

 

A.    It prevents man-in-the-middle attacks.
B.    Replay protection is disabled.
C.    Out-of-order frames are dropped.
D.    The replay window size is set to infinity.

Answer: C

QUESTION 323
All of these are available from cisco IPS Manager (cisco IDM) except which one?

A.    Top Signatures
B.    Sensor Information
C.    Interface Status
D.    Global Correlation Reports
E.    CPU Memory and Load

Answer: A

QUESTION 324
Which statement regarding the routing function of the Cisco ASA is true?

A.    the ASA supports policy-based routing with route maps
B.    The translation table can override the routing table for new connections
C.    In a failover paire of ASAs, thestanby firewall establishes a peer relationship with OSPF neighbors
D.    Routes to the Null0 interface can be configured to black-hole traffic

Answer: B

QUESTION 325
What is an RFC 2827 recommendation for protecting your network against Dos attack with IP address spoofing?

A.    Browser based application should be filtered on the source to protect your network from known advertised prefixes
B.    Advertiseonly assigned global IP address to the internet
C.    Use ingress filtering to limit traffic from downstream network to known advertised prefixes
D.    Use the TLS protocol to secure the network against eavesdropping

Answer: C

Lead2pass.com has been the world leader in providing online training solutions for 400-251 Certification. You use our training materials that have been rigorously tested by international experts.

400-251 new questions on Google Drive: https://drive.google.com/open?id=0B3Syig5i8gpDU1JrNmttR1dfUm8

2017 Cisco 400-251 exam dumps (All 636 Q&As) from Lead2pass:

https://www.lead2pass.com/400-251.html [100% Exam Pass Guaranteed]

admin