This page was exported from 100% Valid Exam Dumps on Lead2pass [ ] Export date:Tue Feb 18 10:48:28 2020 / +0000 GMT ___________________________________________________ Title: [2017 New] Lead2pass Free 400-251 Exam Questions Download 100% Pass 400-251 Exam (101-125) --------------------------------------------------- 2017 August Cisco Official New Released 400-251 Dumps in! 100% Free Download! 100% Pass Guaranteed! Our dumps have been reviewed and approved by industry experts and individuals who have taken and passed 400-251 exam. Lead2pass will have you prepared to take 400-251 test with high confidence and pass easily. Whether you are looking for 400-251 study guide, 400-251 exam questions, 400-251 exam dump or 400-251 test, has you covered. Following questions and answers are all new published by Cisco Official Exam Center: QUESTION 101Refer to the exhibit. Which effect of this configuration is true?   A.    Host_1 learns about R2 and only and prefers R2 as its default routerB.    Host_1 selects R2 as its default router and load balances between R2 and R3C.    Host_1 learns about R2 and R3 only and prefers R3 as its default routerD.    Host_1 learns about R1,R2 and R3 and load balances between themE.    Host_1 learns about R1, R2 and R3 and prefers R2 as its default routerAnswer: E QUESTION 102Which statement regarding the routing functions of the Cisco ASA is true running software version 9.2? A.    In a failover pair of ASAs, the standby firewall establishes a peer relationship with OSPF neighborsB.    The ASA supports policy-based routing with route mapsC.    Routes to the Null0 interface cannot be configured to black-hole trafficD.    The translations table cannot override the routing table for new connections Answer: C QUESTION 103Which two statement about router Advertisement message are true? (Choose two) A.    Local link prefixes are shared automatically.B.    Each prefix included in the advertisement carries lifetime information f Or that prefix.C.    Massage are sent to the miscast address FF02::1D.    It support a configurable number of retransmission attempts for neighbor solicitation massage.E.    Flag setting are shared in the massage and retransmitted on the link.F.    Router solicitation massage are sent in response to router advertisement massage Answer: AEExplanation: QUESTION 104Refer to the exhibit. Which effect of this configuration is true?   A.    NUD retransmits 1000 Neighbor solicitation messages every 4 hours and 4 minutes.B.    NUD retransmits Neighbor Solicitation messages after 4, 16, 64 and 256 seconds.C.    NUD retransmits Neighbor Solicitation messages every 4 seconds.D.    NUD retransmits unsolicited Neighbor advertisements messages every 4 hours.E.    NUD retransmits f our Neighbor Solicitation messages every 1000 seconds.F.    NUD retransmits Neighbor Solicitation messages after 1, 4, 16, and 64 seconds. Answer: E QUESTION 105What are two features of cisco IOS that can help mitigate Blaster worm attack on RPC ports? (Choose two) A.    FPMB.    DCARC.    NBARD.    IP source GuardE.    URPFF.    Dynamic ARP inspection Answer: DE QUESTION 106Which two statement about the multicast addresses query message are true?(Choose two) A.    They are solicited when a node initialized the multicast process.B.    They are used to discover the multicast group to which listeners on a link are subscribedC.    They are used to discover whether a specified multicast address has listenersD.    They are send unsolicited when a node initializes the multicast processE.    They are usually sent only by a single router on a linkF.    They are sent when a node discover a multicast group Answer: BC QUESTION 107Refer to the exhibit. What IPSec function does the given debug output demonstrate?   A.    DH exchange initiationB.    setting SPIs to pass trafficC.    PFS parameter negotiationD.    crypto ACL confirmation Answer: DExplanation:This Cisco IPSec troubleshooting guide explains details about every packet exchange during IPSec phase 1 and 2. Take a look at the section about QM2. It is exact match of the above exhibit. QUESTION 108Drag and Drop QuestionDrag each MACsec term on the left to the right matching statement on the right.   Answer:   QUESTION 109IANA is responsible for which three IP resources? (Choose three.) A.    IP address allocationB.    Detection of spoofed addressC.    Criminal prosecution of hackersD.    Autonomous system number allocationE.    Root zone management in DNSF.    BGP protocol vulnerabilities Answer: ADE QUESTION 110When you are configuring QoS on the Cisco ASA appliance.Which four are valid traffic selection criteria? (Choose four) A.    default-inspection-trafficB.    qos-groupC.    DSCPD.    VPN groupE.    tunnel groupF.    IP precedence Answer: ACEF QUESTION 111Which two statements about the anti-replay feature are true? (Choose two) A.    By default, the sender uses a single 1024-packet sliding windowB.    By default, the receiver uses a single 64-packet sliding windowC.    The sender assigns two unique sequence numbers to each clear-text packetD.    The sender assigns two unique sequence numbers to each encrypted packetE.    the receiver performs a hash of each packet in the window to detect replaysF.    The replay error counter is incremented only when a packet is dropped Answer: BFExplanation:The sender never assigns two sequence numbers. Check this Cisco document, especially steps 2 and 4 in the anti-replay check failure description QUESTION 112You have configured a DMVPN hub and spoke a follows (assume the IPsec profile "dmvpnprofile" is configured correctly):   With this configuration, you notice that the IKE and IPsec SAs come up between the spoke and the hub, but NHRP registration fails. Registration will continue to fail until you do which of these? A.    Configure the ipnhrp cache non-authoritative command on the hub's tunnel interfaceB.    Modify the NHRP hold times to match on the hub and spokeC.    Modify the NHRP network IDs to match on the hub and spokeD.    Modify the tunnel keys to match on the hub and spoke Answer: DExplanation: QUESTION 113Which of the following is one of the components of cisco Payment Card Industry Solution? A.    VirtualizationB.    Risk AssessmentC.    MonitoringD.    Disaster Management Answer: B QUESTION 114Which two statements about the DH group are true? (Choose two.) A.    The DH group is used to provide data authentication.B.    The DH group is negotiated in IPsec phase-1.C.    The DH group is used to provide data confidentiality.D.    The DH group is used to establish a shared key over an unsecured medium.E.    The DH group is negotiated in IPsec phase-2. Answer: BD QUESTION 115Your 1Pv6 network uses a CA and trust anchor to implement secure network discover. What extension must your CA certificates support? A.    extKeyUsageB.    nameConstrainstsC.    id-pe-ipAddrBlocksD.    Id-pe-autonomousSysldsE. Ia-ad-calssuersE.    keyUsage Answer: AExplanation:Check this RFC for the source of correct information (start from section 7) QUESTION 116A server with Ip address is protected behind the inside of a cisco ASA or PIX security appliance and the internet on the outside interface. User on the internet need to access the server at any time but the firewall administrator does not want to apply NAT to the address of the server because it is currently a public address, which three of the following command can be used to accomplish this? (Choose three) A.    static (inside,outside) netmask"B.    nat (inside) 1    no nat-controlD.    nat (inside) 0 209.16S.202.150    static (outside.insid) netmask    access-tist no-nat permit ip host any nat (inside) 0 access-list no-nat Answer: ADF QUESTION 117Which three statements about RLDP are true? (Choose three) A.    It can detect rogue Aps that use WPA encryptionB.    It detects rogue access points that are connected to the wired networkC.    The AP is unable to serve clients while the RLDP process is activeD.    It can detect rogue APs operating only on 5 GHzE.    Active Rogue Containment can be initiated manually against rogue devices detected on the wired networkF.    It can detect rogue APs that use WEP encryption Answer: BCEExplanation: QUESTION 118Which Cisco ASA firewall mode supports ASDM one-time-password authentication using RSA SecurID? A.    Network translation modeB.    Single-context routed modeC.    Multiple-context modeD.    Transparent mode Answer: B QUESTION 119Refer to the exhibit. A signature failed to compile and returned the given error messages.What is a possible reason for the problem?   A.    The signature belongs to the IOS IPS Basic category.B.    The signature belongs to the IOS IPS Advanced category.C.    There is insufficient memory to compile the signature.D.    The signature is retired.E.    Additional signature must be complied during the compiling process. Answer: C QUESTION 120Which command sequence can you enter to enable IP multicast for WCCPv2? A.    Router(config)#ip wccp web-cache service-list Router(config)#interface FastEthernet0/0Router(config)#ip wccp web-cache group-listenB.    Router(config)#ip wccp web-cache group-listRouter(config)#interface FastEthernet0/0Router(config)#ip wccp web-cache group-listenC.    Router(config)#ip wccp web-cache group-address Router(config)#interface FastEthernet0/0Router(config)#ip wccp web-cache redirect inD.    Router(config)#ip wccp web-cache group-address Router(config)#interface FastEthernet0/0Router(config)#ip wccp web-cache group-listenE.    Router(config)#ip wccp web-cache group-address Router(config)#interface FastEthernet0/0Router(config)#ip wccp web-cache redirect out Answer: D QUESTION 121The computer at on your network has been infected by a botnet that directs traffic to a malware site at Assuming that filtering will be performed on a Cisco ASA.What command can you use to block all current and future connections from the infected host? A.    ip access-list extended BLOCK_BOT_OUT deny ip any host    shun 6000 80C.    ip access-list extended BLOCK_BOT_OUT deny ip host host    ip access-list extended BLOCK_BOT_OUT deny ip host host    shun 6000 80 Answer: BExplanation:The key points to consider here are “current and future connections from infected host”. If using the ACL, it will only stop the current connection but an infected host may establish a connection to a different host and it would not work. The Shun command with destination IP deals with current and future connections to any host. QUESTION 122IKEv2 provide greater network attack resiliency against a DoS attack than IKEv1 by utilizing which two functionalities?(Choose two) A.    with cookie challenge IKEv2 does not track the state of the initiator until the initiator respond with cookie.B.    Ikev2 perform TCP intercept on all secure connectionsC.    IKEv2 only allows symmetric keys for peer authenticationD.    IKEv2 interoperates with IKEv1 to increase security in IKEv1E.    IKEv2 only allows certificates for peer authenticationF.    An IKEv2 responder does not initiate a DH exchange until the initiator responds with a cookie Answer: AF QUESTION 123Which five of these are criteria for rule-based rogue classification of access points by the cisco Wireless LAN controller? (Choose five) A.    MAC address rangeB.    MAC address range number of clients it hasC.    open authenticationD.    whether it matches a user-configured SSIDE.    whether it operates on an authorized channelF.    minimum RSSIG.    time of day the rogue operatesH.    Whether it matches a managed AP SSID Answer: BCDFH QUESTION 124Which two statement about the DES algorithm are true?(Choose two) A.    It uses a 64-bit key block size and its effective key length is 65 bitsB.    It uses a 64-bits key block size and its effective key length is 56 bitsC.    It is a stream cripher that can be used with any size inputD.    It is more efficient in software implements than hardware implementations.E.    It is vulnerable to differential and linear cryptanalysisF.    It is resistant to square attacks Answer: BE QUESTION 125Which three types of addresses can the Botnet Traffic Filter feature of the Cisco ASA monitor? (Choose three) A.    Ambiguous addressesB.    Known malware addressesC.    Listed addressesD.    Dynamic addressesE.    Internal addressesF.    Known allowed addresses Answer: ABF At Lead2pass we verify that 100% of the 400-251 exam questions in exam test prep package are real questions from a recent version of the 400-251 test you are about to take. We have a wide library of 400-251 exam dumps. 400-251 new questions on Google Drive: 2017 Cisco 400-251 exam dumps (All 470 Q&As) from Lead2pass: [100% Exam Pass Guaranteed] --------------------------------------------------- Images: --------------------------------------------------- --------------------------------------------------- Post date: 2017-08-09 07:10:10 Post date GMT: 2017-08-09 07:10:10 Post modified date: 2017-08-09 07:10:10 Post modified date GMT: 2017-08-09 07:10:10 ____________________________________________________________________________________________ Export of Post and Page as text file has been powered by [ Universal Post Manager ] plugin from