This page was exported from Free Download Lead2pass VCE And PDF Dumps [ https://www.pass4sureshared.com ]
Export date: Fri Mar 29 5:44:35 2024 / +0000 GMT

Title: [2017 New] Lead2pass 400-251 Exam Questions Free Download (251-275)

QUESTION 251
Which three Cisco attributes for LDAP authorization are supported on the ASA? (Choose three)
A.    L2TP-Encryption
B.    Web-VPN-ACL-Filters
C.    IPsec-Client-Firewall-Filter-Name
D.    Authenticated-User-Idle-Timeout
E.    IPsec-Default-Domain
F.    Authorization-Type
Answer: BDE
Explanation: Something is wrong with the question. All 6 options given are supported by Cisco ASA. Check out this document for all supported attributes; they are all in Table 1-2:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/ref_extserver.pdf

QUESTION 252
Which two options are system requirements for single sign-on on Cisco Unified Communications Manager? (Choose two)
A.    OpenAM must be deployed in a different domain Microsoft Active Directory.
B.    All participating entities must have their clocks synchronized.
C.    The local user profile on Cisco Unified Communications must be disabled.
D.    IWA and Kerberos authentication must be configured in the Windows domain.
E.    Microsoft Active Directory must be deployed in a domain-based configuration.
Answer: BE

QUESTION 253
Which of the following statements is true about the ARP attack?
A.    Attackers send the ARP request with the MAC address and IP address of a legitimate resource in the network.
B.    Attackers send the ARP request with their own MAC address and IP address.
C.    ARP spoofing does not facilitate man-in-the-middle attacks by the attackers.
D.    Attackers send the ARP request with their own MAC address and the IP address of a legitimate resource in the network.
Answer: D

QUESTION 254
During a DoS attack, all of the data is lost from a user's laptop and the user must now rebuild the system. Which tool can the user use to extract the Outlook PST file from the Microsoft server database?
A.    Eseutil.exe
B.    NTabackup.cex
C.    Exmerge.exe
D.    Ost2st.exe
Answer: C

QUESTION 255
A Cisco Easy VPN software client is unable to access its local LAN devices once the VPN tunnel is established. What is the best way to solve this issue?
A.    The IP address that is assigned by the Cisco Easy VPN Server to the client must be on the same network as the local LAN of the client.
B.    The Cisco Easy VPN Server should apply split-tunnel-policy excludespecified with a split-tunnel-list containing the local LAN addresses that are relevant to the client.
C.    The Cisco Easy VPN Server must push down an interface ACL that permits the traffic to the local LAN from the client.
D.    The Cisco Easy VPN Server should apply a split-tunnel-policy tunnelall policy to the client.
E.    The Cisco Easy VPN client machine needs to have multiple NICs to support this.
Answer: B

QUESTION 256
Which two statements about IKEv2 are true? (Choose two)
A.    It uses EAP authentication
B.    It uses X.509 certificates for authentication
C.    The profile is a collection of transforms used to negotiate IKE SAs
D.    It supports DPD and NAT-T by default
E.    The profile contains a repository of symmetric and asymmetric preshared keys
F.    At minimum, a complete proposal requires one encryption algorithm and one integrity algorithm
Answer: AD

QUESTION 257
Which two OSPF network types support the concept of a designated router? (Choose two.)
A.    broadcast
B.    NBMA
C.    point-to-multipoint
D.    point-to-multipoint nonbroadcast
E.    loopback
Answer: AB

QUESTION 258
Given the IPv4 address 10.10.100.16, which two addresses are valid IPv4-compatible IPv6 addresses? (Choose two)
A.    0:0:0:0:0:10:10:100:16
B.    0:0:10:10:10:16:0:0:0
C.    0:0:10:10:100:16:0:0:0
D.    ::10:10:100:16
E.    :::A:A:64:10
Answer: AD

QUESTION 259
What technology can you implement on your network to allow IPv4-dependent applications to work with IPv6-capable application?
A.    NAT 6to4
B.    DS-lite
C.    NAT-PT
D.    ISATAP
E.    NAT64
Answer: E

QUESTION 260
Which three fields are part of the AH header? (Choose three)
A.    Destination address
B.    Protocol ID
C.    Packet ICV
D.    SPI identifying SA
E.    Next header
F.    Application port
G.    Source address
Answer: CDE

QUESTION 261
What ASA feature can you use to restrict a user to a specific VPN group?
A.    A webtype ACL
B.    MPF
C.    A VPN filter
D.    Group-lock
Answer: D

QUESTION 262
Which two statements about SGT Exchange Protocol are true? (Choose two)
A.    It propagates the IP-to-SGT binding table across network devices that do not have the ability to perform SGT tagging at Layer 2 to devices that support it
B.    SXP runs on UDP port 64999
C.    A connection is established between a "listener" and a "speaker"
D.    SXP is only supported across two hops
E.    SXPv2 introduces connection security via TLS
Answer: AC

QUESTION 263
Which three statements are true regarding RFC 5176 (Change of Authorization)? (Choose three.)
A.    It defines a mechanism to allow a RADIUS server to initiate a communication inbound to a NAD.
B.    It defines a wide variety of authorization actions, including "reauthenticate."
C.    It defines the format for a Change of Authorization packet.
D.    It defines a DM.
E.    It specifies that TCP port 3799 be used for transport of Change of Authorization packets.
Answer: ACD

QUESTION 264
How does a wireless association flood attack create a DoS?
A.    It sends a high-power RF pulse that can damage the internals of the AP
B.    It spoofs disassociation frames from the access point.
C.    It uses a brute force attack to crack the encryption.
D.    It exhausts the access client association table.
Answer: D
Explanation: This question is very confusing because it doesn't state whether it is a DoS against the access point or the client. If the DoS is run against the AP, then the right answer is D. Check the section “Denial of Service attacks against access points”:
http://www.cisco.com/c/en/us/td/docs/wireless/mse/3350/7-2/wIPS_Configuration/Guide/wIPS_72/msecg_appA_wIPS.html
If the attack targets wireless clients, then the correct answer is B. Check the section “Denial of service attacks against client station” in the same document.

QUESTION 265
Refer to the exhibit. You have configured two route-map instances on R1, which passes traffic from switch 1 on both VLAN 1 and VLAN 2. You wish to ensure that the first route-map instance matches packets from VLAN 1 and sets the next hop to 3232::2/128. The second route-map instance matches packets from VLAN 2 and sets the next hop to 3232::3/128. What feature can you implement on R1 to make this configuration possible?
A.    PBR
B.    BGP local-preference
C.    BGP next-hop
D.    VSSP
E.    GLBP
Answer: A
Explanation:
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_pi/configuration/xe-3s/iri-xe-3s-book/ip6-pbr-xe.html

QUESTION 266
What are two features that can be used to drop incoming traffic with spoofed bogon addresses? (Choose two)
A.    Unicast RPF
B.    ingress ACLs
C.    flexible ACLs
D.    egress ACLs
E.    reflexive ACLs
F.    Source Specific Multicast
Answer: AB

QUESTION 267
Refer to the exhibit. What is the effect of the given command sequence?
A.    The router telnet to the on port 2002
B.    The AP console port is shut down.
C.    A session is opened between the router console and the AP.
D.    The router telnets to the router on port 2002.
Answer: C

QUESTION 268
Which two statements about IPsec in a NAT-enabled environment are true? (Choose two)
A.    The hashes of each peer's IP address and port number are compared to determine whether NAT-T is required
B.    NAT-T is not supported when IPsec Phase 1 is set to Aggressive Mode
C.    The first two messages of IPsec Phase 2 are used to determine whether the remote host supports NAT-T
D.    NAT-T is not supported when IPsec Phase 1 is set to Main Mode
E.    IPsec packets are encapsulated in UDP 500 or UDP 10000 packets
F.    To prevent translations from expiring, NAT keepalive messages that include a payload are sent between the peers
Answer: AF
Explanation:
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_dplane/configuration/15-1mt/sec-ipsec-nat-transp.html#GUID-54C3D921-581F-48B8-9641-5942C19DEA1F

QUESTION 269
Which statement about the Cisco Secure ACS Solution Engine TACACS+ AV pair is true?
A.    AV pairs are only required to be enabled on Cisco Secure ACS for successful implementation.
B.    The Cisco Secure ACS Solution Engine does not support accounting AV pairs.
C.    AV pairs are only string values.
D.    AV pairs are of two types: string and integer.
Answer: C

QUESTION 270
Which statement about Sarbanes-Oxley (SOX) is true?
A.    SOX is an IETF compliance procedure for computer systems security.
B.    SOX is a US law.
C.    SOX is an IEEE compliance procedure for IT management to produce audit reports.
D.    SOX is a private organization that provides best practices for financial institution computer systems.
E.    Section 404 of SOX is only related to IT compliance.
Answer: BE

QUESTION 271
Which Cisco ASA firewall mode supports ASDM one-time-password authentication using RSA SecurID?
A.    Network translation mode
B.    Single-context routed mode
C.    Multiple-context mode
D.    Transparent mode
Answer: B

QUESTION 272
What protocol is responsible for issuing certificates?
A.    SCEP
B.    DTLS
C.    ESP
D.    AH
E.    GET
Answer: A

QUESTION 273
Which category to protocol mapping for NBAR is correct?
A.    Category: internet; Protocol: FTP, HTTP, TFTP
B.    Category: Network management; Protocol: ICMP, SNMP, SSH, telnet
C.    Category: network mail services; Protocol: mapi, pop3, smtp
D.    Category: Enterprise applications; Protocol: citrixICA, PCAnywhere, SAP, IMAP
Answer: A

QUESTION 274
You have discovered an unwanted device with MAC address 001c.0f12.badd on port FastEthernet1/1 on VLAN 4. What command or command sequence can you enter on the switch to prevent the MAC address from passing traffic on VLAN 4?
A.
B.
C.
D.
E.
Answer: E
Explanation: In order for a VLAN access-map to drop a specific MAC address, it has to use an access-list with a permit entry.
http://www.cisco.com/c/en/us/support/docs/switches/catalyst-3550-series-switches/64844-mac-acl-block-arp.html

QUESTION 275
Which two options are benefits of the Cisco ASA Identity Firewall? (Choose two)
A.    It supports an AD server module to verify identity data.
B.    It can operate completely independently of other servers.
C.    It decouples security policies from the network topology.
D.    It can apply security policies on an individual user or user-group basis
E.    It can identify threats quickly based on their URLs.
Answer: CD
Post date: 2017-08-10 06:26:00 GMT