100% Valid CCIE Security 400-251 Exam Dumps

Cisco CCIE Security certification is for individuals who have the skills to implement and maintain extensive network security solutions using industry best practices. Get 100% valid CCIE Security 400-251 exam dumps for passing. There are many ways to prepare for the CCIE Security 400-251 exam; for example, you can watch online training videos for Cisco 400-251 exam preparation. You can get success in the 400-251 exam by choosing the 100% Valid CCIE Security 400-251 Exam Dumps.

Free Cisco 400-251 CCIE Security Dumps Questions

1. Refer to the exhibit.

Which reason for the Dot1x session failure is true?

2. What is the best description of a Dockerfile?

3. Which of the following is used by WSA to extract session information from ISE and use that in access policies?

4. When an organization is choosing a cloud computing model to adopt, many considerations are studied to determine the most suitable model.

To which model is cloud interdependency mainly attributed?

5. How does a Cisco ISE server determine whether a client supports EAP chaining?

6. Which three statements about EAP-Chaining are true? (Choose three)

7. Which four types of traffic should be allowed during an unknown posture state? (Choose four)

8. Which statement describes the Cisco Virtual Topology System?

9. Drag each LDAP query that the ESA uses to query an LDAP server on the left to its function on the right.

10. Your environment has a large number of network devices that are configured to use AAA for authentication. Additionally, your security policy requires the use of two-factor or multi-factor authentication for all device administrators, which you have integrated with ACS. To simplify device management, your organization has purchased Prime Infrastructure.

What is the best way to get Prime Infrastructure to authenticate to all your network devices?

11. Drag each network scan type on the left to its definition on the right.

12. In your ISE design, there are two TACACS profiles that are created for device administration:

IOS_HelpDesk_Profile and IOS_Admin_Profile. The HelpDesk profile should log the user in with privilege level 1, with the ability to change the privilege level to 15. The Admin profile should log the user in with privilege level 15 by default.

Which two commands must the HelpDesk user enter on the IOS device to access privilege level 15? (Choose two)

13. Which statement about the pxGrid connection agent is true?

14. Which criteria does ASA use for packet classification if multiple contexts share an ingress interface MAC address?

15. Refer to the exhibit.

What could be the reason for the Dot1x session failure?

16. For your enterprise ISE deployment, you want to use certificate-based authentication for all your Windows machines. You have already pushed the machine and user certificates out to all the machines using GPO. By default, certificate-based authentication does not check the certificate against Active Directory or require credentials from the user. This essentially means that no groups are returned as part of the authentication request.

In which way can the user be authorized based on Active Directory group membership?

17. Refer to the exhibit.

R3
ip vrf mgmt
!
crypto keyring CCIE vrf mgmt
  pre-shared-key address 0.0.0.0 0.0.0.0 key cisco
!
crypto isakmp policy 33
 encr 3des
 authentication pre-share
 group 2
 lifetime 600
!
crypto ipsec transform-set site_ab esp-aes-256 esp-sha-hmac
 mode tunnel
!
crypto ipsec profile site_a
 set security-association lifetime seconds 600
 set transform-set site_ab
!
crypto gdoi group group_a
 identity number 100
 server local
  rekey algorithm aes 256
  rekey lifetime seconds 300
  rekey retransmit 10 number 3
  rekey authentication mypubkey rsa cciekey
  rekey transport unicast
  sa ipsec 1
   profile site_a
   match address ipv4 site_a
   replay counter window-size 64
   no tag
  address ipv4 10.1.20.3
!
interface GigabitEthernet3
 ip address 10.1.20.3 255.255.255.0
!
ip access-list extended site_a
 permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255

R3 is the key server in a GETVPN VRF-Aware implementation. The group members for site_a register with the key server via interface address 10.1.20.3/24 in the management VRF "mgmt".

The GROUP ID for site_a is 100, used to retrieve group policy and keys from the key server.

The traffic to be encrypted by the site_a group members is between 192.186.4.0/24 and 192.186.5.0/24.

The pre-shared key used by the group members to authenticate with the key server is "cisco". It has been reported that the group members are unable to perform encryption for the traffic defined in the group policy of site_a. What could be the issue? (Choose two)

18. VARIATION 2

Refer to the exhibit.

R3
ip vrf mgmt
!
crypto keyring CCIE vrf mgmt
  pre-shared-key address 0.0.0.0 0.0.0.0 key cisco
!
crypto isakmp policy 33
 encr 3des
 authentication pre-share
 group 2
 lifetime 600
!
crypto ipsec transform-set site_ab esp-aes-256 esp-sha-hmac
 mode tunnel
!
crypto ipsec profile site_a
 set security-association lifetime seconds 600
 set transform-set site_ab
!
crypto gdoi group group_a
 identity number 100
 server local
  rekey algorithm aes 256
  rekey lifetime seconds 300
  rekey retransmit 10 number 3
  rekey authentication mypubkey rsa cciekey
  rekey transport unicast
  sa ipsec 1
   profile site_a
   match address ipv4 site_a
   replay counter window-size 64
   no tag
  address ipv4 10.1.20.3
!
interface GigabitEthernet3
 ip address 10.1.20.3 255.255.255.0
!
ip access-list extended site_a
 permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255

R3 is the key server in a GETVPN VRF-Aware implementation. The group members for site_a register with the key server via interface address 10.1.20.3/24 in the management VRF "mgmt".

The GROUP ID for site_a is 100, used to retrieve group policy and keys from the key server.

The traffic to be encrypted by the site_a group members is between 192.186.4.0/24 and 192.186.5.0/24.

The pre-shared key used by the group members to authenticate with the key server is "cisco".

It has been reported that group members cannot perform encryption for the traffic defined in the group policy of site_a.

Which two possible issues are true? (Choose two)

19. Which of the following Cisco products gives the ability to interact with malware for behavior analysis?

20. Which of the following is part of the DevOps virtuous cycle?

21. How would you best describe Jenkins?

22. Refer to the exhibit.

R15
crypto pki trustpoint ccier15
 enrollment url http://172.16.100.17:8080
 serial-number
 ip-address 172.16.100.15
 subject-name CN=r15 O=cisco.com
 revocation-check none
 source interface Loopback0
 rsakeypair ccier15
!
crypto isakmp policy 1516
 encr aes
 hash md5
 group 2
!
crypto ipsec transform-set ts1516 esp-aes esp-sha-hmac
 mode tunnel
!
crypto map r15r16 1516 ipsec-isakmp
 set peer 10.1.7.16
 set transform-set ts1516
 match address 110
!
interface Loopback0
 ip address 172.16.100.15 255.255.255.255
!
interface Loopback1
 ip address 192.168.15.15 255.255.255.0
!
interface GigabitEthernet1
 ip address 20.1.6.15 255.255.255.0
 negotiation auto
 crypto map r15r16
!
router bgp 6
 bgp log-neighbor-changes
 network 172.16.100.15 mask 255.255.255.255
 neighbor 20.1.6.18 remote-as 678
 neighbor 20.1.6.18 password cisco
!
ip route 192.168.16.0 255.255.255.0 20.1.7.16
access-list 110 permit ip 192.168.15.0 0.0.0.255 192.168.16.0 0.0.0.255
!
ntp authentication-key 11 md5 ccie
ntp authenticate
ntp trusted-key 12
ntp server 150.1.7.131 key 12
!
ip domain name cisco.com

R15 is trying to initiate a certificate-based site-to-site IPsec VPN tunnel with the peer at 20.1.7.16. The CA is running on port 80 at address 172.16.100.18. R15 has a BGP peer at 20.1.6.18 with an authenticated session to establish reachability with the VPN remote site.

The VPN tunnel will secure traffic between the 192.168.15.0/24 and 192.168.16.0/24 networks.

It has been reported that the VPN tunnel is not coming up with the remote site. What could be the issue? (Choose two)

23. Refer to the exhibit.

AMP cloud is configured to report AMP Connector scan events from Windows machines that belong to the "Audit" group to FMC, but the scan events are not showing up in FMC. What could be the possible cause?

24. Refer to the exhibit.

R1(config)#parameter-map type inspect param-map
R1(config-profile)#sessions maximum 10000
R1(config-profile)#
R1(config-profile)#class-map type inspect match-any class
R1(config-cmap)#match protocol tcp
R1(config-cmap)#match protocol udp
R1(config-cmap)#match protocol icmp
R1(config-cmap)#match protocol ftp
R1(config-cmap)#
R1(config-cmap)#policy-map type inspect policy
R1(config-cmap)#class type inspect class
R1(config-cmap-c)#inspect param-map
R1(config-cmap-c)#
R1(config-cmap-c)#zone security z1
R1(config-sec-zone)#zone security z2
R1(config-sec-zone)#
R1(config-sec-zone)#zone-pair security zp source z1 destination z2
R1(config-sec-zone-pair)#service-policy type inspect policy

Which two statements about the given IPv6 ZBF configuration are true? (Choose two)

25. On Nexus 9000, in Python interactive mode, which command is correctly used to disable an interface?

26. Which statement about SMTP authentication in a Cisco ESA deployment is true?

27. In FMC, a correlation rule can be based on which two elements? (Choose two)

28. Refer to the exhibit.

ASA1
router ospf 12
 network 10.1.11.0 255.255.255.0 area 1
 area 1 authentication message-digest
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.11.1 255.25.255.0 standby 10.1.11.2
 ospf message-digest-key 12 md5 cisco

R2
router ospf 12
 area 0 authentication message-digest
 area 1 authentication message-digest
 network 10.1.11.0 0.0.0.255 area 1
 network 10.1.12.0 0.0.0.255 area 0
 network 172.16.100.0 0.0.0.255 area 0
!
interface GigabitEthernet2
 ip address 10.1.11.22 255.255.255.0
 ip ospf message-digest-key 21 md5 cisco

Firewall ASA1 and router R2 are running an OSPF routing process in area 1, connected via the 10.1.11.0/24 subnet in the inside zone.

It has been reported that ASA1 is unable to see any OSPF-learned routes. What could be the reason? (Choose two)

29. A user attempts to browse the Internet through a CWS-integrated router and an HTTP 403 Forbidden error message is returned.

Which reason for the problem is the most likely?

30. What does NX-API use as its transport?

31. All your remote users use AnyConnect VPN to connect into your corporate network, with an ASA providing the VPN services. Authentication is through ISE using RADIUS as the protocol. ISE uses Active Directory as the identity source. You want to be able to assign different policies to users depending on their group membership in Active Directory.

Which is one possible way of doing that?

32. What are the two different modes in which a private AMP cloud can be deployed? (Choose two)

33. Refer to the exhibit.

aaa authentication login default group radius
aaa authentication login NO_AUTH none
aaa authentication login vty local
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting update newinfo
aaa accounting dot1x default start-stop group radius
!
ip dhcp excluded-address 60.1.1.11
ip dhcp excluded-address 60.1.1.2
!
ip dhcp pool mabpc-pool
 network 60.1.1.0 255.255.255.0
 default-router 60.1.1.2
!
cts sxp enable
cts sxp default source-ip 10.9.31.22
cts sxp default password ccie
cts sxp connection peer 10.9.31.1 password default mode peer listener hold-time 0
!
dot1x system-auth-control
!
interface GigabitEthernet1/0/9
 switchport mode access
 ip device tracking maximum 10
 authentication host-mode multi-auth
 authentication port-control auto
 mab
!
radius-server host 161.1.7.14 key cisco
radius-server timeout 60
!
interface VLAN10
 ip address 10.9.31.22 255.255.255.0
!
interface Vlan50
 no ip address
!
interface Vlan60
 ip address 60.1.1.2 255.255.255.0
!
interface Vlan150
 ip address 150.1.7.2 255.255.255.0

Looking at the configuration, what may cause the MAB authentication to fail for a supplicant?

34. Which statement describes a pure SDN framework environment?

35. Which configuration management tools does the Nexus 9000 platform support?

36. Refer to the exhibit.

Which two effects of this configuration are true? (Choose two)

37. Which three statements about SXP are true? (Choose three)

38. Refer to the exhibit.

Which two effects of this configuration are true? (Choose two)

39. Refer to the exhibit.

Switch-A (config)# cgmp leave-processing

Which two effects of this configuration are true? (Choose two)

40. Which three types of addresses can the Botnet Filter feature of the Cisco ASA monitor? (Choose three)

41. Which two statements about 802.1X components are true? (Choose two)

42. Refer to the exhibit.

Which two effects of this configuration are true? (Choose two)

43. In a Cisco ASA multiple-context mode of operation configuration, which three session types are resource-limited by default when their context is a member of the default class? (Choose three)

44. A network architect has been tasked to migrate a customer's legacy infrastructure switches from the Nexus 9000 platform.

Which peers will help him achieve his milestone?

45. In your corporate environment, you have various Active Directory groups based on the organizational structure and would like to ensure that users are only able to access certain resources depending on which group(s) they belong to. This policy should apply across the network. You have ISE, ASA and WSA deployed, and would like to ensure the appropriate policies are present so that access is based only on the user's group membership. Additionally, you don't want the user to authenticate multiple times to get access.

Which two policies are used to set this up? (Choose two)

46. Refer to the exhibit.

R9
crypto ikev2 keyring ccier10
 peer r10
  address 20.1.4.11
  pre-shared-key local ccier10
  pre-shared-key remote ccier10
!
crypto ikev2 profile ccier10
 match identity remote address 20.1.4.10 255.255.255.255
 authentication local pre-share
 authentication remote pre-share
 keyring local ccier10
!
crypto ipsec profile ccier10
 set ikev2-profile ccier10
!
interface Loopback1
 ip address 192.168.9.9 255.255.255.0
!
interface Tunnel34
 ip address 172.16.2.9 255.255.255.0
 tunnel source GigabitEthernet1
 tunnel destination 20.1.4.10
 tunnel protection ipsec profile ccier10
!
interface GigabitEthernet1
 ip address 20.1.3.9 255.255.255.0
 negotiation auto
!
router eigrp 34
 network 172.16.2.0 0.0.0.255
 network 192.168.9.0
!
router bgp 3
 bgp log-neighbor-changes
 network 20.1.3.0 mask 255.255.255.0
 neighbor 20.1.3.12 remote-as 345
 neighbor 20.1.3.12 password cisco

R9 is running FlexVPN with peer R10 at 20.1.4.10 using the pre-shared key "ccier10". The IPsec tunnel is sourced from the 172.16.2.0/24 network and is included in the EIGRP routing process.

The BGP next hop is AS 345 with address 20.1.3.12. It has been reported that the FlexVPN tunnel is down.

What could be the issue?

47. All your employees are required to authenticate their devices to the network, be they company-owned or employee-owned assets, with ISE as the authentication server. The primary identity store used is Microsoft Active Directory, with username and password authentication. To ensure the security of your enterprise, your security policy dictates that only company-owned assets should be able to get access to the enterprise network, while personal assets should have restricted access.

Which option would allow you to enforce this policy using only ISE and Active Directory?

48. VARIATION 1

Which statement is correct regarding the SenderBase functionality?

49. VARIATION 2

Which statement is correct regarding the SenderBase functionality?

50. In your network, you require all guests to authenticate to the network before getting access. However, you don't want to be stuck creating or approving accounts. It is preferred that this is all taken care of by the user, as long as their device is registered.

Which two mechanisms can be used to provide this functionality? (Choose two)

51. You have an ISE deployment with two nodes that are configured as PAN and MnT (primary and secondary), and four Policy Service Nodes (PSNs).

How many additional PSNs can you add to this deployment?

52. A device on your internal network is hard-coded with two DNS servers on the Internet (1.1.1.53, 2.2.2.53). However, you want to send all requests to your OpenDNS server (208.67.222.222).

Which set of commands do you run on the ASA to achieve this goal?

53. The purpose of an authentication proxy is to force the user to authenticate to a network device before the user is allowed access through the device. This is primarily used for HTTP-based services but can also be used for other services.

In the case of an ASA, what does ISE have to send to enforce this access policy?

54. What are the advantages of using LDAP over AD?

55. In a large organization, with thousands of employees scattered across the globe, it is difficult to provision and onboard new employee devices with the correct profiles and certificates.

With ISE, client provisioning is possible provided that which four conditions are met? (Choose four)

56. The SAML Single Sign-On on ISE is supported by which four portals? (Choose four)

57. Which protocol does ISE use to secure the connection through a Cisco IronPort tunnel infrastructure?

58. There is no ICMP connectivity from VPN_PC to Server 1 and Server 2.

What could be the possible cause?

59. For your enterprise ISE deployment, you are looking to use certificate-based authentication for all your Windows machines. You have already gone through the exercise of pushing the machine and user certificates out to all the machines using GPO. By default, certificate-based authentication doesn't check the certificate against Active Directory or require credentials from the user.

This essentially means that no groups are returned as part of the authentication request. What are the possible ways to authorize the user based on Active Directory group membership?

60. Which statement describes a hybrid SDN framework?
