Download CCIE Security Written Exam v5-1.pass4sures.400-251.2018-08-02.1e.123q.vcex


File Info

Exam CCIE Security Written Exam v5.1
Number 400-251
File Name CCIE Security Written Exam v5-1.pass4sures.400-251.2018-08-02.1e.123q.vcex
Size 1.86 Mb
Posted August 02, 2018
Downloaded 22






Demo Questions

Question 1

Which two statements about the MACsec security protocol are true? (Choose two.)

  • A: MACsec is not supported in MDA mode.
  • B: Stations broadcast an MKA heartbeat that contains the key server priority.
  • C: When switch-to-switch link security is configured in manual mode, the SAP operation mode must be set to GCM.
  • D: MKA heartbeats are sent at a default interval of 3 seconds.
  • E: The SAK is secured by 128-bit AES-GCM by default.

Correct Answer: BE




Question 2

Which type of header attack is detected by Cisco ASA basic threat detector?

  • A: failed application inspection
  • B: connection limit exceeded
  • C: bad packet format
  • D: denial by access list

Correct Answer: C

Using basic threat detection statistics, the ASA monitors the rate of dropped packets and security events due to the following reasons:

  • Denial by access lists
  • Bad packet format (such as invalid-ip-header or invalid-tcp-hdr-length)
  • Connection limits exceeded (both system-wide resource limits, and limits set in the configuration)
  • DoS attack detected (such as an invalid SPI, Stateful Firewall check failure)
  • Basic firewall checks failed (This option is a combined rate that includes all firewall-related packet drops in this bulleted list. It does not include non-firewall-related drops such as interface overload, packets failed at application inspection, and scanning attack detected.)
  • Suspicious ICMP packets detected
  • Packets failed application inspection
  • Interface overload

Reference: http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/conns_threat.html#wp1067533




Question 3

Which two statements about SCEP are true? (Choose two.)

  • A: The GetCACaps response message supports DES encryption and the SHA-128 hashing algorithm.
  • B: CA servers must support GetCACaps response message in order to implement extended functionality.
  • C: The GetCert exchange is signed and encrypted only in the response direction.
  • D: It is vulnerable to downgrade attacks on its cryptographic
  • E: The GetCRL exchange is signed and encrypted only in the response direction.

Correct Answer: BD

Reference: http://www.cisco.com/c/en/us/support/docs/security-vpn/public-key-infrastructure-pki/116167-technote-scep-00.html#anc21




Question 4

Which effect of the ip nhrp map multicast dynamic command is true?

  • A: It configures a hub router to reflect the routes it learns from a spoke back to other spokes through the same interface.
  • B: It enables a GRE tunnel to dynamically update the routing tables on the devices at each end of the tunnel.
  • C: It configures a hub router to automatically add spoke routers to the multicast replication list of the hub.
  • D: It enables a GRE tunnel to operate without the IPsec peer or crypto ACLs.

Correct Answer: C




Question 5

Refer to the exhibit. A user authenticates to the NAS, which communicates to the TACACS+ server for authentication. The TACACS+ server then accesses the Active Directory Server through the ASA firewall to validate the user credentials. 
Which protocol-port must be allowed access through the ASA firewall?

  • A: DNS over TCP 53
  • B: global catalog over UDP 3268
  • C: LDAP over UDP 389
  • D: DNS over UDP 53
  • E: TACACS+ over TCP 49
  • F: SMB over TCP 455

Correct Answer: C




Question 6

Which effect of the crypto pki authenticate command is true?

  • A: It sets the certificate enrollment method.
  • B: It retrieves and authenticates a CA certificate.
  • C: It displays the current CA certificate.
  • D: It configures a CA trustpoint.

Correct Answer: B

Reference: https://www.cisco.com/en/US/docs/ios/security/command/reference/sec_c5.pdf




Question 7


Refer to the exhibit. What is the maximum number of site-to-site VPNs allowed by this configuration?

  • A: 10
  • B: 15
  • C: unlimited
  • D: 5
  • E: 0
  • F: 1

Correct Answer: A

Reference: http://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/ha_contexts.html#pgfId-1142960




Question 8

How does Scavenger-class QoS mitigate DoS and worm attacks?

  • A: It matches traffic from individual hosts against the specific network characteristics of known attack types.
  • B: It sets a specific intrusion detection mechanism and applies the appropriate ACL when matching traffic is detected.
  • C: It monitors normal traffic flow and drops burst traffic above the normal rate for a single host.
  • D: It monitors normal traffic flow and aggressively drops sustained abnormally high traffic streams from multiple hosts.

Correct Answer: D

Reference: https://www.cisco.com/en/US/technologies/tk543/tk759/technologies_white_paper0900aecd80295ac7.pdf




Question 9

Which three statements about SXP are true? (Choose three.)

  • A: To enable an access device to use IP device tracking to learn source device IP addresses, DHCP snooping must be configured.
  • B: Each VRF supports only one CTS-SXP connection.
  • C: It resides in the control plane, where connections can be initiated from a listener.
  • D: Separate VRFs require different CTS-SXP peers, but they can use the same source IP addresses.
  • E: The SGA ZBPF uses the SGT to apply forwarding decisions.
  • F: Packets can be tagged with SGTs only with hardware support.

Correct Answer: BCF




Question 10


Refer to the exhibit. Which two effects of this configuration are true? (Choose two.)

  • A: Configuration commands in the router are authorized without checking the TACACS+ server.
  • B: When a user logs in to privilege EXEC mode, the router will track all user activity.
  • C: Requests to establish a reverse AUX connection to the router will be authorized against the TACACS+ server.
  • D: When a user attempts to authenticate on the device, the TACACS+ server will prompt the user to enter the username stored in the router’s database.
  • E: If a user attempts to log in as a level 15 user, the local database will be used for authentication and TACACS+ server will be used for authorization.
  • F: It configures the router’s local database as the backup authentication method for all TTY, console, and aux logins.

Correct Answer: AD









