Download CCIE Security Written Exam v5-1.realtests.400-251.2019-10-22.1e.222q.vcex


File Info

Exam CCIE Security Written Exam v5.1
Number 400-251
File Name CCIE Security Written Exam v5-1.realtests.400-251.2019-10-22.1e.222q.vcex
Size 5.09 Mb
Posted October 22, 2019
Downloads 61

How to open VCEX & EXAM Files?

Files with VCEX & EXAM extensions can be opened by ProfExam Simulator.

Demo Questions

Question 1

View the Exhibit. 

  

Refer to the exhibit. Which two effects of this configuration are true? (Choose two.)

  • A: User five can view usernames and passwords
  • B: User superuser can view the configuration
  • C: User superuser can change usernames and passwords
  • D: User superuser can view usernames and passwords
  • E: User five can execute the show run command
  • F: User cisco can view usernames and passwords

Correct Answer: BD




Question 2

Which three commands can you use to configure VXLAN on a Cisco ASA firewall? (Choose three.)

  • A: default-mcast-group
  • B: set ip next-hop verify-availability
  • C: sysopt connection tcpmss
  • D: segment-id
  • E: inspect vxlan
  • F: nve-only

Correct Answer: ADF




Question 3

Which type of attack uses a large number of spoofed MAC addresses to emulate wireless clients?

  • A: DoS against an access point
  • B: DoS against a client station
  • C: chopchop attack
  • D: Airsnarf attack
  • E: device-probing attack
  • F: authentication-failure attack

Correct Answer: A

DoS attacks against access points are typically carried out on the basis of the following assumptions:

  • Access points have limited resources, for example the per-client association state table.
  • WLAN management frames and authentication protocols 802.11 and 802.1x have no encryption mechanisms.

Wireless intruders can exhaust access point resources, most importantly the client association table, by emulating a large number of wireless clients with spoofed MAC addresses. Each of these emulated clients attempts association and authentication with the target access point but leaves the protocol transaction midway. When the access point's resources and client association table are filled with these emulated clients and their incomplete authentication states, legitimate clients can no longer be serviced by the attacked access point. This creates a denial-of-service condition.

Reference: http://www.cisco.com/c/en/us/td/docs/wireless/mse/8-0/MSE_wIPS/MSE_wIPS_8_0/MSE_wIPS_7_5_appendix_0110.html#concept_E6770BF8F43241919859C16AE0077137




Question 4

Which option best describes RPL?

  • A: RPL stands for Routing over Low-power Lossy Networks that use link-state LSAs to determine the best route between leaves and the root border router.
  • B: RPL stands for Routing over Low-power Lossy Networks that use distance vector DODAG to determine the best route between leaves and the root border router.
  • C: RPL stands for Routing over low priority links that use link-state LSAs to determine the best route between two root border routers.
  • D: RPL stands for Routing over low priority links that use distance vector DODAG to determine the best route between two root border routers.

Correct Answer: B

RPL is a distance vector protocol and supports a wide set of routing link and node metrics. RPL supports mono metric optimization—the best path is considered as the shortest (constrained) path according to a single metric (multimetric optimization is not supported). The objective is to not trade path optimality for network stability. A small path cost increase is usually smoothed out for the benefit of limiting the control plane traffic. 
Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/rpl/configuration/15-mt/rpl-15-mt-book.html#concept_56393E63C4D74ABAB7A25049C2345053




Question 5

Which WEP configuration can be exploited by a weak IV attack?

  • A: When the static WEP password has been given away
  • B: When the static WEP password has been stored without encryption
  • C: When a per-packet WEP key is in use
  • D: When a 40-bit key is in use
  • E: When the same WEP key is used to create every packet
  • F: When a 64-bit key is in use

Correct Answer: D

Reference: http://www.opus1.com/www/whitepapers/whatswrongwithwep.pdf




Question 6

Which OpenStack project has orchestration capabilities?

  • A: Heat
  • B: Cinder
  • C: Horizon
  • D: Sahara

Correct Answer: A

Heat is the main project in the OpenStack Orchestration program. It implements an orchestration engine to launch multiple composite cloud applications based on templates in the form of text files that can be treated like code. A native Heat template format is evolving, but Heat also endeavours to provide compatibility with the AWS CloudFormation template format, so that many existing CloudFormation templates can be launched on OpenStack. Heat provides both an OpenStack-native ReST API and a CloudFormation-compatible Query API. 
Reference: https://wiki.openstack.org/wiki/Heat




Question 7

Which two options are benefits of global ACLs? (Choose two.)

  • A: They only operate on logical interfaces.
  • B: They are more efficient because they are processed before interface access rules.
  • C: They can be applied to multiple interfaces.
  • D: They are flexible because they match source and destination IP addresses for packets that arrive on any interface.
  • E: They save memory because they work without being replicated on each interface.

Correct Answer: DE

Global access rules allow you to apply a global rule to ingress traffic without the need to specify an interface to which the rule must be applied. Using global access rules provides the following benefits:

  • When migrating to the adaptive security appliance from a competitor appliance, you can maintain a global access rule policy instead of needing to apply an interface-specific policy on each interface.
  • Global access control policies are not replicated on each interface, so they save memory space.
  • Global access rules provide flexibility in defining a security policy. You do not need to specify which interface a packet comes in on, as long as it matches the source and destination IP addresses.
  • Global access rules use the same mtrie and stride tree as interface-specific access rules, so scalability and performance for global rules are the same as for interface-specific rules.

Reference: http://www.cisco.com/c/en/us/td/docs/security/asa/asa83/configuration/guide/config/access_rules.html




Question 8

Which three statements about 802.1x multiauthentication mode are true? (Choose three.)

  • A: It can be deployed in conjunction with MDA functionality on voice VLANs.
  • B: It requires each connected client to authenticate individually.
  • C: Each multiauthentication port can support only one voice VLAN.
  • D: It is recommended for auth-fail VLANs.
  • E: On non-802.1x devices, it can support only one authentication method on a single port.
  • F: It is recommended for guest VLANs.

Correct Answer: ABC

Available in Cisco IOS Release 12.2(50)SG, multiauthentication mode allows one client on the voice VLAN and multiple authenticated clients on the data VLAN. When a hub or access point is connected to an 802.1X port, multiauthentication mode provides enhanced security over multiple-hosts mode by requiring authentication of each connected client. For non-802.1X devices, you can use MAB or web-based authentication as the fallback method for individual host authentications, allowing you to authenticate different hosts through different methods on a single port.

Multiauthentication also supports MDA functionality on the voice VLAN by assigning authenticated devices to either a data or voice VLAN depending on the VSAs received from the authentication server.

Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/50sg/configuration/guide/Wrapper-46SG/dot1x.html#wp1309093




Question 9

View the Exhibit. 

  

Refer to the exhibit. Which three additional configuration elements must you apply to complete a functional FlexVPN deployment? (Choose three.)

  • A:
      
  • B:
      
  • C:
      
  • D:
      
  • E:
      
  • F:
      

Correct Answer: BDE

Reference: http://www.cisco.com/c/en/us/support/docs/security/flexvpn/115782-flexvpn-site-to-site-00.html




Question 10

View the Exhibit. 

  

Refer to the exhibit. Which effect of this configuration is true?

  • A: If the RADIUS server is unreachable, SSH users cannot authenticate.
  • B: All commands are validated by the RADIUS server before the device executes them.
  • C: Users accessing the device via SSH and those accessing enable mode are authenticated against the RADIUS server.
  • D: Users must be in the RADIUS server to access the serial console.
  • E: Only SSH users are authenticated against the RADIUS server.

Correct Answer: D









