CCIE Security Written 400-251 Free Dumps

Share CCIE Security Written 400-251 Free Dumps as following:

Which two statements about the MACsec security protocol are true? (Choose two)
A. Stations broadcast an MKA heartbeat the contains the key server priority.
B. The SAK is secured by 128-bit AES-GCM by default.
C. When switch-to-switch link security is configured in manual mode, the SAP operation mode must be set to GCM.
D. MACsec is not supported in MDA mode.
E. MKA heartbeats are sent at a default interval of 3 seconds.
Answer: A B

Which two options are benefits of network summarization? (Choose two)
A. It can summarize discontiguous IP addresses.
B. It can easily be added to existing networks.
C. It can increase the convergence of the network.
D. It prevents unnecessary routing updates at the summarization boundary if one of the routes in the summary is unstable
E. It reduces the number of routes.
Answer: D E

Which two statements about uRPF are true?(Choose two)
A. The administrator can configurethe allow-defaultcommand to force the routing table to use only the default .
B. It is not supported on the Cisco ASA security appliance.
C. The administrator can configure the ip verify unicast source reachable-via any command to enable the RPF check to work through HSRP touting groups.
D. The administrator can use thes how cef interface command to determine whether uRPF is enabled.
E. In strict mode, only one routing path can be available to reach network devices on a subnet..
Answer: D E

Which type of header attack is detected by Cisco ASA basic threat detection?
A. Connection limit exceeded.
B. Denial by access list.
C. Failed application inspection.
D. Bad packet format.
Answer: D

Which WEP configuration can be exploited by a weak IV attack?
A. When the static WEP password has been stored without encryption.
B. When a per-packet WEP key is in use.
C. When a 64-bit key is in use.
D. When the static WEP password has been given away.
E. When a 40-bit key is in use.
F. When the same WEP key is used to create every packet.
Answer: E

Which two statements about Botnet Traffic Filter snooping are true?(Choosetwo)
A. It requires DNS packet inspection to be enabled to filter domain names in the dynamic database.
B. It requires the Cisco ASA DNS server to perform DNS lookups.
C. It can inspect both IPV4 and IPV6 traffic.
D. It can log and block suspicious connections from previously unknown bad domains and IP addresses.
E. It checks inbound traffic only.
F. It checks inbound and outbound traffic.
Answer: A F

Which three statements about SXP are true?(Choose three)
A. It resides in the control plane, where connections can be initiated from a listener.
B. Packets can be tagged with SGTs only with hardware support.
C. Each VRF supports only one CTS-SXP connection.
D. To enable an access device to use IP device tracking to learn source device IP addresses,DHCP snooping must be configured.
E. The SGA ZBPF uses the SGT to apply forwarding decisions.
F. SeparateVRFs require different CTS-SXP peers, but they can use the same source IP addresses.
Answer: A B C

Which file extensions are supported on the Firesight Management Center 6.1(3.1)file policies that can be analyzed dynamically using the Threat Grid Sandbox integration?
Answer: A

Which effect of the crypto pki authenticate commend is true?
A. It sets the certificate enrollment method.
B. It retrievers and authentication a CA certificate.
C. It configures a CA trustpoint.
D. It displays the current CA certificate.
Answer: B

Which effect of theip nhrp map multicast dynamic command is true?
A. It configures a hub router to automatically add spoke routers to multicast replication list of the hub.
B. It enables a GRE tunnel to operate without the IPsec peer or crypto ACLs.
C. It enables a GRE tunnel to dynamically update the routing tables on the devices at each end of the tunnel.
D. It configures a hub router to reflect the routes it learns from a spoke back to other spoke back to other spokes through the same interface.
Answer: A

Which statement about VRF-aware GDOI group members is true?
A. IPsec is used only to secure data traffic.
B. The GM cannot route control traffic through the same VRF as data traffic.
C. Multiple VRFs are used to separate control traffic and data traffic.
D. Registration traffic and rekey traffic must operate on different on different VRFs.
Answer: A

Which two statements about Cisco URL Filtering on Cisco IOS Software are true?(Choose two)
A. It supports Websense and N2H2 filtering at the same time.
B. It supports local URL lists and third-party URL filtering servers.
C. By default, it uses ports 80 and 22.
D. It supports HTTP and HTTP traffic.
E. By default, it allows all URLs when the connection to the filtering server is down.
F. It requires minimal CPU time.
Answer: A B

Which two options are benefits of the Cisco ASA transparent firewall mode?(Choose two)
A. It can establish routing adjacencies.
B. It can perform dynamic routing.
C. It can be added to an existing network without significant reconfiguration.
D. It supports extended ACLs to allow Layer 3 traffic to pass from higher lower security interfaces.
E. It provides SSL VPN support.
Answer: C D

How does Scavenger-class QOS mitigate DOS and worm attacks?
A. It monitors normal traffic flow and drops burst traffic above the normal rate for a single host.
B. It matches traffic from individual hosts against the specific network characteristics of known attack types.
C. It sets a specific intrusion detection mechanism and applies the appropriate ACL when matching traffic is detected.
D. It monitors normal traffic flow and aggressively drops sustained abnormally high traffic streams from multiple hosts.
Answer: D

If want to get more CCIE Security Written 400-251 Free Dumps, please contact

Leave a Reply

Your email address will not be published. Required fields are marked *