Download CCIE Security Written Exam v5-1.pass4sures.400-251.2018-08-02.1e.123q.vcex

Download Dump

File Info

Exam CCIE Security Written Exam v5.1
Number 400-251
File Name CCIE Security Written Exam v5-1.pass4sures.400-251.2018-08-02.1e.123q.vcex
Size 1.86 Mb
Posted August 02, 2018
Downloads 46


How to open VCEX & EXAM Files?

Files with VCEX & EXAM extensions can be opened by ProfExam Simulator.

Download
ProfExam Simulator

Purchase
Coupon: EXAMFILESCOM

Coupon: EXAMFILESCOM
With discount: 20%


ProfExam Simulator ProfExam Simulator ProfExam Simulator ProfExam Simulator ProfExam Simulator


Demo Questions

Question 1
Which two statements about the MACsec security protocol are true? (Choose two.)

  • A: MACsec is not supported in MDA mode.
  • B: Stations broadcast an MKA heartbeat that contains the key server priority.
  • C: When switch-to-switch link security is configured in manual mode, the SAP operation mode must be set to GCM.
  • D: MKA heartbeats are sent at a default interval of 3 seconds.
  • E: The SAK is secured by 128-bit AES-GCM by default.
Correct Answer: BE



Question 2
Which type of header attack is detected by Cisco ASA basic threat detector?

  • A: failed application inspection
  • B: connection limit exceeded
  • C: bad packet format
  • D: denial by access list
Correct Answer: C
Using basic threat detection statistics, the ASA monitors the rate of dropped packets and security events due to the following reasons:
Denial by access lists 
Bad packet format (such as invalid-ip-header or invalid-tcp-hdr-length) 
Connection limits exceeded (both system-wide resource limits, and limits set in the configuration) 
DoS attack detected (such as an invalid SPI, Stateful Firewall check failure) 
Basic firewall checks failed (This option is a combined rate that includes all firewall-related packet drops in this bulleted list. It does not include non-firewall-related drops such as interface overload, packets failed at application inspection, and scanning attack detected.) 
Suspicious ICMP packets detected 
Packets failed application inspection 
Interface overload 
Reference: http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/conns_threat.html#wp1067533



Question 3
Which two statements about SCEP are true? (Choose two.)

  • A: The GetCACaps response message supports DES encryption and the SHA-128 hashing algorithm.
  • B: CA servers must support GetCACaps response message in order to implement extended functionality.
  • C: The GetCert exchange is signed and encrypted only in the response direction.
  • D: It is vulnerable to downgrade attacks on its cryptographic
  • E: The GetCRL exchange is signed and encrypted only in the response direction.
Correct Answer: BD
Reference:http://www.cisco.com/c/en/us/support/docs/security-vpn/public-key-infrastructure-pki/116167-technote-scep-00.html#anc21



Question 4
Which effect of the ip nhrp map multicast dynamic command is true?

  • A: It configures a hub router to reflect the routes it learns from a spoke back to other spokes through the same interface.
  • B: It enables a GRE tunnel to dynamically update the routing tables on the devices at each end of the tunnel.
  • C: It configures a hub router to automatically add spoke routers to the multicast replication list of the hub.
  • D: It enables a GRE tunnel to operate without the IPsec peer or crypto ACLs.
Correct Answer: C



Question 5
View the Exhibit. 

 
 
Refer to the exhibit. A user authenticates to the NAS, which communicates to the TACACS+ server for authentication. The TACACS+ server then accesses the Active Directory Server through the ASA firewall to validate the user credentials. 
Which protocol-port must be allowed access through the ASA firewall?

  • A: DNS over TCP 53
  • B: global catalog over UDP 3268
  • C: LDAP over UDP 389
  • D: DNS over UDP 53
  • E: TACACS+ over TCP 49
  • F: SMB over TCP 455
Correct Answer: C



Question 6
Which effect of the crypto pki authenticate command is true?

  • A: It sets the certificate enrollment method.
  • B: It retrieves and authenticates a CA certificate.
  • C: It displays the current CA certificate.
  • D: It configures a CA trustpoint.
Correct Answer: B
Reference:https://www.cisco.com/en/US/docs/ios/security/command/reference/sec_c5.pdf



Question 7
View the Exhibit. 

  

Refer to the exhibit. What is the maximum number of site-to-site VPNs allowed by this configuration?

  • A: 10
  • B: 15
  • C: unlimited
  • D: 5
  • E: 0
  • F: 1
Correct Answer: A
Reference: http://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/ha_contexts.html#pgfId-1142960



Question 8
How does Scavenger-class QoS mitigate DoS and worm attacks?

  • A: It matches traffic from individual hosts against the specific network characteristics of known attack types.
  • B: It sets a specific intrusion detection mechanism and applies the appropriate ACL when matching traffic is detected.
  • C: It monitors normal traffic flow and drops burst traffic above the normal rate for a single host.
  • D: It monitors normal traffic flow and aggressively drops sustained abnormally high traffic streams from multiple hosts.
Correct Answer: D
Reference: https://www.cisco.com/en/US/technologies/tk543/tk759/technologies_white_paper0900aecd80295ac7.pdf



Question 9
Which three statements about SXP are true? (Choose three.)

  • A: To enable an access device to use IP device tracking to learn source device IP addresses, DHCP snooping must be configured.
  • B: Each VRF supports only one CTS-SXP connection.
  • C: It resides in the control plane, where connections can be initiated from a listener.
  • D: Separate VRFs require different CTS-SXP peers, but they can use the same source IP addresses.
  • E: The SGA ZBPF uses the SGT to apply forwarding decisions.
  • F: Packets can be tagged with SGTs only with hardware support.
Correct Answer: BCF



Question 10
View the Exhibit. 

  

Refer to the exhibit. Which two effects of this configuration are true? (Choose two.)

  • A: Configuration commands in the router are authorized without checking the TACACS+ server.
  • B: When a user logs in to privilege EXEC mode, the router will track all user activity.
  • C: Requests to establish a reverse AUX connection to the router will be authorized against the TACACS+ server.
  • D: When a user attempts to authenticate on the device, the TACACS+ server will be prompt the user to enter the username stored in the router’s database.
  • E: If a user attempts to log in as a level 15 user, the local database will be used for authentication and TACACS+ server will be used for authorization.
  • F: It configures the router’s local database as the backup authentication method for all TTY, console, and aux logins.
Correct Answer: AD









CONNECT US


ProfExam
PROFEXAM WITH A 20% DISCOUNT

You can buy ProfExam with a 20% discount..

Get Now!


HOW TO OPEN VCEX AND EXAM FILES

Use ProfExam Simulator to open VCEX and EXAM files
ProfExam Screen



HOW TO OPEN VCE FILES

Use VCE Exam Simulator to open VCE files
Avanaset