web analytics

[2017 New] Free Lead2pass 400-251 PDF Guarantee 100% Get 400-251 Certification (1-25)

2017 July Cisco Official New Released 400-251 Dumps in Lead2pass.com!

100% Free Download! 100% Pass Guaranteed!

Are you struggling for the 400-251 exam? Good news, Lead2pass Cisco technical experts have collected all the questions and answers which are updated to cover the knowledge points and enhance candidates’ abilities. We offer the latest 400-251 PDF and VCE dumps with new version VCE player for free download, and the new 400-251 dump ensures your 400-251 exam 100% pass.

Following questions and answers are all new published by Cisco Official Exam Center: https://www.lead2pass.com/400-251.html

According to OWASP guidelines, what is the recommended method to prevent cross-site request forgery?

A.    Allow only POST requests.
B.    Mark all cookies as HTTP only.
C.    Use per-session challenge tokens in links within your web application.
D.    Always use the “secure” attribute for cookies.
E.    Require strong passwords.

Answer: C

What is the maximum pattern length supported by FPM searches within a packet?

A.    256 bytes
B.    128 bytes
C.    512 bytes
D.    1500 bytes

Answer: A

Which two statements about role-based access control are true?(Choose two)

A.    Server profile administrators have read and write access to all system logs by default.
B.    If the same user name is used for a local user account and a remote user account, the roles defined in the remote user account override the local user account.
C.    A view is created on the Cisco IOS device to leverage role-based access controls.
D.    Network administrators have read and write access to all system logs by default.
E.    The user profile on an AAA server is configured with the roles that grant user privileges.

Answer: CE

Which three global correlation feature can be enabled from cisco IPD device manager (Cisco IDM)? (Choose three)

A.    Network Reputation
B.    Global Data Interaction
C.    Signature Correlation
D.    Reputation Filtering
E.    Global Correlation Inspection
F.    Data Contribution
G.    Reputation Assignment

Answer: ADE

According to RFC 4890, which three message must be dropped at the transit firewall/router?(Choose three.)

A.    Router Renumbering (Type 138)
B.    Node Information Query (Type 139)
C.    Router Solicitation (Type 133)
D.    Node information Response (Type 140)
E.    Router Advertisement (Type 134)
F.    Neighbor Solicitation (Type 135)

Answer: ABD

What is the effect of the following command on Cisco IOS router?

ip dns spoofing

A.    The router will respond to the DNS query with its highest loopback address configured
B.    The router will respond to the DNS query with if the query id for its own hostname
C.    The router will respond to the DNS query with the IP address of its incoming interface for any hostname query
D.    The router will respond to the DNS query with the IP address of its incoming interface for its own hostname

Answer: D


Which two options are differences between automation and orchestration? (Choose two)

A.    Automation is to be used to replace human intervention
B.    Automation is focused on automating a single or multiple tasks
C.    Orchestration is focused on an end-to-end process or workflow
D.    Orchestration is focused on multiple technologies to be integrated together
E.    Automation is an IT workflow composed of tasks, and Orchestration is a technical task

Answer: BC

Refer to the exhibit. What is the effect of the given configuration?


A.    It sets the duplicate address detection interval to 60 second and sets the IPv6 neighbor reachable time to 3600 milliseconds.
B.    It sets the number of neighbor solicitation massages to 60 and sets the retransmission interval to
3600 milliseconds.
C.    It sets the number of duplicate address detection attempts to 60 and sets the duplicate address detection interval to 3600 millisecond.
D.    It sets the number of neighbor solicitation massage to 60 and set the duplicate address detection interval to 3600 second.
E.    It sets the duplicate address detection interval to 60 second and set the IPv6 neighbor solicitation interval to 3600 millisecond.

Answer: B
What are two characteristics of RPL, used in loT environments? (Choose two)

A.    It is an Exterior Gateway Protocol
B.    It is a Interior Gateway Protocol
C.    It is a hybrid protocol
D.    It is link-state protocol
E.    It is a distance-vector protocol

Answer: BE

In a Cisco ASA multiple-context mode of operation configuration, what three session types are resource-limited by default when their context is a member of the default class?(choose three).

A.    Telnet sessions
B.    ASDM sessions
C.    IPSec sessions
D.    SSH sessions
E.    TCP sessions
F.    SSL VPN sessions

Answer: ABD

Drag and Drop Question
Drag each OSPF security feature on the left to its description on the right.




Which VPN technology is based on GDOI (RFC 3547)?

A.    MPLS Layer 3 VPN
B.    MPLS Layer 2 VPN
D.    IPsec VPN

Answer: C

Which statement about the 3DES algorithm is true?

A.    The 3DES algorithm uses the same key for encryption and decryption,
B.    The 3DES algorithm uses a public-private key pair with a public key for encryption and a private key for decryption.
C.    The 3DES algorithm is a block cipher.
D.    The 3DES algorithm uses a key length of 112 bits.
E.    The 3DES algorithm is faster than DES due to the shorter key length.

Answer: C

Which significant change to PCI DSS standards was made in PCI DSS version 3.1?

A.    No version of TLS is now considered to provide strong cryptography.
B.    Storage of sensitive authentication data after authorization is now permitted when proper encryption is applied.
C.    Passwords are now required to be changed at least once every 30 days.
D.    SSL is now considered a weak cryptographic technology.
E.    If systems that are vulnerable to POODLE are deployed in an organization, a patching and audit review process must be implemented.

Answer: D

Refer to the Exhibit, what is a possible reason for the given error?


A.    One or more require application failed to respond.
B.    The IPS engine is busy building cache files.
C.    The IPS engine I waiting for a CLI session to terminate.
D.    The virtual sensor is still initializing.

Answer: D

Which three statements about the keying methods used by MAC Sec are true (Choose Three)

A.    MKA is implemented as an EAPoL packet exchange
B.    SAP is enabled by default for Cisco TrustSec in manual configuration mode.
C.    SAP is supported on SPAN destination ports
D.    Key management for host-to-switch and switch-to-switch MACSec sessions is provided by MKA
E.    SAP is not supported on switch SVIs .
F.    A valid mode for SAP is NULL

Answer: AEF
SAP is disabled by default in Cisco TrustSec manual mode

Which two statements about Cisco ASA authentication using LDAP are true? (Choose two)

A.    It uses attribute maps to map the AD memberOf attribute to the cisco ASA Group-Poilcy attribute
B.    It uses AD attribute maps to assign users to group policies configured under the WebVPN context
C.    The Cisco ASA can use more than one AD memberOf attribute to match a user to multiple group policies
D.    It can assign a group policy to a user based on access credentials
E.    It can combine AD attributes and LDP attributes to configure group policies on the Cisco ASA
F.    It is a closed standard that manages directory-information services over distributed networks

Answer: BD

Drag and Drop Question
Drag each IPS signature engine on the left to its description on the right.





With this configuration you notice that the IKE and IPsec SAs come up between the spoke and the hub, but NHRP registration fails Registration will continue to fail until you do which of these?


A.    Modify the NHRP network IDs to match on the hub and spoke.
B.    configure the ip nhrp caches non-authoritative command on the hub’s tunnel interface.
C.    modify the tunnel keys to match on the hub and spoke.
D.    modify the NHRP hold time to match on the hub and spoke.

Answer: C

Which three statements are true regarding Security Group Tags? (Choose three.)

A.    When using the Cisco ISE solution, the Security Group Tag gets defined as a separate authorization result.
B.    When using the Cisco ISE solution, the Security Group Tag gets defined as part of a standard authorization profile.
C.    Security Group Tags are a supported network authorization result using Cisco ACS 5.x.
D.    Security Group Tags are a supported network authorization result for 802.1X, MAC Authentication Bypass, and WebAuth methods of authentication.
E.    A Security Group Tag is a variable length string that is returned as an authorization result.

Answer: ACD

Refer to the exhibit which two statement about the given IPV6 ZBF configuration are true? (Choose two)


A.    It provides backward compability with legacy IPv6 inspection
B.    It inspect TCP, UDP,ICMP and FTP traffic from Z1 to Z2.
C.    It inspect TCP, UDP,ICMP and FTP traffic from Z2 to Z1.
D.    It inspect TCP,UDP,ICMP and FTP traffic in both direction between z1 and z2.
E.    It passes TCP, UDP,ICMP and FTP traffic from z1 to z2.
F.    It provide backward compatibility with legacy IPv4 inseption.

Answer: AB

In which class of applications security threads does HTTP header manipulation reside?

A.    Session management
B.    Parameter manipulation
C.    Software tampering
D.    Exception managements

Answer: B
Session management doesn’t have anything to do with HTTP header

What is the most commonly used technology to establish an encrypted HTTP connection?

A.    the HTTP/1.1 Upgrade header
B.    the HTTP/1.0 Upgrade header
C.    Secure Hypertext Transfer Protocol

Answer: D

What functionality is provided by DNSSEC?

A.    origin authentication of DNS data
B.    data confidentiality of DNS queries and answers
C.    access restriction of DNS zone transfers
D.    storage of the certificate records in a DNS zone file

Answer: A

What are the two mechanism that are used to authenticate OSPFv3 packets?(Choose two)

A.    MD5
B.    ESP
D.    AH
E.    SHA

Answer: BD

We ensure our new version 400-251 PDF and VCE dumps are 100% valid for passing exam, because Lead2pass is the top IT certification study training materials vendor. Many candidates have passed exam with the help of Lead2pass’s VCE or PDF dumps. Lead2pass will update the study materials timely to make them be consistent with the current exam. Download the free demo on Lead2pass, you can pass the exam easily.

400-251 new questions on Google Drive: https://drive.google.com/open?id=0B3Syig5i8gpDbkNSWnpMam9TWWM

2017 Cisco 400-251 exam dumps (All 449 Q&As) from Lead2pass:

https://www.lead2pass.com/400-251.html [100% Exam Pass Guaranteed]