Braindump2go 400-251 Dumps,400-251 Exam Questions,400-251 PDF Dumps,400-251 VCE Dumps,Cisco [April-2018-New]100% Real 400-251 Exam PDF and VCE Dumps Free Download in Braindump2go[177-189]

[April-2018-New]100% Real 400-251 Exam PDF and VCE Dumps Free Download in Braindump2go[177-189]

2018 April New Cisco 400-251 Real Exam Dumps with PDF and VCE Just Updated Today! Following are some new 400-251 Real Exam Questions:

1.|2018 Latest 400-251 Exam Dumps (PDF & VCE) 359Q Download:

https://www.braindump2go.com/400-251.html

2.|2018 Latest 400-251 Exam Questions & Answers Download:

https://drive.google.com/drive/folders/0B75b5xYLjSSNcGJLWWtfdE96ZUU?usp=sharing

QUESTION 177
Refer to the exhibit. What is the configuration design to prevent?

A. Man in the Middle Attacks
B. Dynamic payload inspection
C. Backdoor control channels for infected hosts
D. DNS Inspection

Answer: C
Explanation:
Cisco ASA firewall is configured for botnet filtering which prevents backdoor control channels from infected hosts.

QUESTION 178
Which three statements about the Cisco IPS sensor are true? (Choose three.)

A. You cannot pair a VLAN with itself.
B. For a given sensing interface, an interface used in a VLAN pair can be a member of another inline interface pair.
C. For a given sensing interface, a VLAN can be a member of only one inline VLAN pair, however, a given VLAN can be a member of an inline VLAN pair on more than one sensing interface.
D. The order in which you specify the VLANs in a inline pair is significant.
E. A sensing interface in inline VLAN pair mode can have from 1 to 255 inline VLAN pairs.

Answer: ACE
Explanation:
Inline VLAN Interface Pairs
You cannot pair a VLAN with itself.
For a given sensing interface, a VLAN can be a member of only one inline VLAN pair. However, a given VLAN can be a member of an inline VLAN pair on more than one sensing interface.
The order in which you specify the VLANs in an inline VLAN pair is not significant. A sensing interface in inline VLAN pair mode can have from 1 to 255 inline VLAN pairs.

QUESTION 179
Which command sets the Key-length for the IPv6 send protocol?

A. IPv6 nd ns-interval
B. Ipv6 ndra-interval
C. IPv6 nd prefix
D. IPv6 nd inspection
E. IPv6 nd secured

Answer: E

QUESTION 180
Which two statement about MSDP ate true? (Choose three)

A. It can connect to PIM-SM and PIM-DM domains
B. It announces multicast sources from a group
C. The DR sends source data to the rendezvous point only at the time the source becomes active
D. It can connect only to PIM-DM domains
E. It registers multicast sources with the rendezvous point of a domain
F. It allows domains to discover multicast sources in the same or different domains.

Answer: BEF

QUESTION 181
What are two advantages of NBAR2 over NBAR? (Choose two)

A. Only NBAR2 support Flexible NetFlow for extracting and exporting fields from the packet header.
B. Only NBAR2 allows the administrator to apply individual PDL files.
C. Only NBAR2 support PDLM to support new protocals.
D. Only NBAR2 can use Sampled NetFlow to extract pre-defined packet headers for reporting.
E. Only NBAR2 supports custom protocols based on HTTP URLs.

Answer: AE

QUESTION 182
Which two statements about Network Edge Authentication Technology (NEAT) are true? (Choose two)

A. It requires a standard ACL on the switch port
B. It conflicts with auto-configuration
C. It allows you to configure redundant links between authenticator and supplicant switches
D. It supports port-based authentication on the authenticator switch
E. It can be configured on both access ports and trunk ports
F. It can be configured on both access ports and EtherChannel ports

Answer: DE

QUESTION 183
What are three pieces of data you should review in response to a suspected SSL MITM attack? (Choose three)

A. The IP address of the SSL server
B. The X.509 certificate of the SSL server
C. The MAC address of the attacker
D. The MAC address of the SSL server
E. The X.509 certificate of the attacker
F. The DNS name off the SSL server

Answer: ABF

QUESTION 184
From what type of server can you to transfer files to ASA’s internal memory ?

A. SSH
B. SFTP
C. Netlogon
D. SMB

Answer: D

QUESTION 186
Which feature can you implement to protect against SYN-flooding DoS attacks?

A. the ip verify unicast reverse-path command
B. a null zero route
C. CAR applied to icmp packets
D. TCP Intercept

Answer: D
Explanation:
https://www.sans.org/security-resources/idfaq/preventing-syn-flooding-with-cisco-routers/5/5

QUESTION 187
Refer to the exhibit. If R1 is connected upstream to R2 and R3 at different ISPs as shown, what action must be taken to prevent Unicast Reverse Path Forwarding (uRPF) from dropping asymmetric traffic?

A. Configure Unicast RPF Loose Mode on R2 and R3 only.
B. Configure Unicast RPF Loose Mode on R1 only.
C. Configure Unicast RPF Strict Mode on R1 only.
D. Configure Unicast RPF Strict Mode on R1,R2 and R3.
E. Configure Unicast RPF Strict Mode on R2 and R3 only.

Answer: B
Explanation:
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_urpf/configuration/xe-3s/sec-data-urpf-xe-3s-book/sec-unicast-rpf-loose-mode.html
http://www.cisco.com/c/en/us/about/security-center/unicast-reverse-path-forwarding.html

QUESTION 188
Refer to the exhibit. Which effect of this Cisco ASA policy map is true?

A. The Cisco ASA is unable to examine the TLS session.
B. The server ends the SMTP session with a QUIT command if the algorithm or key length is insufficiently secure.
C. it prevents a STARTTLS session from being established.
D. The Cisco ASA logs SMTP sessions in clear text.

Answer: D
Explanation:
http://www.cisco.com/c/en/us/about/security-center/intelligence/asa-esmtp-starttls.html#interact
https://stomp.colorado.edu/blog/blog/2012/12/31/on-smtp-starttls-and-the-cisco-asa/
And in RFC 3207 that governs this TLS negotiation is said that
” If the SMTP client decides that the level of authentication or privacy is not high enough for it to continue, it SHOULD issue an SMTP QUIT command immediately after the TLS negotiation is complete.
If the SMTP server decides that the level of authentication or privacy is not high enough for it to continue, it SHOULD reply to every SMTP command from the client (other than a QUIT command) with the 554 reply code (with a possible text string such as “Command refused due to lack of security”).”
Hence it is the client that sends QUIT command, not the server
This is an example of ASA logging an SMTP session that was established using TLS:
Mar 07 2017 19:40:04: %ASA-6-108007: TLS started on ESMTP session between client outside:98.139.212.154/45850 and server inside:192.168.1.12/25

QUESTION 189
What security element must an organization have in place before it can implement a security audit and validate the audit results?

A. firewall
B. network access control
C. an incident response team
D. a security policy
E. a security operation center

Answer: D


!!!RECOMMEND!!!

1.|2018 Latest 400-251 Exam Dumps (PDF & VCE) 359Q Download:

https://www.braindump2go.com/400-251.html

2.|2018 Latest 400-251 Study Guide Video:

https://youtu.be/DH_ZfDVMWiU

Related Post