[2017 New] Free Lead2pass Cisco 400-251 PDF Exam Questions And Answers Download (101-125)

2017 August Cisco Official New Released 400-251 Dumps in Lead2pass.com!

100% Free Download! 100% Pass Guaranteed!

Our dumps have been reviewed and approved by industry experts and individuals who have taken and passed 400-251 exam. Lead2pass will have you prepared to take 400-251 test with high confidence and pass easily. Whether you are looking for 400-251 study guide, 400-251 exam questions, 400-251 exam dump or 400-251 test, Lead2pass.com has you covered.

Following questions and answers are all new published by Cisco Official Exam Center: https://www.lead2pass.com/400-251.html

QUESTION 101
Refer to the exhibit. Which effect of this configuration is true?

 

A.    Host_1 learns about R2 and only and prefers R2 as its default router
B.    Host_1 selects R2 as its default router and load balances between R2 and R3
C.    Host_1 learns about R2 and R3 only and prefers R3 as its default router
D.    Host_1 learns about R1,R2 and R3 and load balances between them
E.    Host_1 learns about R1, R2 and R3 and prefers R2 as its default router

Answer: E

QUESTION 102
Which statement regarding the routing functions of the Cisco ASA is true running software version 9.2?

A.    In a failover pair of ASAs, the standby firewall establishes a peer relationship with OSPF neighbors
B.    The ASA supports policy-based routing with route maps
C.    Routes to the Null0 interface cannot be configured to black-hole traffic
D.    The translations table cannot override the routing table for new connections

Answer: C

QUESTION 103
Which two statement about router Advertisement message are true? (Choose two)

A.    Local link prefixes are shared automatically.
B.    Each prefix included in the advertisement carries lifetime information f Or that prefix.
C.    Massage are sent to the miscast address FF02::1
D.    It support a configurable number of retransmission attempts for neighbor solicitation massage.
E.    Flag setting are shared in the massage and retransmitted on the link.
F.    Router solicitation massage are sent in response to router advertisement massage

Answer: AE
Explanation:
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6_basic/configuration/xe-3s/ip6b-xe-3s-book/ip6-neighb-disc-xe.html#GUID-1C16B07D-4464-4506-9E0B-DA6AA7743E83

QUESTION 104
Refer to the exhibit. Which effect of this configuration is true?

 

A.    NUD retransmits 1000 Neighbor solicitation messages every 4 hours and 4 minutes.
B.    NUD retransmits Neighbor Solicitation messages after 4, 16, 64 and 256 seconds.
C.    NUD retransmits Neighbor Solicitation messages every 4 seconds.
D.    NUD retransmits unsolicited Neighbor advertisements messages every 4 hours.
E.    NUD retransmits f our Neighbor Solicitation messages every 1000 seconds.
F.    NUD retransmits Neighbor Solicitation messages after 1, 4, 16, and 64 seconds.

Answer: E

QUESTION 105
What are two features of cisco IOS that can help mitigate Blaster worm attack on RPC ports? (Choose two)

A.    FPM
B.    DCAR
C.    NBAR
D.    IP source Guard
E.    URPF
F.    Dynamic ARP inspection

Answer: DE

QUESTION 106
Which two statement about the multicast addresses query message are true?(Choose two)

A.    They are solicited when a node initialized the multicast process.
B.    They are used to discover the multicast group to which listeners on a link are subscribed
C.    They are used to discover whether a specified multicast address has listeners
D.    They are send unsolicited when a node initializes the multicast process
E.    They are usually sent only by a single router on a link
F.    They are sent when a node discover a multicast group

Answer: BC

QUESTION 107
Refer to the exhibit. What IPSec function does the given debug output demonstrate?

 

A.    DH exchange initiation
B.    setting SPIs to pass traffic
C.    PFS parameter negotiation
D.    crypto ACL confirmation

Answer: D
Explanation:
This Cisco IPSec troubleshooting guide explains details about every packet exchange during IPSec phase 1 and 2. Take a look at the section about QM2. It is exact match of the above exhibit.
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113574-tg-asa-ipsec-ike-debugs-main-00.html

QUESTION 108
Drag and Drop Question
Drag each MACsec term on the left to the right matching statement on the right.

 

Answer:

 

QUESTION 109
IANA is responsible for which three IP resources? (Choose three.)

A.    IP address allocation
B.    Detection of spoofed address
C.    Criminal prosecution of hackers
D.    Autonomous system number allocation
E.    Root zone management in DNS
F.    BGP protocol vulnerabilities

Answer: ADE

QUESTION 110
When you are configuring QoS on the Cisco ASA appliance.
Which four are valid traffic selection criteria? (Choose four)

A.    default-inspection-traffic
B.    qos-group
C.    DSCP
D.    VPN group
E.    tunnel group
F.    IP precedence

Answer: ACEF

QUESTION 111
Which two statements about the anti-replay feature are true? (Choose two)

A.    By default, the sender uses a single 1024-packet sliding window
B.    By default, the receiver uses a single 64-packet sliding window
C.    The sender assigns two unique sequence numbers to each clear-text packet
D.    The sender assigns two unique sequence numbers to each encrypted packet
E.    the receiver performs a hash of each packet in the window to detect replays
F.    The replay error counter is incremented only when a packet is dropped

Answer: BF
Explanation:
The sender never assigns two sequence numbers.
Check this Cisco document, especially steps 2 and 4 in the anti-replay check failure description
http://www.cisco.com/c/en/us/support/docs/ip/internet-key-exchange-ike/116858-problem-replay-00.html

QUESTION 112
You have configured a DMVPN hub and spoke a follows (assume the IPsec profile “dmvpnprofile” is configured correctly):

 

With this configuration, you notice that the IKE and IPsec SAs come up between the spoke and the hub, but NHRP registration fails. Registration will continue to fail until you do which of these?

A.    Configure the ipnhrp cache non-authoritative command on the hub’s tunnel interface
B.    Modify the NHRP hold times to match on the hub and spoke
C.    Modify the NHRP network IDs to match on the hub and spoke
D.    Modify the tunnel keys to match on the hub and spoke

Answer: D
Explanation:
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_nhrp/configuration/xe-16/nhrp-xe-16-book/config-nhrp.html

QUESTION 113
Which of the following is one of the components of cisco Payment Card Industry Solution?

A.    Virtualization
B.    Risk Assessment
C.    Monitoring
D.    Disaster Management

Answer: B

QUESTION 114
Which two statements about the DH group are true? (Choose two.)

A.    The DH group is used to provide data authentication.
B.    The DH group is negotiated in IPsec phase-1.
C.    The DH group is used to provide data confidentiality.
D.    The DH group is used to establish a shared key over an unsecured medium.
E.    The DH group is negotiated in IPsec phase-2.

Answer: BD

QUESTION 115
Your 1Pv6 network uses a CA and trust anchor to implement secure network discover.
What extension must your CA certificates support?

A.    extKeyUsage
B.    nameConstrainsts
C.    id-pe-ipAddrBlocks
D.    Id-pe-autonomousSysldsE. Ia-ad-calssuers
E.    keyUsage

Answer: A
Explanation:
Check this RFC for the source of correct information (start from section 7)
https://tools.ietf.org/html/rfc6494

QUESTION 116
A server with Ip address 209.165.202.150 is protected behind the inside of a cisco ASA or PIX security appliance and the internet on the outside interface.
User on the internet need to access the server at any time but the firewall administrator does not want to apply NAT to the address of the server because it is currently a public address, which three of the following command can be used to accomplish this? (Choose three)

A.    static (inside,outside) 209.165.202.150 209.165.202.150 netmask 255.255.255.2″
B.    nat (inside) 1 209.165.202.150 255.255.255.255
C.    no nat-control
D.    nat (inside) 0 209.16S.202.150 255.255.255.255
E.    static (outside.insid) 209.165.202.150 209.165.202.150 netmask 255.255.255.255
F.    access-tist no-nat permit ip host 209.165.202.150 any nat (inside) 0 access-list no-nat

Answer: ADF

QUESTION 117
Which three statements about RLDP are true? (Choose three)

A.    It can detect rogue Aps that use WPA encryption
B.    It detects rogue access points that are connected to the wired network
C.    The AP is unable to serve clients while the RLDP process is active
D.    It can detect rogue APs operating only on 5 GHz
E.    Active Rogue Containment can be initiated manually against rogue devices detected on the wired network
F.    It can detect rogue APs that use WEP encryption

Answer: BCE
Explanation:
http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/70987-rogue-detect.html

QUESTION 118
Which Cisco ASA firewall mode supports ASDM one-time-password authentication using RSA SecurID?

A.    Network translation mode
B.    Single-context routed mode
C.    Multiple-context mode
D.    Transparent mode

Answer: B

QUESTION 119
Refer to the exhibit. A signature failed to compile and returned the given error messages.
What is a possible reason for the problem?

 

A.    The signature belongs to the IOS IPS Basic category.
B.    The signature belongs to the IOS IPS Advanced category.
C.    There is insufficient memory to compile the signature.
D.    The signature is retired.
E.    Additional signature must be complied during the compiling process.

Answer: C

QUESTION 120
Which command sequence can you enter to enable IP multicast for WCCPv2?

A.    Router(config)#ip wccp web-cache service-list
Router(config)#interface FastEthernet0/0
Router(config)#ip wccp web-cache group-listen
B.    Router(config)#ip wccp web-cache group-list
Router(config)#interface FastEthernet0/0
Router(config)#ip wccp web-cache group-listen
C.    Router(config)#ip wccp web-cache group-address 224.1.1.100
Router(config)#interface FastEthernet0/0
Router(config)#ip wccp web-cache redirect in
D.    Router(config)#ip wccp web-cache group-address 224.1.1.100
Router(config)#interface FastEthernet0/0
Router(config)#ip wccp web-cache group-listen
E.    Router(config)#ip wccp web-cache group-address 224.1.1.100
Router(config)#interface FastEthernet0/0
Router(config)#ip wccp web-cache redirect out

Answer: D

QUESTION 121
The computer at 10.10.10.4 on your network has been infected by a botnet that directs traffic to a malware site at 168.65.201.120. Assuming that filtering will be performed on a Cisco ASA.
What command can you use to block all current and future connections from the infected host?

A.    ip access-list extended BLOCK_BOT_OUT deny ip any host 10.10.10.4
B.    shun 10.10.10.4 168.65.201.120 6000 80
C.    ip access-list extended BLOCK_BOT_OUT deny ip host 10.10.10.4 host 168.65.201.120
D.    ip access-list extended BLOCK_BOT_OUT deny ip host 168.65.201.120 host 10.10.10.4
E.    shun 168.65.201.120 10.10.10.4 6000 80

Answer: B
Explanation:
The key points to consider here are “current and future connections from infected host”. If using the ACL, it will only stop the current connection but an infected host may establish a connection to a different host and it would not work. The Shun command with destination IP deals with current and future connections to any host.
http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/S/cmdref3/s15.html

QUESTION 122
IKEv2 provide greater network attack resiliency against a DoS attack than IKEv1 by utilizing which two functionalities?(Choose two)

A.    with cookie challenge IKEv2 does not track the state of the initiator until the initiator respond with cookie.
B.    Ikev2 perform TCP intercept on all secure connections
C.    IKEv2 only allows symmetric keys for peer authentication
D.    IKEv2 interoperates with IKEv1 to increase security in IKEv1
E.    IKEv2 only allows certificates for peer authentication
F.    An IKEv2 responder does not initiate a DH exchange until the initiator responds with a cookie

Answer: AF

QUESTION 123
Which five of these are criteria for rule-based rogue classification of access points by the cisco Wireless LAN controller? (Choose five)

A.    MAC address range
B.    MAC address range number of clients it has
C.    open authentication
D.    whether it matches a user-configured SSID
E.    whether it operates on an authorized channel
F.    minimum RSSI
G.    time of day the rogue operates
H.    Whether it matches a managed AP SSID

Answer: BCDFH

QUESTION 124
Which two statement about the DES algorithm are true?(Choose two)

A.    It uses a 64-bit key block size and its effective key length is 65 bits
B.    It uses a 64-bits key block size and its effective key length is 56 bits
C.    It is a stream cripher that can be used with any size input
D.    It is more efficient in software implements than hardware implementations.
E.    It is vulnerable to differential and linear cryptanalysis
F.    It is resistant to square attacks

Answer: BE

QUESTION 125
Which three types of addresses can the Botnet Traffic Filter feature of the Cisco ASA monitor? (Choose three)

A.    Ambiguous addresses
B.    Known malware addresses
C.    Listed addresses
D.    Dynamic addresses
E.    Internal addresses
F.    Known allowed addresses

Answer: ABF

At Lead2pass we verify that 100% of the 400-251 exam questions in exam test prep package are real questions from a recent version of the 400-251 test you are about to take. We have a wide library of 400-251 exam dumps.

400-251 new questions on Google Drive: https://drive.google.com/open?id=0B3Syig5i8gpDMERESjlYcVlZNWs

2017 Cisco 400-251 exam dumps (All 470 Q&As) from Lead2pass:

https://www.lead2pass.com/400-251.html [100% Exam Pass Guaranteed]