400-251 CCIE Security Written Exam (v5.0)

Page 1   
Question 1

Which three ISAKMP SA Message States can be output from the device that initiated an
IPsec tunnel? (Choose three)

  • A. MM_WAIT_MSG4
  • B. MM_WAIT_MSG2
  • C. MM_WAIT_MSG5
  • D. MM_WAIT_MSG6
  • E. MM_WAIT_MSG1
  • F. MM_WAIT_MSG3


Answer : A,B,D

Question 2

How does Scavenger-class QoS mitigate DoS and worm attacks?

  • A. It monitors normal traffic flow and drops burst traffic above the normal rate for a single host.
  • B. It matches traffic from individual hosts against the specific network characteristics of known attack types.
  • C. It sets a specific intrusion detection mechanism and applies the appropriate ACL when matching traffic is detected.
  • D. It monitors normal traffic flow and aggressively drops sustained abnormally high traffic streams from multiple hosts.


Answer : D

Question 3

Which three statements about Cisco AnyConnect SSL VPN with the ASA are
true? (Choose three)

  • A. DTLS can fall back to TLS without enabling dead peer detection.
  • B. By default, the VPN connection connects with DTLS.
  • C. Real-time application performance improves if DTLS is implemented.
  • D. Cisco AnyConnect connections use IKEv2 by default when it is configured as the primary protocol on the client.
  • E. By default, the ASA uses the Cisco AnyConnect Essentials license.
  • F. The ASA will verify the remote HTTPS certificate.


Answer : B,C,D

Question 4

Which two options are benefits of network summarization? (Choose two)

  • A. It can summarize discontiguous IP addresses.
  • B. It can easily be added to existing networks.
  • C. It can increase the convergence of the network.
  • D. It prevents unnecessary routing updates at the summarization boundary if one of the routes in the summary is unstable.
  • E. It reduces the number of routes.


Answer : D,E

Question 5

Which two design options are best to reduce security concerns when adopting IoT into an
organization? (Choose two)

  • A. Ensure that applications can gather and analyze data at the edge.
  • B. Implement video analytics on IP cameras.
  • C. Encrypt sensor data in transit.
  • D. Segment the Field Area Network from the Data Center network.
  • E. Encrypt data at rest on all devices in the IoT network.


Answer : C,D

Question 6

Which three Cisco attributes for LDAP authorization are supported on the ASA? (Choose
three)

  • A. L2TP-Encryption
  • B. Web-VPN-ACL-Filters
  • C. IPsec-Client-Firewall-Filter-Name
  • D. Authenticated-User-Idle-Timeout
  • E. IPsec-Default-Domain
  • F. Authorization-Type


Answer : B,D,E

Question 7

Refer to the exhibit.


Which effect of this configuration is true?

  • A. The downloadable ACL and AV pair ACL are merged after three connections are made to the RADIUS server.
  • B. The downloadable ACL and AV pair ACL are merged immediately when the RADIUS server is active.
  • C. For all users, entries in a downloadable ACL are given priority over entries in an AV pair ACL.
  • D. The downloadable ACL and the AV pair ACL entries are merged together, one ACE at a time.
  • E. A downloadable ACL is applied after an AV pair ACL.


Answer : E

Question 8

Which two characteristics of DTLS are true? (Choose two)

  • A. It is used mostly by applications that use application layer object-protocols.
  • B. It includes a congestion control mechanism.
  • C. It completes key negotiation and bulk data transfer over a single channel.
  • D. It supports long data transfers and connectionless data transfers.
  • E. It cannot be used if NAT exists along the path.
  • F. It includes a retransmission method because it uses an unreliable datagram transport.


Answer : C,D

Question 9

Refer to the exhibit.


After you applied this EtherChannel configuration to a Cisco ASA, the EtherChannel failed
to come up. Which reason for the problem is the most likely?

  • A. The lacp system-priority and lacp port-priority values are the same.
  • B. The EtherChannel requires three ports, and only two are configured.
  • C. The EtherChannel is disabled.
  • D. The channel group modes are mismatched.


Answer : D

Question 10

In which two situations is web authentication appropriate? (Choose two)

  • A. When secure connections to the network are unnecessary.
  • B. When a fallback authentication method is necessary.
  • C. When 802.1x authentication is required.
  • D. When devices outside the control of the organization's IT department are permitted to connect to the network.
  • E. When WEP encryption must be deployed on a large scale.


Answer : B,C

Question 11

Which three authorization technologies does Cisco TrustSec support? (Choose three)

  • A. 802.1x.
  • B. SGACL.
  • C. DACL.
  • D. MAB.
  • E. SGT.
  • F. VLAN.


Answer : A,D,F

Question 12

Which three commands can you use to configure VXLAN on a Cisco ASA firewall? (Choose
three)

  • A. sysopt connection tcpmss
  • B. nve-only
  • C. default-mcast-group
  • D. segment-id
  • E. inspect vxlan
  • F. set ip next-hop verify-availability


Answer : B,C,D

Question 13

Refer to the exhibit.


Which two effects of this configuration are true? (Choose two)

  • A. When a user logs in to privileged EXEC mode, the router will track all user activity.
  • B. It configures the router's local database as the backup authentication method for all TTY, console, and aux logins.
  • C. If a user attempts to log in as a level 15 user, the local database will be used for authentication and TACACS+ will be used for authorization.
  • D. Configuration commands on the router are authorized without checking the TACACS+ server.
  • E. When a user attempts to authenticate on the device, the TACACS+ server will prompt the user to enter the username stored in the router's database.
  • F. Requests to establish a reverse AUX connection to the router will be authorized against the TACACS+ server.


Answer : B,D

Question 14

Which OpenStack project has orchestration capabilities?

  • A. Cinder.
  • B. Heat.
  • C. Horizon.
  • D. Sahara.


Answer : B

Question 15

Which three statements about PKI on Cisco IOS Software are true? (Choose three)

  • A. OCSP is well-suited for enterprise PKIs in which CRLs expire frequently.
  • B. The match certificate and allow expired-certificate commands are ignored unless the router clock is set.
  • C. If a certificate-based ACL specifies more than one field, any one successful field-to-value test is treated as a match.
  • D. OCSP enables a PKI to use a CRL without time limitations.
  • E. Certificate-based ACLs can be configured to allow expired certificates if the peer is otherwise valid.
  • F. Different OCSP servers can be configured for different groups of client certificates.


Answer : A,E,F
