(2019-December)New Braindump2go 400-251 PDF and VCE Dumps Free Share

December/2019 Braindump2go 400-251 Exam Dumps with PDF and VCE New Updated Today! Following are some new 400-251 Exam Questions,

New Question
Which of the following is true regarding failover link when ASAs are configured in the failover mode?

A. It is not recommended to use secure communication over failover link when ASA is terminating the VPN tunnel
B. Only the configuration replication sent across the link can be secured using a failover key
C. The information sent over the failover link can only be in clear text
D. The information sent over the failover link can be send in clear text, or it could be secured communication using a failover key
E. Failover key is not required for the secure communication over the failover link
F. The information sent over the failover link can only be sent as a secured communication

Answer: D

New Question
Which statement is true about Remote Triggered Black Hole Filtering feature (RTBH)?

A. It drops malicious traffic at the customer edge router by forwarding it to a Null0 interface
B. In RTBH filtering the trigger device redistributes static route to the iBGP peers
C. The Null0 interface used for filtering is able to receive the traffic, but never forwards it
D. It works in conjunction with QoS to drop the traffic that has less priority
E. It helps mitigate DDoS attack based only on source address
F. In FTBH filtering the trigger device is always an ISP edge router

Answer: B

New Question
ASA at 150.1.7.43 is configured to receive IP address to SGT mapping from ISE at 161.1.7.14. Which of the following is true regarding packet capture from wireshark?

A. SXP keepalive message using TCP originated from ISE
B. ISE keepalive message for NDAC connection using TCP originated from ASA
C. TACACS connection keepalive using UDP originated from ASA
D. RADIUS connection keepalive using TCP originated from ISE
E. NTP keepalive message using UDP originated from ISE
F. SXP keepalive message for SXP connection using UDP originated from ASA

Answer: A

New Question
What could be the reason for Dot1x session failure?

A. Incorrect identity source referenced
B. Incorrect authorization permission
C. Incorrect authentication rule
D. Identity source has the user present but not enabled
E. Incorrect authorization condition
F. Incorrect user group
G. Incorrect user string

Answer: D

New Question
Which of the following correctly describes NVGRE functionality?

A. In NVGRE network the endpoints are not responsible for the NVGRE encapsulation removal
B. It allows to create physical layer-2 topologies on physical layer-3 network
C. It tunnels PPP frames inside an IP packet over a physical network
D. In NVGRE network VSID does not need to be unique
E. It tunnels Ethernet frames inside an IP packet over a virtual network
F. It allows to create physical layer-2 topologies on virtual layer-3 network
G. In NVGRE network VSID is used to identify tenant’s address space

Answer: G

New Question
Which statement correctly describes Botnet attack?

A. It is launched by a single machine controlled by command and control system
B. It is a form of a fragmentation attack to evade an intrusion prevention security device
C. It is a form of a man-in-the-middle attack where the compromised machine is controlled remotely
D. It is launched by a collection of machines controlled by command and control system
E. It is a form of a wireless attack where attacker installs an access point to create backdoor to a network
F. It is launched by a collection of machines to execute DDoS against the attacker

Answer: D

New Question
R3
ip vrf mgmt
!c
rypto keyring CCIE vrf mgmt
pre-shared-key address 0.0.0.0 0.0.0.0 key cisco
!c
rypto isakmp policy 33
encr 3des
authentication pre-share
group 2
lifetime 600
!c
rypto ipsec transform-set site_ab esp-aes-256 esp-sha-hmac mode tunnel
!c
rypto ipsec profile site_a
set security-association lifetime seconds 600
set transform-set site_ab
!c
rypto gdoi group group_a
identity number 100
server local
rekey algorithm aes 256
rekey lifetime seconds 300
rekey retransmit 10 number 3
rekey authentication mypubkey rsa cciekey
rekey transport unicast
sa ipsec 1
profile site_a
match address ipv4 site_a
replay counter window-size 64
no tag
address ipv4 10.1.20.3
!i
nterface GigabitEthernet3
ip address 10.1.20.3 255.255.255.0
!i
p access-list extended site_a
permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
R3 is the Key Server in GETVPN VRF-Aware implementation. The Group Members for the site_a register with Key Server via interface address 10.1.20.3/24 in the management VRF “mgmt.”. The Group ID for the siste_a is 100 to retrieve group policy and keys from the key server. The traffic to be encrypted by the site_a Group Members is between 1921.68.4.0/24 and 192.168.5.0/24.
Preshared-key used by the Group Members to authenticate with Key Server is “cissco”. It has been reported that Group Members are unable to perform encryption for the traffic defined in the group policy of site_

A. What could be the issue?
B. Incorrect encryption traffic defined in the group policy
C. Incorrect mode configuration in the transform set
D. Incorrect password in the keyring configuration
E. Incorrect security-association time in the IPsec profile
F. Incorrect encryption in ISAKMP policy
G. The GDOI group has incorrect local server address
H. The registration interface is not part of management VRF “mgmt.”

Answer: G

New Question
Which statement is true about VRF-lite implementation in a service provider network?

A. It requires multiple links between CE and PE for each VPN connection to enable privacy
B. It uses source address to differentiate routes for different VPNs on the CE device
C. It can only support one VRF instance per CE device
D. It can have multiple VRF instances associated with a single interface on a CE device
E. It supports multiple VPNs at a CE device but their address spaces should not overlap
F. It enables the sharing of one CE device among multiple customers

Answer: F

New Question
Which of the following Cisco products gives ability to interact with malware for its behavior analysis?

A. NGIPS
B. FMC
C. ASA
D. DNA
E. ThreatGrid
F. pxGrid

Answer: E

New Question
R1
ntp authentication-key 12 md5 cisco
ntp authenticate
ntp trusted-key 12
ntp source GigabitEthernet
ntp master 1
!i
nterface GigabitEthernet1
ip address 171.1.7.21 255.255.255.0
R2
ntp authentication-key 12 md5 cisco
ntp authentication-key 102 md5 cisco
ntp authenticate
ntp trusted-key 12
ntp trusted-key 102
ntp server 171.1.7.21 key 102
R2# ping 172.1.7.21
Type escape sequence to abort
Sending 5 100-byte ICMP Echos to 171.1.7.21, timeout is 2 seconds !!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/4/5 ms
R2# sh ntp asso detail
171.1.7.21 configured ipv4, authenticated instance invalid, unsynced, stratum 6 ref ID INIT, time 00000000 0000000 (17:00:00.000 ccie Wed Dec 31, 2017)
R2 is getting time synchronized from NTP server R1. It has been reported that clock on R2 Is not able to associate with the NTP server R1. What could be the possible cause?

A. R2 has incorrect NTP server address
B. R1 has incorrect NTP source interface defined
C. R2 has incorrect trusted key binded with the NTP server
D. R2 does not support NTP authentication
E. R2 should not have two trusted keys for the NTP authentication
F. R2 has connectivity issue with the NTP server

Answer: C

New Question
Users are unable to access web server 192.168.101.3/24 and 1921.68.102.3/24 using Firefox web browser when initiated from 172.16.1.0/24 network. What could be the possible cause?

A. Identification profile “allow Profile” has incorrect source subnet
B. Access policy “allow policy” is pointing to incorrect identification profile
C. Identification profile “alow Profile” has incorrect protocol
D. Access policy “allow policy” has incorrect action set for the custom URL category
E. Custom URL category “allowed sites” has incorrect server addresses listed
F. Identification profile “allowed Profile” has misconfigured user agent

Answer: F

New Question
Which of the following is true regarding ASA clustering requirements?

A. Only routed mode is allowed in the single context mode
B. Units in the cluster can be running different software version as long as they have identical hardware configuration
C. Units in the cluster can have different hardware configuration as long as they are running same software version
D. Units in the cluster can be in different geographical locations
E. Units in the cluster can be in different security context modes
F. Units in the cluster can have different amount of flash memory

Answer: F

1.|2019 Latest Braindump2go 400-251 Exam Dumps (VCE & PDF) Instant Download:

https://www.braindump2go.com/400-251.html

2.|2019 Latest Braindump2go 400-251 Exam Questions & Answers Instant Download:

https://drive.google.com/drive/folders/0B75b5xYLjSSNcGJLWWtfdE96ZUU?usp=sharing