Get Full Version of the Exam
http://www.EnsurePass.com/400-251.html
Question No.31
Refer to the exhibit. Which effect of this configuration is true?
A. If the RADIUS server is unreachable, SSH users cannot authenticate.
B. Users must be in the RADIUS server to access the serial console.
C. Users accessing the device via SSH and those accessing enable mode are authenticated against the RADIUS server.
D. All commands are validated by the RADIUS server before the device executes them.
E. Only SSH users are authenticated against the RADIUS server.
Correct Answer: C
Question No.32
Refer to the exhibit. You applied this VPN cluster configuration to a Cisco ASA and the cluster failed to form. How do you edit the configuration to correct the problem?
A. Define the maximum allowable number of VPN connections.
B. Define the master/slave relationship.
C. Configure the cluster IP address.
D. Enable load balancing.
Correct Answer: C
Question No.33
Refer to the exhibit. Which effect of this configuration is true?
A. Users attempting to access the console port are authenticated against the TACACS server.
B. The device tries to reach the server every 24 hours and falls back to the LOCAL database if it fails.
C. If TACACS authentication fails, the ASA uses Cisco 123 as its default password.
D. The servers in the TACACS group are reactivated every 1440 seconds.
E. Any VPN user with a session timeout of 24 hours can access the device.
Correct Answer: A
Question No.34
Which option best describes RPL?
A. RPL stands for Routing over low priority links that use link-state LSAs to determine the best route between two root border routers.
B. RPL stands for Routing over low priority links that use distance vector DODAG to determine the best route between two root border routers.
C. RPL stands for Routing over Low-power Lossy Networks that use link-state LSAs to determine the best route between leaves and the root border router.
D. RPL stands for Routing over Low-power Lossy Networks that use distance vector DODAG to determine the best route between leaves and the root border router.
Correct Answer: D
Question No.35
Which three statements about SCEP are true? (Choose three.)
A. It supports online certification revocation.
B. Cryptographically signed and encrypted messages are conveyed using PKCS#7.
C. It supports multiple cryptographic algorithms including RSA.
D. The certificate request format uses PKCS#10.
E. CRL retrieval is supported through CDP (Certificate Distribution Point) queries.
F. It supports synchronous granting.
Correct Answer: BDE
Explanation:
Simple Certificate Enrollment Protocol
http://www.cisco.com/c/en/us/support/docs/security-vpn/public-key-infrastructure-pki/116167-technote-scep-00.html
Question No.36
Which statement about deploying policies with the Firepower Management Center is true?
A. All policies are deployed on-demand when the administrator triggers them.
B. Deploy tasks can be scheduled to deploy policies automatically.
C. The leaf domain can deploy changes to all subdomains simultaneously.
D. The global domain can deploy changes to individual subdomains.
E. Policies are deployed automatically when the administrator saves them.
Correct Answer: B
Question No.37
What are three features that are enabled by generating Change of Authorization (CoA) requests in a push model? (Choose three.)
A. session reauthentication
B. session identification
C. host reauthentication
D. MAC identification
E. session termination
F. host termination
Correct Answer: BCE
Question No.38
Which two options are benefits of network summarization? (Choose two.)
A. It prevents unnecessary routing updates at the summarization boundary if one of the routes in the summary is unstable.
B. It can increase the convergence of the network.
C. It can summarize discontiguous IP addresses.
D. It can easily be added to existing networks.
E. It reduces the number of routes.
Correct Answer: AE
Question No.39
Which three statements about SXP are true? (Choose three.)
A. It resides in the control plane, where connections can be initiated from a listener.
B. Packets can be tagged with SGTs only with hardware support.
C. Each VRF supports only one CTS-SXP connection.
D. To enable an access device to use IP device tracking to learn source device IP addresses, DHCP snooping must be configured.
E. The SGA ZBFW uses the SGT to apply forwarding decisions.
F. Separate VRFs require different CTS-SXP peers, but they can use the same source IP addresses.
Correct Answer: BCE
Question No.40
When TCP Intercept is enabled in its default mode, how does it react to a SYN request?
A. It monitors the sequence of SYN, SYN-ACK, and ACK messages until the connection is fully established.
B. It monitors the attempted connection and drops it if it fails to establish within 30 seconds.
C. It allows the connection without inspection.
D. It intercepts the SYN before it reaches the server and responds with a SYN-ACK.
E. It drops the connection.
Correct Answer: D