[2019-April-New]Download 400-251 Exam Questions from Braindump2go
2019/April Braindump2go 400-251 Exam Dumps with PDF and VCE New Updated Today! Following are some new 400-251 Real Exam Questions:
1.|2019 Latest 400-251 Exam Dumps (PDF & VCE) Instant Download: https://www.braindump2go.com/400-251.html 2.|2019 Latest 400-251 Exam Questions & Answers Instant Download: https://drive.google.com/drive/folders/0B75b5xYLjSSNcGJLWWtfdE96ZUU?usp=sharing New Question
Refer to the exhibit. What IPSec function does the given debug output demonstrate?
A. DH exchange initiation
B. setting SPIs to pass traffic
C. PFS parameter negotiation
D. crypto ACL confirmation Answer: D
Explanation:
This Cisco IPSec troubleshooting guide explains details about every packet exchange during IPSec phase 1 and 2. Take a look at the section about QM2. It is exact match of the above exhibit.
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113574-tg-asa-ipsec-ike-debugs-main-00.html New Question
Drag and Drop Question
Drag each MACsec term on the left to the right matching statement on the right.
Answer:
New Question
IANA is responsible for which three IP resources? (Choose three.) A. IP address allocation
B. Detection of spoofed address
C. Criminal prosecution of hackers
D. Autonomous system number allocation
E. Root zone management in DNS
F. BGP protocol vulnerabilities Answer: ADE New Question
When you are configuring QoS on the Cisco ASA appliance.
Which four are valid traffic selection criteria? (Choose four) A. default-inspection-traffic
B. qos-group
C. DSCP
D. VPN group
E. tunnel group
F. IP precedence Answer: ACEF New Question
Which two statements about the anti-replay feature are true? (Choose two) A. By default, the sender uses a single 1024-packet sliding window
B. By default, the receiver uses a single 64-packet sliding window
C. The sender assigns two unique sequence numbers to each clear-text packet
D. The sender assigns two unique sequence numbers to each encrypted packet
E. the receiver performs a hash of each packet in the window to detect replays
F. The replay error counter is incremented only when a packet is dropped Answer: BF
Explanation:
The sender never assigns two sequence numbers.
Check this Cisco document, especially steps 2 and 4 in the anti-replay check failure description
http://www.cisco.com/c/en/us/support/docs/ip/internet-key-exchange-ike/116858-problem-replay-00.html New Question
You have configured a DMVPN hub and spoke a follows (assume the IPsec profile "dmvpnprofile" is configured correctly):
With this configuration, you notice that the IKE and IPsec SAs come up between the spoke and the hub, but NHRP registration fails. Registration will continue to fail until you do which of these? A. Configure the ipnhrp cache non-authoritative command on the hub's tunnel interface
B. Modify the NHRP hold times to match on the hub and spoke
C. Modify the NHRP network IDs to match on the hub and spoke
D. Modify the tunnel keys to match on the hub and spoke Answer: D
Explanation:
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_nhrp/configuration/xe-16/nhrp-xe-16-book/config-nhrp.html New Question
Which of the following is one of the components of cisco Payment Card Industry Solution? A. Virtualization
B. Risk Assessment
C. Monitoring
D. Disaster Management Answer: B New Question
Which two statements about the DH group are true? (Choose two.) A. The DH group is used to provide data authentication.
B. The DH group is negotiated in IPsec phase-1.
C. The DH group is used to provide data confidentiality.
D. The DH group is used to establish a shared key over an unsecured medium.
E. The DH group is negotiated in IPsec phase-2. Answer: BD New Question
Your 1Pv6 network uses a CA and trust anchor to implement secure network discover.
What extension must your CA certificates support? A. extKeyUsage
B. nameConstrainsts
C. id-pe-ipAddrBlocks
D. Id-pe-autonomousSysldsE. Ia-ad-calssuers
E. keyUsage Answer: A
Explanation:
Check this RFC for the source of correct information (start from section 7)
https://tools.ietf.org/html/rfc6494 New Question
A server with Ip address 209.165.202.150 is protected behind the inside of a cisco ASA or PIX security appliance and the internet on the outside interface.
User on the internet need to access the server at any time but the firewall administrator does not want to apply NAT to the address of the server because it is currently a public address, which three of the following command can be used to accomplish this? (Choose three) A. static (inside,outside) 209.165.202.150 209.165.202.150 netmask 255.255.255.2"
B. nat (inside) 1 209.165.202.150 255.255.255.255
C. no nat-control
D. nat (inside) 0 209.16S.202.150 255.255.255.255
E. static (outside.insid) 209.165.202.150 209.165.202.150 netmask 255.255.255.255
F. access-tist no-nat permit ip host 209.165.202.150 any nat (inside) 0 access-list no-nat Answer: ADF
!!!RECOMMEND!!!1.|2019 Latest 400-251 Exam Dumps (PDF & VCE) Instant Download: https://www.braindump2go.com/400-251.html 2.|2019 Latest 400-251 Study Guide Video Download: YouTube Video: YouTube.com/watch?v=oIBsi67yBSA
|