CCIE Security Written Exam (v5.0) (400-251) Free Practice Test

Question 1

Cisco ISE can assign a VLAN as a result of an 802.1x authentication and authorization request. What does the switch do if the VLAN assigned by ISE does not exist?

A. Create the VLAN locally

B. Mark The 802.1x attempt as failed

C. Request creation of the VLAN on the VTP server

D. Treat the 802.1x attempt as passed and assign the default VLAN

E. Send a RADIUS CoA NACK packet to ISE

Correct Answer: D

Question 2

In order to enable the Certificate Authority (CA) server feature using Simple Certificate Enrolment Protocol (SCEP) on an IOS device, which three of the following configuration steps are required? (Choose three.)

A. Set an authoritative clock source on the device

B. Generate a self-signed certificate

C. Set the hostname of the device

D. Issue no shut under the crypto pki server command

E. Enable ip http server on the device

F. Enable auto-rollover for the pki Server

Correct Answer: A,E,F

Question 3

Which three messages are part of the SSL protocol? (Choose three)

A. Record

B. Handshake

C. DISCOVERY

D. Message Authentication

E. OFFER

F. Change Cipher Spec

G. Cipher Spec

H. Alert

Correct Answer: B,F,H

Question 4

Which three protocols are used by the management plane in a Cisco IOS device? (Choose three)

A. HTTPS

B. PAP

C. TLS

D. CHAP

E. DHCP

F. RIP

G. 3DES

H. SSH

I. Telnet

Correct Answer: A,H,I

Question 5

What us the most common IoT threat vector?

A. Insertion of invalid inputs that cause denial of service

B. Attacks against programming errors in loT devices

C. Physical access to loT devices that are installed in non-secure locations

D. Human error and social engineering to access supervisory control systems

Correct Answer: C

Question 6

Which three of the following statements are true about the Security Group Tag (SGT)? (Choose three)

A. SGT can be assigned manually at the port level

B. SGT can be mapped to IP address and downloaded to SGT-capable devices

C. Dynamic SGT is a global value binded to all the ports

D. SGT can only be assigned dynamically

E. SGT can be assigned dynamically and be downloaded as the result of an ISE authorization

F. SGT can only be assigned statically

Correct Answer: A,B,E

Question 7

Which statement is true regarding the failover link when ASAs are configured in a failover mode?

A. Configuration replication sent across the link can be secured using a failover key

B. The information sent over the failover link cannot be in clear text but it could be secured communication using a failover key

C. The information sent over the failover link cannot be in clear text

D. Failover key is not required for the secure communication over the failover link

E. The information sent over the failover link can only be sent as a secured communication

F. It is not recommended to use secure communication over failover link when ASA terminating the VPN tunnel.

Correct Answer: A

Question 8

Which statement about password encryption and integrity on a Cisco IOS device is true?

A. The "username <name> secret <password>" command encrypts the password with SHA-256 hashing

B. The enable secret is preferred over enable password because of encryption

C. When "enable secret" is missing from the configuration, the console session cannot get privilege access using console password due to missing encryption

D. The "enable secret" uses DES for the password hashing

E. The "service password-encryption" global command encrypts all the passwords except for CHAP password

F. The "service password-encryption" global command performs encryption and hashing of all the passwords

Correct Answer: B

Welcome to TestSimulate

Cisco CCIE Security Written Exam (v5.0) (400-251) Free Practice Test