Cisco 400-251 CCIE Security Written Exam: practice questions



Q1. DRAG DROP

Drag each IP transmission and fragmentation term on the left to the matching statement on the right.

Answer:

Explanation:

DF bit: A value in the IP header that indicates whether packet fragmentation is permitted.

Fragment offset: A value in the IP packet that indicates the location of a fragment in the datagram.

MF bit: Indicates that this is the last packet with the biggest offset.

MSS: The amount of data that the receiving host can accept in each TCP segment.

MTU: A value representing the maximum acceptable length of a packet to be transmitted over a link.

PMTUD: A technology used to prevent fragmentation as data travels between two end points.

Tunnel: A logical interface that allows packets to be encapsulated inside a passenger protocol for transmission across a different carrier protocol.

Q2. Which three IP resources is IANA responsible for? (Choose three.)

A. IP address allocation

B. detection of spoofed address

C. criminal prosecution of hackers

D. autonomous system number allocation

E. root zone management in DNS

F. BGP protocol vulnerabilities

Answer: A,D,E

Q3. Which two statements about DTLS are true? (Choose two.)

A. It uses two simultaneous IPSec tunnels to carry traffic.

B. If DPD is enabled, DTLS can fall back to a TLS connection.

C. Because it requires two tunnels, it may experience more latency issues than SSL connections.

D. If DTLS is disabled on an interface, then SSL VPN connections must use SSL/TLS tunnels.

E. It is disabled by default if you enable SSL VPN on the interface.

Answer: B,C

Q4. You have configured an authenticator switch in access mode on a network configured with NEAT. What RADIUS attribute must the ISE server return to change the switch's port mode to trunk?

A. device-traffic-class=switch

B. device-traffic-class=trunk

C. Framed-protocol=1

D. EAP-message=switch

E. Acct-Authentic=RADIUS

F. Authenticate=Administrative

Answer: A

Q5. Which two statements about SOX are true? (Choose two.)

A. SOX is an IETF compliance procedure for computer systems security.

B. SOX is a US law.

C. SOX is an IEEE compliance procedure for IT management to produce audit reports.

D. SOX is a private organization that provides best practices for financial institution computer systems.

E. Section 404 of SOX is related to IT compliance.

Answer: B,E

Q6. Which statement about the Cisco Secure ACS Solution Engine TACACS+ AV pair is true?

A. AV pairs are only required to be enabled on Cisco Secure ACS for successful implementation.

B. The Cisco Secure ACS Solution Engine does not support accounting AV pairs.

C. AV pairs are only string values.

D. AV pairs are of two types: string and integer.

Answer: C

Q7. DRAG DROP

Drag each SSL encryption algorithm on the left to the encryption and hashing values it uses on the right.

Answer:

Explanation:

3DES-sha1: 168 bit encryption with 160 bit hash

DES-sha1: 56 bit encryption with 160 bit hash

Null sha1: 160 bit hash without encryption

RC4-md5: 128 bit with 128 bit hash

RC4-sha1: 128 bit with 160 bit hash

Q8. What command specifies the peer from which MSDP SA messages are accepted?

A. ip msdp sa-filter in <peer> [list <acl>] [route-map <map>]

B. ip msdp default-peer <peer>

C. ip msdp mesh-group

D. ip msdp originator-id <interface>

Answer: B

Q9. Refer to the exhibit. What is the meaning of the given error message?

A. The PFS groups are mismatched.

B. The pre-shared keys are mismatched.

C. The mirrored crypto ACLs are mismatched.

D. IKE is disabled on the remote peer.

Answer: B

Q10. You have configured a DMVPN hub and spoke as follows (assume the IPsec profile “dmvpnprofile” is configured correctly):

With this configuration, you notice that the IKE and IPsec SAs come up between the spoke and the hub, but NHRP registration fails. Registration will continue to fail until you do which of these?

A. Configure the ip nhrp cache non-authoritative command on the hub’s tunnel interface

B. Modify the NHRP hold times to match on the hub and spoke

C. Modify the NHRP network IDs to match on the hub and spoke

D. Modify the tunnel keys to match on the hub and spoke

Answer: D