Act now and download your Cisco 400-251 test today! Do not waste time for the worthless Cisco 400-251 tutorials. Download Abreast of the times Cisco CCIE Security Written Exam exam with real questions and answers and begin to learn Cisco 400-251 with a classic professional.


2026 New 400-251 Exam Dumps with PDF and VCE Free: https://www.2passeasy.com/dumps/400-251/

Q1. What feature on Cisco IOS router enables user identification and authorization based on per-user policies

A. CBAC

B. IPsec

C. Authentication proxy

D. NetFlow v9

E. Zone-based firewall

F. EEM

Answer: C

Q2. Which three statements about the keying methods used by MAC Sec are true (Choose Three)

A. MKA is implemented as an EAPoL packet exchange

B. SAP is enabled by default for Cisco TrustSec in manual configuration mode.

C. SAP is supported on SPAN destination ports

D. Key management for host-to-switch and switch-to-switch MACSec sessions is provided by MKA

E. SAP is not supported on switch SVIs .

F. A valid mode for SAP is NULL

Answer: A,B,F

Q3. CCMP (CCM mode Protocol) is based on which algorithm?

A. 3DES

B. Blowfish

C. RC5

D. AES

E. IDEA

Answer: D

Q4. Which three IP resources is IANA responsible for? (Choose three.)

A. IP address allocation

B. detection of spoofed address

C. criminal prosecution of hackers

D. autonomous system number allocation

E. root zone management in DNS

F. BGP protocol vulnerabilities

Answer: A,D,E

Q5. Which two statement about router Advertisement message are true? (Choose two)

A. Local link prefixes are shared automatically.

B. Each prefix included in the advertisement carries lifetime information f Or that prefix.

C. Massage are sent to the miscast address FF02::1

D. It support a configurable number of retransmission attempts for neighbor solicitation massage.

E. Flag setting are shared in the massage and retransmitted on the link.

F. Router solicitation massage are sent in response to router advertisement massage

Answer: A,F

Q6. Which two effects of configuring the tunnel path-mtu-discovery command on a GRE tunnel interface are true?( Choose two)

A. The maximum path MTU across the GRE tunnel is set to 65534 bytes.

B. If a lower MTU link between the IPsec peers is detected , the GRE tunnel MTU are changed.

C. The router adjusts the MTU value it sends to the GRE tunnel interface in the TCP SYN packet.

D. It disables PMTUD discovery for tunnel interfaces.

E. The DF bit are copied to the GRE IP header.

F. The minimum path MTU across the GRE tunnel is set to 1476 bytes.

Answer: B,E

Q7. Which statement regarding the routing functions of the Cisco ASA is true running software version 9.2?

A. In a failover pair of ASAs, the standby firewall establishes a peer relationship with OSPF neighbors

B. The ASA supports policy-based routing with route maps

C. Routes to the Null0 interface cannot be configured to black-hole traffic

D. The translations table cannot override the routing table for new connections

Answer: C

Q8. Which two statements about header attacks are true?(Choose Two)

A. An attacker can use IPv6 Next Header attacks to steal user data and launch phishing attacks.

B. An attacker can use HTTP Header attacks to launch a DoS attack.

C. An attacker can execute a spoofing attack by populating the RH0 routing header subtype with multiple

destination addresses.

D. An attacker can leverage an HTTP response header to write malicious cookies.

E. An attacker can leverage an HTTP response header to inject malicious code into an application layer.

F. An attacker can use vulnerabilities in the IPv6 routing header to launch attacks at the application layer.

Answer: B,C

Q9. Refer to the exhibit. 

What are three effect of the given firewall configuration? (Choose three.)

A. The firewall allows Echo Request packets from any source to pass server.

B. The firewall allows time Exceeded error messages from any source to pass to the server.

C. PCs outside the firewall are unable to communicate with the server over HTTP

D. The firewall allows Echo Reply packets from any source to pass to the server.

E. The firewall allows Destination Unreachable error messages from any source to pass to the server.

F. The firewall allows Packet too big error messages from any source to pass to the server.

Answer: A,D,F

Q10. How does a wireless association flood attack create a DoS?

A. It sends a high-power RF pulse that can damage the internals of the AP

B. It spoofs disassociation frames from the access point.

C. It uses a brute force attack to crack the encryption.

D. It exhausts the access client association table.

Answer: D