Cisco 400-251 Certification Exam Syllabus

400-251 Syllabus, CCIE Security Exam Questions PDF, Cisco 400-251 Dumps Free, CCIE Security PDF, 400-251 Dumps, 400-251 PDF, CCIE Security VCE, 400-251 Questions PDF, Cisco CCIE Security Questions PDF, Cisco 400-251 VCEA great way to start the Cisco Certified Internetwork Expert Security (CCIE S) preparation is to begin by properly appreciating the role that syllabus and study guide play in the Cisco 400-251 certification exam. This study guide is an instrument to get you on the same page with Cisco and understand the nature of the Cisco CCIE Security exam.

Our team of experts has composed this Cisco 400-251 exam preparation guide to provide the overview about Cisco CCIE Security Written Exam exam, study material, sample questions, practice exam and ways to interpret the exam objectives to help you assess your readiness for the Cisco CCIE S exam by identifying prerequisite areas of knowledge. We recommend you to refer the simulation questions and practice test listed in this guide to determine what type of questions will be asked and the level of difficulty that could be tested in the Cisco CCIE Security certification exam.

Cisco 400-251 Exam Overview:

Exam Name
CCIE Security Written Exam
Exam Number 400-251 CCIE S
Exam Price $450 USD
Duration 120 minutes
Number of Questions 90-110
Passing Score Variable (750-850 / 1000 Approx.)
Exam Registration PEARSON VUE
Sample Questions Cisco 400-251 Sample Questions
Practice Exam Cisco Certified Internetwork Expert Security Practice Test

Cisco 400-251 Exam Topics:

Section Weight
Written
Weight
Lab
Objectives
Perimeter Security and Intrusion Prevention 21% 23%
1 Describe, implement, and troubleshoot HA features on Cisco ASA and Cisco FirePOWER Threat Defense (FTD)
 
2 Describe, implement, and troubleshoot clustering on Cisco ASA and Cisco FTD
 
3 Describe, implement, troubleshoot, and secure routing protocols on Cisco ASA and Cisco FTD
 
4 Describe, implement, and troubleshoot different deployment modes such as routed, transparent, single, and multicontext on Cisco ASA and Cisco FTD
 
5 Describe, implement, and troubleshoot firewall features such as NAT (v4,v6), PAT, application inspection, traffic zones, policy-based routing,  traffic redirection to service modules, and identity firewall on Cisco ASA and Cisco FTD
 
6 Describe, implement, and troubleshoot IOS security features such as Zone-Based Firewall (ZBF), application layer inspection, NAT (v4,v6), PAT and  TCP intercept on Cisco IOS/IOS-XE
 
7 Describe, implement, optimize, and troubleshoot policies and rules for traffic control on Cisco ASA, Cisco FirePOWER and Cisco FTD
 
8 Describe, implement, and troubleshoot Cisco Firepower Management Center (FMC) features such as alerting, logging, and reporting
 
9 Describe, implement, and troubleshoot correlation and remediation rules on Cisco FMC
 
10 Describe, implement, and troubleshoot Cisco FirePOWER and Cisco FTD deployment such as in-line, passive, and TAP modes
 
11 Describe, implement, and troubleshoot Next Generation Firewall (NGFW) features such as SSL inspection, user identity, geolocation, and AVC  (Firepower appliance)
 
12 Describe, detect, and mitigate common types of attacks such as DoS/DDoS, evasion techniques, spoofing, man-in-the-middle, and botnet
Advanced Threat Protection and Content Security 17% 19%
1 Compare and contrast different AMP solutions including public and private cloud deployment models
 
2 Describe, implement, and troubleshoot AMP for networks, AMP for endpoints, and AMP for content security (CWS, ESA, and WSA)
 
3 Detect, analyze, and mitigate malware incidents
 
4 Describe the benefit of threat intelligence provided by AMP Threat GRID
 
5 Perform packet capture and analysis using Wireshark, tcpdump, SPAN, and RSPAN
 
6 Describe, implement, and troubleshoot web filtering, user identification, and Application Visibility and Control (AVC)
 
7 Describe, implement, and troubleshoot mail policies, DLP, email quarantines, and SenderBase on ESA
 
8 Describe, implement, and troubleshoot SMTP authentication such as SPF and DKIM on ESA
 
9 Describe, implement, and troubleshoot SMTP encryption on ESA
 
10 Compare and contrast different LDAP query types on ESA
 
11 Describe, implement, and troubleshoot WCCP redirection
 
12 Compare and contrast different proxy methods such as SOCKS, Auto proxy/WPAD, and transparent
 
13 Describe, implement, and troubleshoot HTTPS decryption and DLP
 
14 Describe, implement, and troubleshoot CWS connectors on Cisco IOS routers, Cisco ASA, Cisco AnyConnect, and WSA
 
15 Describe the security benefits of leveraging the OpenDNS solution.
 
16 Describe, implement, and troubleshoot SMA for centralized content security management
 
17 Describe the security benefits of leveraging Lancope
Secure Connectivity and Segmentation 17% 19%
1 Compare and contrast cryptographic and hash algorithms such as AES, DES, 3DES, ECC, SHA, and MD5
 
2 Compare and contrast security protocols such as ISAKMP/IKEv1, IKEv2, SSL, TLS/DTLS, ESP, AH, SAP, and MKA
 
3 Describe, implementc and troubleshoot remote access VPN using technologies such as FLEXVPN, SSL-VPN between Cisco firewalls, routers, and end hosts
 
4 Describe, implement, and troubleshoot the Cisco IOS CA for VPN authentication
 
5 Describe, implement, and troubleshoot clientless SSL VPN technologies with DAP and smart tunnels on Cisco ASA and Cisco FTD
 
6 Describe, implement, and troubleshoot site-to-site VPNs such as GETVPN, DMVPN and IPsec
 
7 Describe, implement, and troubleshoot uplink and downlink MACsec (802.1AE)
 
8 Describe, implement, and troubleshoot VPN high availability using Cisco ASA VPN clustering and dual-hub DMVPN deployments
 
9 Describe the functions and security implications of cryptographic protocols such as AES, DES, 3DES, ECC, SHA, MD5, ISAKMP/IKEv1, IKEv2, SSL,  TLS/DTLS, ESP, AH, SAP, MKA, RSA, SCEP/EST, GDOI, X.509, WPA, WPA2, WEP, and TKIP
 
10 Describe the security benefits of network segmentation and isolation
 
11 Describe, implement, and troubleshoot VRF-Lite and VRF-Aware VPN
 
12 Describe, implement, and troubleshoot microsegmentation with TrustSec using SGT and SXP
 
13 Describe, implement, and troubleshoot infrastructure segmentation methods such as VLAN, PVLAN, and GRE
 
14 Describe the functionality of Cisco VSG used to secure virtual environments
 
15 Describe the security benefits of data center segmentation using ACI, EVPN, VXLAN, and NVGRE
Identity Management, Information Exchange, and Access Control 22% 24%
1 Describe, implement, and troubleshoot various personas of ISE in a multinode deployment
 
2 Describe, implement, and troubleshoot network access device (NAD), ISE, and ACS configuration for AAA
 
3 Describe, implement, and troubleshoot AAA for administrative access to Cisco network devices using ISE and ACS
 
4 Describe, implement, verify, and troubleshoot AAA for network access with 802.1X and MAB using ISE.
 
5 Describe, implement, verify, and troubleshoot cut-through proxy/auth-proxy using ISE as the AAA server
 
6 Describe, implement, verify, and troubleshoot guest life cycle management using ISE and Cisco network infrastructure
 
7 Describe, implement, verify, and troubleshoot BYOD on-boarding and network access flows with an internal or external CA
 
8 Describe, implement, verify, and troubleshoot ISE and ACS integration with external identity sources such as LDAP, AD, and external RADIUS
 
9 Describe ISE and ACS integration with external identity sources such as RADIUS Token, RSA SecurID, and SAML
 
10 Describe, implement, verify, and troubleshoot provisioning of AnyConnect with ISE and ASA
 
11 Describe, implement, verify, and troubleshoot posture assessment with ISE
 
12 Describe, implement, verify, and troubleshoot endpoint profiling using ISE and Cisco network infrastructure including device sensor
 
13 Describe, implement, verify, and troubleshoot integration of MDM with ISE
 
14 Describe, implement, verify, and troubleshoot certificate based authentication using ISE
 
15 Describe, implement, verify, and troubleshoot authentication methods such as EAP Chaining and Machine Access Restriction (MAR)
 
16 Describe the functions and security implications of AAA protocols such as RADIUS,  TACACS+, LDAP/LDAPS, EAP (EAP-PEAP, EAP-TLS, EAP-TTLS, EAP-FAST,  EAP-TEAP, EAP- MD5, EAP-GTC), PAP, CHAP, and MS-CHAPv2
 
17 Describe, implement, and troubleshoot identity mapping on ASA, ISE, WSA and FirePOWER
 
18 Describe, implement, and troubleshoot pxGrid between security devices such as WSA, ISE, and Cisco FMC
Infrastructure Security, Virtualization, and Automation 13% 15%
1 Identify common attacks such as Smurf, VLAN hopping, and SYNful knock, and their mitigation techniques
 
2 Describe, implement, and troubleshoot device hardening techniques and control plane protection methods, such as CoPP and IP Source routing.
 
3 Describe, implement, and troubleshoot management plane protection techniques such as CPU and memory thresholding and securing device access
 
4 Describe, implement, and troubleshoot data plane protection techniques such as iACLs, uRPF, QoS, and RTBH
 
5 Describe, implement, and troubleshoot IPv4/v6 routing protocols security
 
6 Describe, implement, and troubleshoot Layer 2 security techniques such as DAI, IPDT, STP security, port security, DHCP snooping, and VACL
 
7 Describe, implement, and troubleshoot wireless security technologies such as WPA, WPA2, TKIP, and AES
 
8 Describe wireless security concepts such as FLEX Connect, wIPS, ANCHOR, Rogue AP, and Management Frame Protection (MFP)
 
9 Describe, implement, and troubleshoot monitoring protocols such as NETFLOW/IPFIX, SNMP, SYSLOG, RMON, NSEL, and eSTREAMER
 
10 Describe the functions and security implications of application protocols such as SSH, TELNET, TFTP, HTTP/HTTPS, SCP, SFTP/FTP, PGP, DNS/DNSSEC,  NTP, and DHCP
 
11 Describe the functions and security implications of network protocols such as VTP, 802.1Q, TCP/UDP, CDP, LACP/PAgP, BGP, EIGRP, OSPF/OSPFv3,  RIP/RIPng, IGMP/CGMP, PIM, IPv6, and WCCP
 
12 Describe the benefits of virtualizing security functions in the data center using ASAv, WSAv, ESAv, and NGIPSv
 
13 Describe the security principles of ACI such as object models, endpoint groups, policy enforcement, application network profiles, and contracts
 
14 Describe the northbound and southbound APIs of SDN controllers such as APIC-EM
15 Identify and implement security features to comply with organizational security policies, procedures, and standards such as BCP 38, ISO 27001, RFC 
827, and PCI-DSS
 
16 Describe and identify key threats to different places in the network (campus, data center, core, edge) as described in Cisco SAFE
 
17 Validate network security design for adherence to Cisco SAFE recommended practices
18 Interpret basic scripts that can retrieve and send data using RESTful API calls in scripting languages such as Python
 
19 Describe Cisco Digital Network Architecture (DNA) principles and components.
Evolving Technologies 10% N/A
1 Cloud
a) Compare and contrast Cloud deployment models
a) [i] Infrastructure, platform, and software services (XaaS)
a) [ii] Performance and reliability
a) [iii] Security and privacy
a) [iv] Scalability and interoperability
b) Describe Cloud implementations and operations
b) [i] Automation and orchestration
b) [ii] Workload mobility
b) [iii] Troubleshooting and management
b) [iv] OpenStack components
 
2 Network Programmability (SDN)
a) Describe functional elements of network programmability (SDN) and how they interact
a) [i] Controllers
a) [ii] APIs
a) [iii] Scripting
a) [iv] Agents
a) [v] Northbound vs. Southbound protocols
b) Describe aspects of virtualization and automation in network environments
b) [i] DevOps methodologies, tools and workflows
b) [ii] Network/application function virtualization (NFV, AFV)
b) [iii] Service function chaining
b) [iv] Performance, availability, and scaling considerations
 
3 Internet of Things (IoT)
a) Describe architectural framework and deployment considerations for Internet of Things
a) [i] Performance, reliability and scalability
a) [ii] Mobility
a) [iii] Security and privacy
a) [iv] Standards and compliance
a) [v] Migration
a) [vi] Environmental impacts on the network

Cisco CCIE S Exam Description:

The written exam validates experts who have the knowledge and skills to architect, engineer, implement, troubleshoot, and support the full suite of Cisco security technologies and solutions using the latest industry best practices to secure systems and environments against modern security risks, threats, vulnerabilities, and requirements.

Rating: 4.9 / 5 (32 votes)