350-018 Questions And Answers


Questions And Answers PDF

Cisco 350-018 CCIE Security written (Version 4.0)

Version: DEMO

http://www.TestWarrior.com/350-018-practice-exam.html


TestWarrior.com


Version: 34.0

Question 1
Which statement is valid regarding SGACL?
A. SGACL mapping and policies can only be manually configured.
B. A dynamically downloaded SGACL does not override manually configured conflicting policies.
C. SGACL is an access list bound with a range of SGTs and DGTs.
D. SGACL is not a role-based access list.

Answer: C
Explanation: A role-based access control list bound to a range of SGTs (source group tags) and DGTs (destination group tags) forms an SGACL. Because the policy is keyed on the tags rather than on IP addresses, it is enforced wherever the tagged traffic appears, and an SGACL downloaded dynamically from ISE/ACS does override a conflicting manually configured policy.
Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/trustsec/configuration/guide/trustsec/sgacl_config.html

Question 2
Of which IPS application is Event Store a component?
A. InterfaceApp
B. AuthenticationApp
C. SensorApp
D. NotificationApp
E. MainApp

Answer: E
Explanation: Cisco IPS software includes the following applications:
• MainApp: initializes the system, starts and stops the other applications, configures the OS, and performs upgrades. It contains the following components:
  – ctlTransSource (Control Transaction server): allows sensors to send control transactions. This is used to enable the master blocking sensor capability of Attack Response Controller (formerly known as Network Access Controller).
  – Event Store: an indexed store used to store IPS events (error, status, and alert system messages) that is accessible through the CLI, IDM, IME, ASDM, or SDEE.
Reference: http://www.cisco.com/c/en/us/td/docs/security/ips/7.0/configuration/guide/cli/cliguide7/cli_system_architecture.html

Question 3
Refer to the exhibit.

Which two statements about this debug output are true? (Choose two.)
A. The request is from NHC to NHS.
B. The request is from NHS to NHC.
C. 192.168.10.2 is the remote NBMA address.
D. 192.168.10.1 is the local VPN address.
E. 60.1.1.2 is the local non-routable address.
F. This debug output represents a failed NHRP request.

Answer: A, D

Question 4
Which statement describes the RA?
A. The RA is not responsible for verifying users' requests for digital certificates.
B. The RA is part of the private key infrastructure.
C. The RA has the power to accept registration requests and to issue certificates.
D. The RA only forwards the requests to the CA to issue certificates.

Answer: D
Explanation: A registration authority verifies the identity behind an enrollment request and forwards approved requests to the CA; it never signs certificates itself, so the CA's signing key stays isolated from the user-facing enrollment workflow.

Question 5
Refer to the exhibit.

Against which type of attack does the given configuration protect?
A. pharming
B. a botnet attack
C. phishing
D. DNS hijacking
E. DNS cache poisoning

Answer: B
Reference: https://supportforums.cisco.com/document/00011/asa-botnet-configuration

Question 6 (DRAG DROP)
Drag and drop the description on the left onto the associated items on the right.

Answer:
Collection of similar programs that work together to execute specific tasks – botnet
Independent malicious program that copies itself from one host to another host over a network and carries other programs – worm
Programs that appear to have one function but actually perform a different function – Trojan horse
Programs that modify other programs and that attach themselves to other programs on execution – virus
Explanation: A worm is a self-contained program that propagates over the network on its own, whereas a virus needs a host program to attach to and is carried along when that program executes; the distinction is exactly the one drawn in the Cisco reference below.
Reference: http://www.cisco.com/web/about/security/intelligence/virus-worm-diffs.html

Question 7
Refer to the exhibit.

Which option describes the behavior of this configuration?
A. The switch initiates the authentication.
B. The client initiates the authentication.
C. The device performs subsequent IEEE 802.1X authentication if it passed MAB authentication. If the device fails IEEE 802.1X, it will start MAB again.
D. Devices that perform IEEE 802.1X should be in the MAC address database for successful authentication.
E. IEEE 802.1X devices must first authenticate via MAB to perform subsequent IEEE 802.1X authentication. If 802.1X fails, the device is assigned to the default guest VLAN.

Answer: C
Reference: http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/identity-based-networking-service/application_note_c27-573287.html

Question 8
Which two statements about the RC4 algorithm are true? (Choose two.)
A. The RC4 algorithm is an asymmetric key algorithm.
B. In the RC4 algorithm, the 40-bit key represents four characters of ASCII code.
C. The RC4 algorithm is faster in computation than DES.
D. The RC4 algorithm uses variable-length keys.
E. The RC4 algorithm cannot be used with wireless encryption protocols.

Answer: C, D
Explanation: RC4 is a symmetric stream cipher that accepts keys from 1 to 256 bytes; a 40-bit key is five bytes, not four ASCII characters. It is considerably cheaper to compute than DES, and it was the cipher used by the wireless protocols WEP and WPA (TKIP), which is also where its weaknesses were first exploited in practice.

Question 9
Refer to the exhibit.

After setting the replay window size on your Cisco router, you received the given system message. What is the reason for the message?
A. The replay window size is set too low for the number of packets received.
B. The IPsec anti-replay feature is enabled, but the window size feature is disabled.
C. The IPsec anti-replay feature is disabled.
D. The replay window size is set too high for the number of packets received.

Answer: A
Explanation: If the replay window size has not been set to a number that is high enough for the number of packets received, you will receive a system message such as the following:
*Nov 17 19:27:32.279: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed connection id=1
The message is generated when a received packet is judged to be outside the anti-replay window: its ESP sequence number is lower than the highest sequence number accepted so far minus the window size, so it is discarded as a possible replay even if it was merely reordered or delayed on the path (QoS queuing on the encrypting side is the usual cause). The fix is to raise the window with crypto ipsec security-association replay window-size, not to disable anti-replay.
Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_dplane/configuration/12-4t/sec-ipsec-data-plane-12-4t-book/sec-ipsec-antireplay.html
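The window check that produces the message in Question 9, as an added example (this is not code from the Cisco document or the exam). It implements the RFC 4303 sliding-window algorithm with a bitmap; the window sizes and the packet arrival order are constructed to show that a packet delayed by more than the window is logged as a replay failure even though it is merely late, while a true duplicate is rejected at any window size.

```python
"""Sliding-window anti-replay check in the style of RFC 4303 (ESP), section 3.4.3.

Added example for Question 9; not code from the Cisco document. The window
sizes and the arrival order below are constructed to show why a router whose
window is too small for the reordering on the path logs
%CRYPTO-4-PKT_REPLAY_ERR for packets that are late rather than replayed.
"""


class AntiReplayWindow:
    """Tracks received ESP sequence numbers with a fixed-size bitmap window."""

    def __init__(self, window_size=64):
        if window_size < 32:
            raise ValueError("window must be at least 32 packets (RFC 4303)")
        self.window_size = window_size
        self.highest = 0   # highest sequence number accepted so far (right edge)
        self.bitmap = 0    # bit i set => sequence number (highest - i) was seen

    def check(self, seq):
        """Return (accepted, reason) and record seq if it is accepted."""
        if seq == 0:
            return False, "sequence number 0 is never valid"
        if seq > self.highest:
            # New right edge: slide the window forward and mark seq as seen.
            shift = seq - self.highest
            mask = (1 << self.window_size) - 1
            self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.highest = seq
            return True, "accepted (advances window)"
        offset = self.highest - seq
        if offset >= self.window_size:
            # Older than the window can remember: this is the condition the router
            # reports as "replay check failed", whether or not it is a real replay.
            return False, "replay check failed (outside window)"
        if self.bitmap & (1 << offset):
            return False, "replay check failed (duplicate)"
        self.bitmap |= 1 << offset
        return True, "accepted (late but inside window)"


def simulate(arrivals, window_size):
    """Feed a constructed arrival order through one SA; return the rejected packets."""
    window = AntiReplayWindow(window_size)
    rejected = []
    for seq in arrivals:
        ok, reason = window.check(seq)
        if not ok:
            rejected.append((seq, reason))
    return rejected


# Constructed arrival order: sequence numbers 1..100 in order, except that 30 is
# delayed (e.g. by a QoS queue) and arrives after 100; then 100 is replayed.
ARRIVALS = [s for s in range(1, 101) if s != 30] + [30, 100]

if __name__ == "__main__":
    for size in (64, 128):
        print(f"window {size}: rejected {simulate(ARRIVALS, size)}")
```

With the default 64-packet window the late packet 30 is 70 positions behind the right edge and is logged as a replay failure; with a 128-packet window it is accepted, while the replayed packet 100 is rejected in both cases. That is why raising the window size is the right response to the message, and disabling anti-replay is not.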


Question 10
Which two statements about IPv6 path MTU discovery are true? (Choose two.)
A. If the destination host receives an ICMPv6 Packet Too Big message from a router, it reduces its path MTU.
B. It can allow fragmentation when the minimum MTU is below a configured value.
C. The discovery packets are dropped if there is congestion on the link.
D. If the source host receives an ICMPv6 Packet Too Big message from a router, it reduces its path MTU.
E. During the discovery process, the DF bit is set to 1.
F. The initial path MTU is the same as the MTU of the originating node's link layer interface.

Answer: D, F
Explanation: IPv6 routers never fragment packets in transit, and the IPv6 header has no Don't Fragment bit because only the source may fragment. Path MTU Discovery therefore works by initially assuming the path MTU equals the MTU of the link layer interface where the traffic originates. Then, as in IPv4, any router along the path whose next-hop MTU is smaller than the packet drops the packet and sends back an ICMPv6 Packet Too Big (Type 2) message containing that MTU, and the source reduces its path MTU accordingly. The process repeats until packets are small enough to traverse the entire path. Because it depends on those ICMPv6 messages reaching the source, a firewall that filters ICMPv6 Type 2 breaks PMTUD and silently black-holes large packets.
Reference: https://en.wikipedia.org/wiki/Path_MTU_Discovery
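The discovery loop described above, simulated end to end as an added example (not code from the Cisco material or the referenced article). The path is a constructed list of link MTUs, and the icmp_filtered parameter is a hypothetical knob that models a firewall dropping the Packet Too Big message on its way back to the source, which is how real PMTUD black holes arise.

```python
"""IPv6 Path MTU Discovery, simulated end to end.

Added example for Question 10; not from the Cisco material. The path is a
constructed list of link MTUs; the source begins with its own interface MTU
(option F) and lowers it each time a router returns ICMPv6 Packet Too Big
(option D). icmp_filtered is a hypothetical parameter modelling a firewall
that drops the Packet Too Big message, producing a PMTUD black hole.
"""

IPV6_MIN_MTU = 1280  # every IPv6 link must carry at least this (RFC 8200)


def path_mtu_discovery(link_mtus, icmp_filtered=()):
    """Return (pmtu, ptb_messages).

    link_mtus[0] is the source's own link; link_mtus[1:] are the links the
    packet crosses toward the destination. ptb_messages lists
    (hop_index, reported_mtu) in the order the source received them. pmtu is
    None if discovery black-holes because the Packet Too Big from the
    constricting hop was filtered before it reached the source.
    """
    if not link_mtus:
        raise ValueError("need at least the source link MTU")
    pmtu = link_mtus[0]          # initial assumption: path MTU == local link MTU
    ptbs = []
    while True:
        for hop, mtu in enumerate(link_mtus[1:], start=1):
            if mtu >= pmtu:
                continue         # packet fits; this router forwards it
            # Router at `hop` drops the packet and sends ICMPv6 Type 2 with its MTU.
            if hop in icmp_filtered:
                return None, ptbs    # PTB never reaches the source: black hole
            ptbs.append((hop, mtu))
            if mtu < IPV6_MIN_MTU:
                # Non-compliant link: RFC 8201 says the source never goes below 1280.
                return IPV6_MIN_MTU, ptbs
            pmtu = mtu           # option D: the source reduces its PMTU and retries
            break
        else:
            return pmtu, ptbs    # the whole path accepted the current size


if __name__ == "__main__":
    # Constructed path: 1500-byte source link, a 1400 link, then a 1280 link.
    print(path_mtu_discovery([1500, 1500, 1400, 1500, 1280]))   # (1280, [(2, 1400), (4, 1280)])
    print(path_mtu_discovery([1500, 1500, 1400], icmp_filtered={2}))  # (None, [])
```

Each pass of the outer loop is one retransmission at the reduced size; the number of Packet Too Big messages equals the number of successively smaller links, which is why PMTUD converges quickly on real paths. The black-hole case returns no PMTU at all: the source keeps sending 1500-byte packets that are dropped at hop 2 with no feedback, the failure mode that motivates permitting ICMPv6 Type 2 through IPv6 firewalls.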

Question 11
An RSA key pair consists of a public key and a private key and is used to set up PKI. Which statement applies to RSA and PKI?
A. The public key must be included in the certificate enrollment request.
B. The RSA key pair is symmetric cryptography.
C. It is possible to determine the RSA key pair's private key from its corresponding public key.
D. When a router that does not have an RSA key pair requests a certificate, the certificate request is sent, but a warning is shown to generate the RSA key pair before a CA-signed certificate is received.

Answer: A
Explanation: An RSA key pair consists of a public key and a private key. When setting up your PKI, you must include the public key in the certificate enrollment request. After the certificate has been granted, the public key is included in the certificate so that peers can use it to encrypt data that is sent to the router. The private key is kept on the router and is used both to decrypt the data sent by peers and to digitally sign transactions when negotiating with peers.
Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_pki/configuration/xe-3s/sec-pki-xe-3s-book/sec-pki-overview.html

Question 12
For what reason has the IPv6 Type 0 Routing Header been recommended for deprecation?
A. When Type 0 traffic is blocked by a firewall policy, all other traffic with routing headers is dropped automatically.
B. It can conflict with ingress filtering.
C. It can create a black hole when used in combination with other routing headers.
D. Attackers can exploit its functionality to generate DoS attacks.

Answer: D
Explanation: The functionality provided by the IPv6 Type 0 Routing Header can be exploited to achieve traffic amplification over a remote path for the purpose of generating denial-of-service traffic: an RH0 address list that alternates between two routers makes a single packet bounce between them for every listed segment, multiplying the load on that path. RFC 5095 updates the IPv6 specification to deprecate the use of IPv6 Type 0 Routing Headers in light of this security concern; a conforming node drops any RH0 with Segments Left greater than zero and returns an ICMPv6 Parameter Problem, while an RH0 with Segments Left equal to zero is simply ignored.
Reference: https://tools.ietf.org/html/rfc5095
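The RFC 5095 rule as detection logic over raw packets, added here as an example (it is not code from the RFC, the exam, or Cisco). The parser walks the extension-header chain, reports any Type 0 Routing Header, and flags the repeated-address pattern of the amplification attack; the packet builder exists only to construct test input and uses addresses from the 2001:db8::/32 documentation range.

```python
"""Detect IPv6 Type 0 Routing Headers (RH0) in raw packets.

Added example for Question 12; not code from RFC 5095, the exam or Cisco. It
walks the IPv6 extension-header chain, reports any RH0, and applies the
RFC 5095 rule: Segments Left > 0 must be dropped (with ICMPv6 Parameter
Problem, code 0), Segments Left == 0 is ignored. The builders exist only to
construct test input; all addresses are from the 2001:db8::/32 range.
"""
import struct
from ipaddress import IPv6Address

IPPROTO_HOPOPTS, IPPROTO_ROUTING, IPPROTO_FRAGMENT = 0, 43, 44
IPPROTO_AH, IPPROTO_DSTOPTS, IPPROTO_NONE = 51, 60, 59
EXT_HEADERS = {IPPROTO_HOPOPTS, IPPROTO_ROUTING, IPPROTO_FRAGMENT, IPPROTO_AH, IPPROTO_DSTOPTS}


def build_ipv6_plain(src, dst):
    """Constructed IPv6 header with no extension headers and no payload."""
    return struct.pack("!IHBB", 6 << 28, 0, IPPROTO_NONE, 64) + IPv6Address(src).packed + IPv6Address(dst).packed


def build_ipv6_rh0(src, dst, hops, segments_left=None, with_hbh=False):
    """Constructed IPv6 header [+ Hop-by-Hop] + RH0 listing `hops`, no payload."""
    if segments_left is None:
        segments_left = len(hops)
    addrs = b"".join(IPv6Address(h).packed for h in hops)
    # RH0: next hdr, ext len (8-octet units excluding the first 8), type 0,
    # segments left, 32 reserved bits, then the address list (16 bytes each).
    ext = struct.pack("!BBBBI", IPPROTO_NONE, 2 * len(hops), 0, segments_left, 0) + addrs
    first = IPPROTO_ROUTING
    if with_hbh:
        # 8-byte Hop-by-Hop header carrying one PadN option, chaining to the RH0.
        ext = struct.pack("!BB", IPPROTO_ROUTING, 0) + b"\x01\x04\x00\x00\x00\x00" + ext
        first = IPPROTO_HOPOPTS
    ip6 = struct.pack("!IHBB", 6 << 28, len(ext), first, 64)
    return ip6 + IPv6Address(src).packed + IPv6Address(dst).packed + ext


def inspect_rh0(pkt):
    """Return None if the packet carries no RH0, else a dict describing it."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nxt, off = pkt[6], 40
    while nxt in EXT_HEADERS and off + 8 <= len(pkt):
        if nxt == IPPROTO_FRAGMENT:
            hdr_len = 8
        elif nxt == IPPROTO_AH:
            hdr_len = (pkt[off + 1] + 2) * 4   # AH length is in 4-octet units minus 2
        else:
            hdr_len = (pkt[off + 1] + 1) * 8   # other ext headers: 8-octet units minus 1
        if nxt == IPPROTO_ROUTING and pkt[off + 2] == 0:
            seg_left = pkt[off + 3]
            body = pkt[off + 8:off + hdr_len]
            addrs = [str(IPv6Address(body[i:i + 16])) for i in range(0, len(body), 16)]
            return {
                "segments_left": seg_left,
                "addresses": addrs,
                "must_drop": seg_left > 0,                           # RFC 5095 section 3
                "repeated_addresses": len(addrs) != len(set(addrs)),  # ping-pong signature
            }
        nxt, off = pkt[off], off + hdr_len
    return None


if __name__ == "__main__":
    attack = build_ipv6_rh0("2001:db8::1", "2001:db8::2", ["2001:db8::a", "2001:db8::b"] * 4)
    print(inspect_rh0(attack))
```

The chain walk matters: an RH0 hidden behind a Hop-by-Hop or Destination Options header is still an RH0, and a filter that only looks at the fixed header's Next Header byte misses it. Routing headers of other types (type 2 for Mobile IPv6, type 4 for segment routing) are deliberately left alone, since RFC 5095 deprecates only type 0.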

Question 13
Refer to the exhibit.

Which option is the reason for the failure of the DMVPN session between R1 and R2?
A. incorrect tunnel source interface on R1
B. IPsec phase-1 policy mismatch
C. tunnel mode mismatch
D. IPsec phase-2 policy mismatch
E. IPsec phase-1 configuration missing peer address on R2

Answer: B


Question 14
For which reason would an RSA key pair need to be removed?
A. The CA is under DoS attack.
B. The CA has suffered a power outage.
C. The existing CA is replaced, and the new CA requires newly generated keys.
D. PKI architecture would never allow the RSA key pair to be removed.

Answer: C
Explanation: An RSA key pair may need to be removed for one of the following reasons:
• During manual PKI operations and maintenance, old RSA keys can be removed and replaced with new keys.
• An existing CA is replaced and the new CA requires newly generated keys; for example, the required key size might have changed in an organization, so you would have to delete the old 1024-bit keys and generate new 2048-bit keys.
• The peer router's public keys can be deleted in order to help debug signature verification problems in IKEv1 and IKEv2. Keys are cached by default with the lifetime of the certificate revocation list (CRL) associated with the trustpoint.
Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_pki/configuration/xe-3s/sec-pki-xe-3s-book/sec-deploy-rsa-pki.html

Question 15
Which encapsulation technique does VXLAN use?
A. MAC in TCP
B. MAC in MAC
C. MAC in UDP
D. MAC in GRE

Answer: C
Explanation: VXLAN is a MAC-in-IP/UDP (MAC-in-UDP) encapsulation technique with a 24-bit segment identifier, the VXLAN Network Identifier (VNI), carried in an 8-byte VXLAN header between the outer UDP header (IANA destination port 4789) and the original Ethernet frame. The 24-bit field allows about 16 million segments compared with 4094 VLANs. Note that the header carries no authentication: any host that can deliver UDP/4789 to a VTEP can inject frames into any VNI, so the underlay must restrict that port to trusted VTEP addresses.
Reference: http://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/nxos/vxlan/configuration/guide/b_NX-OS_VXLAN_Configuration_Guide/overview.pdf
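The encapsulation from Question 15 built and decoded byte by byte, as an added example (not code from Cisco or the exam). The constructed input is the UDP payload a VTEP would receive on port 4789; the MAC addresses and VNI are made up for the test.

```python
"""VXLAN (RFC 7348) MAC-in-UDP encapsulation: build and parse.

Added example for Question 15, not Cisco code. The constructed packet is the
UDP payload a VTEP receives on destination port 4789: an 8-byte VXLAN header
(flags, 24-bit VNI) followed by the original Ethernet frame. Reserved bits are
ignored on receipt, as the RFC requires, but reported so an operator can spot
a non-conforming sender. MAC addresses and the VNI below are constructed.
"""
import struct

VXLAN_UDP_PORT = 4789
VXLAN_FLAG_I = 0x08          # the only defined flag bit: "VNI field is valid"
VNI_MAX = (1 << 24) - 1      # 24-bit segment identifier => ~16 million segments


def _mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))


def _mac_text(raw):
    return ":".join(f"{x:02x}" for x in raw)


def build_ethernet(dst_mac, src_mac, ethertype, payload):
    """Constructed inner frame: 6-byte dst, 6-byte src, 2-byte EtherType, payload."""
    return _mac_bytes(dst_mac) + _mac_bytes(src_mac) + struct.pack("!H", ethertype) + payload


def build_vxlan(vni, inner_frame):
    """Prepend a VXLAN header to an Ethernet frame; the result is the UDP payload."""
    if not 0 <= vni <= VNI_MAX:
        raise ValueError("VNI is a 24-bit field")
    # word0: flags(8) | reserved(24); word1: VNI(24) | reserved(8)
    return struct.pack("!II", VXLAN_FLAG_I << 24, vni << 8) + inner_frame


def parse_vxlan(udp_payload):
    """Decode the VXLAN header and inner Ethernet header; raise on malformed input."""
    if len(udp_payload) < 8 + 14:
        raise ValueError("too short for a VXLAN header plus inner Ethernet header")
    word0, word1 = struct.unpack("!II", udp_payload[:8])
    if not (word0 >> 24) & VXLAN_FLAG_I:
        raise ValueError("I flag clear: packet carries no valid VNI")
    inner = udp_payload[8:]
    return {
        "vni": word1 >> 8,
        "reserved_nonzero": bool(word0 & 0x00FFFFFF or word1 & 0xFF),
        "inner_dst_mac": _mac_text(inner[0:6]),
        "inner_src_mac": _mac_text(inner[6:12]),
        "inner_ethertype": struct.unpack("!H", inner[12:14])[0],
        "inner_payload": inner[14:],
    }


def is_valid_vxlan(udp_payload):
    """Boolean form of parse_vxlan for use in a filter or detection rule."""
    try:
        parse_vxlan(udp_payload)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    frame = build_ethernet("00:11:22:33:44:55", "66:77:88:99:aa:bb", 0x0800, bytes(20))
    print(parse_vxlan(build_vxlan(5000, frame)))
```

Nothing in the header binds the VNI to the sender, which is the point made in the explanation: a VTEP that accepts UDP/4789 from arbitrary sources will happily decapsulate an attacker's frame into whichever segment the attacker names. Filtering the outer source address at the underlay edge is the control, not anything inside the VXLAN header.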

Question 16
What are two limitations of the Atomic IP Advanced Engine? (Choose two.)
A. It has limited ability to check the fragmentation header.
B. It is unable to fire high-severity alerts for known vulnerabilities.
C. It is unable to detect IP address anomalies, including IP spoofing.
D. It is unable to inspect a packet's length fields for bad information.
E. It is unable to detect Layer 4 attacks if the packets were fragmented by IPv6.

Answer: A, E
Explanation: The Atomic IP Advanced engine has the following restrictions:
• It cannot detect the Layer 4 field of the packets if the packets are fragmented so that the Layer 4 identifier does not appear in the first packet.
• It cannot detect Layer 4 attacks in flows with packets that are fragmented by IPv6, because there is no fragment reassembly.
• It cannot detect attacks in tunneled flows.
• Only limited checks are provided for the fragmentation header.
• There is no support for IPv6 on the management (command and control) interface. With ASA 8.2(1), the ASA 5500 AIP SSM supports IPv6 features.
• If there are illegal duplicate headers, a signature fires, but the individual headers cannot be separately inspected.
• Anomaly detection does not support IPv6 traffic; only IPv4 traffic is directed to the anomaly detection processor.
• Rate limiting and blocking are not supported for IPv6 traffic. If a signature is configured with a block or rate-limit event action and is triggered by IPv6 traffic, an alert is generated but the action is not carried out.
Reference: http://www.cisco.com/c/en/us/td/docs/security/ips/7.1/configuration/guide/ime/imeguide71/ime_signature_engines.pdf

Question 17
What are two advantages of SNMPv3 over SNMPv2c? (Choose two.)
A. integrity, to ensure that data has not been tampered with in transit
B. no source authentication mechanism, for faster response time
C. packet replay protection mechanism removed for efficiency
D. GetBulkRequest capability, to retrieve large amounts of data in a single request
E. confidentiality via encryption of packets, to prevent man-in-the-middle attacks

Answer: A, E
Explanation: SNMPv3 contains all the functionality of SNMPv1 and SNMPv2c, but adds significant enhancements to administration and security. SNMPv3 is an interoperable standards-based protocol that provides secure access to devices by authenticating and encrypting packets over the network. The security features provided in SNMPv3 are as follows:
• Message integrity: ensuring that a packet has not been tampered with in transit
• Authentication: determining that the message is from a valid source
• Encryption: scrambling the contents of a packet to prevent it from being seen by an unauthorized source
GetBulkRequest (option D) was introduced in SNMPv2c, so it is not an advantage of v3 over v2c, and options B and C describe the removal of protections, not advantages.
Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4000/8-2glx/configuration/guide/snmp.pdf

Question 18
Refer to the exhibit.

Which two statements correctly describe the debug output? (Choose two.)
A. The remote VPN address is 180.10.10.1.
B. The message is observed on the NHS.
C. The message is observed on the NHC.
D. The remote routable address is 01.01.01.1.
E. The local non-routable address is 20.10.10.0.
F. The NHRP hold time is 0 hours.

Answer: A, C
