New 350-018 Dumps with VCE and PDF from PassLeader (Question 211 – Question 240)

New 350-018 exam questions from PassLeader 350-018 dumps! Welcome to download the newest PassLeader 350-018 VCE and PDF dumps: http://www.passleader.com/350-018.html (894 Q&As)

P.S. Free 350-018 dumps are available on Google Drive shared by PassLeader: https://drive.google.com/open?id=0B-ob6L_QjGLpfjE1cHRyNEtmX3JfdU9CUFlRZnVxNjZUbWxsSnBpNXM0QjZYZjBXZVgyOTQ

QUESTION 211
When you are configuring QoS on the Cisco ASA appliance, which four are valid traffic selection criteria? (Choose four.)

A.    VPN group
B.    tunnel group
C.    IP precedence
D.    DSCP
E.    default-inspection-traffic
F.    qos-group

Answer: BCDE

QUESTION 212
Which command is required in order for the Botnet Traffic Filter on the Cisco ASA appliance to function properly?

A.    dynamic-filter inspect tcp/80
B.    dynamic-filter whitelist
C.    inspect botnet
D.    inspect dns dynamic-filter-snoop

Answer: D

QUESTION 213
You have been asked to configure a Cisco ASA appliance in multiple mode with these settings:
(A) You need two customer contexts, named contextA and contextB.
(B) Allocate interfaces G0/0 and G0/1 to contextA.
(C) Allocate interfaces G0/0 and G0/2 to contextB.
(D) The physical interface name for G0/1 within contextA should be “inside”.
(E) All other context interfaces must be viewable via their physical interface names.

A.    context contextA
config-url disk0:/contextA.cfg
allocate-interface GigabitEthernet0/0 visible
allocate-interface GigabitEthernet0/1 inside
context contextB
config-url disk0:/contextB.cfg
allocate-interface GigabitEthernet0/0 visible
allocate-interface GigabitEthernet0/2 visible
B.    context contexta
config-url disk0:/contextA.cfg
allocate-interface GigabitEthernet0/0 visible
allocate-interface GigabitEthernet0/1 inside
context contextb
config-url disk0:/contextB.cfg
allocate-interface GigabitEthernet0/0 visible
allocate-interface GigabitEthernet0/2 visible
C.    context contextA
config-url disk0:/contextA.cfg
allocate-interface GigabitEthernet0/0 invisible
allocate-interface GigabitEthernet0/1 inside
context contextB
config-url disk0:/contextB.cfg
allocate-interface GigabitEthernet0/0 invisible
allocate-interface GigabitEthernet0/2 invisible
D.    context contextA
config-url disk0:/contextA.cfg
allocate-interface GigabitEthernet0/0
allocate-interface GigabitEthernet0/1 inside
context contextB
config-url disk0:/contextB.cfg
allocate-interface GigabitEthernet0/0
allocate-interface GigabitEthernet0/2
E.    context contextA
config-url disk0:/contextA.cfg
allocate-interface GigabitEthernet0/0 visible
allocate-interface GigabitEthernet0/1 inside
context contextB
config-url disk0:/contextB.cfg
allocate-interface GigabitEthernet0/1 visible
allocate-interface GigabitEthernet0/2 visible

Answer: A

QUESTION 214
Which four configuration steps are required to implement a zone-based policy firewall configuration on a Cisco IOS router? (Choose four.)

A.    Create the security zones and security zone pairs.
B.    Create the self zone.
C.    Create the default global inspection policy.
D.    Create the type inspect class maps and policy maps.
E.    Assign a security level to each security zone.
F.    Assign each router interface to a security zone.
G.    Apply a type inspect policy map to each zone pair.

Answer: ADFG

QUESTION 215
Refer to the exhibit. The client is protected by a firewall. An IPv6 SMTP connection from the client to the server on TCP port 25 will be subject to which action?

A.    pass action by the HTTP_CMAP
B.    inspection action by the TCP_CMAP
C.    inspection action by the SMTP_CMAP
D.    drop action by the default class
E.    pass action by the HTTP_CMAP

Answer: B

QUESTION 216
Which Cisco IPS appliance signature engine defines events that occur in a related manner, within a sliding time interval, as components of a combined signature?

A.    Service engine
B.    Sweep engine
C.    Multistring engine
D.    Meta engine

Answer: D

QUESTION 217
Which three options are the types of zones that are defined for anomaly detection on the Cisco IPS Sensor? (Choose three.)

A.    inside
B.    outside
C.    internal
D.    external
E.    illegal
F.    baseline

Answer: CDE

QUESTION 218
Which three statements are true regarding RFC 5176 (Change of Authorization)? (Choose three.)

A.    It defines a mechanism to allow a RADIUS server to initiate a communication inbound to a NAD.
B.    It defines a wide variety of authorization actions, including “reauthenticate”.
C.    It defines the format for a Change of Authorization packet.
D.    It defines a DM.
E.    It specifies that TCP port 3799 be used for transport of Change of Authorization packets.

Answer: ACD

QUESTION 219
Which three statements are true regarding Security Group Tags? (Choose three.)

A.    When using the Cisco ISE solution, the Security Group Tag gets defined as a separate authorization result.
B.    When using the Cisco ISE solution, the Security Group Tag gets defined as part of a standard authorization profile.
C.    Security Group Tags are a supported network authorization result using Cisco ACS 5.x.
D.    Security Group Tags are a supported network authorization result for 802.1X, MAC Authentication Bypass, and WebAuth methods of authentication.
E.    A Security Group Tag is a variable length string that is returned as an authorization result.

Answer: ACD

QUESTION 220
Refer to the exhibit. What is the cause of the issue that is reported in this debug output?

A.    The identity of the peer is not acceptable.
B.    There is an esp transform mismatch.
C.    There are mismatched ACLs on remote and local peers.
D.    The SA lifetimes are set to 0.

Answer: C

QUESTION 221
Refer to the exhibit, which shows a partial configuration for the EzVPN server. Which three missing ISAKMP profile options are required to support EzVPN using DVTI? (Choose three.)

A.    match identity group
B.    trustpoint
C.    virtual-interface
D.    keyring
E.    enable udp-encapsulation
F.    isakmp authorization list
G.    virtual-template

Answer: AFG

QUESTION 222
Which two certificate enrollment methods can be completed without an RA and require no direct connection to a CA by the end entity? (Choose two.)

A.    SCEP
B.    TFTP
C.    manual cut and paste
D.    enrollment profile with direct HTTP
E.    PKCS#12 import/export

Answer: CE

QUESTION 223
Which four techniques can you use for IP data plane security? (Choose four.)

A.    Control Plane Policing
B.    interface ACLs
C.    uRPF
D.    MD5 authentication
E.    FPM
F.    QoS

Answer: BCEF

QUESTION 224
In order to implement CGA on a Cisco IOS router for SeND, which three configuration steps are required? (Choose three.)

A.    Generate an RSA key pair.
B.    Define a site-wide pre-shared key.
C.    Define a hash algorithm that is used to generate the CGA.
D.    Generate the CGA modifier.
E.    Assign a CGA link-local or globally unique address to the interface.
F.    Define an encryption algorithm that is used to generate the CGA.

Answer: ADE

QUESTION 225
As defined by Cisco TrustSec, which EAP method is used for Network Device Admission Control authentication?

A.    EAP-FAST
B.    EAP-TLS
C.    PEAP
D.    LEAP

Answer: A

QUESTION 226
Which three statements about the keying methods used by MACSec are true? (Choose three.)

A.    Key management for host-to-switch and switch-to-switch MACSec sessions is provided by MKA.
B.    A valid mode for SAP is NULL.
C.    MKA is implemented as an EAPoL packet exchange.
D.    SAP is enabled by default for Cisco TrustSec in manual configuration mode.
E.    SAP is not supported on switch SVIs.
F.    SAP is supported on SPAN destination ports.

Answer: BCE

QUESTION 227
What is the function of this command?
switch(config-if)# switchport port-security mac-address sticky

A.    It allows the switch to restrict the MAC addresses on the switch port, based on the static MAC addresses configured in the startup configuration.
B.    It allows the administrator to manually configure the secured MAC addresses on the switch port.
C.    It allows the switch to permanently store the secured MAC addresses in the MAC address table (CAM table).
D.    It allows the switch to perform sticky learning, in which the dynamically learned MAC addresses are copied from the MAC address table (CAM table) to the startup configuration.
E.    It allows the switch to dynamically learn the MAC addresses on the switch port, and the MAC addresses will be added to the running configuration.

Answer: E

QUESTION 228
When configuring a switchport for port security that will support multiple devices and that has already been configured for 802.1X support, which two commands need to be added? (Choose two.)

A.    The 802.1X port configuration must be extended with the command dot1x multiple-host.
B.    The 802.1X port configuration must be extended with the command dot1x port-security.
C.    The switchport configuration needs to include the command switchport port-security.
D.    The switchport configuration needs to include the port-security aging command.
E.    The 802.1X port configuration needs to remain in port-control force-authorized rather than port-control auto.

Answer: AC

QUESTION 229
In Cisco IOS, what is the result of the ip dns spoofing command on DNS queries that are coming from the inside and are destined to DNS servers on the outside?

A.    The router will prevent DNS packets without TSIG information from passing through the router.
B.    The router will act as a proxy to the DNS request and reply to the DNS request with the IP address of the interface that received the DNS query if the outside interface is down.
C.    The router will take the DNS query and forward it on to the DNS server with its information in place of the client IP.
D.    The router will block unknown DNS requests on both the inside and outside interfaces.

Answer: B

QUESTION 230
The Wi-Fi Alliance defined two certification programs, called WPA and WPA2, which are based on the IEEE 802.11i standard. Which three statements are true about these certifications? (Choose three.)

A.    WPA is based on the ratified IEEE 802.11i standard.
B.    WPA2 is based on the ratified IEEE 802.11i standard.
C.    WPA enhanced WEP with the introduction of TKIP.
D.    WPA2 requires the support of AES-CCMP.
E.    WPA2 supports only 802.1x/EAP authentication.

Answer: BCD

QUESTION 231
When you are configuring the COOP feature for GETVPN redundancy, which two steps are required to ensure the proper COOP operations between the key servers? (Choose two.)

A.    Generate an exportable RSA key pair on the primary key server and export it to the secondary key server.
B.    Enable dead peer detection between the primary and secondary key servers.
C.    Configure HSRP between the primary and secondary key servers.
D.    Enable IPC between the primary and secondary key servers.
E.    Enable NTP on both the primary and secondary key servers to ensure that they are synchronized to the same clock source.

Answer: AB

QUESTION 232
A Cisco Easy VPN software client is unable to access its local LAN devices once the VPN tunnel is established. What is the best way to solve this issue?

A.    The IP address that is assigned by the Cisco Easy VPN Server to the client must be on the same network as the local LAN of the client.
B.    The Cisco Easy VPN Server should apply split-tunnel-policy excludespecified with a split-tunnel-list containing the local LAN addresses that are relevant to the client.
C.    The Cisco Easy VPN Server must push down an interface ACL that permits the traffic to the local LAN from the client.
D.    The Cisco Easy VPN Server should apply a split-tunnel-policy tunnelall policy to the client.
E.    The Cisco Easy VPN client machine needs to have multiple NICs to support this.

Answer: B

QUESTION 233
During the establishment of an Easy VPN tunnel, when is XAUTH performed?

A.    at the end of IKEv1 Phase 2
B.    at the beginning of IKEv1 Phase 1
C.    at the end of Phase 1 and before Phase 2 starts in IKEv1 and IKEv2
D.    at the end of Phase 1 and before Phase 2 starts in IKEv1

Answer: D

QUESTION 234
Which three traffic conditions can be matched when configuring single rate, dual token bucket traffic policing on Cisco routers? (Choose three.)

A.    conform
B.    normal
C.    violate
D.    peak
E.    exceed
F.    average

Answer: ACE

QUESTION 235
A frame relay PVC at router HQ has a CIR of 768 kb/s and the frame relay PVC at router branch office has a CIR of 384 kb/s. Which QoS mechanism can best be used to ease the data congestion and data loss due to the CIR speed mismatch?

A.    traffic policing at the HQ
B.    traffic policing at the branch office
C.    traffic shaping at the HQ
D.    traffic shaping at the branch office
E.    LLQ at the HQ
F.    LLQ at the branch office

Answer: C

QUESTION 236
Refer to the exhibit. A customer has an IPsec tunnel that is configured between two remote offices. The customer is seeing these syslog messages on Router B:
%CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed connection id=x, sequence number=y
What is the most likely cause of this error?

A.    The customer has an LLQ QoS policy that is configured on the WAN interface of Router A.
B.    A hacker on the Internet is launching a spoofing attack.
C.    Router B has an incorrectly configured IP MTU value on the WAN interface.
D.    There is packet corruption in the network between Router A and Router B.
E.    Router A and Router B are not synchronized to the same timer source.

Answer: A

QUESTION 237
In ISO 27001 ISMS, which three of these certification process phases are required to collect information for ISO 27001? (Choose three.)

A.    discover
B.    certification audit
C.    post-audit
D.    observation
E.    pre-audit
F.    major compliance

Answer: BCE

QUESTION 238
Which three statements regarding ISO 27002 and COBIT are correct? (Choose three.)

A.    COBIT and ISO 27002 both define a best practices framework for IT controls.
B.    COBIT focuses on information system processes, whereas ISO 27002 focuses on the security of the information systems.
C.    ISO 27002 addresses control objectives, whereas COBIT addresses information security management process requirements.
D.    Compared to COBIT, ISO 27002 covers a broader area in planning, operations, delivery, support, maintenance, and IT governance.
E.    Unlike COBIT, ISO 27002 is used mainly by the IT audit community to demonstrate risk mitigation and avoidance mechanisms.

Answer: ABC

QUESTION 239
The IETF is a collaborative effort by the international community of Internet professionals to improve the design, use, and management of the Internet. Which international organization charters the activity of IETF?

A.    IANA
B.    ISO
C.    ISOC
D.    RIR
E.    IEC

Answer: C

QUESTION 240
Which RFC outlines BCP 84?

A.    RFC 3704
B.    RFC 2827
C.    RFC 3030
D.    RFC 2267
E.    RFC 1918

Answer: A
