Flydumps offers first-hand Cisco 350-018 exam questions and answers. By training with the latest Cisco 350-018 PDF and VCE dumps, you will be well prepared for the Cisco 350-018 exam. Visit Flydumps.com to get the free new version for training.
QUESTION 75
Refer to the exhibit. On R1, encrypt counters are incrementing. On R2, packets are decrypted, but the encrypt counter is not being incremented. What is the most likely cause of this issue?
“First Test, First Pass” – www.lead2pass.com 25 Cisco 350-018 Exam
A. a routing problem on R1
B. a routing problem on R2
C. incomplete IPsec SA establishment
D. crypto engine failure on R2
E. IPsec rekeying is occurring
Correct Answer: B
QUESTION 76
Which two methods are used for forwarding traffic to the Cisco ScanSafe Web Security service? (Choose two.)
A. Cisco AnyConnect VPN Client with Web Security and ScanSafe subscription
B. Cisco ISR G2 Router with SECK9 and ScanSafe subscription
C. Cisco ASA adaptive security appliance using DNAT policies to forward traffic to ScanSafe subscription servers
D. Cisco Web Security Appliance with ScanSafe subscription
Correct Answer: BC
QUESTION 77
Which four statements about SeND for IPv6 are correct? (Choose four.)
A. It protects against rogue RAs.
B. NDP exchanges are protected by IPsec SAs and provide for anti-replay.
C. It defines secure extensions for NDP.
D. It authorizes routers to advertise certain prefixes.
E. It provides a method for secure default router election on hosts.
F. Neighbor identity protection is provided by Cryptographically Generated Addresses that are derived from a Diffie-Hellman key exchange.
G. It is facilitated by the Certification Path Request and Certification Path Response ND messages.
Correct Answer: ACDE
QUESTION 78
What is the recommended network MACSec policy mode for high security deployments?
A. should-secure
B. must-not-secure
C. must-secure
D. monitor-only
E. high-impact
Correct Answer: A
QUESTION 79
Which three statements about NetFlow version 9 are correct? (Choose three.)
A. It is backward-compatible with versions 8 and 5.
B. Version 9 is dependent on the underlying transport; only UDP is supported.
C. A version 9 export packet consists of a packet header and flow sets.
D. Generating and maintaining valid template flow sets requires additional processing.
E. NetFlow version 9 does not access the NetFlow cache entry directly.
Correct Answer: CDE
QUESTION 80
Which three statements about VXLANs are true? (Choose three.)
A. It requires that IP protocol 8472 be opened to allow traffic through a firewall.
B. Layer 2 frames are encapsulated in IP, using a VXLAN ID to identify the source VM.
C. A VXLAN gateway maps VXLAN IDs to VLAN IDs.
D. IGMP join messages are sent by new VMs to determine the VXLAN multicast IP.
E. A VXLAN ID is a 32-bit value.
Correct Answer: BCD
QUESTION 81
Which two identifiers are used by a Cisco Easy VPN Server to reference the correct group policy information for connecting a Cisco Easy VPN Client? (Choose two.)
A. IKE ID_KEY_ID
B. OU field in a certificate that is presented by a client
C. XAUTH username
D. hash of the OTP that is sent during XAUTH challenge/response
E. IKE ID_IPV4_ADDR
Correct Answer: AB
QUESTION 82
Which multicast routing mechanism is optimal to support many-to-many multicast applications?
A. PIM-SM
B. MOSPF
C. DVMRP
D. BIDIR-PIM
E. MSDP
Correct Answer: D
QUESTION 83
Which three statements regarding VLANs are true? (Choose three.)
A. To create a new VLAN on a Cisco Catalyst switch, the VLAN name, VLAN ID and VLAN type must all be specifically configured by the administrator.
B. A VLAN is a broadcast domain.
C. Each VLAN must have an SVI configured on the Cisco Catalyst switch for it to be operational.
D. The native VLAN is used for untagged traffic on an 802.1Q trunk.
E. VLANs can be connected across wide-area networks.
Correct Answer: BDE
QUESTION 84
Which technology, configured on the Cisco ASA, allows Active Directory authentication credentials to be applied automatically to web forms that require authentication for clientless SSL connections?
A. one-time passwords
B. certificate authentication
C. user credentials obtained during authentication
D. Kerberos authentication
Correct Answer: C
QUESTION 85
In what subnet does address 192.168.23.197/27 reside?
A. 192.168.23.0
B. 192.168.23.128
C. 192.168.23.160
D. 192.168.23.192
E. 192.168.23.196
Correct Answer: D
QUESTION 86
Given the IPv4 address 10.10.100.16, which two addresses are valid IPv4-compatible IPv6 addresses? (Choose two.)
A. :::A:A:64:10
B. ::10:10:100:16
C. 0:0:0:0:0:10:10:100:16
D. 0:0:10:10:100:16:0:0:0
Correct Answer: BC
QUESTION 87
Refer to the exhibit. Which three fields of the IP header labeled can be used in a spoofing attack? (Choose one.)
A. 6, 7, 11
B. 6, 11, 12
C. 3, 11, 12
D. 4, 7, 11
Correct Answer: A
QUESTION 88
What is the size of a point-to-point GRE header, and what is the protocol number at the IP layer?
A. 8 bytes, and protocol number 74
B. 4 bytes, and protocol number 47
C. 2 bytes, and protocol number 71
D. 24 bytes, and protocol number 1
E. 8 bytes, and protocol number 47
Correct Answer: B
QUESTION 89
When implementing WLAN security, what are three benefits of using TKIP instead of WEP? (Choose three.)
A. TKIP uses an advanced encryption scheme based on AES.
B. TKIP provides authentication and integrity checking using CBC-MAC.
C. TKIP provides per-packet keying and a rekeying mechanism.
D. TKIP provides message integrity check.
E. TKIP reduces WEP vulnerabilities by using a different hardware encryption chipset.
F. TKIP uses a 48-bit initialization vector.
Correct Answer: CDF
QUESTION 90
Which two statements about SHA are correct? (Choose two.)
A. Five 32-bit variables are applied to the message to produce the 160-bit hash.
B. The message is split into 64-bit blocks for processing.
C. The message is split into 512-bit blocks for processing.
D. SHA-2 and MD5 both consist of four rounds of processing.
Correct Answer: AC
QUESTION 91
Which three statements about IKEv2 are correct? (Choose three.)
A. INITIAL_CONTACT is used to synchronize state between peers.
B. The IKEv2 standard defines a method for fragmenting large messages.
C. The initial exchanges of IKEv2 consist of IKE_SA_INIT and IKE_AUTH.
D. Rekeying IKE and child SAs is facilitated by the IKEv2 CREATE_CHILD_SA exchange.
E. NAT-T is not supported.
F. Attribute policy push (via the configuration payload) is only supported in REQUEST/REPLY mode.
Correct Answer: ACD
QUESTION 92
Which three statements about LDAP are true? (Choose three.)
A. LDAP uses UDP port 389 by default.
B. LDAP is defined in terms of ASN.1 and transmitted using BER.
C. LDAP is used for accessing X.500 directory services.
D. An LDAP directory entry is uniquely identified by its DN.
E. A secure connection via TLS is established via the UseTLS operation.
Correct Answer: BCD
QUESTION 93
Which two EAP methods may be susceptible to offline dictionary attacks? (Choose two.)
A. EAP-MD5
B. LEAP
C. PEAP with MS-CHAPv2
D. EAP-FAST
Correct Answer: AB
QUESTION 94
Which PKCS is invoked during IKE MM5 and MM6 when digital certificates are used as the authentication method?
A. PKCS#7
B. PKCS#10
C. PKCS#13
D. PKCS#11
E. PKCS#3
Correct Answer: A
QUESTION 95
Which mode of operation must be enabled on CSM to support roles such as Network Administrator, Approver, Network Operator, and Help Desk?
A. Deployment Mode
B. Activity Mode
C. Workflow Mode
D. User Roles Mode
E. Administration Mode
F. Network Mode
Correct Answer: C
QUESTION 96
Which two ISE probes would be required to accurately distinguish between an iPad and a MacBook Pro? (Choose two.)
A. DHCP or DHCPSPAN
B. SNMPTRAP
C. SNMPQUERY
D. NESSUS
E. HTTP
F. DHCP TRAP
Correct Answer: AE
QUESTION 97
Which configuration option will correctly process network authentication and authorization using both 802.1X and MAB on a single port?
A.
B.
C.
D.
Correct Answer: B
QUESTION 98
Which statement regarding the routing functions of the Cisco ASA is true?
A. The translation table can override the routing table for new connections.
B. The ASA supports policy-based routing with route maps.
C. In a failover pair of ASAs, the standby firewall establishes a peer relationship with OSPF neighbors.
D. Routes to the Null0 interface can be configured to black-hole traffic.
Correct Answer: A
QUESTION 99
Which three statements are true about the Cisco ASA object configuration below? (Choose three.)
object network vpnclients
 range 10.1.100.4 10.1.100.10
object network vpnclients
 nat (outside,outside) dynamic interface
A. The NAT configuration in the object specifies a PAT rule.
B. This configuration requires the command same-security-traffic inter-interface for traffic that matches this NAT rule to pass through the Cisco ASA appliance.
C. The NAT rule of this object will be placed in Section 1 (Auto-NAT) of the Cisco ASA NAT table.
D. This configuration is most likely used to provide Internet access to connected VPN clients.
E. Addresses in the range will be assigned during config-mode.
Correct Answer: ACD
QUESTION 100
Which three attributes may be configured as part of the Common Tasks panel of an authorization profile in the Cisco ISE solution? (Choose three.)
A. VLAN
B. voice VLAN
C. dACL name
D. voice domain permission
E. SGT
Correct Answer: ACD
QUESTION 101
Which two statements describe the Cisco TrustSec system correctly? (Choose two.)
A. The Cisco TrustSec system is a partner program, where Cisco certifies third-party security products as extensions to the secure infrastructure.
B. The Cisco TrustSec system is an approach to certifying multimedia and collaboration applications as secure.
C. The Cisco TrustSec system is an Advanced Network Access Control System that leverages enforcement intelligence in the network infrastructure.
D. The Cisco TrustSec system tests and certifies all products and product versions that make up the system as working together in a validated manner.
Correct Answer: CD
QUESTION 102
Which option is the correct definition for MAB?
A. MAB is the process of checking the mac-address-table on the local switch for the sticky address. If the mac-address of the device attempting to access the network matches the configured sticky address, it will be permitted to bypass 802.1X authentication.
B. MAB is a process where the switch will send an authentication request on behalf of the endpoint that is attempting to access the network, using the mac-address of the device as the credentials. The authentication server evaluates that MAC address against a list of devices permitted to access the network without a stronger authentication.
C. MAB is a process where the switch will check a local list of MAC addresses to identify systems that are permitted network access without using 802.1X.
D. MAB is a process where the supplicant on the endpoint is configured to send the MAC address of the endpoint as its credentials.
Correct Answer: B
QUESTION 103
Which three statements are true about the Cisco NAC Appliance solution? (Choose three.)
A. In a Layer 3 OOB ACL deployment of the Cisco NAC Appliance, the discovery host must be configured as the untrusted IP address of the Cisco NAC Appliance Server.
B. In a Cisco NAC Appliance deployment, the discovery host must be configured on a Cisco router using the “NAC discovery-host” global configuration command.
C. In a VRF-style OOB deployment of the Cisco NAC Appliance, the discovery host may be the IP address that is on the trusted side of the Cisco NAC Appliance Server.
D. In a Layer 3 IB deployment of the Cisco NAC Appliance, the discovery host may be configured as the IP address of the Cisco NAC Appliance Manager.
Correct Answer: ACD
QUESTION 104
Refer to the exhibit, which shows a partial output of the show command. Which statement best describes the problem?
A. Context vpn1 is not inservice.
B. There is no gateway that is configured under context vpn1.
C. The config has not been properly updated for context vpn1.
D. The gateway that is configured under context vpn1 is not inservice.
Correct Answer: A
QUESTION 105
Review the exhibit. Which three statements about the Cisco IPS sensor are true? (Choose three.)
A. A
B. B
C. C
D. D
E. E
Correct Answer: ACE