QUESTION 221
Refer to the exhibit, which shows a partial configuration for the EzVPN server. Which three missing ISAKMP profile options are required to support EzVPN using DVTI? (Choose three.)
|
A. |
match identity group |
|
B. |
trustpoint |
|
C. |
virtual-interface |
|
D. |
keyring |
|
E. |
enable udp-encapsulation |
|
F. |
isakmp authorization list |
|
G. |
virtual-template |
Correct Answer: AFG
QUESTION 222
Which two certificate enrollment methods can be completed without an RA and require no direct connection to a CA by the end entity? (Choose two.)
|
A. |
SCEP |
|
B. |
TFTP |
|
C. |
manual cut and paste |
|
D. |
enrollment profile with direct HTTP |
|
E. |
PKCS#12 import/export |
Correct Answer: CE
QUESTION 223
Which four techniques can you use for IP data plane security? (Choose four.)
|
A. |
Control Plane Policing |
|
B. |
interface ACLs |
|
C. |
uRPF |
|
D. |
MD5 authentication |
|
E. |
FPM |
|
F. |
QoS |
Correct Answer: BCEF
QUESTION 224
In order to implement CGA on a Cisco IOS router for SeND, which three configuration steps are required? (Choose three.)
|
A. |
Generate an RSA key pair. |
|
B. |
Define a site-wide pre-shared key. |
|
C. |
Define a hash algorithm that is used to generate the CGA. |
|
D. |
Generate the CGA modifier. |
|
E. |
Assign a CGA link-local or globally unique address to the interface. |
|
F. |
Define an encryption algorithm that is used to generate the CGA. |
Correct Answer: ADE
QUESTION 225
As defined by Cisco TrustSec, which EAP method is used for Network Device Admission Control authentication?
|
A. |
EAP-FAST |
|
B. |
EAP-TLS |
|
C. |
PEAP |
|
D. |
LEAP |
Correct Answer: A
QUESTION 226
Which three statements about the keying methods used by MACSec are true? (Choose three.)
|
A. |
Key management for host-to-switch and switch-to-switch MACSec sessions is provided by MKA. |
|
B. |
A valid mode for SAP is NULL. |
|
C. |
MKA is implemented as an EAPoL packet exchange. |
|
D. |
SAP is enabled by default for Cisco TrustSec in manual configuration mode. |
|
E. |
SAP is not supported on switch SVIs. |
|
F. |
SAP is supported on SPAN destination ports. |
Correct Answer: BCE
QUESTION 227
What is the function of this command?
switch(config-if)# switchport port-security mac-address sticky
|
A. |
It allows the switch to restrict the MAC addresses on the switch port, based on the static MAC addresses configured in the startup configuration. |
|
B. |
It allows the administrator to manually configure the secured MAC addresses on the switch port. |
|
C. |
It allows the switch to permanently store the secured MAC addresses in the MAC address table (CAM table). |
|
D. |
It allows the switch to perform sticky learning, in which the dynamically learned MAC addresses are copied from the MAC address table (CAM table) to the startup configuration. |
|
E. |
It allows the switch to dynamically learn the MAC addresses on the switch port, and the MAC addresses will be added to the running configuration |
Correct Answer: E
QUESTION 228
When configuring a switchport for port security that will support multiple devices and that has already been configured for 802.1X support, which two commands need to be added? (Choose two.)
|
A. |
The 802.1X port configuration must be extended with the command dot1x multiple-host. |
|
B. |
The 802.1X port configuration must be extended with the command dot1x port-security. |
|
C. |
The switchport configuration needs to include the command switchport port-security. |
|
D. |
The switchport configuration needs to include the port-security aging command. |
|
E. |
The 802.1X port configuration needs to remain in port-control force-authorized rather than port- control auto. |
Correct Answer: AC
QUESTION 229
In Cisco IOS, what is the result of the ip dns spoofing command on DNS queries that are coming from the inside and are destined to DNS servers on the outside?
|
A. |
The router will prevent DNS packets without TSIG information from passing through the router. |
|
B. |
The router will act as a proxy to the DNS request and reply to the DNS request with the IP address of the interface that received the DNS query if the outside interface is down. |
|
C. |
The router will take the DNS query and forward it on to the DNS server with its information in place of the client IP. |
|
D. |
The router will block unknown DNS requests on both the inside and outside interfaces. |
Correct Answer: B
QUESTION 230
The Wi-Fi Alliance defined two certification programs, called WPA and WPA2, which are based on the IEEE 802.11i standard. Which three statements are true about these certifications? (Choose three.)
|
A. |
WPA is based on the ratified IEEE 802.11i standard. |
|
B. |
WPA2 is based on the ratified IEEE 802.11i standard. |
|
C. |
WPA enhanced WEP with the introduction of TKIP. |
|
D. |
WPA2 requires the support of AES-CCMP. |
|
E. |
WPA2 supports only 802.1x/EAP authentication. |
Correct Answer: BCD
Free VCE & PDF File for Cisco 350-018 Practice Tests
Instant Access to Free VCE Files: CCNA | CCNP | CCIE …
Instant Access to Free PDF Files: CCNA | CCNP | CCIE …