Ensurepass

QUESTION 301

Which four functionalities are built into the ISE? (Choose four.)

 

A. Profiling Server
B. Profiling Collector
C. RADIUS AAA for Device Administration
D. RADIUS AAA for Network Access
E. TACACS+ for Device Administration
F. TACACS+ for Network Access
G. Guest Lifecycle Management

 

Correct Answer: ABDG

 

 

QUESTION 302

Which statement is correct about the Cisco IOS Control Plane Protection feature?

 

A. Control Plane Protection is restricted to the IPv4 or IPv6 input path.
B. Traffic that is destined to the router with IP options will be redirected to the host control plane.
C. Disabling CEF will remove all active control-plane protection policies. Aggregate control-plane policies will continue to operate.
D. The open-port option of a port-filtering policy allows access to all TCP/UDP based services that are configured on the router.

 

Correct Answer: C

 

 

QUESTION 303

Which Category to Protocol mapping for NBAR is correct?

 

A. Category: Enterprise Applications
   Protocol: Citrix ICA, PCAnywhere, SAP, IMAP
B. Category: Internet
   Protocol: FTP, HTTP, TFTP
C. Category: Network Management
   Protocol: ICMP, SNMP, SSH, Telnet
D. Category: Network Mail Services
   Protocol: MAPI, POP3, SMTP

 

Correct Answer: B

 

 

 

 

 

QUESTION 304

Which two options correctly describe Remote Triggered Black Hole Filtering (RFC 5635)? (Choose two.)

 

A. RTBH destination based filtering can drop traffic destined to a host based on triggered entries in the FIB.
B. RTBH source based filtering will drop traffic from a source destined to a host based on triggered entries in the RIB.
C. Loose uRPF must be used in conjunction with RTBH destination based filtering.
D. Strict uRPF must be used in conjunction with RTBH source based filtering.
E. RTBH uses a discard route on the edge devices of the network and a route server to send triggered route updates.
F. When setting the BGP community attribute in a route-map for RTBH, use the no-export community unless BGP confederations are used; then use local-as to advertise to sub-as confederations.

 

Correct Answer: AE

 

 

QUESTION 305

A Cisco IOS router is configured as follows:

 

ip dns spoofing 192.168.20.1

 

What will the router respond with when it receives a DNS query for its own host name?

 

A. The router will respond with the IP address of the incoming interface.
B. The router will respond with 192.168.20.1 only if the outside interface is down.
C. The router will respond with 192.168.20.1.
D. The router will ignore the DNS query and forward it directly to the DNS server.

 

Correct Answer: B

 

 

QUESTION 306

Which configuration is the correct way to change a GET VPN Key Encryption Key lifetime to 10800 seconds on the key server?

 

A.
crypto isakmp policy 1
lifetime 10800

B.
crypto ipsec security-association lifetime seconds 10800

C.
crypto ipsec profile getvpn-profile
set security-association lifetime seconds 10800
!
crypto gdoi group GET-Group
identity number 1234
server local
sa ipsec 1
profile getvpn-profile

D.
crypto gdoi group GET-Group
identity number 1234
server local
rekey lifetime seconds 10800

E.
crypto gdoi group GET-Group
identity number 1234
server local
set security-association lifetime seconds 10800

 

Correct Answer: D

 

 

QUESTION 307

A Cisco Easy VPN software client is unable to access its local LAN devices once the VPN tunnel is established. How can this issue be resolved?

 

A. The IP address that is assigned by the Cisco Easy VPN Server to the client must be on the same network as the local LAN of the client.
B. The Cisco Easy VPN Server should apply split-tunnel-policy excludespecified with a split-tunnel-list containing the local LAN addresses that are relevant to the client.
C. The Cisco Easy VPN Server must push down an interface ACL that permits the traffic to the local LAN from the client.
D. The Cisco Easy VPN Server should apply a split-tunnel-policy tunnelall policy to the client.
E. The Cisco Easy VPN client machine needs to have multiple NICs to support this.

 

Correct Answer: B

 

 

QUESTION 308

Which three routing characteristics are relevant for DMVPN Phase 3? (Choose three.)

 

A. Hubs must not preserve the original IP next-hop.
B. Hubs must preserve the original IP next-hop.
C. Split-horizon must be turned off for RIP and EIGRP.
D. Spokes are only routing neighbors with hubs.
E. Spokes are routing neighbors with hubs and other spokes.
F. Hubs are routing neighbors with other hubs and must use the same routing protocol as that used on hub-spoke tunnels.

 

Correct Answer: ACD

 

 

QUESTION 309

Using Cisco IOS, which two object-group options will permit networks 10.1.1.0/24 and 10.1.2.0/24 to host 192.168.5.1 port 80 and 443? (Choose two.)

 

A.
object-group network SOURCE
range 10.1.1.0 10.1.2.255
object-group network DESTINATION
host 192.168.5.1
object-group service HTTP
tcp eq www
tcp eq 443
tcp source gt 1024
!
access-list 101 permit object-group HTTP object-group SOURCE object-group DESTINATION

B.
object-group network SOURCE
10.1.1.0 0.0.0.255
10.1.2.0 0.0.0.255
object-group network DESTINATION
host 192.168.5.1
object-group service HTTP
tcp eq www
tcp eq 443
!
ip access-list extended ACL-NEW
permit object-group SOURCE object-group DESTINATION object-group HTTP

C.
object-group network SOURCE
10.1.1.0 255.255.255.0
10.1.2.0 255.255.255.0
object-group network DESTINATION
host 192.168.5.1
object-group service HTTP
tcp eq www
tcp eq 443
!
ip access-list extended ACL-NEW
permit object-group SOURCE object-group DESTINATION object-group HTTP

D.
object-group network SOURCE
10.1.1.0 255.255.255.0
10.1.2.0 255.255.255.0
object-group network DESTINATION
host 192.168.5.1
object-group service HTTP
tcp eq www
tcp eq 443
tcp source gt 1024
!
ip access-list extended ACL-NEW
permit object-group HTTP object-group SOURCE object-group DESTINATION

 

Correct Answer: AD

 

 

QUESTION 310

Which two statements about the fragmentation of IPsec packets in routers are true? (Choose two.)

 

A. By default, the IP packets that need encryption are first encrypted with ESP. If the resulting encrypted packet exceeds the IP MTU on the egress physical interface, then the encrypted packet is fragmented and sent out.
B. By default, the router knows the IPsec overhead to add to the packet. The router performs a lookup if the packet will exceed the egress physical interface IP MTU after encryption, then fragments the packet and encrypts the resulting IP fragments separately.
C. increases CPU utilization on the decrypting device.
D. increases CPU utilization on the encrypting device.

 

Correct Answer: BC

 

Free VCE & PDF File for Cisco 350-018 Real Exam
