350-018 Preparation Kits
Question: 1
Which statement is valid regarding SGACL?
A. SGACL mapping and policies can only be manually configured.
B. Dynamically downloaded SGACL does not override manually configured conflicting policies.
C. SGACL is access-list bound with a range of SGTs and DGTs.
D. SGACL is not a role-based access list.
Answer: C
Explanation:
A role-based access control list bound to a range of SGTs and DGTs forms an SGACL.
Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/trustsec/configuration/guide/trustsec/sgacl_config.html
Question: 2
Of which IPS application is Event Store a component?
A. InterfaceApp
B. AuthenticationApp
C. SensorApp
D. NotificationApp
E. MainApp
Answer: E
Explanation:
Cisco IPS software includes the following applications:
- MainApp—Initializes the system, starts and stops the other applications, configures the OS, and performs upgrades. It contains the following components:
  - ctlTransSource (Control Transaction server)—Allows sensors to send control transactions. This is used to enable the master blocking sensor capability of Attack Response Controller (formerly known as Network Access Controller).
  - Event Store—An indexed store used to store IPS events (error, status, and alert system messages) that is accessible through the CLI, IDM, IME, ASDM, or SDEE.
Reference: http://www.cisco.com/c/en/us/td/docs/security/ips/7-0/configuration/guide/cli/cliguide7/cli_system_architecture.html#wp1009053
Question: 3
Refer to the exhibit.
Which two statements about this debug output are true? (Choose two.)
A. The request is from NHC to NHS.
B. The request is from NHS to NNC.
C. 192.168.10.2 is the remote NBMA address.
D. 192.168.10.1 is the local VPN address.
E. 69.1.1.2 is the local non-routable address.
F. This debug output represents a failed NHRP request.
Answer: A, D
Question: 4
Which statement describes RA?
A. The RA is not responsible for verifying users' requests for digital certificates.
B. The RA is part of private key infrastructure.
C. The RA has the power to accept registration requests and to issue certificates.
D. The RA only forwards the requests to the CA to issue certificates.
Answer: D
Question: 5
Refer to the exhibit.
Against which type of attack does the given configuration protect?
A. pharming
B. a botnet attack
C. phishing
D. DNS hijacking
E. DNS cache poisoning
Answer: B
Reference: https://supportforums.cisco.com/document/33011/asa-botnet-configuration
Question: 6
DRAG DROP
Drag and drop the description on the left onto the associated items on the right.
Answer:
Collection of similar programs that work together to execute specific tasks – botnet
Independent malicious program that copies itself from one host to another host over a network and carries other programs – Viruses
Programs that appear to have one function but actually perform a different function – Trojan horse
Programs that modify other programs and that attach themselves to other programs on execution – Worms
Reference: http://www.cisco.com/web/about/security/intelligence/virus-worm-diffs.html
Question: 7
Refer to the exhibit.
Which option describes the behavior of this configuration?
A. The switch initiates the authentication.
B. The client initiates the authentication.
C. The device performs subsequent IEEE 802.1X authentication if it passed MAB authentication. If the device fails IEEE 802.1X, it will start MAB again.
D. Devices that perform IEEE 802.1X should be in the MAC address database for successful authentication.
E. IEEE 802.1x devices must first authenticate via MAB to perform subsequent IEEE 802.1X authentication. If 802.1X fails, the device is assigned to the default guest VLAN.
Answer: C
Reference: http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/identity-based-networking-service/application_note_c27-573287.html
Question: 8
Which two statements about the RC4 algorithm are true? (Choose two.)
A. The RC4 algorithm is an asymmetric key algorithm.
B. In the RC4 algorithm, the 40-bit key represents four characters of ASCII code.
C. The RC4 algorithm is faster in computation than DES.
D. The RC4 algorithm uses variable-length keys.
E. The RC4 algorithm cannot be used with wireless encryption protocols.
Answer: C, D
Question: 9
Refer to the exhibit.
After setting the replay window size on your Cisco router, you received the given system message. What is the reason for the message?
A. The replay window size is set too low for the number of packets received.
B. The IPSec anti-replay feature is enabled, but the window size feature is disabled.
C. The IPSec anti-replay feature is disabled.
D. The replay window size is set too high for the number of packets received.
Answer: A
Explanation:
If your replay window size has not been set to a number that is high enough for the number of packets received, you will receive a system message such as the following:
*Nov 17 19:27:32.279: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed connection id=1
The above message is generated when a received packet is judged to be outside the anti-replay window.
Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_dplane/configuration/12-4t/sec-ipsec-data-plane-12-4t-book/sec-ipsec-antireplay.html
Question: 10
Which two statements about IPv6 path MTU discovery are true? (Choose two.)
A. If the destination host receives an ICMPv6 Packet Too Big message from a router, it reduces its path MTU.
B. It can allow fragmentation when the minimum MTU is below a configured value.
C. The discovery packets are dropped if there is congestion on the link.
D. If the source host receives an ICMPv6 Packet Too Big message from a router, it reduces its path MTU.
E. During the discovery process, the DF bit is set to 1.
F. The initial path MTU is the same as the MTU of the original node’s link layer interface.
Answer: D, F
Explanation:
IPv6 routers do not support fragmentation or the Don't Fragment option. For IPv6, Path MTU Discovery works by initially assuming the path MTU is the same as the MTU on the link layer interface where the traffic originates. Then, similar to IPv4, any device along the path whose MTU is smaller than the packet will drop the packet and send back an ICMPv6 Packet Too Big (Type 2) message containing its MTU, allowing the source host to reduce its Path MTU appropriately. The process is repeated until the MTU is small enough to traverse the entire path without fragmentation.
Reference: https://en.wikipedia.org/wiki/Path_MTU_Discovery
Question: 11
An RSA key pair consists of a public key and a private key and is used to set up PKI. Which statement applies to RSA and PKI?
A. The public key must be included in the certificate enrollment request.
B. The RSA key-pair is a symmetric cryptography.
C. It is possible to determine the RSA key-pair private key from its corresponding public key.
D. When a router that does not have an RSA key pair requests a certificate, the certificate request is sent, but a warning is shown to generate the RSA key pair before a CA signed certificate is received.
Answer: A
Explanation:
An RSA key pair consists of a public key and a private key. When setting up your PKI, you must include the public key in the certificate enrollment request. After the certificate has been granted, the public key will be included in the certificate so that peers can use it to encrypt data that is sent to the router. The private key is kept on the router and used both to decrypt the data sent by peers and to digitally sign transactions when negotiating with peers.
Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_pki/configuration/xe-3s/sec-pki-xe-3s-book/sec-pki-overview.html
Question: 12
For what reason has the IPv6 Type 0 Routing Header been recommended for deprecation?
A. When Type 0 traffic is blocked by a firewall policy, all other traffic with routing headers is dropped automatically.
B. It can conflict with ingress filtering.
C. It can create a black hole when used in combination with other routing headers.
D. Attackers can exploit its functionality to generate DoS attacks.
Answer: D
Explanation:
The functionality provided by IPv6's Type 0 Routing Header can be exploited in order to achieve traffic amplification over a remote path for the purposes of generating denial-of-service traffic. This document updates the IPv6 specification to deprecate the use of IPv6 Type 0 Routing Headers, in light of this security concern.
Reference: https://tools.ietf.org/html/rfc5095
Question: 13
Refer to the exhibit.
Which option is the reason for the failure of the DMVPN session between R1 and R2?
A. incorrect tunnel source interface on R1
B. IPsec phase-1 policy mismatch
C. tunnel mode mismatch
D. IPsec phase-2 policy mismatch
E. IPsec phase-1 configuration missing peer address on R2
Answer: B
Question: 14
For which reason would an RSA key pair need to be removed?
A. The CA is under DoS attack
B. The CA has suffered a power outage
C. The existing CA is replaced, and the new CA requires newly generated keys
D. PKI architecture would never allow the RSA key pair removal
Answer: C
Explanation:
An RSA key pair may need to be removed for one of the following reasons:
- During manual PKI operations and maintenance, old RSA keys can be removed and replaced with new keys.
- An existing CA is replaced and the new CA requires newly generated keys; for example, the required key size might have changed in an organization, so you would have to delete the old 1024-bit keys and generate new 2048-bit keys.
- The peer router's public keys can be deleted in order to help debug signature verification problems in IKEv1 and IKEv2. Keys are cached by default with the lifetime of the certificate revocation list (CRL) associated with the trustpoint.
Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_pki/configuration/xe-3s/sec-pki-xe-3s-book/sec-deploy-rsa-pki.html
Question: 15
Which encapsulation technique does VXLAN use?
A. MAC in TCP
B. MAC in MAC
C. MAC in UDP
D. MAC in GRE
Answer: C
Explanation:
VXLAN is a MAC-in-IP/UDP (MAC-in-UDP) encapsulation technique with a 24-bit segment identifier in the form of a VXLAN ID.
Reference: http://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/nx-os/vxlan/configuration/guide/b_NX-OS_VXLAN_Configuration_Guide/overview.pdf
Question: 16
What are two limitations of the Atomic IP Advanced Engine? (Choose two.)
A. It has limited ability to check the fragmentation header.
B. It is unable to fire high-severity alerts for known vulnerabilities.
C. It is unable to detect IP address anomalies, including IP spoofing.
D. It is unable to inspect a packet’s length fields for bad information.
E. It is unable to detect Layer 4 attacks if the packets were fragmented by IPv6.
Answer: A, E
Explanation:
The Atomic IP Advanced engine contains the following restrictions:
- Cannot detect the Layer 4 field of the packets if the packets are fragmented so that the Layer 4 identifier does not appear in the first packet.
- Cannot detect Layer 4 attacks in flows with packets that are fragmented by IPv6 because there is no fragment reassembly.
- Cannot detect attacks with tunneled flows.
- Limited checks are provided for the fragmentation header.
- There is no support for IPv6 on the management (command and control) interface. With ASA 8.2(1), the ASA 5500 AIP SSM supports IPv6 features.
- If there are illegal duplicate headers, a signature fires, but the individual headers cannot be separately inspected.
- Anomaly detection does not support IPv6 traffic; only IPv4 traffic is directed to the anomaly detection processor.
- Rate limiting and blocking are not supported for IPv6 traffic. If a signature is configured with a block or rate limit event action and is triggered by IPv6 traffic, an alert is generated but the action is not carried out.
Reference: http://www.cisco.com/c/en/us/td/docs/security/ips/7-1/configuration/guide/ime/imeguide71/ime_signature_engines.pdf
Question: 17
What are two advantages of SNMPv3 over SNMPv2c? (Choose two.)
A. integrity, to ensure that data has not been tampered with in transit
B. no source authentication mechanism for faster response time
C. Packet replay protection mechanism removed for efficiency
D. GetBulkRequest capability, to retrieve large amounts of data in a single request
E. confidentiality via encryption of packets, to prevent man-in-the-middle attacks
Answer: A, E
Explanation:
SNMPv3 contains all the functionality of SNMPv1 and SNMPv2, but SNMPv3 has significant enhancements to administration and security. SNMPv3 is an interoperable standards-based protocol. SNMPv3 provides secure access to devices by authenticating and encrypting packets over the network.
The security features provided in SNMPv3 are as follows:
- Message integrity—Ensuring that a packet has not been tampered with in transit
- Authentication—Determining that the message is from a valid source
- Encryption—Scrambling contents of a packet to prevent it from being seen by an unauthorized source
Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4000/8-2glx/configuration/guide/snmp.pdf
Question: 18
Refer to the exhibit.
Which two statements correctly describe the debug output?
A. The remote VPN address is 180.10.10.1.
B. The message is observed on the NHS.
C. The message is observed on the NHC.
D. The remote routable address is 91.91.91.1.
E. The local non-routable address is 20.10.10.3.
F. The NHRP hold time is 3 hours.
Answer: A, C
Question: 19
Which two statements about NEAT are true? (Choose two.)
A. NEAT supports standard ACLs on the switch port.
B. NEAT is not supported on an EtherChannel port.
C. NEAT should be deployed only with autoconfiguration.
D. NEAT uses CISP (Client Information Signaling Protocol) to propagate client IP address.
E. NEAT is supported on an EtherChannel port.
Answer: B, C
Explanation:
Restrictions for Network Edge Authentication Topology:
- NEAT is not supported on an EtherChannel port.
- It is recommended that NEAT is deployed only with auto-configuration.
- This feature does not support standard ACLs on the switch port.
Reference: http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_8021x/configuration/15-2mt/sec-ieee-neat.html
Question: 20
Refer to the exhibit.
Which three descriptions of the configuration are true? (Choose three.)
A. The configuration is on the NHS.
B. The tunnel IP address represents the NBMA address.
C. This tunnel is a point-to-point GRE tunnel.
D. The tunnel is not providing peer authentication.
E. The configuration is on the NHC.
F. The tunnel encapsulates multicast traffic.
G. The tunnel provides data confidentiality.
Answer: A, F, G
Question: 21
DRAG DROP
Drag and drop the SMTP components on the left onto their corresponding roles on the right.
Answer:
MTA – Is the component responsible for moving email from the sending mail server to the recipient mail server.
MUA – Is the component that interacts with the end user.
POP/IMAP – Is the component responsible for fetching email from the recipient mail server mailbox to the recipient MUA.
MDA – Is the component responsible for moving the email from the MTA to the user mailbox in the recipient mail server.
Explanation:
The following terminology is important in understanding the operation of a mail server.
Mail User Agent (MUA): The MUA is a component that interacts with end users directly. Examples of MUAs are Thunderbird, MS Outlook, and Zimbra Desktop. Web mail interfaces such as Gmail and Yahoo! Mail are also MUAs.
Mail Transfer Agent (MTA): The MTA is responsible for transferring an email from a sending mail server all the way to a recipient mail server. Examples of MTA are sendmail and postfix.
Mail Delivery Agent (MDA): Within a destination mail server, the local MTA accepts an incoming email from a remote MTA. The email is then delivered to the user's mailbox by the MDA.
POP/IMAP: POP and IMAP protocols are used to fetch emails from a recipient server's mailbox to recipient MUA.
Reference: http://xmodulo.com/how-mail-server-works.html
Question: 22
When attempting to use basic HTTP authentication to authenticate a client, which type of HTTP message should the server use?
A. HTTP 302 with an Authenticate header
B. HTTP 401 with a WWW-Authenticate header
C. HTTP 407
D. HTTP 200 with a WWW-Authenticate header
Answer: B
Question: 23
Your coworker is working on a project to prevent DDoS and ingress filtering and needs advice on the standard and associated process for a single-homed network. Which two options do you suggest? (Choose two.)
A. RFC 5735
B. RFC 3704
C. BCP 84
D. BCP 38
E. RFC 2827
Answer: D, E
Question: 24
What is the range of valid stratum numbers for NTP when configuring a Cisco IOS device as an authoritative NTP server?
A. 0 to 16
B. 1 to 15
C. 0 to 4
D. 1 to 16
Answer: B
Explanation:
When configuring a Cisco device as an NTP master, its clock becomes a reference clock for time synchronization of other devices. The stratum of the NTP master can be configured in the range 1 to 15, but it will usually be configured as stratum 1.
Reference: https://seriousnetworks.wordpress.com/2013/08/08/configuring-ntp-on-cisco-ios-devices/
Question: 25
Which statement about the DH group is true?
A. It provides data confidentiality.
B. It does not provide data authentication.
C. It is negotiated in IPsec phase 2.
D. It establishes a shared key over a secured medium.
Answer: B
Reference: https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange