100% Pass Ensure 350-018 Dumps with Free VCE and PDF (Question 271 – Question 310)

New 350-018 exam questions from PassLeader 350-018 dumps! Welcome to download the newest PassLeader 350-018 VCE and PDF dumps: http://www.passleader.com/350-018.html (894 Q&As)

P.S. Free 350-018 dumps are available on Google Drive shared by PassLeader: https://drive.google.com/open?id=0B-ob6L_QjGLpfjE1cHRyNEtmX3JfdU9CUFlRZnVxNjZUbWxsSnBpNXM0QjZYZjBXZVgyOTQ

QUESTION 271
What is the advantage of using the ESP protocol over the AH?

A.    data confidentiality
B.    data integrity verification
C.    nonrepudiation
D.    anti-replay protection

Answer: A

QUESTION 272
What applications take advantage of a DTLS protocol?

A.    delay-sensitive applications, such as voice or video
B.    applications that require double encryption
C.    point-to-multipoint topology applications
D.    applications that are unable to use TLS

Answer: A

QUESTION 273
What mechanism does SSL use to provide confidentiality of user data?

A.    symmetric encryption
B.    asymmetric encryption
C.    RSA public-key encryption
D.    Diffie-Hellman exchange

Answer: A

QUESTION 274
What action does a RADIUS server take when it cannot authenticate the credentials of a user?

A.    An Access-Reject message is sent.
B.    An Access-Challenge message is sent, and the user is prompted to re-enter credentials.
C.    A Reject message is sent.
D.    A RADIUS start-stop message is sent via the accounting service to disconnect the session.

Answer: A

QUESTION 275
Which transport mechanism is used between a RADIUS authenticator and a RADIUS authentication server?

A.    UDP, with only the password in the Access-Request packet encrypted
B.    UDP, with the whole packet body encrypted
C.    TCP, with only the password in the Access-Request packet encrypted
D.    EAPOL, with TLS encrypting the entire packet
E.    UDP RADIUS encapsulated in the EAP mode enforced by the authentication server

Answer: A

QUESTION 276
Which three statements about the TACACS protocol are correct? (Choose three.)

A.    TACACS+ is an IETF standard protocol.
B.    TACACS+ uses TCP port 47 by default.
C.    TACACS+ is considered to be more secure than the RADIUS protocol.
D.    TACACS+ can support authorization and accounting while having another separate authentication solution.
E.    TACACS+ only encrypts the password of the user for security.
F.    TACACS+ supports per-user or per-group for authorization of router commands.

Answer: CDF

QUESTION 277
Which three EAP methods require a server-side certificate? (Choose three.)

A.    PEAP with MS-CHAPv2
B.    EAP-TLS
C.    EAP-FAST
D.    EAP-TTLS
E.    EAP-GTP

Answer: ABD

QUESTION 278
Which statement is true about EAP-FAST?

A.    It supports Windows single sign-on.
B.    It is a proprietary protocol.
C.    It requires a certificate only on the server side.
D.    It does not support an LDAP database.

Answer: A

QUESTION 279
Which four attributes are identified in an X.509v3 basic certificate field? (Choose four.)

A.    key usage
B.    certificate serial number
C.    issuer
D.    subject name
E.    signature algorithm identifier
F.    CRL distribution points
G.    subject alt name

Answer: BCDE

QUESTION 280
What is the purpose of the OCSP protocol?

A.    checks the revocation status of a digital certificate
B.    submits a certificate signing request
C.    verifies a signature of a digital certificate
D.    protects a digital certificate with its private key

Answer: A

QUESTION 281
What are two reasons for a certificate to appear in a CRL? (Choose two.)

A.    CA key compromise
B.    cessation of operation
C.    validity expiration
D.    key length incompatibility
E.    certification path invalidity

Answer: AB

QUESTION 282
Which transport method is used by the IEEE 802.1X protocol?

A.    EAPOL frames
B.    802.3 frames
C.    UDP RADIUS datagrams
D.    PPPoE frames

Answer: A

QUESTION 283
Which encryption mechanism is used in WEP?

A.    RC4
B.    RC5
C.    DES
D.    AES

Answer: A

QUESTION 284
Which three statements about Security Group Tag Exchange Protocol are true? (Choose three.)

A.    SXP runs on UDP port 64999.
B.    A connection is established between a “listener” and a “speaker”.
C.    It propagates the IP-to-SGT binding table across network devices that do not have the ability to perform SGT tagging at Layer 2 to devices that support it.
D.    SXP is supported across multiple hops.
E.    SXPv2 introduces connection security via TLS.

Answer: BCD

QUESTION 285
What does the SXP protocol exchange between peers?

A.    IP to SGT binding information
B.    MAC to SGT binding information
C.    ingress port to SGT binding information
D.    ingress switch to SGT binding information

Answer: A

QUESTION 286
What is a primary function of the SXP protocol?

A.    to extend a TrustSec domain on switches that do not support packet tagging with SGTs
B.    to map the SGT tag to VLAN information
C.    to allow the SGT tagged packets to be transmitted on trunks
D.    to exchange the SGT information between different TrustSec domains

Answer: A

QUESTION 287
In RFC 4034, DNSSEC introduced which four new resource record types? (Choose four.)

A.    DNS Public Key (DNSKEY)
B.    Next Secure (NSEC)
C.    Resource Record Signature (RRSIG)
D.    Delegation Signer (DS)
E.    Top Level Domain (TLD)
F.    Zone Signing Key (ZSK)

Answer: ABCD

QUESTION 288
What functionality is provided by DNSSEC?

A.    origin authentication of DNS data
B.    data confidentiality of DNS queries and answers
C.    access restriction of DNS zone transfers
D.    storage of the certificate records in a DNS zone file

Answer: A

QUESTION 289
How are the username and password transmitted if a basic HTTP authentication is used?

A.    Base64 encoded username and password
B.    MD5 hash of the combined username and password
C.    username in cleartext and MD5 hash of the password
D.    cleartext username and password

Answer: A

QUESTION 290
Which field in an HTTPS server certificate is compared to a server name in the URL?

A.    Common Name
B.    Issuer Name
C.    Organization
D.    Organizational Unit

Answer: A

QUESTION 291
Which transport type is used by the DHCP protocol?

A.    UDP ports 67 and 69
B.    TCP ports 67 and 68
C.    UDP and TCP port 67
D.    UDP ports 67 and 68

Answer: D

QUESTION 292
Which domain is used for a reverse lookup of IPv4 addresses?

A.    in-addr.arpa
B.    ip4.arpa
C.    in-addr.net
D.    ip4.net

Answer: A

QUESTION 293
Which port or ports are used for the FTP data channel in passive mode?

A.    random TCP ports
B.    TCP port 21 on the server side
C.    TCP port 21 on the client side
D.    TCP port 20 on the server side
E.    TCP port 20 on the client side

Answer: A

QUESTION 294
Why do firewalls need to specially treat an active mode FTP session?

A.    The data channel is originating from a server side.
B.    The FTP client opens too many concurrent data connections.
C.    The FTP server sends chunks of data that are too big.
D.    The data channel is using a 7-bit transfer mode.

Answer: A

QUESTION 295
Which statement is true about the TFTP protocol?

A.    The client is unable to get a directory listing from the server.
B.    The client is unable to create a new file on a server.
C.    The client needs to log in with a username and password.
D.    The client needs to log in using “anonymous” as a username and specifying an email address as a password.

Answer: A

QUESTION 296
Which NTP stratum level means that the clock is unsynchronized?

A.    0
B.    1
C.    8
D.    16

Answer: D

QUESTION 297
Which statement is true about an NTP server?

A.    It answers using UTC time.
B.    It uses the local time of the server with its time zone indication.
C.    It uses the local time of the server and does not indicate its time zone.
D.    It answers using the time zone of the client.

Answer: A

QUESTION 298
Refer to the exhibit. What is this configuration designed to prevent?
[Exhibit image not included]

A.    Man in the Middle Attacks
B.    DNS Inspection
C.    Backdoor control channels for infected hosts
D.    Dynamic payload inspection

Answer: C

QUESTION 299
Which statement is true about an SNMPv2 communication?

A.    The whole communication is not encrypted.
B.    Only the community field is encrypted.
C.    Only the query packets are encrypted.
D.    The whole communication is encrypted.

Answer: A

QUESTION 300
Refer to the exhibit. What does this configuration prevent?
[Exhibit image not included]

A.    HTTP downloads of files with the “.bat” extension on all interfaces
B.    HTTP downloads of files with the “.batch” extension on the inside interface
C.    FTP commands of GET or PUT for files with the “.bat” extension on all interfaces
D.    FTP commands of GET or PUT for files with the “.batch” extension on the inside interface

Answer: C

QUESTION 301
Which four functionalities are built into the ISE? (Choose four.)

A.    Profiling Server
B.    Profiling Collector
C.    RADIUS AAA for Device Administration
D.    RADIUS AAA for Network Access
E.    TACACS+ for Device Administration
F.    TACACS+ for Network Access
G.    Guest Lifecycle Management

Answer: ABDG

QUESTION 302
Which statement is correct about the Cisco IOS Control Plane Protection feature?

A.    Control Plane Protection is restricted to the IPv4 or IPv6 input path.
B.    Traffic that is destined to the router with IP options will be redirected to the host control plane.
C.    Disabling CEF will remove all active control-plane protection policies. Aggregate control-plane policies will continue to operate.
D.    The open-port option of a port-filtering policy allows access to all TCP/UDP based services that are configured on the router.

Answer: C

QUESTION 303
Which Category to Protocol mapping for NBAR is correct?

A.    Category: Enterprise Applications
Protocol: Citrix ICA, PCAnywhere, SAP, IMAP
B.    Category: Internet
Protocol: FTP, HTTP, TFTP
C.    Category: Network Management
Protocol: ICMP, SNMP, SSH, Telnet
D.    Category: Network Mail Services
Protocol: MAPI, POP3, SMTP

Answer: B

QUESTION 304
Which two options correctly describe Remote Triggered Black Hole Filtering (RFC 5635)? (Choose two.)

A.    RTBH destination based filtering can drop traffic destined to a host based on triggered entries in the FIB
B.    RTBH source based filtering will drop traffic from a source destined to a host based on triggered entries in the RIB
C.    Loose uRPF must be used in conjunction with RTBH destination based filtering
D.    Strict uRPF must be used in conjunction with RTBH source based filtering
E.    RTBH uses a discard route on the edge devices of the network and a route server to send triggered route updates
F.    When setting the BGP community attribute in a route-map for RTBH use the no-export community unless BGP confederations are used then use local-as to advertise to sub-as confederations

Answer: AE

QUESTION 305
A Cisco IOS router is configured as follows:
ip dns spoofing 192.168.20.1
What will the router respond with when it receives a DNS query for its own host name?

A.    The router will respond with the IP address of the incoming interface.
B.    The router will respond with 192.168.20.1 only if the outside interface is down.
C.    The router will respond with 192.168.20.1.
D.    The router will ignore the DNS query and forward it directly to the DNS server.

Answer: A
Explanation:
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_dns/configuration/12-4t/dns-12-4t-book/dns-config-dns.html#GUID-5C6DC8F0-15ED-45DB-8D16-88E0198A01E4

QUESTION 306
Which configuration is the correct way to change a GET VPN Key Encryption Key lifetime to 10800 seconds on the key server?

A.    crypto isakmp policy 1
lifetime 10800
B.    crypto ipsec security-association lifetime seconds 10800
C.    crypto ipsec profile getvpn-profile
set security-association lifetime seconds 10800
!
crypto gdoi group GET-Group
identity number 1234
server local
sa ipsec 1
profile getvpn-profile
D.    crypto gdoi group GET-Group
identity number 1234
server local
rekey lifetime seconds 10800
E.    crypto gdoi group GET-Group
identity number 1234
server local
set security-association lifetime seconds 10800

Answer: D

QUESTION 307
A Cisco Easy VPN software client is unable to access its local LAN devices once the VPN tunnel is established. How can this issue be resolved?

A.    The IP address that is assigned by the Cisco Easy VPN Server to the client must be on the same network as the local LAN of the client.
B.    The Cisco Easy VPN Server should apply split-tunnel-policy excludespecified with a split-tunnel-list containing the local LAN addresses that are relevant to the client.
C.    The Cisco Easy VPN Server must push down an interface ACL that permits the traffic to the local LAN from the client.
D.    The Cisco Easy VPN Server should apply a split-tunnel-policy tunnelall policy to the client.
E.    The Cisco Easy VPN client machine needs to have multiple NICs to support this.

Answer: B

QUESTION 308
Which three routing characteristics are relevant for DMVPN Phase 3? (Choose three.)

A.    Hubs must not preserve the original IP next-hop.
B.    Hubs must preserve the original IP next-hop.
C.    Split-horizon must be turned off for RIP and EIGRP.
D.    Spokes are only routing neighbors with hubs.
E.    Spokes are routing neighbors with hubs and other spokes.
F.    Hubs are routing neighbors with other hubs and must use the same routing protocol as that used on hub-spoke tunnels.

Answer: ACD

QUESTION 309
Using Cisco IOS, which two object-group options will permit networks 10.1.1.0/24 and 10.1.2.0/24 to host 192.168.5.1 port 80 and 443? (Choose 2.)

A.    object-group network SOURCE
range 10.1.1.0 10.1.2.255
object-group network DESTINATION
host 192.168.5.1
object-group service HTTP
tcp eq www
tcp eq 443
tcp source gt 1024
!
access-list 101 permit object-group HTTP object-group SOURCE object-group DESTINATION
B.    object-group network SOURCE
10.1.1.0 0.0.0.255
10.1.2.0 0.0.0.255
object-group network DESTINATION
host 192.168.5.1
object-group service HTTP
tcp eq www
tcp eq 443
!
ip access-list extended ACL-NEW
permit object-group SOURCE object-group DESTINATION object-group HTTP
C.    object-group network SOURCE
10.1.1.0 255.255.255.0
10.1.2.0 255.255.255.0
object-group network DESTINATION
host 192.168.5.1
object-group service HTTP
tcp eq www
tcp eq 443
!
ip access-list extended ACL-NEW
permit object-group SOURCE object-group DESTINATION object-group HTTP
D.    object-group network SOURCE
10.1.1.0 255.255.255.0
10.1.2.0 255.255.255.0
object-group network DESTINATION
host 192.168.5.1
object-group service HTTP
tcp eq www
tcp eq 443
tcp source gt 1024
!
ip access-list extended ACL-NEW
permit object-group HTTP object-group SOURCE object-group DESTINATION

Answer: AD

QUESTION 310
Which MPLS label is the signaled value to activate PHP (penultimate hop popping)?

A.    0x00
B.    php
C.    swap
D.    push
E.    imp-null

Answer: E

