Test Information:
Total Questions: 745
Test Number: 350-018
Vendor Name: Cisco
Cert Name: CCIE
Test Name: CCIE Security written (Version 4.0)
Official Site: http://www.certsgrade.com
For More Details: http://www.certsgrade.com/pdf/350-018/
Question: 1
Which statement is valid regarding SGACL?
A. SGACL mapping and policies can only be manually configured.
B. Dynamically downloaded SGACL does not override manually configured conflicting policies.
C. SGACL is access-list bound with a range of SGTs and DGTs.
D. SGACL is not a role-based access list.
Answer: C
Explanation:
A role-based access control list bound to a range of SGTs and DGTs forms an SGACL.
Question: 2
Of which IPS application is Event Store a component?
A. InterfaceApp
B. AuthenticationApp
C. SensorApp
D. NotificationApp
E. MainApp
Answer: E
Explanation:
Cisco IPS software includes the following applications:
• MainApp—Initializes the system, starts and stops the other applications, configures the OS, and performs upgrades. It contains the following components:
– ctlTransSource (Control Transaction server)—Allows sensors to send control transactions. This is used to enable the master blocking sensor capability of Attack Response Controller (formerly known as Network Access Controller).
– Event Store—An indexed store used to store IPS events (error, status, and alert system messages) that is accessible through the CLI, IDM, IME, ASDM, or SDEE.
Question: 3
Refer to the exhibit.
Which two statements about this debug output are true? (Choose two.)
A. The request is from NHC to NHS.
B. The request is from NHS to NNC.
C. 192.168.10.2 is the remote NBMA address.
D. 192.168.10.1 is the local VPN address.
E. 69.1.1.2 is the local non-routable address.
F. This debug output represents a failed NHRP request.
Answer: A, D
Question: 4
Which statement describes RA?
A. The RA is not responsible to verify users request for digital certificates.
B. The RA is part of private key infrastructure.
C. The RA has the power to accept registration requests and to issue certificates.
D. The RA only forwards the requests to the CA to issue certificates.
Answer: D
Question: 5
Refer to the exhibit.
Against which type of attack does the given configuration protect?
A. pharming
B. a botnet attack
C. phishing
D. DNS hijacking
E. DNS cache poisoning
Answer: B
Question: 6
DRAG DROP
Drag and drop the description on the left onto the associated items on the right.
Answer:
Collection of similar programs that work together to execute specific tasks – botnet
Independent malicious program copies itself from one host to another host over a network and carries other programs – Viruses
Programs that appear to have one function but actually perform a different function – Trojan horse
Programs that modify other programs and that attach themselves to other programs on execution – Worms
Question: 7
Refer to the exhibit.
Which option describes the behavior of this configuration?
A. The switch initiates the authentication.
B. The client initiates the authentication.
C. The device performs subsequent IEEE 802.1X authentication if it passed MAB authentication. If the device fails IEEE 802.1X, it will start MAB again.
D. Devices that perform IEEE 802.1X should be in the MAC address database for successful authentication.
E. IEEE 802.1X devices must first authenticate via MAB to perform subsequent IEEE 802.1X authentication. If 802.1X fails, the device is assigned to the default guest VLAN.
Answer: C
Question: 8
Which two statements about the RC4 algorithm are true? (Choose two.)
A. The RC4 algorithm is an asymmetric key algorithm.
B. In the RC4 algorithm, the 40-bit key represents four characters of ASCII code.
C. The RC4 algorithm is faster in computation than DES.
D. The RC4 algorithm uses variable-length keys.
E. The RC4 algorithm cannot be used with wireless encryption protocols.
Answer: C, D
Question: 9
Refer to the exhibit.
After setting the replay window size on your Cisco router, you received the given system message. What is the reason for the message?
A. The replay window size is set too low for the number of packets received.
B. The IPSec anti-replay feature is enabled, but the window size feature is disabled.
C. The IPSec anti-replay feature is disabled.
D. The replay window size is set too high for the number of packets received.
Answer: A
Explanation:
If your replay window size has not been set to a number that is high enough for the number of packets received, you will receive a system message such as the following:
*Nov 17 19:27:32.279: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed connection id=1
The above message is generated when a received packet is judged to be outside the anti-replay window.
Question: 10
Which two statements about IPv6 path MTU discovery are true? (Choose two.)
A. If the destination host receives an ICMPv6 Packet Too Big message from a router, it reduces its path MTU.
B. It can allow fragmentation when the minimum MTU is below a configured value.
C. The discovery packets are dropped if there is congestion on the link.
D. If the source host receives an ICMPv6 Packet Too Big message from a router, it reduces its path MTU.
E. During the discovery process, the DF bit is set to 1.
F. The initial path MTU is the same as the MTU of the original node’s link layer interface.
Answer: D, F
Explanation:
IPv6 routers do not support fragmentation or the Don't Fragment option. For IPv6, Path MTU Discovery works by initially assuming the path MTU is the same as the MTU on the link layer interface where the traffic originates. Then, similar to IPv4, any device along the path whose MTU is smaller than the packet will drop the packet and send back an ICMPv6 Packet Too Big (Type 2) message containing its MTU, allowing the source host to reduce its Path MTU appropriately. The process is repeated until the MTU is small enough to traverse the entire path without fragmentation.
Question: 11
An RSA key pair consists of a public key and a private key and is used to set up PKI. Which statement applies to RSA and PKI?
A. The public key must be included in the certificate enrollment request.
B. The RSA key-pair is a symmetric cryptography.
C. It is possible to determine the RSA key-pair private key from its corresponding public key.
D. When a router that does not have an RSA key pair requests a certificate, the certificate request is sent, but a warning is shown to generate the RSA key pair before a CA signed certificate is received.
Answer: A
Explanation:
An RSA key pair consists of a public key and a private key. When setting up your PKI, you must include the public key in the certificate enrollment request. After the certificate has been granted, the public key will be included in the certificate so that peers can use it to encrypt data that is sent to the router. The private key is kept on the router and used both to decrypt the data sent by peers and to digitally sign transactions when negotiating with peers.
Question: 12
For what reason has the IPv6 Type 0 Routing Header been recommended for deprecation?
A. When Type 0 traffic is blocked by a firewall policy, all other traffic with routing headers is dropped automatically.
B. It can conflict with ingress filtering.
C. It can create a black hole when used in combination with other routing headers.
D. Attackers can exploit its functionality to generate DoS attacks.
Answer: D
Explanation:
The functionality provided by IPv6's Type 0 Routing Header can be exploited in order to achieve traffic amplification over a remote path for the purposes of generating denial-of-service traffic. This document updates the IPv6 specification to deprecate the use of IPv6 Type 0 Routing Headers, in light of this security concern.
Reference: https://tools.ietf.org/html/rfc5095
Question: 13
Refer to the exhibit.
Which option is the reason for the failure of the DMVPN session between R1 and R2?
A. incorrect tunnel source interface on R1
B. IPsec phase-1 policy mismatch
C. tunnel mode mismatch
D. IPsec phase-2 policy mismatch
E. IPsec phase-1 configuration missing peer address on R2
Answer: B
Question: 14
For which reason would an RSA key pair need to be removed?
A. The CA is under DoS attack
B. The CA has suffered a power outage
C. The existing CA is replaced, and the new CA requires newly generated keys
D. PKI architecture would never allow the RSA key pair removal
Answer: C
Explanation:
An RSA key pair may need to be removed for one of the following reasons:
• During manual PKI operations and maintenance, old RSA keys can be removed and replaced with new keys.
• An existing CA is replaced and the new CA requires newly generated keys; for example, the required key size might have changed in an organization so you would have to delete the old 1024-bit keys and generate new 2048-bit keys.
• The peer router's public keys can be deleted in order to help debug signature verification problems in IKEv1 and IKEv2. Keys are cached by default with the lifetime of the certificate revocation list (CRL) associated with the trustpoint.
Question: 15
Which encapsulation technique does VXLAN use?
A. MAC in TCP
B. MAC in MAC
C. MAC in UDP
D. MAC in GRE
Answer: C
Explanation:
VXLAN is a MAC in IP/UDP (MAC-in-UDP) encapsulation technique with a 24-bit segment identifier in the form of a VXLAN ID.
Question: 16
What are two limitations of the Atomic IP Advanced Engine? (Choose two.)
A. It has limited ability to check the fragmentation header.
B. It is unable to fire high-severity alerts for known vulnerabilities.
C. It is unable to detect IP address anomalies, including IP spoofing.
D. It is unable to inspect a packet’s length fields for bad information.
E. It is unable to detect Layer 4 attacks if the packets were fragmented by IPv6.
Answer: A, E
Explanation:
The Atomic IP Advanced engine contains the following restrictions:
• Cannot detect the Layer 4 field of the packets if the packets are fragmented so that the Layer 4 identifier does not appear in the first packet.
• Cannot detect Layer 4 attacks in flows with packets that are fragmented by IPv6 because there is no fragment reassembly.
• Cannot detect attacks with tunneled flows.
• Limited checks are provided for the fragmentation header.
• There is no support for IPv6 on the management (command and control) interface. With ASA 8.2(1), the ASA 5500 AIP SSM supports IPv6 features.
• If there are illegal duplicate headers, a signature fires, but the individual headers cannot be separately inspected.
• Anomaly detection does not support IPv6 traffic; only IPv4 traffic is directed to the anomaly detection processor.
• Rate limiting and blocking are not supported for IPv6 traffic. If a signature is configured with a block or rate limit event action and is triggered by IPv6 traffic, an alert is generated but the action is not carried out.
Question: 17
What are two advantages of SNMPv3 over SNMPv2c? (Choose two.)
A. integrity, to ensure that data has not been tampered with in transit
B. no source authentication mechanism for faster response time
C. packet replay protection mechanism removed for efficiency
D. GetBulkRequest capability, to retrieve large amounts of data in a single request
E. confidentiality via encryption of packets, to prevent man-in-the-middle attacks
Answer: A, E
Explanation:
SNMPv3 contains all the functionality of SNMPv1 and SNMPv2, but SNMPv3 has significant enhancements to administration and security. SNMPv3 is an interoperable standards-based protocol. SNMPv3 provides secure access to devices by authenticating and encrypting packets over the network.
The security features provided in SNMPv3 are as follows:
• Message integrity—Ensuring that a packet has not been tampered with in transit
• Authentication—Determining that the message is from a valid source
• Encryption—Scrambling contents of a packet to prevent it from being seen by an unauthorized source
Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4000/8-2glx/configuration/guide/snmp.pdf
Question: 18
Refer to the exhibit.
Which two statements correctly describe the debug output?
A. The remote VPN address is 180.10.10.1.
B. The message is observed on the NHS.
C. The message is observed on the NHC.
D. The remote routable address is 91.91.91.1.
E. The local non-routable address is 20.10.10.3.
F. The NHRP hold time is 3 hours.
Answer: A, C
Question: 19
Which two statements about NEAT are true? (Choose two.)
A. NEAT supports standard ACLs on the switch port.
B. NEAT is not supported on an EtherChannel port.
C. NEAT should be deployed only with autoconfiguration.
D. NEAT uses CISP (Client Information Signaling Protocol) to propagate client IP address.
E. NEAT is supported on an EtherChannel port.
Answer: B, C
Explanation:
Restrictions for Network Edge Authentication Topology:
• NEAT is not supported on an EtherChannel port.
• It is recommended that NEAT is only deployed with auto-configuration.
• This feature does not support standard ACLs on the switch port.
Reference: http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_8021x/configuration/15-2mt/sec-ieee-neat.html
Question: 20
Refer to the exhibit.
Which three descriptions of the configuration are true? (Choose three.)
A. The configuration is on the NHS.
B. The tunnel IP address represents the NBMA address.
C. This tunnel is a point-to-point GRE tunnel.
D. The tunnel is not providing peer authentication.
E. The configuration is on the NHC.
F. The tunnel encapsulates multicast traffic.
G. The tunnel provides data confidentiality.
Answer: A, F, G
Question: 21
DRAG DROP
Drag and drop the SMTP components on the left onto their corresponding roles on the right.
Answer:
MTA – Is the component responsible for moving email from the sending mail server to the recipient mail server.
MUA – Is the component that interacts with the end user.
POP/IMAP – Is the component responsible for fetching email from the recipient mail server mailbox to the recipient MUA.
MDA – Is the component responsible for moving the email from the MTA to the user mailbox in the recipient mail server.
Explanation:
The following terminology is important in understanding the operation of a mail server.
Mail User Agent (MUA): The MUA is a component which interacts with end users directly. Examples of MUA are Thunderbird, MS Outlook, Zimbra Desktop. Web mail interfaces like Gmail and Yahoo! are also MUA.
Mail Transfer Agent (MTA): The MTA is responsible for transferring an email from a sending mail server all the way to a recipient mail server. Examples of MTA are sendmail and postfix.
Mail Delivery Agent (MDA): Within a destination mail server, the local MTA accepts an incoming email from the remote MTA. The email is then delivered to the user's mailbox by the MDA.
POP/IMAP: POP and IMAP protocols are used to fetch emails from a recipient server's mailbox to the recipient MUA.
Question: 22
When attempting to use basic HTTP authentication to authenticate a client, which type of HTTP message should the server use?
A. HTTP 302 with an Authenticate header
B. HTTP 401 with a WWW-Authenticate header
C. HTTP 407
D. HTTP 200 with a WWW-Authenticate header
Answer: B
Question: 23
Your coworker is working on a project to prevent DDoS and ingress filtering and needs advice on the standard and associated process for a single-homed network. Which two options do you suggest? (Choose two.)
A. RFC 5735
B. RFC 3704
C. BCP 84
D. BCP 38
E. RFC 2827
Answer: D, E
Question: 24
What is the range of valid stratum numbers for NTP when configuring a Cisco IOS device as an authoritative NTP server?
A. 0 to 16
B. 1 to 15
C. 0 to 4
D. 1 to 16
Answer: B
Explanation:
When configuring a Cisco device as NTP master, its clock becomes a reference clock for time synchronization to other devices. The stratum of the NTP master can be configured in the range 1-15, but will usually be configured as stratum-1.
Question: 25
Which statement about the DH group is true?
A. It provides data confidentiality.
B. It does not provide data authentication.
C. It is negotiated in IPsec phase 2.
D. It establishes a shared key over a secured medium.
Answer: B