
Cisco 350-018

CCIE Security Exam (4.0)


Version: 26.0

Cisco 350-018 Exam


Topic 1, Infrastructure, Connectivity, Communications, and Network Security

QUESTION NO: 1
Which three statements about VXLANs are true? (Choose three.)
A.
It requires that IP protocol 8472 be opened to allow traffic through a firewall.
B.
Layer 2 frames are encapsulated in IP, using a VXLAN ID to identify the source VM.
C.
A VXLAN gateway maps VXLAN IDs to VLAN IDs.
D.
IGMP join messages are sent by new VMs to determine the VXLAN multicast IP.
E.
A VXLAN ID is a 32-bit value.

Answer: B,C,D
Explanation:

Each VXLAN segment, or VNID, is mapped to an IP multicast group in the transport IP network.
Each VTEP device is independently configured and joins this multicast group as an IP host
through the Internet Group Management Protocol (IGMP). The IGMP joins trigger Protocol
Independent Multicast (PIM) joins and signaling through the transport network for the particular
multicast group. The multicast distribution tree for this group is built through the transport network
based on the locations of participating VTEPs.

QUESTION NO: 2
In order to reassemble IP fragments into a complete IP datagram, which three IP header fields are
referenced by the receiver? (Choose three.)
A.
don't fragment flag
B.
packet is fragmented flag
"Pass Any Exam. Any Time." - www.actualtests.com

Cisco 350-018 Exam


C.
IP identification field
D.
more fragment flag
E.
number of fragments field
F.
fragment offset field

Answer: C,D,F
Explanation:

QUESTION NO: 3
Which VTP mode allows the Cisco Catalyst switch administrator to make changes to the VLAN
configuration that only affect the local switch and are not propagated to other switches in the VTP
domain?
A.
transparent
B.
server
"Pass Any Exam. Any Time." - www.actualtests.com

Cisco 350-018 Exam


C.
client
D.
local
E.
pass-through

Answer: A
Explanation:

VTP transparent network devices do not participate in VTP. A VTP transparent network device
does not advertise its VLAN configuration and does not synchronize its VLAN configuration based
on received advertisements. However, in VTP version 2, a transparent network device will forward
received VTP advertisements from its trunking LAN ports. In VTP version 3, a transparent network
device is specific to an instance.

QUESTION NO: 4
Which type of VPN is based on the concept of trusted group members using the GDOI key
management protocol?
A.
DMVPN
B.
SSLVPN
C.
GETVPN
D.
EzVPN
E.
MPLS VPN
F.
FlexVPN

Answer: C
"Pass Any Exam. Any Time." - www.actualtests.com

Cisco 350-018 Exam


Explanation:
Cisco IOS GETVPN is a tunnel-less VPN technology that provides end-to-end security for
network traffic in a native mode while maintaining the fully meshed topology. Cisco IOS GETVPN
uses Group Domain of Interpretation (GDOI) as the keying protocol and IPsec for encryption.

QUESTION NO: 5
Based on RFC 4890, what is the ICMP type and code that should never be dropped by the firewall
to allow PMTUD?
A.
ICMPv6 Type 1 Code 0 no route to host
B.
ICMPv6 Type 1 Code 1 communication with destination administratively prohibited
C.
ICMPv6 Type 2 Code 0 packet too big
D.
ICMPv6 Type 3 Code 1 fragment reassembly time exceeded
E.
ICMPv6 Type 128 Code 0 echo request
F.
ICMPv6 Type 129 Code 0 echo reply

Answer: C
Explanation:

Error message | Type field | Code field | Description
Packet too big | 2 | 0 | A packet too big message is sent by a router in response to a packet that it cannot forward because the packet is larger than the MTU size of the outgoing link.

"Pass Any Exam. Any Time." - www.actualtests.com

Cisco 350-018 Exam


QUESTION NO: 6
A firewall rule that filters on the protocol field of an IP packet is acting on which layer of the OSI
reference model?
A.
network layer
B.
application layer
C.
transport layer
D.
session layer

Answer: A
Explanation:

"Pass Any Exam. Any Time." - www.actualtests.com

Cisco 350-018 Exam


QUESTION NO: 7
Which layer of the OSI model is referenced when utilizing http inspection on the Cisco ASA to filter
Instant Messaging or Peer to Peer networks with the Modular Policy Framework?
A.
application layer
B.
presentation layer
C.
network layer
D.
transport layer

Answer: A
Explanation:

Use the HTTP inspection engine to protect against specific attacks and other threats that may be
associated with HTTP traffic. HTTP inspection performs several functions:

Enhanced HTTP inspection

URL screening through N2H2 or Websense

Java and ActiveX filtering


The latter two features are configured in conjunction with Filter rules.
The enhanced HTTP inspection feature, which is also known as an application firewall and is
available when you configure an HTTP inspect map (see the "HTTP Class Map" section), can help
prevent attackers from using HTTP messages for circumventing network security policy. It verifies
the following for all HTTP messages:

Conformance to RFC 2616

Use of RFC-defined methods only.

Compliance with the additional criteria.


"Pass Any Exam. Any Time." - www.actualtests.com

Cisco 350-018 Exam


All of this happens at the application layer.
References:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa80/asdm60/user/guide/usrguide/inspctrl.html#wp1145220

QUESTION NO: 8
When a Cisco IOS Router receives a TCP packet with a TTL value less than or equal to 1, what
will it do?
A.
Route the packet normally
B.
Drop the packet and reply with an ICMP Type 3, Code 1 (Destination Unreachable, Host
Unreachable)
C.
Drop the packet and reply with an ICMP Type 11, Code 0 (Time Exceeded, Hop Count Exceeded)
D.
Drop the packet and reply with an ICMP Type 14, Code 0 (Timestamp Reply)

Answer: C
Explanation:

TTL means Time To Live. Each router that forwards a packet decrements its TTL by 1, so a packet
that arrives with a TTL of 1 (or less) cannot be forwarded to the next router; the router drops it and
replies to the source with an ICMP Time Exceeded message (Type 11, Code 0).

QUESTION NO: 9
In an 802.11 WLAN, which option is the Layer 2 identifier of a basic service set, and also is
typically the MAC address of the radio of the access point?
A.
"Pass Any Exam. Any Time." - www.actualtests.com

Cisco 350-018 Exam


BSSID
B.
SSID
C.
VBSSID
D.
MBSSID

Answer: A
Explanation:

Each BSS is uniquely identified by a basic service set identification (BSSID). For a BSS operating in
infrastructure mode, the BSSID is the MAC address of the wireless access point (WAP), generated
by combining the 24-bit Organizationally Unique Identifier (the manufacturer's identity) and the
manufacturer's assigned 24-bit identifier for the radio chipset in the WAP. The BSSID is the formal
name of the BSS and is always associated with only one BSS.

QUESTION NO: 10
What term describes an access point which is detected by your wireless network, but is not a
trusted or managed access point?
A.
rogue
B.
unclassified
C.
interferer
D.
malicious

Answer: A
Explanation:
A rogue access point, also called a rogue AP, is any Wi-Fi access point that is installed on a network
"Pass Any Exam. Any Time." - www.actualtests.com

Cisco 350-018 Exam


but is not authorized for operation on that network, and is not under the management of the
network administrator.

QUESTION NO: 11
A router has four interfaces addressed as 10.1.1.1/24, 10.1.2.1/24, 10.1.3.1/24, and 10.1.4.1/24.
What is the smallest summary route that can be advertised covering these four subnets?
A.
10.1.2.0/22
B.
10.1.0.0/22
C.
10.1.0.0/21
D.
10.1.0.0/16

Answer: C
Explanation:

Each interface has been assigned an IP address from its own /24. The address ranges on the four interfaces are
10.1.1.1-10.1.1.255, 10.1.2.1-10.1.2.255, 10.1.3.1-10.1.3.255 and 10.1.4.1-10.1.4.255. Checking each
option against these ranges:
Option A: 10.1.2.0/22 covers 10.1.0.0-10.1.3.255 (10.1.2.0 is not on a /22 boundary, so this prefix is
really 10.1.0.0/22), which does not include 10.1.4.1/24. Wrong.
Option B: 10.1.0.0/22 is the same range as option A. Wrong.
Option C: 10.1.0.0/21 covers 10.1.0.0-10.1.7.255, which includes all four subnets, but the remaining
option has to be checked as well.
Option D: 10.1.0.0/16 covers 10.1.0.0-10.1.255.255, which also includes the four subnets, but option C
is the correct answer because it is the smallest (most specific) summary that still covers all of them.

"Pass Any Exam. Any Time." - www.actualtests.com

10

Cisco 350-018 Exam


QUESTION NO: 12
Which two address translation types can map a group of private addresses to a smaller group of
public addresses? (Choose two.)
A.
static NAT
B.
dynamic NAT
C.
dynamic NAT with overloading
D.
PAT
E.
VAT

Answer: C,D
Explanation:

Dynamic NAT with overload: changes the SOURCE address so that traffic going to the Internet can
find its way BACK.
Port address translation: changes the DESTINATION address so that traffic from the Internet to an
internal server can reach it.

QUESTION NO: 13
Which authentication mechanism is available to OSPFv3?
A.
simple passwords
B.
MD5
C.
null
D.
"Pass Any Exam. Any Time." - www.actualtests.com

11

Cisco 350-018 Exam


IKEv2
E.
IPsec AH/ESP

Answer: E
Explanation:

In order to ensure that OSPFv3 packets are not altered and re-sent to the device, causing the
device to behave in a way not desired by its system administrators, OSPFv3 packets must be
authenticated. OSPFv3 uses the IPsec secure socket API to add authentication to OSPFv3
packets. This API supports IPv6.
OSPFv3 requires the use of IPsec to enable authentication. Crypto images are required to use
authentication, because only crypto images include the IPsec API needed for use with OSPFv3.
In OSPFv3, authentication fields have been removed from OSPFv3 packet headers. When
OSPFv3 runs on IPv6, OSPFv3 requires the IPv6 authentication header (AH) or IPv6 ESP header
to ensure integrity, authentication, and confidentiality of routing exchanges. IPv6 AH and ESP
extension headers can be used to provide authentication and confidentiality to OSPFv3.
References: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_ospf/configuration/15-sy/iro15-sy-book/ip6-route-ospfv3-auth-ipsec.html

QUESTION NO: 14
Which two IPv6 tunnel types support only point-to-point communication? (Choose two.)
A.
manually configured
B.
automatic 6to4
C.
ISATAP
D.
GRE

Answer: A,D
"Pass Any Exam. Any Time." - www.actualtests.com

12

Cisco 350-018 Exam


Explanation:

Tunneling Type | Suggested Usage | Usage Notes
Manual | Simple point-to-point tunnels that can be used within a site or between sites | Can carry IPv6 packets only.
GRE- and IPv4-compatible | Simple point-to-point tunnels that can be used within a site or between sites | Can carry IPv6, Connectionless Network Service (CLNS), and many other types of packets.
IPv4-compatible | Point-to-multipoint tunnels | Uses the ::/96 prefix. We do not recommend using this tunnel type.
6to4 | Point-to-multipoint tunnels that can be used to connect isolated IPv6 sites | Sites use addresses from the 2002::/16 prefix.
ISATAP | Point-to-multipoint tunnels that can be used to connect systems within a site | Sites can use any IPv6 unicast addresses.
References:
http://www.cisco.com/c/en/us/td/docs/ios/ipv6/configuration/guide/12_4t/ipv6_12_4t_book/ip6tunnel.html

QUESTION NO: 15
"Pass Any Exam. Any Time." - www.actualtests.com

13

Cisco 350-018 Exam


Which two EIGRP packet types are considered to be unreliable packets? (Choose two.)
A.
update
B.
query
C.
reply
D.
hello
E.
acknowledgement

Answer: D,E
Explanation:

Hello Packets - EIGRP sends Hello packets once it has been enabled on a router for a particular
network. These messages are used to identify neighbors and, once identified, serve or function as
a keepalive mechanism between neighboring devices. EIGRP Hello packets are sent to the link-local
multicast group address 224.0.0.10. Hello packets sent by EIGRP do not require an
acknowledgment to be sent confirming that they were received. Because they require no explicit
acknowledgment, Hello packets are classified as unreliable EIGRP packets. EIGRP Hello packets
have an OPCode of 5.
Acknowledgement Packets - An EIGRP Acknowledgment (ACK) packet is simply an EIGRP Hello
packet that contains no data. Acknowledgement packets are used by EIGRP to confirm reliable
delivery of EIGRP packets. ACKs are always sent to a unicast address, which is the source
address of the sender of the reliable packet, and not to the EIGRP multicast group address. In
addition, Acknowledgement packets will always contain a non-zero acknowledgment number. The
ACK uses the same OPCode as the Hello packet because it is essentially just a Hello that
contains no information. The OPCode is 5.

QUESTION NO: 16
Before BGP update messages may be sent, a neighbor must stabilize into which neighbor state?
A.
Active
"Pass Any Exam. Any Time." - www.actualtests.com

14

Cisco 350-018 Exam


B.
Idle
C.
Connected
D.
Established

Answer: D
Explanation:

Established State: connection between neighbors established.
This is the state in which BGP can exchange information between the peers. The information can
be updates, keepalives, or notifications.

QUESTION NO: 17
Which three statements are correct when comparing Mobile IPv6 and Mobile IPv4 support?
(Choose three.)
A.
Mobile IPv6 does not require a foreign agent, but Mobile IPv4 does.
B.
Mobile IPv6 supports route optimization as a fundamental part of the protocol; IPv4 requires
extensions.
C.
Mobile IPv6 and Mobile IPv4 use a directed broadcast approach for home agent address
discovery.
D.
Mobile IPv6 makes use of its own routing header; Mobile IPv4 uses only IP encapsulation.
E.
Mobile IPv6 and Mobile IPv4 use ARP for neighbor discovery.
F.
Mobile IPv4 has adopted the use of IPv6 ND.

"Pass Any Exam. Any Time." - www.actualtests.com

15

Cisco 350-018 Exam


Answer: A,B,D
Explanation:
References:
http://www.ns2.szm.com/PPS/Compare%20Mobile%20IPv4%20and%20Mobile%20IPv6.rtf

QUESTION NO: 18
Which three statements are true about MACsec? (Choose three.)
A.
It supports GCM modes of AES and 3DES.
B.
It is defined under IEEE 802.1AE.
C.
It provides hop-by-hop encryption at Layer 2.
D.
MACsec expects a strict order of frames to prevent anti-replay.
E.
MKA is used for session and encryption key management.
F.
It uses EAP PACs to distribute encryption keys.

Answer: B,C,E
Explanation:
MACsec is the IEEE 802.1AE standard for authenticating and encrypting packets between two
MACsec-capable devices. The Catalyst 4500 series switch supports 802.1AE encryption with
MACsec Key Agreement (MKA) on downlink ports for encryption between the switch and host
devices. The switch also supports MACsec link layer switch-to-switch security by using Cisco
TrustSec Network Device Admission Control (NDAC) and the Security Association Protocol (SAP)
key exchange. Link layer security can include both packet authentication between switches and
MACsec encryption between switches (encryption is optional).

QUESTION NO: 19
Troubleshooting the web authentication fallback feature on a Cisco Catalyst switch shows that
clients with the 802.1X supplicant are able to authenticate, but clients without the supplicant are
not able to use web authentication. Which configuration option will correct this issue?
A.
switch(config)# aaa accounting auth-proxy default start-stop group radius
B.
switch(config-if)# authentication host-mode multi-auth
C.
switch(config-if)# webauth
D.
switch(config)# ip http server
E.
switch(config-if)# authentication priority webauth dot1x

Answer: D
Explanation:

Switch(config)# ip http server
or
Switch(config)# ip domain-name domain_name
(HTTP only) Enable the HTTP server on the switch. By default, the HTTP server is disabled.
Enable the domain name on the switch to configure HTTPS.

QUESTION NO: 20
Refer to the exhibit.

"Pass Any Exam. Any Time." - www.actualtests.com

17

Cisco 350-018 Exam

Which route will be advertised by the Cisco ASA to its OSPF neighbors?
A.
10.39.23.0/24
B.
10.40.29.0/24
C.
10.66.42.215/32
D.
10.40.29.0/24

Answer: A
Explanation:
References:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/general/asa_91_general_config/route_ospf.html

QUESTION NO: 21
Which three configuration components are required to implement QoS policies on Cisco routers
using MQC? (Choose three.)
A.
class-map
B.
global-policy
C.
policy-map
D.
service-policy
E.
inspect-map

Answer: A,C,D
Explanation:
To configure a traffic policy (sometimes also referred to as a policy map), use the policy-map
command. The policy-map command allows you to specify the traffic policy name and also
allows you to enter policy-map configuration mode (a prerequisite for enabling QoS features such
as traffic policing or traffic shaping).
Associate the Traffic Policy with the Traffic Class
After using the policy-map command, use the class command to associate the traffic class with the
traffic policy.
The syntax of the class command is as follows:
class class-name
no class class-name
For the class-name argument, use the name of the class you created when you used the class-map
command to create the traffic class.
After entering the class command, you are automatically in policy-map class configuration mode.
The policy-map class configuration mode is the mode used for enabling the specific QoS features.

"Pass Any Exam. Any Time." - www.actualtests.com

19

Cisco 350-018 Exam

QUESTION NO: 22
Which type of PVLAN ports can communicate among themselves and with the promiscuous port?
A.
isolated
B.
community
C.
primary
D.
secondary
E.
protected

Answer: B
Explanation:

A promiscuous port can communicate with all interfaces, including the isolated and community ports
within a PVLAN.

QUESTION NO: 23
Which of the following provides the features of route summarization, assignment of contiguous
blocks of addresses, and combining routes for multiple classful networks into a single route?
A.
classless interdomain routing
B.
route summarization
C.
supernetting
D.
"Pass Any Exam. Any Time." - www.actualtests.com

20

Cisco 350-018 Exam


private IP addressing

Answer: A
Explanation:
CIDR (Classless Inter-Domain Routing, sometimes known as supernetting) is a way to allocate
and specify the Internet addresses used in inter-domain routing more flexibly than with the original
system of Internet Protocol (IP) address classes.

QUESTION NO: 24
Aggregate global IPv6 addresses begin with which bit pattern in the first 16-bit group?
A.
000/3
B.
001/3
C.
010/2
D.
011/2

Answer: B
Explanation:

The IPv6 address that is unique to the Internet is called an aggregate global unicast address. Its
components are summarized by the following bit allocation:
A fixed prefix of 001: 3 bits
IANA-allocated prefix: 45 bits
Site-level aggregator: 16 bits
Interface: 64 bits

"Pass Any Exam. Any Time." - www.actualtests.com

21

Cisco 350-018 Exam

QUESTION NO: 25
Which layer of the OSI reference model typically deals with the physical addressing of interface
cards?
A.
physical layer
B.
data-link layer
C.
network layer
D.
host layer

Answer: B
Explanation:
The media access control methods described by the Data Link layer protocols define the
processes by which network devices can access the network media and transmit frames in diverse
network environments.

QUESTION NO: 26
Which statement best describes a key difference in IPv6 fragmentation support compared to IPv4?
A.
In IPv6, IP fragmentation is no longer needed because all Internet links must have an IP MTU of
1280 bytes or greater.
B.
In IPv6, PMTUD is no longer performed by the source node of an IP packet.
C.
In IPv6, IP fragmentation is no longer needed since all nodes must perform PMTUD and send
packets equal to or smaller than the minimum discovered path MTU.
D.
"Pass Any Exam. Any Time." - www.actualtests.com

22

Cisco 350-018 Exam


In IPv6, PMTUD is no longer performed by any node since the don't fragment flag is removed from
the IPv6 header.
E.
In IPv6, IP fragmentation is performed only by the source node of a large packet, and not by any
other devices in the data path.

Answer: E
Explanation:
In IPv6, IP fragmentation is performed only by the source node of a large packet, and not by any
other devices in the data path.

QUESTION NO: 27
Refer to the exhibit.

It shows the format of an IPv6 Router Advertisement packet. If the Router Lifetime value is set to
0, what does that mean?
A.
The router that is sending the RA is not the default router.
B.
The router that is sending the RA is the default router.
C.
The router that is sending the RA will never power down.
D.
The router that is sending the RA is the NTP master.
"Pass Any Exam. Any Time." - www.actualtests.com

23

Cisco 350-018 Exam


E.
The router that is sending the RA is a certificate authority.
F.
The router that is sending the RA has its time synchronized to an NTP source.

Answer: A
Explanation:

Router Lifetime: Tells the host receiving this message how long, in seconds, this router should be
used as a default router. If 0, tells the host this router should not be used as a default router.
References:
http://www.tcpipguide.com/free/t_ICMPv6RouterAdvertisementandRouterSolicitationMess-2.htm

QUESTION NO: 28
If a host receives a TCP packet with an SEQ number of 1234, an ACK number of 5678, and a
length of 1000 bytes, what will it send in reply?
A.
a TCP packet with SEQ number: 6678, and ACK number: 1234
B.
a TCP packet with SEQ number: 2234, and ACK number: 5678
C.
a TCP packet with SEQ number: 1234, and ACK number: 2234
D.
a TCP packet with SEQ number: 5678, and ACK number2234

Answer: D
Explanation:
The reply acknowledges the received data, so its ACK number is the received SEQ number plus the
segment length, i.e. 1234 + 1000 = 2234, and its own SEQ number is the received ACK number, 5678.

"Pass Any Exam. Any Time." - www.actualtests.com

24

Cisco 350-018 Exam

QUESTION NO: 29
A network administrator uses a LAN analyzer to troubleshoot OSPF router exchange messages
sent to all OSPF routers. To which one of these MAC addresses are these messages sent?
A.
00-00-1C-EF-00-00
B.
01-00-5E-00-00-05
C.
01-00-5E-EF-00-00
D.
EF-FF-FF-00-00-05
E.
EF-00-00-FF-FF-FF
F.
FF-FF-FF-FF-FF-FF

Answer: B
Explanation:

OSPF uses IP multicast to exchange Hello packets and Link State Updates. An IP multicast
address is implemented using class D addresses. A class D address ranges from 224.0.0.0 to
239.255.255.255.

Some special IP multicast addresses are reserved for OSPF:


The mapping between IP multicast addresses and MAC addresses has the following rule:
For multiaccess networks that support multicast, the low-order 23 bits of the IP address are used
"Pass Any Exam. Any Time." - www.actualtests.com

25

Cisco 350-018 Exam


as the low-order bits of the MAC multicast address 01-00-5E-00-00-00. For example:
OSPF uses broadcast on Token Ring networks.
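As an added illustration (not part of the exam material), the following Python applies the 23-bit rule above and also shows its consequence: 32 different group addresses, such as 224.0.0.5 (OSPF's AllSPFRouters group, which is what the MAC 01-00-5E-00-00-05 in the answer corresponds to) and 225.0.0.5, share one MAC address, so a NIC's hardware multicast filter alone cannot tell them apart and the IP layer still has to check the group address.

```python
# Added example, not from the exam material: apply the IPv4 multicast-to-MAC
# rule (01-00-5E + fixed 0 bit + low-order 23 bits of the group address) and
# show which groups end up sharing one Ethernet address.
import ipaddress

MULTICAST_OUI = 0x01005E  # 01-00-5E, the IANA-assigned multicast OUI


def multicast_ip_to_mac(group: str) -> str:
    """Return the destination MAC (xx-xx-xx-xx-xx-xx) used for an IPv4 multicast group."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not a class D (224.0.0.0/4) address")
    low23 = int(addr) & 0x7FFFFF            # keep only the low-order 23 bits
    mac = (MULTICAST_OUI << 24) | low23     # bit 23 of the lower half stays 0
    return "-".join(f"{(mac >> shift) & 0xFF:02X}" for shift in range(40, -1, -8))


def groups_sharing_mac(group: str) -> list:
    """List the 32 IPv4 multicast groups that map to the same MAC as `group`.

    The class D prefix takes 4 bits and only 23 bits reach the MAC, so the 5
    bits in between (bits 23-27 of the address) are lost; 2**5 groups collide.
    """
    low23 = int(ipaddress.IPv4Address(group)) & 0x7FFFFF
    return [str(ipaddress.IPv4Address(0xE0000000 | (middle << 23) | low23))
            for middle in range(32)]


if __name__ == "__main__":
    for g in ("224.0.0.5", "224.0.0.10", "239.255.255.255"):
        print(g, "->", multicast_ip_to_mac(g))
    print("groups colliding with 224.0.0.5:", groups_sharing_mac("224.0.0.5"))
```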

QUESTION NO: 30
Which option correctly describes the security enhancement added for OSPFv3?
A.
The AuType field in OSPFv3 now supports the more secure SHA-1 and SHA-2 algorithms in
addition to MD5.
B.
The AuType field is removed from the OSPFv3 header since simple password authentication is no
longer an option.
C.
The Authentication field in OSPFv3 is increased from 64 bits to 128 bits to accommodate more
secure authentication algorithms.
D.
Both the AuType and Authentication fields are removed from the OSPF header in OSPFv3, since
now it relies on the IPv6 Authentication Header (AH) and IPv6 Encapsulating Security Payload
(ESP) to provide integrity, authentication, and/or confidentiality.
E.
The Authentication field is removed from the OSPF header in OSPFv3, because OSPFv3 must
only run inside of an authenticated IPSec tunnel.

Answer: D
Explanation:
OSPF (Open Shortest Path First) Version 2 [N1] defines the fields AuType and Authentication in
its protocol header to provide security. In OSPF for IPv6 (OSPFv3) [N2], both of the authentication
fields were removed from OSPF headers. OSPFv3 relies on the IPv6 Authentication Header (AH)
and IPv6 Encapsulating Security Payload (ESP) to provide integrity, authentication, and/or
confidentiality.
References: https://tools.ietf.org/html/rfc4552

"Pass Any Exam. Any Time." - www.actualtests.com

26

Cisco 350-018 Exam

QUESTION NO: 31
Which IPv6 tunnel type is a standard that is defined in RFC 4214?
A.
ISATAP
B.
6to4
C.
GREv6
D.
manually configured

Answer: A
Explanation:
ISATAP is an automatic overlay tunneling mechanism that uses the underlying IPv4 network as an
NBMA link layer for IPv6. ISATAP is designed for transporting IPv6 packets within a site where a
native IPv6 infrastructure is not yet available; for example, when sparse IPv6 hosts are deployed
for testing. ISATAP tunnels allow individual IPv4 or IPv6 dual-stack hosts within a site to
communicate with other such hosts on the same virtual link, basically creating an IPv6 network
using the IPv4 infrastructure.

QUESTION NO: 32
What IP protocol number is used in the protocol field of an IPv4 header, when IPv4 is used to
tunnel IPv6 packets?
A.
6
B.
27
C.
41
"Pass Any Exam. Any Time." - www.actualtests.com

27

Cisco 350-018 Exam


D.
47
E.
51

Answer: C
Explanation:
Tunneled IPv6 traffic is carried in IPv4 packets whose IP header has the protocol number set to 41.
This protocol number is specifically designated for IPv6 encapsulation.

QUESTION NO: 33
Which three statements are true about PIM-SM operations? (Choose three.)
A.
PIM-SM supports RP configuration using static RP, Auto-RP, or BSR.
B.
PIM-SM uses a shared tree that is rooted at the multicast source.
C.
Different RPs can be configured for different multicast groups to increase RP scalability.
D.
Candidate RPs and RP mapping agents are configured to enable Auto-RP.
E.
PIM-SM uses the implicit join model.

Answer: A,C,D
Explanation:
Sparse Mode (SM) is one of the operating modes of Protocol Independent Multicast (PIM). It
uses explicit Join/Prune messages and an RP instead of the broadcast-and-prune technique of
Dense Mode (DM) PIM or the Distance Vector Multicast Routing Protocol (DVMRP).
Each multicast group has a shared tree via which receivers hear of new sources and new
"Pass Any Exam. Any Time." - www.actualtests.com

28

Cisco 350-018 Exam


receivers hear of all sources. The RP is the root of this per-group shared tree, called the RP-Tree.
PIM-SM uses an RP, which is the root of the shared tree. An RP acts as the meeting point for sources
and receivers of multicast data. In a PIM-SM network, sources must send their traffic to the RP
through PIM Register messages.
There are multiple ways to spread RP information to the PIM routers that operate in SM:
References: http://www.cisco.com/c/en/us/support/docs/ip/multicast/118405-config-rp00.html

QUESTION NO: 34
An IPv6 multicast receiver joins an IPv6 multicast group using which mechanism?
A.
IGMPv3 report
B.
IGMPv3 join
C.
MLD report
D.
general query
E.
PIM join

Answer: C
Explanation:
The Multicast Listener Discovery (MLD) protocol is the multicast group management protocol for
IPv6 and is used to exchange group information between multicast hosts and routers. The MLD
protocol was designed based on IGMP, the Internet Group Management Protocol for IPv4, and the
protocol specification is the same in many points. Unlike IGMP, however, MLD is defined as part
of ICMPv6, while IGMP is defined as a separate transport layer protocol.

"Pass Any Exam. Any Time." - www.actualtests.com

29

Cisco 350-018 Exam


QUESTION NO: 35
Which option shows the correct sequence of the DHCP packets that are involved in IP address
assignment between the DHCP client and the server?
A.
REQUEST, OFFER, ACK
B.
DISCOVER, OFFER, REQUEST, ACK
C.
REQUEST, ASSIGN, ACK
D.
DISCOVER, ASSIGN, ACK
E.
REQUEST, DISCOVER, OFFER, ACK

Answer: B
Explanation:
The conversation between a DHCP client and a DHCP server to obtain an IP address automatically
completes with an exchange of four packets. These packets are:
DHCP DISCOVER
DHCP OFFER
DHCP REQUEST
DHCP ACK

QUESTION NO: 36
Which common FTP client command transmits a direct, byte-for-byte copy of a file?
A.
ascii
B.
binary
C.
"Pass Any Exam. Any Time." - www.actualtests.com

30

Cisco 350-018 Exam


hash
D.
quote
E.
glob

Answer: B
Explanation:
The binary command sets the file transfer mode to binary. Binary mode transmits all eight bits per
byte, so it gives less chance of a transmission error, and it must be used to transmit files other than
ASCII files.

QUESTION NO: 37
Which option is a desktop sharing application, used across a variety of platforms, with default TCP
ports 5800/5801 and 5900/5901?
A.
X Windows
B.
remote desktop protocol
C.
VNC
D.
desktop proxy

Answer: C
Explanation:
VNC enables you to remotely access and control your devices wherever you are in the world,
whenever you need to. VNC has a widespread user base from individuals to the world's largest
multi-national companies utilizing the technology for a range of applications.

"Pass Any Exam. Any Time." - www.actualtests.com

31

Cisco 350-018 Exam


QUESTION NO: 38
Which multicast routing mechanism is optimal to support many-to-many multicast applications?
A.
PIM-SM
B.
MOSPF
C.
DVMRP
D.
BIDIR-PIM
E.
MSDP

Answer: D
Explanation:
Bidir-PIM is a variant of the PIM suite of routing protocols for IP multicast. In PIM, packet traffic for
a multicast group is routed according to the rules of the mode configured for that multicast group.
The Cisco IOS implementation of PIM supports three modes for a multicast group:

Bidirectional mode

Dense mode

Sparse mode

QUESTION NO: 39
Which three statements regarding VLANs are true? (Choose three.)
A.
To create a new VLAN on a Cisco Catalyst switch, the VLAN name, VLAN ID and VLAN type must
all be specifically configured by the administrator.
"Pass Any Exam. Any Time." - www.actualtests.com

32

Cisco 350-018 Exam


B.
A VLAN is a broadcast domain.
C.
Each VLAN must have an SVI configured on the Cisco Catalyst switch for it to be operational.
D.
The native VLAN is used for untagged traffic on an 802.1Q trunk.
E.
VLANs can be connected across wide-area networks.

Answer: B,D,E
Explanation:
A VLAN can be thought of as a broadcast domain that exists within a defined set of switches. A
VLAN consists of a number of end systems, either hosts or network equipment (such as bridges
and routers), connected by a single bridging domain. The bridging domain is supported on various
pieces of network equipment; for example, LAN switches that operate bridging protocols between
them with a separate bridge group for each VLAN.
VLANs are created to provide the segmentation services traditionally provided by routers in LAN
configurations. VLANs address scalability, security, and network management. Routers in VLAN
topologies provide broadcast filtering, security, address summarization, and traffic flow
management. None of the switches within the defined group will bridge any frames, not even
broadcast frames, between two VLANs. Several key issues described in the following sections
need to be considered when designing and building switched LAN internetworks:

LAN Segmentation

Security

Broadcast Control

Performance

Network Management

Communication Between VLANs


LAN Segmentation
VLANs allow logical network topologies to overlay the physical switched infrastructure such that
"Pass Any Exam. Any Time." - www.actualtests.com

33

Cisco 350-018 Exam


any arbitrary collection of LAN ports can be combined into an autonomous user group or
community of interest. The technology logically segments the network into separate Layer 2
broadcast domains whereby packets are switched between ports designated to be within the same
VLAN. By containing traffic originating on a particular LAN only to other LANs in the same VLAN,
switched virtual networks avoid wasting bandwidth, a drawback inherent to traditional bridged and
switched networks in which packets are often forwarded to LANs with no need for them.
Implementation of VLANs also improves scalability, particularly in LAN environments that support
broadcast- or multicast-intensive protocols and applications that flood packets throughout the
network.

QUESTION NO: 40
Which technology, configured on the Cisco ASA, allows Active Directory authentication credentials
to be applied automatically to web forms that require authentication for clientless SSL
connections?
A.
one-time passwords
B.
certificate authentication
C.
user credentials obtained during authentication
D.
Kerberos authentication

Answer: C
Explanation:
Clientless SSL VPN connections on the ASA differ from remote-access IPsec connections, particularly in how they interact with SSL-enabled servers and in the precautions needed to reduce security risk. In a clientless SSL VPN connection the ASA acts as a proxy between the end user's web browser and the target web servers. Because the ASA already holds the username and password the user supplied when logging in to the portal, it can replay those same credentials (auto sign-on) to internal web forms that request authentication, which is what option C describes. When a user connects to an SSL-enabled web server, the ASA establishes a secure connection and validates the server SSL certificate. The browser never receives the presented certificate, so it cannot examine and validate the certificate. The current implementation of clientless SSL VPN on the ASA does not permit communication with sites that present expired certificates, nor does the ASA perform trusted-CA certificate validation for those SSL-enabled sites. Users therefore do not benefit from certificate validation of pages delivered from an SSL-enabled web server before they use a web-enabled service.

QUESTION NO: 41
In what subnet does address 192.168.23.197/27 reside?
A.
192.168.23.0
B.
192.168.23.128
C.
192.168.23.160
D.
192.168.23.192
E.
192.168.23.196

Answer: D
Explanation:
A /27 carries a 32-address block, so the blocks in the last octet start at 0, 32, 64, 96, 128, 160, 192 and 224. The address 192.168.23.197 falls in the block 192.168.23.192 to 192.168.23.223: the network address is 192.168.23.192, the usable hosts are .193 to .222, and 192.168.23.223 is the broadcast address. So the answer is D.

QUESTION NO: 42
Given the IPv4 address 10.10.100.16, which two addresses are valid IPv4-compatible IPv6
addresses? (Choose two.)
A.
:::A:A:64:10
B.
::10:10:100:16
C.
0:0:0:0:0:10:10:100:16
D.
0:0:10:10:100:16:0:0:0

Answer: B,C
Explanation:
Leading zeros within a 16-bit group may be dropped and a run of all-zero groups may be compressed to "::", so options B and C spell the same address, which is why the answer key gives B and C. Note, however, that RFC 4291 defines the IPv4-compatible IPv6 address by placing the 32-bit IPv4 address in the low-order bits, written ::10.10.100.16, which in hexadecimal is ::a0a:6410 and not ::10:10:100:16 (each decimal octet becomes one byte, not one 16-bit group). Option C as printed also has nine groups, one more than an IPv6 address allows. The IPv4-compatible format itself is deprecated; IPv4-mapped addresses (::ffff:10.10.100.16) are what implementations use today.

QUESTION NO: 43
What is the size of a point-to-point GRE header, and what is the protocol number at the IP layer?
A.
8 bytes, and protocol number 74
B.
4 bytes, and protocol number 47
C.
2 bytes, and protocol number 71
D.
24 bytes, and protocol number 1
E.
8 bytes, and protocol number 47

Answer: B
Explanation:

The basic point-to-point GRE header (RFC 2784) is 4 bytes: a 16-bit flags/version field followed by a 16-bit Protocol Type. GRE is carried directly inside IP as protocol number 47. The optional fields (Checksum, Key, Sequence Number) are appended only when the corresponding flag bit is set, so a keyed tunnel uses an 8-byte header. The layout below is the enhanced GRE header used by PPTP (RFC 2637), in which the Key field is split into Payload Length and Call ID and an Acknowledgment Number can follow:

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|C|R|K|S|s|Recur|A| Flags | Ver |         Protocol Type         |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|    Key (HW) Payload Length    |       Key (LW) Call ID        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                  Sequence Number (Optional)                   |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|               Acknowledgment Number (Optional)                |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

QUESTION NO: 44
Which mode of operation must be enabled on CSM to support roles such as Network
Administrator, Approver, Network Operator, and Help Desk?
A.
Deployment Mode
B.
Activity Mode
C.
Workflow Mode
D.
User Roles Mode
E.
Administration Mode
F.
Network Mode

Answer: C
Explanation:

CiscoWorks Common Services default roles:

CiscoWorks Common Services contains the following default roles for Security Manager:

Help Desk: help desk users can view (but not modify) devices, policies, objects, and topology maps.

Approver: can approve the modification of changes and CLI changes.

Network Operator: in addition to view permissions, network operators can view CLI commands and Security Manager administrative settings. Network operators can also modify the configuration archive and issue commands (such as ping) to devices.

Network Administrator: can only deploy changes.

The Approver role only has something to act on when Workflow mode is enabled, because Workflow mode introduces the activity submit/approve/deploy cycle; in non-Workflow mode changes are committed directly. That is why the answer is Workflow Mode.

QUESTION NO: 45
Which two ISE Probes would be required to distinguish accurately the difference between an iPad
and a MacBook Pro? (Choose two.)
A.
DHCP or DHCPSPAN
B.
SNMPTRAP
C.
SNMPQUERY
D.
NESSUS
E.
HTTP
F.
DHCP TRAP

Answer: A,E
Explanation:
The DHCP SPAN (Switched Port Analyzer) probe, when initialized on a Cisco ISE node, listens to network traffic coming from network access devices on a specific interface. You configure the network access devices to forward DHCP SPAN packets from the DHCP servers to the Cisco ISE profiler. The profiler receives these DHCP SPAN packets and parses them to capture attributes of an endpoint that can be used for profiling it.
An HTTP session is a sequence of network request-response transactions. The web browser initiates an HTTP request message, which establishes a Transmission Control Protocol (TCP) connection to a particular port on the web server (typically port 80). A web server listening on that port waits for HTTP request messages from browsers. The HTTP probe in a Cisco ISE deployment, when enabled together with the SPAN probe, lets the profiler capture HTTP packets from the specified interfaces; the User-Agent header in those requests is what separates an iPad from a MacBook Pro, since both may look alike from their DHCP attributes alone. You can use the SPAN capability on port 80, where the Cisco ISE server listens to communication from web browsers.
Reference: http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_prof_pol.html#wp1341171

QUESTION NO: 46
Which option is the correct definition for MAB?
A.
MAB is the process of checking the mac-address-table on the localswitch for the sticky address.If
the mac-address of the device attempting to access the network matches the configured sticky
address, it will be permitted to bypass 802.1X authentication.
B.
MAB is a process where the switch will send an authentication request on behalf of the endpoint
that is attempting to access the network, using the mac-address of the device as the credentials.
The authentication server evaluates that MAC address against a list of devices permitted to
access the network without a stronger authentication.
C.
MAB is a process where the switch will check a local list of MAC addresses to identify systems
that are permitted network access without using 802.1X.
D.
MAB is a process where the supplicant on the endpoint is configured to send the MAC address of
the endpoint as its credentials.

Answer: B
Explanation:
MAC Authentication Bypass (MAB) is a MAC-address-based authentication mechanism that allows clients in a network to integrate with the Cisco Identity Based Networking Services (IBNS) and Network Admission Control (NAC) strategy using the client MAC address. The switch sends a RADIUS request on the endpoint's behalf in which the MAC address serves as both username and password, and the authentication server decides whether that address is allowed, which is what option B describes. MAB applies to these network environments:

Network environments in which supplicant code is not available for a given client platform.

Network environments in which the end-client configuration is not under administrative control, that is, IEEE 802.1X requests are not supported on these networks.
Standalone MAB is an authentication method that grants network access to specific MAC addresses regardless of 802.1X capability or credentials. As a result, devices such as cash registers, fax machines, and printers can be readily authenticated, and network features that are based on authorization policies can be made available. Because a MAC address is trivially spoofable, MAB should be treated as identification rather than strong authentication and paired with a restrictive authorization policy.

QUESTION NO: 47
Review the exhibit.

Which three statements about the Cisco IPS sensor are true? (Choose three.)
A.
A
B.
B
C.
C
D.
D
E.
E

Answer: A,C,E
Explanation:

Inline VLAN Interface Pairs

You cannot pair a VLAN with itself.

For a given sensing interface, a VLAN can be a member of only one inline VLAN pair. However, a
given VLAN can be a member of an inline VLAN pair on more than one sensing interface.

The order in which you specify the VLANs in an inline VLAN pair is not significant.

A sensing interface in inline VLAN pair mode can have from 1 to 255 inline VLAN pairs.
Reference: http://www.cisco.com/c/en/us/td/docs/security/ips/51/configuration/guide/cli/cliguide/cliInter.html

QUESTION NO: 48
Which QoS marking is only locally significant on a Cisco router?
A.
MPLS EXP
B.
DSCP
C.
QoS group
D.
IP precedence
E.
traffic class
F.
flow label

Answer: C
Explanation:

QoS group
Locally significant QoS values that can be manipulated and matched within the system. The range
is from 0 to 126.
Reference: http://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/4_2/nxos/qos/configuration/guide/qos_nx-os_book/marking.html

QUESTION NO: 49
Which two VLSM subnets, when taken as a pair, overlap? (Choose two.)
A.
10.22.21.128/26
B.
10.22.22.128/26
C.
10.22.22.0/27
D.
10.22.20.0/23
E.
10.22.16.0/22

Answer: A,D
Explanation:
10.22.21.128/26 covers 10.22.21.128 to 10.22.21.191 (hosts .129 to .190), and 10.22.20.0/23 covers 10.22.20.0 to 10.22.21.255 (hosts 10.22.20.1 to 10.22.21.254), so option A lies entirely inside option D. None of the other pairs share address space: 10.22.16.0/22 ends at 10.22.19.255, and 10.22.22.0/27 (.0 to .31) and 10.22.22.128/26 (.128 to .191) are disjoint. Two prefixes overlap exactly when, under the shorter of the two masks, they have the same network address.
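Added example (not part of the original exam dump) covering questions 41, 42 and 49 together: subnet membership, VLSM overlap detection and the RFC 4291 IPv4-compatible IPv6 encoding, done with explicit bit operations so the mask logic is visible rather than hidden behind a library call. The stdlib ipaddress module is used only as a cross-check.

```python
# Added example (not part of the original exam dump): IPv4 subnet arithmetic and the
# RFC 4291 IPv4-compatible IPv6 encoding with explicit bit operations.
import ipaddress


def ipv4_to_int(addr: str) -> int:
    """Dotted-decimal IPv4 string -> 32-bit integer."""
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {addr}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ipv4(n: int) -> str:
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def _mask(prefixlen: int) -> int:
    if not 0 <= prefixlen <= 32:
        raise ValueError(f"bad prefix length: {prefixlen}")
    return (0xFFFFFFFF << (32 - prefixlen)) & 0xFFFFFFFF


def subnet_info(cidr: str) -> dict:
    """Network, usable host range and broadcast for host/prefix such as 192.168.23.197/27."""
    addr, plen = cidr.split("/")
    mask = _mask(int(plen))
    net = ipv4_to_int(addr) & mask
    bcast = net | (~mask & 0xFFFFFFFF)
    return {
        "network": int_to_ipv4(net),
        "first_host": int_to_ipv4(net + 1),
        "last_host": int_to_ipv4(bcast - 1),
        "broadcast": int_to_ipv4(bcast),
    }


def subnets_overlap(a: str, b: str) -> bool:
    """Two prefixes overlap exactly when, under the shorter mask, they share a network address."""
    na, pa = a.split("/")
    nb, pb = b.split("/")
    mask = _mask(min(int(pa), int(pb)))
    return (ipv4_to_int(na) & mask) == (ipv4_to_int(nb) & mask)


def overlapping_pairs(prefixes: list) -> list:
    """Every pair (in input order) that shares address space; an empty list means a clean VLSM plan."""
    return [(a, b) for i, a in enumerate(prefixes)
            for b in prefixes[i + 1:] if subnets_overlap(a, b)]


def ipv4_compatible_ipv6(v4: str) -> dict:
    """RFC 4291 IPv4-compatible form ::a.b.c.d, plus its hexadecimal spelling (deprecated format)."""
    n = ipv4_to_int(v4)
    hi, lo = n >> 16, n & 0xFFFF
    hex_form = f"::{lo:x}" if hi == 0 else f"::{hi:x}:{lo:x}"
    dotted_form = f"::{v4}"
    # Cross-check: both spellings must parse to the same 128-bit value.
    assert ipaddress.IPv6Address(hex_form) == ipaddress.IPv6Address(dotted_form)
    return {"hex": hex_form, "dotted": dotted_form}


def same_ipv6(a: str, b: str) -> bool:
    """True if two textual IPv6 addresses denote the same 128-bit value."""
    return ipaddress.IPv6Address(a) == ipaddress.IPv6Address(b)


if __name__ == "__main__":
    print(subnet_info("192.168.23.197/27"))
    print(overlapping_pairs(["10.22.21.128/26", "10.22.22.128/26", "10.22.22.0/27",
                             "10.22.20.0/23", "10.22.16.0/22"]))
    print(ipv4_compatible_ipv6("10.10.100.16"))
    print(same_ipv6("::10:10:100:16", "::10.10.100.16"))   # False: the exam's spelling is a different address
```

The overlap check matters beyond exams: an ACL or route filter built on overlapping prefixes matches more than its author intended, and the check is the same one-line mask comparison.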

QUESTION NO: 50
What is the ICMPv6 type and destination IPv6 address for a Neighbor Solicitation packet that is
sent by a router that wants to learn about a newly introduced network device?
A.
ICMP type 136 and the Solicited-Node multicast address
B.
ICMP type 135 and the Broadcast address
C.
ICMP type 136and the All-Routers multicastaddress
D.
ICMP type 135 and the All-Routers multicast address
E.
ICMP type 135 and the Solicited-Node multicast address
F.
ICMP type 136 and the Broadcast address

Answer: E
Explanation:

A value of 135 in the Type field of the ICMPv6 header identifies a neighbor solicitation message. Neighbor solicitation messages are sent on the local link when a node wants to determine the link-layer address of another node on the same link. The source address of the neighbor solicitation is the IPv6 address of the node sending it, and the destination address is the solicited-node multicast address that corresponds to the IPv6 address of the target node (the prefix ff02::1:ff00:0/104 followed by the low 24 bits of the target address). The neighbor solicitation also carries the link-layer address of the source node. The target answers with a neighbor advertisement (type 136) sent unicast to the soliciting node; only unsolicited advertisements go to the all-nodes group ff02::1. IPv6 has no broadcast address at all, which rules out options B and F.
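Added example (not part of the original exam dump): deriving the solicited-node multicast address and its Ethernet MAC for a target, then building and validating an ICMPv6 type 135 neighbor solicitation with the pseudo-header checksum that ND requires. The addresses and MAC used are constructed documentation values.

```python
# Added example (not part of the original page): solicited-node multicast derivation and an
# ICMPv6 Neighbor Solicitation (type 135) built and validated with the RFC 8200 pseudo-header checksum.
import ipaddress
import struct

ICMPV6_NEXT_HEADER = 58
ND_NEIGHBOR_SOLICITATION = 135
ND_NEIGHBOR_ADVERTISEMENT = 136
OPT_SOURCE_LINK_LAYER = 1


def solicited_node_multicast(target: str) -> str:
    """ff02::1:ffXX:XXXX, where XX:XXXX are the low 24 bits of the target address (RFC 4291)."""
    low24 = ipaddress.IPv6Address(target).packed[13:16]
    return str(ipaddress.IPv6Address(bytes.fromhex("ff0200000000000000000001ff") + low24))


def ipv6_multicast_mac(group: str) -> str:
    """Ethernet address for an IPv6 multicast group: 33:33 followed by the low 32 bits (RFC 2464)."""
    low32 = ipaddress.IPv6Address(group).packed[12:16]
    return "33:33:" + ":".join(f"{b:02x}" for b in low32)


def icmpv6_checksum(src: str, dst: str, icmp: bytes) -> int:
    """Upper-layer checksum over pseudo-header (src, dst, length, next header) + ICMPv6 message."""
    pseudo = (ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
              + struct.pack("!I3xB", len(icmp), ICMPV6_NEXT_HEADER))
    data = pseudo + icmp
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_neighbor_solicitation(src: str, target: str, src_mac: bytes) -> tuple:
    """Return (destination address, ICMPv6 bytes) for a router asking 'who has <target>?'."""
    if len(src_mac) != 6:
        raise ValueError("src_mac must be 6 bytes")
    dst = solicited_node_multicast(target)
    msg = bytearray(struct.pack("!BBHI", ND_NEIGHBOR_SOLICITATION, 0, 0, 0))   # type, code, checksum, reserved
    msg += ipaddress.IPv6Address(target).packed                                # Target Address
    msg += bytes([OPT_SOURCE_LINK_LAYER, 1]) + src_mac                         # option type 1, length 1 (8 octets)
    struct.pack_into("!H", msg, 2, icmpv6_checksum(src, dst, bytes(msg)))
    return dst, bytes(msg)


def parse_neighbor_solicitation(src: str, dst: str, icmp: bytes) -> dict:
    """Validate type, length and checksum, then return the target and any source link-layer option."""
    if len(icmp) < 24 or icmp[0] != ND_NEIGHBOR_SOLICITATION or icmp[1] != 0:
        raise ValueError("not a neighbor solicitation")
    if icmpv6_checksum(src, dst, icmp) != 0:
        raise ValueError("bad ICMPv6 checksum")
    target = ipaddress.IPv6Address(icmp[8:24])
    if target.is_multicast:
        raise ValueError("NS target must be unicast")          # RFC 4861 validation rule
    out = {"target": str(target), "source_mac": None}
    off = 24
    while off + 2 <= len(icmp):
        opt_type, opt_len = icmp[off], icmp[off + 1] * 8
        if opt_len == 0 or off + opt_len > len(icmp):
            raise ValueError("malformed ND option")             # zero-length option would loop forever
        if opt_type == OPT_SOURCE_LINK_LAYER and opt_len == 8:
            out["source_mac"] = ":".join(f"{b:02x}" for b in icmp[off + 2:off + 8])
        off += opt_len
    return out


if __name__ == "__main__":
    dst, ns = build_neighbor_solicitation("fe80::1", "2001:db8::1:2:3:4", bytes.fromhex("001122334455"))
    print(dst, ipv6_multicast_mac(dst), ns.hex())
    print(parse_neighbor_solicitation("fe80::1", dst, ns))
```

Nothing in the exchange authenticates the sender, which is the gap that SEND and CGAs (question 51) close.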

QUESTION NO: 51
Which three statements are true about Cryptographically Generated Addresses for IPv6? (Choose
three.)
A.
They prevent spoofing and stealing of existing IPv6 addresses.
B.
They are derived by generating a random 128-bit IPv6 address based on the public key of the
node.
C.
They are used for securing neighbor discovery using SeND.
D.
SHA orMD5is used during their computation.
E.
The minimum RSA key length is 512 bits.
F.
The SHA-1 hash function is used during their computation.

Answer: A,C,F
Explanation:
A Cryptographically Generated Address (CGA) is an IPv6 address whose interface identifier is computed with a cryptographic hash function from the node's public key. The procedure binds a public signature key to an IPv6 address for the Secure Neighbor Discovery protocol (SEND). A CGA is formed by replacing the least-significant 64 bits of the 128-bit IPv6 address with a hash of the address owner's public key (together with the subnet prefix, a modifier and a collision count); messages are then signed with the corresponding private key. A verifier that knows the source address and the public key can authenticate a message from that sender, and no public key infrastructure is required. Valid CGAs can be generated by any node, including an attacker, but an attacker cannot impersonate an existing CGA because it lacks the private key that matches the public key hashed into the address; a CGA binds the address to a key pair, it does not certify who owns that key pair. The SHA-1 hash function is used during the computation (RFC 3972):
procedure generateCGA(Sec, subnetPrefix, publicKey, extFields):
    modifier := random(0x00000000000000000000000000000000,   // 16 octets (128 bits)
                       0xffffffffffffffffffffffffffffffff)
label1:
    concat := concatenate(modifier, 0x000000000000000000,   // 9 zero octets
                          publicKey, extFields)
    digest := SHA1(concat)
    Hash2 := digest[0:14]                                    // 14*8 = 112 leftmost bits
    if Sec != 0 and Hash2[0:2*Sec] != 0:                     // 2*Sec*8 = 16*Sec leftmost bits
        modifier := modifier + 1
        goto label1
    end if
    collCount := 0x00                                        // 8-bit collision count
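Added example (not the page's own code): the RFC 3972 generation and verification steps carried through in Python with SHA-1, continuing past the point where the pseudocode above stops (Hash1, the Sec and u/g bit handling, and the verifier's checks). PUBKEY is a constructed placeholder byte string; a real node hashes the DER-encoded RSA public key.

```python
# Added example (not the page's own code): RFC 3972 CGA generation and verification.
import hashlib
import ipaddress
import os
from typing import Optional

PUBKEY = b"-----constructed placeholder public key, not a real key-----"


def _hash2(modifier: bytes, pubkey: bytes, ext: bytes = b"") -> bytes:
    """Leftmost 112 bits of SHA-1(modifier | 9 zero octets | public key | extension fields)."""
    return hashlib.sha1(modifier + b"\x00" * 9 + pubkey + ext).digest()[:14]


def _hash1(modifier: bytes, prefix8: bytes, collcount: int, pubkey: bytes, ext: bytes = b"") -> bytes:
    """Leftmost 64 bits of SHA-1(modifier | subnet prefix | collision count | public key | ext)."""
    return hashlib.sha1(modifier + prefix8 + bytes([collcount]) + pubkey + ext).digest()[:8]


def _hash2_satisfies(h2: bytes, sec: int) -> bool:
    """The leftmost 16*Sec bits of Hash2 must be zero; trivially true when Sec is 0."""
    return h2[:2 * sec] == b"\x00" * (2 * sec)


def _interface_id(hash1: bytes, sec: int) -> bytes:
    iid = bytearray(hash1)
    iid[0] = (iid[0] & 0x1F) | (sec << 5)   # bits 0-2 (leftmost) carry Sec
    iid[0] &= 0xFC                          # bits 6 and 7, the u and g bits, are cleared
    return bytes(iid)


def generate_cga(prefix: str, pubkey: bytes, sec: int,
                 modifier: Optional[bytes] = None, collcount: int = 0) -> tuple:
    """Return (IPv6 address, CGA parameters). Sec raises the attacker's brute-force cost by 2^(16*Sec)."""
    if not 0 <= sec <= 7 or not 0 <= collcount <= 2:
        raise ValueError("Sec must be 0..7 and the collision count 0..2")
    prefix8 = ipaddress.IPv6Network(prefix).network_address.packed[:8]
    modifier = os.urandom(16) if modifier is None else modifier
    m = int.from_bytes(modifier, "big")
    while not _hash2_satisfies(_hash2(modifier, pubkey), sec):   # the hash-extension loop
        m = (m + 1) & ((1 << 128) - 1)
        modifier = m.to_bytes(16, "big")
    iid = _interface_id(_hash1(modifier, prefix8, collcount, pubkey), sec)
    params = {"modifier": modifier, "prefix": prefix8, "collcount": collcount, "pubkey": pubkey}
    return ipaddress.IPv6Address(prefix8 + iid), params


def verify_cga(address: str, params: dict) -> bool:
    """RFC 3972 section 5: a verifier holding the CGA parameters re-derives the address from the key."""
    addr = ipaddress.IPv6Address(address).packed
    if not 0 <= params["collcount"] <= 2 or addr[:8] != params["prefix"]:
        return False
    sec = addr[8] >> 5                                        # Sec is read from the address itself
    expected = _interface_id(_hash1(params["modifier"], params["prefix"],
                                    params["collcount"], params["pubkey"]), sec)
    if expected != addr[8:]:
        return False
    return _hash2_satisfies(_hash2(params["modifier"], params["pubkey"]), sec)


if __name__ == "__main__":
    addr, params = generate_cga("2001:db8::/64", PUBKEY, sec=1)
    print(addr, verify_cga(str(addr), params))
```

Verification only proves that whoever chose the address also held the key whose hash it carries; binding that key to a person or device is out of scope for CGA, as the explanation says.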

QUESTION NO: 52
Which three options are extension headers that are implemented in IPv6? (Choose three.)
A.
Routing Header.
B.
Generic Tunnel Header.
C.
Quality of Service Header.
D.
Fragment Header.
E.
Encapsulating Security Payload Header.
F.
Path MTU Discovery Header.

Answer: A,D,E
Explanation:

Extension header                               Type  Description
Hop-by-Hop Options                             0     Options that need to be examined by all devices on the path.
Destination Options (before Routing header)    60    Options that need to be examined only by the destination of the packet.
Routing                                        43    Methods to specify the route for a datagram (used with Mobile IPv6).
Fragment                                       44    Contains parameters for fragmentation of datagrams.
Authentication Header (AH)                     51    Contains information used to verify the authenticity of most parts of the packet.
Encapsulating Security Payload (ESP)           50    Carries encrypted data for secure communication.
Destination Options (before upper-layer hdr)   60    Options that need to be examined only by the destination of the packet.
Mobility (currently without upper-layer hdr)   135   Parameters used with Mobile IPv6.
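Added example (not part of the original exam dump): walking an IPv6 extension-header chain by following Next Header values from the fixed header, the way a firewall or IDS must to locate the transport header before it can match ports. It honours the differing length encodings (Fragment is fixed at 8 octets, AH counts 32-bit words, the rest count 8-octet units), stops at ESP, and flags a non-first fragment as carrying no upper-layer header. The sample packets are constructed here.

```python
# Added example (not from the original page): walk an IPv6 extension-header chain.
import struct

HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, DEST_OPTS, MOBILITY, NO_NEXT_HEADER = 0, 43, 44, 50, 51, 60, 135, 59
EXT_NAMES = {HOP_BY_HOP: "Hop-by-Hop Options", ROUTING: "Routing", FRAGMENT: "Fragment",
             ESP: "ESP", AH: "AH", DEST_OPTS: "Destination Options", MOBILITY: "Mobility"}
TCP, UDP, ICMPV6 = 6, 17, 58


def walk_extension_headers(pkt: bytes) -> dict:
    """Return the extension-header chain, the upper-layer protocol and the offset where it starts."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    payload_len = struct.unpack("!H", pkt[4:6])[0]
    if 40 + payload_len != len(pkt):
        raise ValueError("Payload Length does not match packet size")
    nxt, off, chain, frag_offset = pkt[6], 40, [], 0
    while nxt in EXT_NAMES:
        if nxt == HOP_BY_HOP and off != 40:
            raise ValueError("Hop-by-Hop Options must immediately follow the fixed header (RFC 8200)")
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        chain.append(EXT_NAMES[nxt])
        if nxt == ESP:
            # Everything after ESP is encrypted; without the SA the chain ends here.
            return {"chain": chain, "upper": ESP, "offset": off, "fragment_offset": frag_offset}
        if nxt == FRAGMENT:
            hlen = 8                                     # fixed size, no Hdr Ext Len field
            frag_offset = struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3
        elif nxt == AH:
            hlen = (pkt[off + 1] + 2) * 4                # AH Payload Len is in 32-bit words minus 2
        else:
            hlen = (pkt[off + 1] + 1) * 8                # Hdr Ext Len in 8-octet units, first 8 not counted
        nxt = pkt[off]
        off += hlen
        if off > len(pkt):
            raise ValueError("extension header runs past end of packet")
    if frag_offset != 0:
        # A non-first fragment carries no upper-layer header; a port-based filter cannot match it.
        return {"chain": chain, "upper": None, "offset": off, "fragment_offset": frag_offset}
    return {"chain": chain, "upper": nxt, "offset": off, "fragment_offset": 0}


def ipv6_packet(next_header: int, payload: bytes) -> bytes:
    """Fixed 40-byte header with constructed documentation-prefix addresses."""
    src = bytes.fromhex("20010db8000000000000000000000001")
    dst = bytes.fromhex("20010db8000000000000000000000002")
    return struct.pack("!IHBB", 0x60000000, len(payload), next_header, 64) + src + dst + payload


# Constructed samples: Hop-by-Hop (PadN) -> Fragment -> TCP, a later fragment, and Hop-by-Hop -> ESP.
HBH = bytes([FRAGMENT, 0, 1, 4, 0, 0, 0, 0])                    # next=44, Hdr Ext Len=0 (8 octets), PadN(4)
FRAG_FIRST = bytes([TCP, 0]) + struct.pack("!H", (0 << 3) | 1) + struct.pack("!I", 0xABCD)
FRAG_LATER = bytes([TCP, 0]) + struct.pack("!H", (185 << 3) | 0) + struct.pack("!I", 0xABCD)
TCP_HDR = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
SAMPLE = ipv6_packet(HOP_BY_HOP, HBH + FRAG_FIRST + TCP_HDR)
SAMPLE_LATER_FRAG = ipv6_packet(HOP_BY_HOP, HBH + FRAG_LATER + b"\x00" * 16)
SAMPLE_ESP = ipv6_packet(HOP_BY_HOP, bytes([ESP, 0, 1, 4, 0, 0, 0, 0])
                         + struct.pack("!II", 0x100, 1) + b"\x00" * 8)

if __name__ == "__main__":
    for name, p in (("first fragment", SAMPLE), ("later fragment", SAMPLE_LATER_FRAG), ("esp", SAMPLE_ESP)):
        print(name, walk_extension_headers(p))
```

Long or unusual chains are a classic way to push the transport header past what a filter inspects; a parser that cannot reach the upper layer should fail closed rather than default-permit.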

QUESTION NO: 53
What is a key characteristic of MSTP?
A.
always uses a separate STP instance per VLAN to increase efficiency
B.
only supports a single STP instance for all VLANs
C.
is a Cisco proprietary standard
D.
several VLANs can be mapped to the same spanning-tree instance

Answer: D
Explanation:
MST (IEEE 802.1s) combines the best aspects of PVST+ and IEEE 802.1Q. Several VLANs are mapped to a reduced number of spanning-tree instances, because most networks need only a few distinct logical topologies; this is neither one instance per VLAN (option A) nor a single instance for all VLANs (option B), and it is an IEEE standard rather than a Cisco proprietary one (option C).

QUESTION NO: 54
Which spanning-tree mode supports a separate spanning-tree instance for each VLAN and also
supports the 802.1w standard that has a faster convergence than 802.1D?
A.
PVST+
B.
PVRST+
C.
PVST
D.
CST
E.
MST
F.
RST

Answer: B
Explanation:

802.1D Spanning Tree Protocol (STP) has the drawback of slow convergence. Cisco Catalyst switches support three STP variants: PVST+, Rapid-PVST+ and MST. PVST+ is based on the IEEE 802.1D standard and includes Cisco proprietary extensions such as BackboneFast, UplinkFast, and PortFast. Rapid-PVST+ is based on the IEEE 802.1w standard and converges faster than 802.1D; RSTP (IEEE 802.1w) natively includes most of the Cisco proprietary enhancements to 802.1D, such as BackboneFast and UplinkFast. Rapid-PVST+ runs one RSTP instance per VLAN, which is why it is the answer. When any RSTP port receives a legacy 802.1D BPDU, that port falls back to legacy STP and the fast-convergence benefits of 802.1w are lost where it interacts with legacy bridges.

QUESTION NO: 55
Which three LSA types are used by OSPFv3? (Choose three.)
A.
Link LSA
B.
Intra-Area Prefix LSA
C.
Interarea-prefix LSA for ASBRs
D.
Autonomous system external LSA
E.
Internetwork LSA

Answer: A,B,D
Explanation:

Link LSA:
A router originates a separate Link LSA for each link it is attached to. These LSAs have link-local flooding scope and are never flooded beyond the link they are associated with. They have three purposes:
- notify the routers attached to the link of the link-local address of the router's interface
- inform the other routers attached to the link of the list of IPv6 prefixes to associate with the link
- allow the router to assert the collection of Option bits to associate with the Network LSA that will be originated for the link.
The Link-State ID is set to the Interface ID of the originating router's link.
Intra-Area Prefix LSA:
A router uses the Intra-Area Prefix LSA to advertise IPv6 prefixes that are associated with
a) the router itself (in OSPFv2 this was carried in the Router LSA)
b) an attached stub network segment (in OSPFv2 this was carried in the Router LSA)
c) an attached transit network segment (in OSPFv2 this was carried in the Network LSA)
A router can originate multiple Intra-Area Prefix LSAs for each router or transit network; each LSA is distinguished by its Link State ID.
AS-External LSA:
These LSAs are the IPv6 equivalent of OSPFv2's Type-5 External LSAs. They are originated by ASBRs to describe destinations external to the AS; each LSA describes a route to a single IPv6 prefix external to the AS.
AS-External LSAs can also describe a default route, which is used when no more specific route exists for a destination.
Reference: https://sites.google.com/site/amitsciscozone/home/important-tips/ipv6/ospf

QUESTION NO: 56
Which protocol provides the same functions in IPv6 that IGMP provides in IPv4 networks?

A.
ICMPv6
B.
ND
C.
MLD
D.
TLA

Answer: C
Explanation:

MLD is used by IPv6 routers to discover multicast listeners on a directly attached link, much as IGMP is used in IPv4. The protocol is embedded in ICMPv6 rather than using a separate protocol. MLDv1 is similar to IGMPv2 and MLDv2 to IGMPv3.

QUESTION NO: 57
Which authentication scheme, that is supported on the Cisco ASA, generates a unique key that is
used in a single password challenge?

A.
one-time passwords
B.
disposable certificates
C.
password management
D.
CAPTCHA web text

Answer: A
Explanation:
A one-time password (OTP) is a unique value that is valid for a single password challenge; once used it cannot be replayed. On the ASA, OTPs are used, for example, in certificate enrollment with the ASA's local CA server, where each user is issued a one-time password that must be presented to enroll, and in VPN authentication through an external AAA server backed by a token system.

QUESTION NO: 58
Which label is advertised by an LSR to inform neighboring LSRs to perform the penultimate hop
popping operation?
A.
0x00
B.
php
C.
swap
D.
push
E.
imp-null

Answer: E
Explanation:

Penultimate hop popping (PHP) is a function performed by certain routers in an MPLS-enabled network. It refers to the process whereby the outermost label of an MPLS-tagged packet is removed by a Label Switch Router (LSR) before the packet is passed to an adjacent Label Edge Router (LER). The LER requests this behaviour by advertising the implicit-null label (reserved label value 3, shown as imp-null in LDP bindings) for the prefix.

QUESTION NO: 59
When the RSA algorithm is used for signing a message from Alice to Bob, which statement best
describes that operation?
A.
Alice signs the message with her private key, and Bob verifies that signature with Alice's public
key.
B.
Alice signs the message with her public key, and Bob verifies that signature with Alice's private
key.
C.
Alice signs the message with Bob's private key, and Bob verifies that signature with his public key.
D.
Alice signs the message with Bob's public key, and Bob verifies that signature with his private key.
E.
Alice signs the message with her public key, and Bob verifies that signature with his private key.
F.
Alice signs the message with her private key, and Bob verifies that signature with his public key.

Answer: A
Explanation:
RSA is an algorithm used by modern computers to encrypt and decrypt messages. It is an asymmetric cryptographic algorithm: there are two different keys. This is also called public-key cryptography, because one of the keys can be given to everyone while the other must be kept private. It is based on the fact that finding the factors of a large integer is hard (the factoring problem). RSA stands for Ron Rivest, Adi Shamir and Leonard Adleman, who first publicly described it in 1978. A user of RSA creates and then publishes the product of two large prime numbers, along with an auxiliary value, as their public key. The prime factors must be kept secret. Anyone can use the public key to encrypt a message, but with currently published methods, if the public key is large enough, only someone with knowledge of the prime factors can feasibly decrypt the message. For a signature the roles are reversed: the signer applies her private key to a hash of the message, and anyone holding the signer's public key can verify the result, which is why Alice signs with her private key and Bob verifies with Alice's public key. Option F fails because Bob's public key says nothing about Alice's private key.
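Added example (not part of the original exam dump): textbook RSA sign and verify in pure Python so the key roles in the answer are visible in code. The primes are constructed toy-sized Mersenne primes and the scheme is a bare hash-then-exponentiate with no padding; real systems use 2048-bit-or-larger keys with PKCS#1 v1.5 or PSS encoding, so this illustrates the math, not a deployable signature.

```python
# Added example (not part of the original page): textbook RSA signing, toy-sized keys, no padding.
import hashlib
from math import gcd

# Constructed toy primes (2^61-1, 2^89-1, 2^107-1 and 2^127-1 are Mersenne primes); far too small for real use.
P_ALICE, Q_ALICE = (1 << 61) - 1, (1 << 89) - 1
P_BOB, Q_BOB = (1 << 107) - 1, (1 << 127) - 1


def keygen(p: int, q: int, e: int = 65537) -> tuple:
    """Return ((n, e) public key, (n, d) private key) with d = e^-1 mod phi(n)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    return (n, e), (n, pow(e, -1, phi))


def _digest_as_int(message: bytes, n: int) -> int:
    """Hash the message and reduce into Z_n (toy stand-in for a proper signature encoding)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, private_key: tuple) -> int:
    """The signer applies the private exponent: s = H(m)^d mod n."""
    n, d = private_key
    return pow(_digest_as_int(message, n), d, n)


def verify(message: bytes, signature: int, public_key: tuple) -> bool:
    """The verifier applies the signer's public exponent and compares: s^e mod n == H(m)."""
    n, e = public_key
    if not 0 < signature < n:
        return False
    return pow(signature, e, n) == _digest_as_int(message, n)


def demo() -> dict:
    """Alice signs; Bob verifies with Alice's public key (option A). Other combinations fail."""
    alice_pub, alice_priv = keygen(P_ALICE, Q_ALICE)
    bob_pub, _bob_priv = keygen(P_BOB, Q_BOB)
    msg = b"wire 10,000 to account 12345"          # constructed sample message
    s = sign(msg, alice_priv)
    return {
        "alice_verifies": verify(msg, s, alice_pub),      # correct key: True
        "bob_key_verifies": verify(msg, s, bob_pub),      # option F's key: False
        "tampered": verify(msg + b"0", s, alice_pub),     # altered message: False
    }


if __name__ == "__main__":
    print(demo())
```

Signing with the public key (options B and E) is not possible because the public exponent is, by definition, known to everyone, so anyone could forge such a "signature".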

QUESTION NO: 60
Which three statements about triple DES are true? (Choose three.)
A.
For 3DES, ANSI X9.52 describes three options for the selection of the keys in a bundle, where all
keys are independent.
B.
A 3DES key bundle is 192 bits long.
C.
A 3DES keyspace is168 bits.
D.
CBC, 64-bit CFB, OFB, and CTR are modes of 3DES.
E.
3DES involves encrypting a 64-bit block of plaintext with the 3 keys of the key bundle.

Answer: B,C,D
Explanation:
Do not confuse transport size with key size. Just as a DES key is 56 bits (plus 8 parity bits) but is conventionally carried in 64 bits, a 3DES key bundle holds 168 key bits but is carried in 192 bits: three 64-bit DES keys, each with 8 parity bits. So a 3DES key bundle is 192 bits long and the keyspace is 168 bits. Two caveats a practitioner should know: the effective security of 3DES with three independent keys is about 112 bits, not 168, because of the meet-in-the-middle attack; and ANSI X9.52 keying option 2 (K1 = K3) and option 3 (K1 = K2 = K3, which degenerates to single DES) do not use independent keys, which is why option A is false. Common block-cipher modes of operation, which apply to 3DES as to any 64-bit block cipher, are:
Electronic Codebook (ECB)
Cipher Block Chaining (CBC)
Propagating Cipher Block Chaining (PCBC)
Cipher Feedback (CFB)
Output Feedback (OFB)
Counter (CTR)
Reference: http://en.wikipedia.org/wiki/Block_cipher_mode_of_operation
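Added example (not part of the original exam dump): the 3DES key-bundle arithmetic in code. 168 bits of key material are spread over 24 octets with one odd-parity bit per octet (192 bits on the wire), the parity bits are stripped again, and the ANSI X9.52 keying option is recovered by comparing the three 64-bit keys. The key material used is a constructed byte string.

```python
# Added example (not from the original page): 3DES key-bundle packing, parity and keying options.


def set_odd_parity(key: bytes) -> bytes:
    """DES convention: the low bit of each octet is set so that the octet's popcount is odd."""
    out = bytearray()
    for b in key:
        seven = b & 0xFE
        out.append(seven | (0 if bin(seven).count("1") % 2 else 1))
    return bytes(out)


def has_odd_parity(key: bytes) -> bool:
    return all(bin(b).count("1") % 2 == 1 for b in key)


def pack_3des_bundle(material: bytes) -> bytes:
    """21 octets (168 bits) of key material -> 24-octet bundle K1|K2|K3 with parity bits."""
    if len(material) != 21:
        raise ValueError("3DES needs exactly 168 bits = 21 octets of key material")
    bits = int.from_bytes(material, "big")
    octets = bytes(((bits >> (7 * (23 - i))) & 0x7F) << 1 for i in range(24))
    return set_odd_parity(octets)


def unpack_3des_bundle(bundle: bytes) -> bytes:
    """Drop the parity bits and return the 168 bits of real key material."""
    if len(bundle) != 24:
        raise ValueError("3DES key bundle must be 24 octets (192 bits)")
    bits = 0
    for b in bundle:
        bits = (bits << 7) | (b >> 1)
    return bits.to_bytes(21, "big")


def keying_option(bundle: bytes) -> int:
    """X9.52: option 1 = three independent keys, 2 = K1 == K3, 3 = K1 == K2 == K3 (plain DES)."""
    k1, k2, k3 = bundle[:8], bundle[8:16], bundle[16:24]
    if k1 == k2 == k3:
        return 3
    if k1 == k3:
        return 2
    return 1


def nominal_key_bits(bundle: bytes) -> int:
    """Key bits by keying option. Option 1's real strength is ~112 bits (meet-in-the-middle), not 168."""
    return {1: 168, 2: 112, 3: 56}[keying_option(bundle)]


if __name__ == "__main__":
    bundle = pack_3des_bundle(bytes(range(1, 22)))       # constructed key material
    print(len(bundle) * 8, "bits on the wire,", nominal_key_bits(bundle), "key bits, option", keying_option(bundle))
```

A key-management system that accepts a 24-byte blob should run these checks: bad parity usually means a truncated or mis-encoded key, and option 3 means the "3DES" key is really single DES.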

QUESTION NO: 61
According to RFC-5426, syslog senders must support sending syslog message datagrams to
which port?

A.
TCP port 514
B.
UDP port 514
C.
TCP port 69
D.
UDP port 69
E.
TCP port 161
F.
UDP port 161

Answer: B
Explanation:
Syslog receivers MUST support accepting syslog datagrams on the well-known UDP port 514, but MAY be configurable to listen on a different port. Syslog senders MUST support sending syslog message datagrams to UDP port 514, but MAY be configurable to send messages to a different port. Syslog senders MAY use any source UDP port for transmitting messages.

QUESTION NO: 62
Which three statements about the keying methods used by MACSec are true? (Choose three.)
A.
Key management for host-to-switch and switch-to-switch MACSec sessions is provided by MKA.
B.
A valid mode for SAP is NULL.
C.
MKA is implemented as an EAPoL packet exchange.
D.
SAP is enabled by default for Cisco TrustSec in manual configuration mode.
E.
SAP is not supported on switch SVIs.
F.
SAP is supported on SPAN destination ports.

Answer: B,C,E
Explanation:
SAP negotiation can use one of these modes of operation:
Galois/Counter Mode (GCM): authentication and encryption
GCM authentication only (GMAC): GCM authentication, no encryption
No Encapsulation: no encapsulation (clear text)
Null: encapsulation, but no authentication or encryption
The EAP framework implements MKA as a newly defined EAP-over-LAN (EAPOL) packet. EAP authentication produces a master session key (MSK) shared by both partners in the data exchange.
Cisco TrustSec NDAC SAP is supported on trunk ports because it is intended only for network-device-to-network-device links, that is, switch-to-switch links. It is not supported on:
Host-facing access ports (these ports support MKA MACsec)
Switch virtual interfaces (SVIs)
SPAN destination ports
Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/15-0_1_se/configuration/guide/3750xcg/swmacsec.pdf

QUESTION NO: 63
What is the function of this command?
switch(config-if)# switchport port-security mac-address sticky
A.
It allows the switch to restrict the MAC addresses on the switch port, based on the static MAC
addresses configured in the startup configuration.
B.
It allows the administrator to manually configure the secured MAC addresses on the switch port.
C.
It allows the switch to permanently store the secured MAC addresses in the MAC address table
(CAM table).
D.
It allows the switch to perform sticky learning, in which the dynamically learned MAC addresses
are copied from the MAC address table (CAM table) to the startup configuration.
E.
It allows the switch to dynamically learn the MAC addresses on the switch port, and the MAC
addresses will be added to the running configuration

Answer: E
Explanation:
With sticky learning the switch converts dynamically learned MAC addresses into sticky secure addresses and writes them into the running configuration as if they had been statically configured. They survive a reload only if the configuration is saved (copy running-config startup-config), which is why option D, which claims an automatic copy to the startup configuration, is wrong.

QUESTION NO: 64
When configuring a switchport for port security that will support multiple devices and that has
already been configured for 802.1X support, which two commands need to be added? (Choose
two.)
A.
The 802.1X port configuration must be extended with the command dot1x multiple-host.
B.
The 802.1X port configuration must be extended with the command dot1x port-security.
C.
The switchport configuration needs to include the command switchport port-security.
D.
The switchport configuration needs to include the port-security aging command.
E.
The 802.1X port configuration needs to remain in port-control force-authorized rather than portcontrol auto.

Answer: A,C
Explanation:
Enabling Multiple Hosts
You can attach multiple hosts to a single 802.1X-enabled port.

In this mode, only one of the attached hosts must be authorized for all hosts to be granted network access. If the port becomes unauthorized (re-authentication fails or an EAPOL-logoff message is received), all attached clients are denied access to the network.
With the multiple-hosts mode enabled, you can use 802.1X to authenticate the port and port security to manage network access for all MAC addresses, including that of the client.
Beginning in privileged EXEC mode, follow these steps to allow multiple hosts (clients) and port security on an 802.1X-authorized port that has the dot1x port-control interface configuration command set to auto:

Step 1: configure terminal - Enter global configuration mode.
Step 2: interface interface-id - Enter interface configuration mode, and specify the interface to which multiple hosts are indirectly attached.
Step 3: dot1x multiple-hosts - Allow multiple hosts (clients) and port security on an 802.1X-authorized port. Make sure that the dot1x port-control interface configuration command is set to auto for the specified interface.
Step 4: end - Return to privileged EXEC mode.
Step 5: show dot1x interface interface-id - Verify your entries.
Step 6: copy running-config startup-config - (Optional) Save your entries in the configuration file.

To disable multiple hosts on the port, use the no dot1x multiple-hosts interface configuration command.
This example shows how to enable 802.1X on Fast Ethernet interface 0/1 and to allow multiple hosts:
Switch(config)# interface fastethernet0/1
Switch(config-if)# dot1x port-control auto
Switch(config-if)# dot1x multiple-hosts
Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3550/software/release/121_13_ea1/configuration/guide/3550scg/Sw8021x.html#wp1033292

QUESTION NO: 65
In Cisco IOS, what is the result of the ip dns spoofing command on DNS queries that are coming
from the inside and are destined to DNS servers on the outside?
A.
The router will prevent DNS packets without TSIG information from passing through the router.
B.
The router will act as a proxy to the DNS request and reply to the DNS request with the IP address
of the interface that received the DNS query if the outside interface is down.
C.
The router will take the DNS query and forward it on to the DNS server with its information in place
of the client IP.
D.
The router will block unknown DNS requests on both the inside and outside interfaces.

Answer: B
Explanation:
With ip dns spoofing configured, the router answers DNS queries itself (acting as a DNS proxy) with the IP address of the interface on which the query arrived, instead of forwarding the query, whenever the router's configured DNS servers are unreachable or the outbound interface toward them is down. The feature keeps local name resolution alive during an outage; it does not filter or rewrite forwarded queries, which rules out options A, C and D.
Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_dns/configuration/12-4t/dns-12-4t-book/dns-config-dns.html#GUID-5C6DC8F0-15ED-45DB-8D16-88E0198A01E4

QUESTION NO: 66
Which three traffic conditions can be matched when configuring single rate, dual token bucket
traffic policing on Cisco routers? (Choose three.)
A.
conform
B.
normal
C.
violate
D.
peak
E.
exceed
F.
average
Answer: A,C,E
Explanation:

Single-rate traffic policing is implemented by tracking the current burst with token-bucket mechanics and discarding (or re-marking) packets that exceed the CIR. The Single-Rate Three-Color Marker (srTCM, RFC 2697) is the RFC name for this ingress tool, used for admission control at the network edge. "Three color" means any incoming burst is classified as conforming (green, within Bc), exceeding (yellow, over Bc but within Be) or violating (red, over Be). Depending on the implementation, exceeding packets may be admitted but have their QoS marking changed to a higher drop precedence for the network core, while violating packets are typically dropped.
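Added example (not part of the original exam dump): a single-rate, three-colour marker (RFC 2697) as a pair of token buckets, the model behind Cisco's police cir ... bc ... be with conform, exceed and violate actions. Packet sizes, timestamps and the bucket parameters are constructed for the demonstration.

```python
# Added example (not from the original page): RFC 2697 srTCM, the dual-bucket model behind
# conform / exceed / violate policing. Color-blind mode; sizes in bytes, time in seconds.


class SingleRateThreeColorMarker:
    """CIR in bits/s; CBS (Bc) and EBS (Be) in bytes."""

    def __init__(self, cir_bps: int, cbs: int, ebs: int) -> None:
        if cir_bps <= 0 or cbs <= 0 or ebs < 0:
            raise ValueError("CIR and Bc must be positive, Be non-negative")
        self.cir_bytes_per_s = cir_bps / 8.0
        self.cbs, self.ebs = cbs, ebs
        self.tc, self.te = cbs, ebs        # both buckets start full (RFC 2697 section 3.1)
        self.last = 0.0

    def _refill(self, now: float) -> None:
        """Add CIR tokens for the elapsed time; overflow from the C bucket spills into the E bucket."""
        if now < self.last:
            raise ValueError("time went backwards")
        tokens = (now - self.last) * self.cir_bytes_per_s
        self.last = now
        self.tc += tokens
        if self.tc > self.cbs:
            self.te = min(self.ebs, self.te + (self.tc - self.cbs))
            self.tc = self.cbs

    def mark(self, size: int, now: float) -> str:
        self._refill(now)
        if size <= self.tc:
            self.tc -= size
            return "conform"       # green: within Bc
        if size <= self.te:
            self.te -= size
            return "exceed"        # yellow: over Bc but within Be
        return "violate"           # red: over Be; no tokens are consumed


def police(marker: SingleRateThreeColorMarker, packets: list) -> list:
    """packets: [(timestamp_seconds, size_bytes), ...] in arrival order -> list of colors."""
    return [marker.mark(size, ts) for ts, size in packets]


# Constructed burst: CIR 8 kb/s (1000 B/s), Bc = Be = 1500 B; three 1000-byte packets at t=0,
# then one more two seconds later after the buckets have refilled.
SAMPLE_PACKETS = [(0.0, 1000), (0.0, 1000), (0.0, 1000), (2.0, 1000)]

if __name__ == "__main__":
    print(police(SingleRateThreeColorMarker(8000, 1500, 1500), SAMPLE_PACKETS))
```

The same parameters expressed on a Cisco router would be, illustratively, police cir 8000 bc 1500 be 1500 with conform-action transmit, exceed-action set-dscp-transmit af11 and violate-action drop under a policy-map class; the example shows why the second packet at t=0 is only "exceed" and the third is "violate".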

QUESTION NO: 67
A frame relay PVC at router HQ has a CIR of 768 kb/s and the frame relay PVC at router branch
office has a CIR of 384 kb/s. Which QoS mechanism can best be used to ease the data
congestion and data loss due to the CIR speed mismatch?
A.
traffic policing at the HQ
B.
traffic policing at the branch office
C.
traffic shaping at the HQ
D.
traffic shaping at the branch office
E.
LLQ at the HQ
F.
LLQ at the branch office

Answer: C
Explanation:
Shaping at the HQ router to the branch CIR of 384 kb/s holds excess traffic in a queue and smooths it to the rate the slower PVC can carry, whereas policing would simply drop the excess; shaping belongs on the sending side of the mismatch, which is HQ. Common implementations of Frame Relay traffic shaping are:
Reference: http://www.cisco.com/c/en/us/support/docs/wan/frame-relay/6151-traffic-shaping-6151.html

QUESTION NO: 68
Which four options could be flagged as potential issues by a network security risk assessment?
(Choose four.)
A.
router hostname and IP addressing scheme
B.
router filtering rules
C.
route optimization
D.
database connectivity and RTT
E.
weak authentication mechanisms
F.
improperly configured email servers
G.
potential web server exploits

Answer: B,E,F,G
Explanation:
Packet-filtering firewalls use routers with packet-filtering rules to grant or deny access based on source address, destination address, and port. They offer minimum security at very low cost and can be an appropriate choice for a low-risk environment; they are fast, flexible, and transparent. Filtering rules are often not easy to maintain on a router, but tools exist to simplify creating and maintaining them, and a risk assessment will flag rules that are overly permissive or undocumented.
A weak authentication mechanism can expose resources or functionality to unintended actors, possibly giving attackers sensitive information or even arbitrary code execution.
Improperly configured email servers are easy to compromise and can act as a gateway into your network.
Hostnames and addressing schemes, route optimization, and database round-trip time are operational or performance concerns rather than security findings, which is why options A, C and D are not part of the answer.

QUESTION NO: 69
Which MPLS label is the signaled value to activate PHP (penultimate hop popping)?
A.
0x00
B.
php
C.
swap
D.
push
E.
imp-null

Answer: E
Explanation:
The implicit-null label (reserved label value 3, shown as imp-null in LDP bindings) should be used whenever possible: it tells the upstream LSR to pop the top label instead of swapping it, so the last hop of the LSP needs only an IP lookup rather than a label lookup followed by an IP lookup (sometimes the difference between a hardware and a software lookup).

QUESTION NO: 70
What action will be taken by a Cisco IOS router if a TCP packet, with the DF bit set, is larger than
the egress interface MTU?
A.
Split the packet into two packets, so that neither packet exceeds the egress interface MTU, and
forward them out.
B.
Respond to the sender with an ICMP Type 3, Code 4.
C.
Respond to the sender with an ICMP Type 12, Code 2.
D.
Transmit the packet unmodified.

Answer: B
Explanation:

ICMP type 3 code 4 messages are "fragmentation needed but don't fragment set". This means
your device sent a packet larger than the MTU of the device sending the ICMP message to you.
Normally, the packet could be fragmented, but the DF bit was set. Since you're denying the
inbound ICMP message, the ASA doesn't get notified that its packet wasn't delivered. Dropping
these ICMP messages is generally bad for performance because it essentially results in packet
loss.

QUESTION NO: 71
What will the receiving router do when it receives a packet that is too large to forward, and the DF
bit is not set in the IP header?
A.
Drop the packet, and send the source an ICMP packet, indicating that the packet was too big to
transmit.
B.
Fragment the packet into segments, with all segments having the MF bit set.
C.
Fragment the packet into segments, with all except the last segment having the MF bit set.
D.
Fragment the packet into segments, with all except the first segment having the MF bit set.

Answer: C
Explanation:
IPv4 routers fragment on behalf of the source node that is sending a larger packet. Routers can
fragment IPv4 packets unless the Do-Not-Fragment (DF) bit is set to 1 in the IPv4 header. If the
DF bit is set to 0 (the default), the router splits the packet that is too large to fit into the outgoing
interface and sends the two packets toward the destination. When the destination receives the two
fragments, its protocol stack must reassemble the fragments before processing the Protocol Data
Unit (PDU). The danger is when an application sends its packets with DF=1, ignores the ICMP
"packet too big" messages and does not perform PMTUD.
References: http://www.networkworld.com/article/2224654/cisco-subnet/mtu-size-issues.html
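
The egress decision described for Q70 and Q71, as an added Python example that is not part of the exam material: a router forwards the packet, fragments it (MF set on every fragment but the last, offsets in 8-octet units, Identification preserved) or, with DF set, answers with ICMP Type 3 Code 4, and the receiver reassembles on Identification, MF and Fragment Offset. The packets and addresses are constructed here.

```python
"""Added example, not part of the exam dump: what an IOS router does with an IPv4
datagram that exceeds the egress MTU (Q70/Q71) and how the receiver reassembles.
Field layout, flag bits and 8-octet offset units follow RFC 791; the packets are
constructed here for illustration."""
import struct

IP_HDR_LEN = 20        # minimal IPv4 header, no options
FLAG_DF = 0x4000       # Don't Fragment
FLAG_MF = 0x2000       # More Fragments
OFFSET_MASK = 0x1FFF   # Fragment Offset, in 8-octet units


def checksum(hdr: bytes) -> int:
    """One's-complement IPv4 header checksum (returns 0 for a valid header)."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(payload, ident, df, src="10.0.0.1", dst="10.0.0.2",
               mf=False, offset=0, proto=6):
    """Build a 20-byte-header IPv4 datagram with the given fragmentation fields."""
    flags_frag = (FLAG_DF if df else 0) | (FLAG_MF if mf else 0) | (offset & OFFSET_MASK)
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR_LEN + len(payload),
                      ident, flags_frag, 64, proto, 0, src_b, dst_b)
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt):
    """Return the fields a router (DF) and a receiver (ID, MF, offset) act on."""
    vihl, _, total_len, ident, ff, _, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:IP_HDR_LEN])
    hdr_len = (vihl & 0x0F) * 4
    return {"ident": ident, "df": bool(ff & FLAG_DF), "mf": bool(ff & FLAG_MF),
            "offset": ff & OFFSET_MASK, "proto": proto,
            "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "header": pkt[:hdr_len], "payload": pkt[hdr_len:total_len]}


class FragmentationNeeded(Exception):
    """Stands in for the ICMP Type 3, Code 4 the router returns to the source."""


def forward(pkt, egress_mtu):
    """Egress decision: pass through, ICMP 3/4 when DF is set, else fragment.

    All fragments keep the original Identification; every fragment except the
    last has MF=1; offsets count 8-octet units, so each non-final fragment
    carries a multiple of 8 payload bytes.
    """
    if len(pkt) <= egress_mtu:
        return [pkt]
    f = parse_ipv4(pkt)
    if f["df"]:
        raise FragmentationNeeded(f"DF set, egress MTU {egress_mtu}")
    chunk = (egress_mtu - IP_HDR_LEN) // 8 * 8
    if chunk <= 0:
        raise ValueError("MTU too small to carry any data")
    data, frags = f["payload"], []
    for i in range(0, len(data), chunk):
        last = i + chunk >= len(data)
        frags.append(build_ipv4(data[i:i + chunk], f["ident"], df=False,
                                src=f["src"], dst=f["dst"], mf=not last,
                                offset=f["offset"] + i // 8, proto=f["proto"]))
    return frags


def egress_action(pkt, egress_mtu):
    """Summarise forward() as 'forward', 'fragment:N' or 'icmp-3-4'."""
    try:
        out = forward(pkt, egress_mtu)
    except FragmentationNeeded:
        return "icmp-3-4"
    return "forward" if len(out) == 1 else f"fragment:{len(out)}"


def reassemble(frags):
    """Receiver side: same ID, contiguous offsets, stop at the fragment with MF=0."""
    parsed = sorted((parse_ipv4(p) for p in frags), key=lambda x: x["offset"])
    if len({p["ident"] for p in parsed}) != 1:
        raise ValueError("fragments from different datagrams mixed")
    data = b""
    for p in parsed:
        if p["offset"] * 8 != len(data):
            raise ValueError("hole in fragment sequence")
        data += p["payload"]
    if parsed[-1]["mf"]:
        raise ValueError("last fragment missing (MF still set)")
    return data
```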

QUESTION NO: 72
Identify three IPv6 extension headers? (Choose three.)
A.
traffic class
B.
flow label
C.
routing
D.
fragment
E.
encapsulating security payload

Answer: C,D,E
Explanation:

Extension Header                                | Type | Description
Hop-by-Hop Options                              | 0    | Options that need to be examined by all devices on the path.
Destination Options (before routing header)     | 60   | Options that need to be examined only by the destination of the packet.
Routing                                         | 43   | Methods to specify the route for a datagram (used with Mobile IPv6).
Fragment                                        | 44   | Contains parameters for fragmentation of datagrams.
Authentication Header (AH)                      | 51   | Contains information used to verify the authenticity of most parts of the packet.
Encapsulating Security Payload (ESP)            | 50   | Carries encrypted data for secure communication.
Destination Options (before upper-layer header) | 60   | Options that need to be examined only by the destination of the packet.
Mobility (currently without upper-layer header) | 135  | Parameters used with Mobile IPv6.
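
An added example, not from the exam material, that walks the IPv6 Next Header chain using the type values in the table above, tells extension headers apart from the upper-layer protocol, and includes the check a filter needs: whether a first fragment actually exposes the transport header. Header sizes follow RFC 8200 and RFC 4302; the sample packets are constructed.

```python
"""Added example, not part of the exam dump: walk an IPv6 Next Header chain,
separating the extension headers listed in the table above from the upper-layer
protocol. Header sizes follow RFC 8200 (Hop-by-Hop, Destination Options, Routing,
Fragment) and RFC 4302 (AH); the sample packets are constructed here."""
import struct

HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, DEST_OPTS, MOBILITY = 0, 43, 44, 50, 51, 60, 135
EXT_HEADERS = {HOP_BY_HOP: "Hop-by-Hop Options", ROUTING: "Routing",
               FRAGMENT: "Fragment", ESP: "ESP", AH: "AH",
               DEST_OPTS: "Destination Options", MOBILITY: "Mobility"}
UPPER_LAYER = {6: "TCP", 17: "UDP", 58: "ICMPv6", 59: "No Next Header"}
IPV6_HDR_LEN = 40


def ext_header_len(nh, data):
    """Size in bytes of the extension header of type nh starting at data[0]."""
    if nh == FRAGMENT:
        return 8                    # fixed-size header
    if nh == AH:
        return (data[1] + 2) * 4    # Payload Len counts 4-octet words, minus 2
    return (data[1] + 1) * 8        # Hdr Ext Len counts 8-octet units after the first


def walk_chain(pkt):
    """Return (extension header names in order, upper-layer protocol name).

    Stops at ESP because everything after the ESP header is encrypted; raises
    on a chain that runs past the end of the bytes we have.
    """
    nh, pos, chain = pkt[6], IPV6_HDR_LEN, []
    while nh in EXT_HEADERS:
        chain.append(EXT_HEADERS[nh])
        if nh == ESP:
            return chain, "opaque (ESP payload)"
        if pos + 2 > len(pkt):
            raise ValueError("truncated extension header")
        nh, pos = pkt[pos], pos + ext_header_len(nh, pkt[pos:])
        if pos > len(pkt):
            raise ValueError("extension header runs past end of packet")
    return chain, UPPER_LAYER.get(nh, f"protocol {nh}")


def upper_layer_in_first_fragment(pkt):
    """True if the transport header is reachable without waiting for more fragments.

    A first fragment whose chain ends in the Fragment header hides the transport
    header from a stateless filter; RFC 7112 forbids such packets on the wire.
    """
    nh, pos = pkt[6], IPV6_HDR_LEN
    while nh in EXT_HEADERS and nh != ESP:
        if pos + 2 > len(pkt):
            return False
        length = ext_header_len(nh, pkt[pos:])
        if nh == FRAGMENT and pos + length >= len(pkt):
            return False
        nh, pos = pkt[pos], pos + length
    return True


def ipv6_header(first_nh, payload_len):
    """Fixed 40-byte header: version 6, Payload Length, Next Header, Hop Limit 64."""
    return struct.pack("!IHBB", 0x60000000, payload_len, first_nh, 64) + bytes(32)

def options_header(next_nh):
    """Hop-by-Hop or Destination Options header: one 8-octet unit holding a PadN option."""
    return bytes([next_nh, 0, 1, 4, 0, 0, 0, 0])

def fragment_header(next_nh, offset_units, more, ident):
    """Fragment header: Next Header, reserved, 13-bit offset | M flag, Identification."""
    return struct.pack("!BBHI", next_nh, 0, (offset_units << 3) | int(more), ident)

def ah_header(next_nh, spi=0x100, seq=1):
    """AH with a 96-bit ICV: Payload Len = 4, so (4 + 2) * 4 = 24 bytes total."""
    return struct.pack("!BBHII", next_nh, 4, 0, spi, seq) + bytes(12)

def esp_header(spi=0x200, seq=1, encrypted=bytes(16)):
    """ESP: SPI, sequence number, then opaque ciphertext."""
    return struct.pack("!II", spi, seq) + encrypted

def sample_ah_tcp():
    """Constructed: IPv6 -> Hop-by-Hop -> Fragment (first) -> AH -> TCP (20 zero bytes)."""
    body = (options_header(FRAGMENT) + fragment_header(AH, 0, True, 0xABCD)
            + ah_header(6) + bytes(20))
    return ipv6_header(HOP_BY_HOP, len(body)) + body

def sample_esp():
    """Constructed: IPv6 -> Destination Options -> ESP (payload opaque)."""
    body = options_header(ESP) + esp_header()
    return ipv6_header(DEST_OPTS, len(body)) + body

def sample_hidden_transport():
    """Constructed first fragment whose chain ends in the Fragment header."""
    body = fragment_header(6, 0, True, 0xABCD)
    return ipv6_header(FRAGMENT, len(body)) + body
```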

QUESTION NO: 73
Which three statements correctly describe the purpose and operation of IPv6 RS and RA
messages? (Choose three.)
A.
Both IPv6 RS and RA packets are ICMPv6 messages.
B.
IPv6 RA messages can help host devices perform stateful or stateless address autoconfiguration;
RS messages are sent by hosts to determine the addresses of routers.
C.
RS and RA packets are always sent to an all-nodes multicast address.
D.
RS and RA packets are used by the duplicate address detection function of IPv6.
E.
IPv6 hosts learn connected router information from RA messages which may be sent in response
to an RS message.
F.
RS and RA packets are used for IPv6 nodes to perform address resolution that is similar to ARP in
IPv4.

Answer: A,B,E
Explanation:

IPv6 Neighbor Discovery--RA Message

RA messages typically include the following information:


References: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6_basic/configuration/xe-3s/ip6b-xe-3s-book/ip6-neighb-disc-xe.html#GUID-1C16B07D-4464-4506-9E0B-DA6AA7743E83

QUESTION NO: 74
Which three statements are true regarding the EIGRP update message? (Choose three.)
A.
Updates require an acknowledgement with an ACK message.
B.
Updates can be sent to the multicast address 224.0.0.10.
C.
Updates are sent as unicasts when they are retransmitted.
D.
Updates always include all routes known by the router with partial updates sent in the Reply
message.
E.
ACKs for updates are handled by TCP mechanisms.

Answer: A,B,C
Explanation:

EIGRP uses the Reliable Transport Protocol (RTP) to send its updates and confirm their receipt.
On point-to-point topologies such as serial links, MPLS VPNs, and Frame Relay networks using
point-to-point subinterfaces, the EIGRP Update and ACK messages use a simple process of
acknowledging each update with an ACK. On multiaccess data links, EIGRP typically sends
Update messages to multicast address 224.0.0.10 and expects a unicast EIGRP ACK message
from each neighbour in reply. RTP manages that process, setting timers so that the sender of an
update waits a reasonable time, but not too long, before deciding whether all neighbours received
the Update or whether one or more neighbours did not reply with an ACK.

QUESTION NO: 75
Which two EIGRP packet types are considered to be unreliable packets? (Choose two.)
A.
update
B.
query
C.
reply
D.
hello
E.
acknowledgement

Answer: D,E
Explanation:

Hello Packets: EIGRP sends Hello packets once it has been enabled on a router for a particular
network. These messages are used to identify neighbors and, once identified, serve as a keepalive
mechanism between neighboring devices. EIGRP Hello packets are sent to the link-local multicast
group address 224.0.0.10. Hello packets sent by EIGRP do not require an acknowledgment
confirming that they were received. Because they require no explicit acknowledgment, Hello
packets are classified as unreliable EIGRP packets. EIGRP Hello packets have an OPCode of 5.
Acknowledgement Packets: An EIGRP Acknowledgment (ACK) packet is simply an EIGRP Hello
packet that contains no data. Acknowledgement packets are used by EIGRP to confirm reliable
delivery of EIGRP packets. ACKs are always sent to a unicast address, which is the source
address of the sender of the reliable packet, and not to the EIGRP multicast group address. In
addition, Acknowledgement packets always contain a non-zero acknowledgment number. The
ACK uses the same OPCode as the Hello packet because it is essentially just a Hello that
contains no information. The OPCode is 5.

QUESTION NO: 76
Which two OSPF network types support the concept of a designated router? (Choose two.)
A.
broadcast
B.
NBMA
C.
point-to-multipoint
D.
point-to-multipoint nonbroadcast
E.
loopback

Answer: A,B
Explanation:

NBMA: simulates a broadcast model by electing a designated router (DR) and a backup
designated router (BDR). There are two ways to simulate a broadcast model on an NBMA
network: define the network type as broadcast with the ip ospf network broadcast interface
subcommand, or configure the neighbor statements using the router ospf command.

QUESTION NO: 77
Which IPv6 routing protocol can use IPv6 ESP and AH to provide integrity, authentication, and
confidentiality services to protect the routing information exchange between the adjacent routing
neighbors?
A.
RIPng
B.
EIGRPv6
C.
BGP-4
D.
IS-IS
E.
OSPFv3

Answer: E
Explanation:

OSPF (Open Shortest Path First) Version 2 [N1] defines the fields AuType and Authentication in
its protocol header to provide security.
In OSPF for IPv6 (OSPFv3) [N2], both of the authentication fields were removed from OSPF
headers. OSPFv3 relies on the IPv6 Authentication Header (AH) and IPv6 Encapsulating Security
Payload (ESP) to provide integrity, authentication, and/or confidentiality.

QUESTION NO: 78
Which three IPv6 tunneling methods are point-to-multipoint in nature? (Choose three.)
A.
automatic 6to4
B.
manually configured
C.
IPv6 over IPv4 GRE
D.
ISATAP
E.
automatic IPv4-compatible

Answer: A,D,E
Explanation:

Tunneling Method | Suggested Usage
Manual           | Used to provide a point-to-point IPv6 link over an existing IPv4 network; only supports IPv6 traffic.
GRE              | Used to provide a point-to-point IPv6 link over an existing IPv4 network; supports multiple protocols, including IPv6.
6to4             | Used to provide a point-to-multipoint IPv6 link over an existing IPv4 network; sites must use IPv6 addresses from the 2002::/16 range.
6rd (or 6RD)     | Used to provide a point-to-multipoint IPv6 link over an existing IPv4 network; sites can use IPv6 addresses from any range.
ISATAP           | Used to provide point-to-multipoint IPv6 links over an existing IPv4 network. Designed to be used between devices inside the same site.

QUESTION NO: 79
Which additional capability was added in IGMPv3?
A.
leave group messages support
B.
source filtering support
C.
group-specific host membership queries support
D.
IPv6 support
E.
authentication support between the multicast receivers and the last hop router

Answer: B
Explanation:

IGMP is the protocol used by IPv4 systems to report their IP multicast group memberships to
neighboring multicast routers. Version 3 of IGMP adds support for "source filtering", that is, the
ability for a system to report interest in receiving packets *only* from specific source addresses, or
from *all but* specific source addresses, sent to a particular multicast address. That information
may be used by multicast routing protocols to avoid delivering multicast packets from specific
sources to networks where there are no interested receivers.

QUESTION NO: 80
Beacons, probe request, and association request frames are associated with which category?

A.
management
B.
control
C.
data
D.
request

Answer: A
Explanation:
The three 802.11 frame types are: management, control, and data.

QUESTION NO: 81
Which feature can be implemented to avoid any MPLS packet loss?
A.
IP TTL propagation
B.
LDP IGP sync
C.
label advertisement sync
D.
conditional label advertisement
E.
PHP

Answer: B
Explanation:

Packet loss can occur because the actions of the IGP and LDP are not synchronized. Packet loss
can occur in the following situations:

When an IGP adjacency is established, the router begins forwarding packets using the new
adjacency before the LDP label exchange completes between the peers on that link.

If an LDP session closes, the router continues to forward traffic using the link associated with the
LDP peer rather than an alternate pathway with a fully synchronized LDP session.

QUESTION NO: 82
Which domain is used for a reverse lookup of IPv4 addresses?
A.
in-addr.arpa
B.
ip4.arpa
C.
in-addr.net
D.
ip4.net

Answer: A
Explanation:

Reverse DNS lookups for IPv4 addresses use a reverse IN-ADDR entry in the special domain
in-addr.arpa. In this domain, an IPv4 address is represented as a concatenated sequence of four
decimal numbers, separated by dots, to which is appended the second-level domain suffix
.in-addr.arpa. The four decimal numbers are obtained by splitting the 32-bit IPv4 address into four
8-bit portions and converting each 8-bit portion into a decimal number. These decimal numbers are
then concatenated in the order: least significant 8-bit portion first (leftmost), most significant 8-bit
portion last (rightmost). It is important to note that this is the reverse order to the usual
dotted-decimal convention for writing IPv4 addresses in textual form. For example, an address (A)
record for mail.example.com points to the IP address 192.0.2.5. In pointer records of the reverse
database, this IP address is stored as the domain name 5.2.0.192.in-addr.arpa pointing back to its
designated host name mail.example.com. This allows it to pass the Forward Confirmed reverse
DNS process.

QUESTION NO: 83
Which port or ports are used for the FTP data channel in passive mode?
A.
random TCP ports
B.
TCP port 21 on the server side
C.
TCP port 21 on the client side
D.
TCP port 20 on the server side
E.
TCP port 20 on the client side

Answer: A
Explanation:

FTP has a stateful control connection which maintains a current working directory and other flags,
and each transfer requires a secondary connection through which the data is transferred. In
"passive" mode this secondary connection is from client to server, whereas in the default "active"
mode this connection is from server to client. This apparent role reversal when in active mode, and
random port numbers for all transfers, is why firewalls and NAT gateways have such a hard time
with FTP. HTTP is stateless and multiplexes control and data over a single connection from client
to server on well-known port numbers, which trivially passes through NAT gateways and is simple
for firewalls to manage.

QUESTION NO: 84
Why do firewalls need to specially treat an active mode FTP session?
A.
The data channel is originating from a server side.
B.
The FTP client opens too many concurrent data connections.
C.
The FTP server sends chunks of data that are too big.
D.
The data channel is using a 7-bit transfer mode.

Answer: A
Explanation:

PASV-mode FTP client-side firewall

If you're the firewall/router administrator on the PASV-mode client side, you'll need to open the
following ports:
Outbound: TCP port 21 and TCP ports 1025 and above
Inbound: TCP ports 1025 and above
Note that the PASV-mode FTP client requires outbound access to TCP ports 1025 and above.
While this doesn't seem like a big difference from the PORT-mode FTP client requirements, it is in
fact a tremendous difference from a security point of view. To allow the PASV-mode FTP client
outbound access to the FTP server, you must let these clients have outbound access to all
high-number ports. Since you have no way of determining in advance what high-number port the
FTP server will assign to the data channel, you must open all the high-numbered ports.
This configuration might be fine if you had some way to assure that only FTP clients would be
accessing an FTP server on these ports. Unfortunately, you can't easily control what applications
can access what ports. And even if you did limit just FTP clients to these ports, you would be
blocking other applications' access to the high-number ports.
To further complicate matters, you must also allow inbound access to all high-number ports. The
result is that you must allow inbound and outbound access to all high-number ports. Needless to
say, this is an untenable security configuration.
One way you can improve the packet-filtering situation is to limit access to outbound TCP port 21
from certain clients. However, you still run into the spoofing problem.
PASV-mode FTP server-side firewall
These are the ports you need to open on the server side of the PASV-mode connection:
Outbound: TCP ports 1025 and above
Inbound: TCP port 21 and TCP ports 1025 and above

QUESTION NO: 85
Which statement is true about the TFTP protocol?
A.
The client is unable to get a directory listing from the server.
B.
The client is unable to create a new file on a server.
C.
The client needs to log in with a username and password.
D.
The client needs to log in using "anonymous" as a username and specifying an email address as a
password.

Answer: A
Explanation:

TFTP is a simple protocol used to transfer files, and therefore was named the Trivial File Transfer
Protocol or TFTP. The only thing it can do is read and write files from/to a remote server. It cannot
list directory contents or change the working directory, and currently has no provisions for user
authentication, so a TFTP server must have a dedicated working directory set from which to send
and receive files.
A TFTP server cannot receive a file from a client unless a file with the same name and with full
write permissions already exists in the current working folder. That's why this application has a
toolbar button to create on your Mac the files you plan to upload: such files are created with the
proper permissions already set, so that your TFTP clients may upload their files overwriting those
already existing in the TFTP current folder.

QUESTION NO: 86
Which NTP stratum level means that the clock is unsynchronized?
A.
0
B.
1
C.
8
D.
16

Answer: D
Explanation:

NTP uses a hierarchical, semi-layered system of time sources. Each level of this hierarchy is
termed a "stratum" and is assigned a number starting with zero at the top. A server synchronized
to a stratum n server will be running at stratum n + 1. The number represents the distance from
the reference clock and is used to prevent cyclical dependencies in the hierarchy. Stratum is not
always an indication of quality or reliability; it is common to find stratum 3 time sources that are
higher quality than other stratum 2 time sources. Telecommunication systems use a different
definition for clock strata. A brief description of strata 0, 1, 2 and 3 is provided below.
Stratum 0
These are high-precision timekeeping devices such as atomic (cesium, rubidium) clocks, GPS
clocks or other radio clocks. They generate a very accurate pulse-per-second signal that triggers
an interrupt and timestamp on a connected computer. Stratum 0 devices are also known as
reference clocks.
Stratum 1
These are computers whose system clocks are synchronized to within a few microseconds of their
attached stratum 0 devices. Stratum 1 servers may peer with other stratum 1 servers for sanity
checking and backup. They are also referred to as primary time servers.
Stratum 2
These are computers that are synchronized over a network to stratum 1 servers. Often a stratum 2
computer will query several stratum 1 servers. Stratum 2 computers may also peer with other
stratum 2 computers to provide more stable and robust time for all devices in the peer group.
Stratum 3
These are computers that are synchronized to stratum 2 servers. They employ exactly the same
algorithms for peering and data sampling as stratum 2, and can themselves act as servers for
stratum 4 computers, and so on.
The upper limit for stratum is 15; stratum 16 is used to indicate that a device is unsynchronized.
The NTP algorithms on each computer interact to construct a Bellman-Ford shortest-path
spanning tree, to minimize the accumulated round-trip delay to the stratum 1 servers for all the
clients.

QUESTION NO: 87
Which statement is true about an NTP server?
A.
It answers using UTC time.
B.
It uses the local time of the server with its time zone indication.
C.
It uses the local time of the server and does not indicate its time zone.
D.
It answers using the time zone of the client.

Answer: A
Explanation:

NTP is intended to synchronize all participating computers to within a few milliseconds of
Coordinated Universal Time (UTC). It uses a modified version of Marzullo's algorithm to select
accurate time servers and is designed to mitigate the effects of variable network latency. NTP can
usually maintain time to within tens of milliseconds over the public Internet, and can achieve better
than one millisecond accuracy in local area networks under ideal conditions. Asymmetric routes
and network congestion can cause errors of 100 ms or more.

QUESTION NO: 88
Which statement is true about an SNMPv2 communication?
A.
The whole communication is not encrypted.
B.
Only the community field is encrypted.
C.
Only the query packets are encrypted.
D.
The whole communication is encrypted.

Answer: A
Explanation:
SNMPv2c messages use different header and protocol data unit (PDU) formats from SNMPv1
messages. SNMPv2c also uses two protocol operations that are not specified in SNMPv1.
Furthermore, RFC 2576 defines two possible SNMPv1/v2c coexistence strategies: proxy agents
and bilingual network-management systems.

QUESTION NO: 89
Which four functionalities are built into the ISE? (Choose four.)
A.
Profiling Server
B.
Profiling Collector
C.
RADIUS AAA for Device Administration
D.
RADIUS AAA for Network Access
E.
TACACS+ for Device Administration
F.
TACACS+ for Network Access
G.
Guest Lifecycle Management

Answer: A,B,D,G
Explanation:

Key features of ISE

QUESTION NO: 90
Which three routing characteristics are relevant for DMVPN Phase 3? (Choose three.)
A.
Hubs must not preserve the original IP next-hop.
B.
Hubs must preserve the original IP next-hop.
C.
Split-horizon must be turned off for RIP and EIGRP.
D.
Spokes are only routing neighbors with hubs.
E.
Spokes are routing neighbors with hubs and other spokes.
F.
Hubs are routing neighbors with other hubs and must use the same routing protocol as that used
on hub-spoke tunnels.

Answer: A,C,D
Explanation:

These are the benefits that DMVPN Phase 3 brings:

Allows summarization of routing protocol updates from hub to spokes. The spokes no longer
need to have an individual route with an IP next-hop of the tunnel IP address of the remote spoke
for the networks behind all the other spokes. The spokes can use summarized routes or specific
routes with an IP next-hop of the tunnel IP address of the hub and still be able to build
spoke-to-spoke tunnels. This can reduce the load on the routing protocol running on the hub
router: when you can summarize the networks behind the spokes to a few summary routes or even
one summary route, the hub routing protocol only has to advertise the few or one summary route
to each spoke rather than all of the individual spoke routes. For example, with 1000 spokes and
one route per spoke, the hub receives 1000 routes but only has to advertise one summary route
back to each spoke (equivalent to 1000 advertisements, one per spoke) instead of the 1,000,000
advertisements it had to send in the prior implementation of DMVPN (Phase 2).

Provides better alternatives to complex daisy chaining of hubs for expanding DMVPN
spoke-to-spoke networks. The hubs must still be interconnected, but they are not restricted to just
a daisy-chain pattern. The hubs may now be interconnected in a dual direction chain, partial or full
mesh, or in a hierarchical design. Since the routing table is now used to forward data packets and
NHRP control packets between hubs, there is efficient forwarding of packets to the correct hub
rather than having request and reply packets traversing around the daisy chain to go through all of
the hub routers.

Allows for expansion of DMVPN spoke-to-spoke networks beyond two hubs with Open Shortest
Path First (OSPF) as the routing protocol. Because the spokes use routes with the IP next-hop set
to the hub router (not the remote spoke router as before), you can configure OSPF to use
point-to-multipoint network mode rather than broadcast network mode. Configuring OSPF to use
point-to-multipoint network mode removes the Designated Router (DR) and Backup Designated
Router (BDR) requirements that restricted the DMVPN network to just two hubs (Figure 2). When
using OSPF, each spoke still has all the individual spoke routes, because the DMVPN network
must be in a single OSPF area and you cannot summarize routes within an OSPF area.
References: http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/converged-vpn-solution-managed-services/prod_white_paper0900aecd8055c34e.html

QUESTION NO: 91
Using Cisco IOS, which two object-group options will permit networks 10.1.1.0/24 and 10.1.2.0/24
to host 192.168.5.1 port 80 and 443? (Choose two.)
A.
object-group network SOURCE
 range 10.1.1.0 10.1.2.255
object-group network DESTINATION
 host 192.168.5.1
object-group service HTTP
 tcp eq www
 tcp eq 443
 tcp source gt 1024
!
access-list 101 permit object-group HTTP object-group SOURCE object-group DESTINATION
B.
object-group network SOURCE
 10.1.1.0 0.0.0.255
 10.1.2.0 0.0.0.255
object-group network DESTINATION
 host 192.168.5.1
object-group service HTTP
 tcp eq www
 tcp eq 443
!
ip access-list extended ACL-NEW
 permit object-group SOURCE object-group DESTINATION object-group HTTP
C.
object-group network SOURCE
 10.1.1.0 255.255.255.0
 10.1.2.0 255.255.255.0
object-group network DESTINATION
 host 192.168.5.1
object-group service HTTP
 tcp eq www
 tcp eq 443
!
ip access-list extended ACL-NEW
 permit object-group SOURCE object-group DESTINATION object-group HTTP
D.
object-group network SOURCE
 10.1.1.0 255.255.255.0
 10.1.2.0 255.255.255.0
object-group network DESTINATION
 host 192.168.5.1
object-group service HTTP
 tcp eq www
 tcp eq 443
 tcp source gt 1024
!
ip access-list extended ACL-NEW
 permit object-group HTTP object-group SOURCE object-group DESTINATION

Answer: A,D
Explanation:

The configuration needs to permit 10.1.1.0/24 and 10.1.2.0/24 to access host 192.168.5.1 on
ports 80 and 443. Options A and D are configured correctly: they specify 10.1.1.0/24 and
10.1.2.0/24 as the source and 192.168.5.1 as the destination, and permit the services defined
under the object-group service HTTP.

QUESTION NO: 92
Which two statements about the fragmentation of IPsec packets in routers are true? (Choose two.)
A.
By default, the IP packets that need encryption are first encrypted with ESP. If the resulting
encrypted packet exceeds the IP MTU on the egress physical interface, then the encrypted packet
is fragmented and sent out.
B.
By default, the router knows the IPsec overhead to add to the packet. The router performs a
lookup if the packet will exceed the egress physical interface IP MTU after encryption, then
fragments the packet and encrypts the resulting IP fragments separately.
C.
increases CPU utilization on the decrypting device.
D.
increases CPU utilization on the encrypting device.

Answer: B,C
Explanation:

Remember that the DF bit is copied from the inner IP header to the outer IP header when IPsec
encrypts a packet. The media MTU and PMTU values are stored in the IPsec Security Association
(SA). The media MTU is based on the MTU of the outbound router interface and the PMTU is
based on the minimum MTU seen on the path between the IPsec peers. Remember that IPsec
encapsulates/encrypts the packet before it attempts to fragment it.

QUESTION NO: 93
crypto gdoi group gdoi_group
identity number 1234
server local
sa receive-only
sa ipsec 1
profile gdoi-p
match address ipv4 120
Which statement about the above configuration is true?
A.
The key server instructs the DMVPN spoke to install SAs outbound only.
B.
The key server instructs the GDOI group to install SAs inbound only.
C.
The key server instructs the DMVPN hub to install SAs outbound only.
D.
The key server instructs the GDOI spoke to install SAs inbound only.

Answer: B
Explanation:
Receive Only SA
For multicast traffic using the GDOI protocol, bidirectional SAs are installed. The Receive Only
feature enables an incremental deployment so that only a few sites can be verified before bringing
up an entire network. To test the sites, one of the group members should send encrypted traffic to
all the other group members and have them decrypt the traffic and forward the traffic in the clear.
Receive Only SA mode allows encryption in only the inbound direction for a period of time. (See
the steps for the Receive Only SA process.) If you configure the sa receive-only command on the
key server, Steps 2 and 3 happen automatically.
This action allows the group members to install SAs in the inbound direction only. Receive-only
SAs can be configured under a crypto group. (See the Configuring the Group ID Server Type and
SA Type section.)
If the sa receive-only command is configured, all TEKs under this group are going to be marked
receive only by the key server when they are sent to the group member.
References: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_getvpn/configuration/xe-3s/sec-get-vpn-xe-3s-book/sec-get-vpn.html

QUESTION NO: 94
class-map nbar_rtp
match protocol rtp payload-type "0, 1, 4 - 0x10, 10001b - 10010b, 64"
The above NBAR configuration matches RTP traffic with which payload types?
A.
0, 1, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 64
B.
0, 1, 4, 5, 6, 7, 8, 9, 10
C.
0, 1, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 64
D.
0, 1, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 64

Answer: A
Explanation:
Real-time Transport Protocol (RTP) is a packet format for multimedia data streams. It can be used
for media-on-demand and for interactive services such as Internet telephony. RTP consists of a
data part and a control part. The control part is called Real-Time Transport Control Protocol
(RTCP). RTCP is a separate protocol that is supported by NBAR. It is important to note that the
NBAR RTP Payload Type Classification feature does not identify RTCP packets and that RTCP
packets run on odd-numbered ports and RTP packets run on even-numbered ports.
The data part of RTP is a thin protocol that provides support for applications with real-time
properties such as continuous media (audio and video), which includes timing reconstruction, loss
detection, and security and content identification. RTP is discussed in RFC 1889
(A Transport Protocol for Real-Time Applications) and RFC 1890
(RTP Profile for Audio and Video Conferences with Minimal Control).
The RTP payload type is the data transported by RTP in a packet, for example, audio samples or
compressed video data.
The NBAR RTP Payload Type Classification feature not only allows real-time audio and video
traffic to be statefully identified, but can also differentiate on the basis of audio and video codecs to
provide more granular QoS. The RTP Payload Type Classification feature, therefore, does a
deep-packet inspection into the RTP header to classify RTP packets.
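
An added Python example, not from the exam material or from IOS itself: a parser for the payload-type string used in the class-map above (decimal, 0x-prefixed hex, b-suffixed binary, inclusive ranges, comma separated), expanded to the set given in answer A and checked against a constructed RTP header.

```python
"""Added example, not part of the exam dump: expand the payload-type string used by the
IOS 'match protocol rtp payload-type' command (decimal, 0x hex, b-suffixed binary,
'-' ranges, comma separated) into the numeric payload types it matches, and apply it
to a constructed RTP header. The parsing code is written here, not taken from IOS."""


def parse_number(tok):
    """One payload-type token: '0x10' -> 16, '10001b' -> 17, '64' -> 64."""
    tok = tok.strip().lower()
    if tok.startswith("0x"):
        return int(tok[2:], 16)
    if tok.endswith("b") and tok[:-1] and set(tok[:-1]) <= {"0", "1"}:
        return int(tok[:-1], 2)
    return int(tok, 10)


def expand_payload_types(spec):
    """Return the sorted payload types covered by spec; ranges are inclusive."""
    types = set()
    for item in spec.strip().strip('"').split(","):
        item = item.strip()
        if not item:
            continue
        if "-" in item:
            lo, hi = (parse_number(p) for p in item.split("-", 1))
            if lo > hi:
                raise ValueError(f"descending range {item!r}")
            types.update(range(lo, hi + 1))
        else:
            types.add(parse_number(item))
    out_of_range = sorted(t for t in types if not 0 <= t <= 127)
    if out_of_range:
        raise ValueError(f"RTP payload type is 7 bits; bad values {out_of_range}")
    return sorted(types)


def rtp_payload_type(pkt):
    """7-bit PT from the second header byte (RFC 1889): V=2 check, marker bit stripped."""
    if len(pkt) < 12 or pkt[0] >> 6 != 2:
        raise ValueError("not an RTP version 2 header")
    return pkt[1] & 0x7F


def class_map_matches(spec, pkt):
    """Would a class-map with this payload-type spec match the packet?"""
    return rtp_payload_type(pkt) in expand_payload_types(spec)


NBAR_RTP_SPEC = '"0, 1, 4 - 0x10, 10001b - 10010b, 64"'   # from class-map nbar_rtp above
# constructed 12-byte RTP headers: V=2, then M|PT, sequence, timestamp, SSRC (all zero)
RTP_PCMA = bytes([0x80, 0x08]) + bytes(10)    # PT 8 (PCMA)           -> matched
RTP_DYN96 = bytes([0x80, 0xE0]) + bytes(10)   # M=1, PT 96 (dynamic)  -> not matched
```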

QUESTION NO: 95
Refer to the exhibit.

According to this DHCP packet header, which field is populated by a DHCP relay agent with its
own IP address before the DHCPDISCOVER message is forwarded to the DHCP server?
A.
ciaddr
B.
yiaddr
C.
siaddr
D.
giaddr

Answer: D
Explanation:
In order to allow DHCP clients on subnets not directly served by DHCP servers to communicate
with DHCP servers, DHCP relay agents can be installed on these subnets. The DHCP client
broadcasts on the local link; the relay agent receives the broadcast and transmits it to one or more
DHCP servers using unicast. The relay agent stores its own IP address in the GIADDR field of the
DHCP packet. The DHCP server uses the GIADDR to determine the subnet on which the relay
agent received the broadcast, and allocates an IP address on that subnet. When the DHCP server
replies to the client, it sends the reply to the GIADDR address, again using unicast. The relay
agent then retransmits the response on the local network.
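The relay behaviour described above, as an added example that is not part of the original page: it packs a DHCPDISCOVER with the RFC 2131 fixed header, lets a relay agent write its own address into giaddr (and bump hops), and lets the server pick an address pool from giaddr. The relay address, pools and client MAC are constructed values.

```python
import ipaddress
import struct

# Fixed-length part of a BOOTP/DHCP message (RFC 2131, section 2): 236 bytes
# that precede the options field. Layout written out here from the RFC.
_HDR = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")
_FIELDS = ("op", "htype", "hlen", "hops", "xid", "secs", "flags",
           "ciaddr", "yiaddr", "siaddr", "giaddr", "chaddr", "sname", "file")
BOOTREQUEST, BOOTREPLY = 1, 2
MAGIC_COOKIE = b"\x63\x82\x53\x63"


def parse_header(pkt: bytes) -> dict:
    """Unpack the fixed header; the four address fields come back dotted."""
    vals = dict(zip(_FIELDS, _HDR.unpack_from(pkt)))
    for name in ("ciaddr", "yiaddr", "siaddr", "giaddr"):
        vals[name] = str(ipaddress.IPv4Address(vals[name]))
    return vals


def build_discover(xid: int, mac: bytes) -> bytes:
    """DHCPDISCOVER as the client broadcasts it: every address field is zero,
    hops is zero, and the options carry only message type 1 (DISCOVER)."""
    zero = b"\x00" * 4
    hdr = _HDR.pack(BOOTREQUEST, 1, 6, 0, xid, 0, 0x8000,   # flags: broadcast
                    zero, zero, zero, zero, mac.ljust(16, b"\x00"),
                    b"\x00" * 64, b"\x00" * 128)
    return hdr + MAGIC_COOKIE + bytes([53, 1, 1, 255])


def relay_forward(pkt: bytes, relay_ip: str) -> bytes:
    """What the relay agent does before unicasting the broadcast to the server:
    put its own address on the client-facing link into giaddr and increment
    hops. giaddr is written only if still zero, so a second relay upstream
    does not overwrite the first relay's address (RFC 1542, section 4.1.1)."""
    fields = list(_HDR.unpack_from(pkt))
    hops, giaddr = _FIELDS.index("hops"), _FIELDS.index("giaddr")
    if fields[giaddr] == b"\x00" * 4:
        fields[giaddr] = ipaddress.IPv4Address(relay_ip).packed
    fields[hops] += 1
    return _HDR.pack(*fields) + pkt[_HDR.size:]


def server_select_subnet(pkt: bytes, local_subnet: str, pools: list) -> str:
    """Server side: a non-zero giaddr names the subnet the client sits on;
    giaddr == 0.0.0.0 means the client is on the server's own link."""
    giaddr = parse_header(pkt)["giaddr"]
    if giaddr == "0.0.0.0":
        return local_subnet
    for pool in pools:
        if ipaddress.IPv4Address(giaddr) in ipaddress.IPv4Network(pool):
            return pool
    raise LookupError("no pool covers relay agent %s" % giaddr)


if __name__ == "__main__":
    # Constructed values: client MAC, relay address and server pools.
    disc = build_discover(0x3903F326, bytes.fromhex("001122334455"))
    relayed = relay_forward(disc, "10.20.30.1")
    print(parse_header(relayed)["giaddr"],
          server_select_subnet(relayed, "192.168.1.0/24",
                               ["10.20.30.0/24", "10.20.40.0/24"]))
```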

QUESTION NO: 96
Which two are valid SMTP commands, according to RFC 821? (Choose two.)
A.
EHLO
B.
HELO
C.
RCPT
D.
AUTH

Answer: B,C
Explanation:
HELLO (HELO)
This command is used to identify the sender-SMTP to the receiver-SMTP. The argument field
contains the host name of the sender-SMTP. The receiver-SMTP identifies itself to the sender-SMTP
in the connection greeting reply, and in the response to this command. This command and
an OK reply to it confirm that both the sender-SMTP and the receiver-SMTP are in the initial state,
that is, there is no transaction in progress and all state tables and buffers are cleared.

RECIPIENT (RCPT)
This command is used to identify an individual recipient of the mail data; multiple recipients are
specified by multiple use of this command. The forward-path consists of an optional list of hosts
and a required destination mailbox. When the list of hosts is present, it is a source route and
indicates that the mail must be relayed to the next host on the list. If the receiver-SMTP does not
implement the relay function it may use the same reply it would for an unknown local user (550).
When mail is relayed, the relay host must remove itself from the beginning of the forward-path and
put itself at the beginning of the reverse-path. When mail reaches its ultimate destination (the
forward-path contains only a destination mailbox), the receiver-SMTP inserts it into the destination
mailbox in accordance with its host mail conventions.

QUESTION NO: 97
Which two statements about VTP passwords are true? (Choose two)
A.
The VTP password can only be configured when the switch is in Server mode.
B.
The VTP password is sent in the summary advertisements.
C.
The VTP password is encrypted for confidentiality using 3DES.
D.
VTP is not required to be configured on all switches in the domain.
E.
The VTP password is hashed to preserve authenticity using the MD5 algorithm.
F.
The VTP password can only be configured when the switch is in Client mode.

Answer: B,E
Explanation:

"The general purpose of an MD5 value is to verify the integrity of a received packet and to detect
any changes to the packet or corruption of the packet during transit. When a switch detects a new
revision number that is different from the currently stored value, the switch sends a request
message to the VTP server and requests the VTP subsets. A subset advertisement contains a list
of VLAN information. The switch calculates the MD5 value for the subset advertisements and
compares the value to the MD5 value of the VTP summary advertisement. If the two values are
different, the switch increases the No of config digest errors counter."

QUESTION NO: 98
Which option represents IPv6 address ff02::1?
A.
PIM routers.
B.
RIP routers.
C.
all nodes on the local network.
D.
NTP.

Answer: C
Explanation:

Address    Description
ff02::1    All nodes on the local network segment
ff02::2    All routers on the local network segment
ff02::5    OSPFv3 All SPF routers
ff02::6    OSPFv3 All DR routers
ff02::8    IS-IS for IPv6 routers
ff02::9    RIP routers
ff02::a    EIGRP routers
ff02::d    PIM routers

QUESTION NO: 99
Which two statements about IPv6 are true? (Choose two.)
A.
Broadcast is available.
B.
Routing tables are less complicated.
C.
The address pool will eventually deplete.
D.
Data encryption is built into the packet frame.
E.
Increased NAT is required.
F.
Fewer bits make IPv6 easier to configure.

Answer: B,D
Explanation:
In IPv6, IPsec is part of IP itself. It can span packets, since the ESP header is now a part of IP's
header. And because it's integrated with IP, more parts of the IP header can be protected.

QUESTION NO: 100


Which statement describes an IPv6 benefit?
A.
Broadcast is not available.
B.
Routing tables are more complicated.
C.
The address pool is limited.
D.
Data encryption is not built into the packet frame.
E.
Increased NAT is required.

Answer: A
Explanation:

IPv6 does not implement traditional IP broadcast, and therefore does not define broadcast
addresses. In IPv6, the same result can be achieved by sending a packet to the link-local all
nodes multicast group which is analogous to IPv4 multicast.
Broadcast addressing as a distinct addressing method is gone in IPv6. Broadcast functionality is
implemented using multicast addressing to groups of devices. A multicast group to which all nodes
belong can be used for broadcasting in a network.

QUESTION NO: 101


Which option is representative of automatic IP addressing in IPv4?
A.
10.1.x.x
B.
172.10.1.x
C.
169.254.x.x
D.
196.245.x.x
E.
128.1.1.x
F.
127.1.x.x

Answer: C
Explanation:

IP addresses are assigned to computers automatically by an ISP, a network server (DHCP), or
APIPA. If you are not connected to any network, an APIPA address is assigned; it is a private,
non-routable address for your computer, and that is what the 169.254.x.x range is for.

QUESTION NO: 102


Refer to the exhibit.

Which option describes the behavior of this configuration?


A.
Traffic from the 30.30.0.0/16 network to the 10.10.0.0/32 network will be translated.
B.
Traffic from the 30.30.0.0/32 network to the 10.10.0.0/16 network will not be translated.
C.
Traffic from the 10.10.0.0/16 network to the 30.30.30.0/24 network will not be translated.
D.
Traffic from the 10.10.0.0/32 network to the 30.30.30.0/16 network will be translated.

Answer: C
Explanation:
Here, the two network objects have this configuration:
object network obj-10.10.0.0
 subnet 10.10.0.0 255.255.0.0
This defines an object for 10.10.0.0/16. The other one is:
object network obj-30.30.30.0
 subnet 30.30.30.0 255.255.255.0
This defines an object for 30.30.30.0/24.
Looking at the options, only option C combines a /16 network with a /24 network.

QUESTION NO: 103


Refer to the exhibit.

Which option describes the behavior of this configuration?


A.
Host 10.10.10.1 will get translated as 20.20.20.1 from inside to outside.
B.
Host 20.20.20.1 will be translated as 10.10.10.1 from outside to inside.
C.
Host 20.20.20.1 will be translated as 10.10.10.1 from inside to outside.
D.
Host 10.10.10.1 will be translated as 20.20.20.1 from outside to inside.

Answer: A
Explanation:
Here a network object was created that defines a single host, and a rule was created for that host:
when the inside host goes to the outside, it is dynamically NATed to 20.20.20.1.

QUESTION NO: 104


Which ICMP message type code indicates fragment reassembly time exceeded?
A.
Type 4, Code 0
B.
Type 11, Code 0
C.
Type 11, Code 1
D.
Type 12, Code 2

Answer: C
Explanation:

Type   Code   Description
11     0      Time Exceeded: TTL expired in transit
11     1      Time Exceeded: Fragment reassembly time exceeded

QUESTION NO: 105


Which IPV4 header field increments every time when packet is sent from a source to a
destination?
A.
Flag
B.
Fragment Offset
C.
Identification
D.
Time To Live

Answer: C
Explanation:
This field is an identification field and is primarily used for uniquely identifying the group of
fragments of a single IP datagram.

QUESTION NO: 106


A device is sending a PDU of 5000 B on a link with an MTU of 1500 B. If the PDU includes 20 B of
IP header, which statement is true?
A.
The first three packets will have a packet payload size of 1400.
B.
The last packet will have a payload size of 560.
C.
The first three packets will have a packet payload size of 1480.
D.
The last packet will have a payload size of 20.

Answer: C
Explanation:
Here the MTU is set to 1500 and the IP header is 20 B. Once an MTU is set, nothing larger than it
can be sent; a larger packet is broken into pieces of the specified MTU size and sent across. With
an MTU of 1500 and a 20 B IP header, the first three packets will each carry a payload of 1480.
It is the first three packets because the PDU size is 5200 B, and breaking this packet into packets
of at most 1500 B gives:
5200 = 1500 + 1500 + 1500 + 700.

QUESTION NO: 107


Which statement about VLAN is true?
A.
VLAN cannot be routed.
B.
VLANs 1006 through 4094 are not propagated by VTP version 3.
C.
VLAN1 is a Cisco default VLAN that can be deleted.
D.
The extended-range VLANs cannot be configured in global configuration mode.

Answer: A
Explanation:

With VTP versions 1 and 2, the switch supports VLAN IDs 1006 through 4094 only in VTP
transparent mode (VTP disabled). These are extended-range VLANs and configuration options
are limited. Extended-range VLANs created in VTP transparent mode are not saved in the VLAN
database and are not propagated. VTP version 3 supports extended range VLAN (VLANs 1006 to
4094) database propagation. If extended VLANs are configured, you cannot convert from VTP
version 3 to version 1 or 2.

QUESTION NO: 108


Which two statements about SNMP are true? (Choose two)
A.
SNMP operates at Layer-6 of the OSI model.
B.
NMS sends a request to the agent at TCP port 161.
C.
NMS sends request to the agent from any source port.
D.
NMS receives notifications from the agent on UDP 162.
E.
MIB is a hierarchical representation of management data on NMS.

Answer: C,D
Explanation:
SNMP uses the UDP port 161 for sending and receiving requests, and port 162 for receiving traps
from managed devices. Every device that implements SNMP must use these port numbers as the
defaults, but some vendors allow you to change the default ports in the agent's configuration. If
these defaults are changed, the NMS must be made aware of the changes so it can query the
device on the correct ports.

QUESTION NO: 109


Which two statements about the DNS are true? (Choose two.)
A.
The client-server architecture is based on query and response messages.
B.
Query and response messages have different format.
C.
In the DNS message header, the QR flag set to 1 indicates a query.
D.
In the DNS header, an Opcode value of 2 represents a client status request.
E.
In the DNS header, the Rcode value is set to 0 in Query message.

Answer: A,D
Explanation:

Set the opCode variable to a new value. This field indicates the type of the question present in the
DNS packet; val can be one of the values QUERY, IQUERY or STATUS.
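The header fields the question asks about (QR, Opcode, Rcode), as an added example not from the original page: the same 12-byte RFC 1035 header packed for a query and for the matching response, with a constructed name, ID and answer address.

```python
import ipaddress
import struct

# 12-byte DNS message header (RFC 1035, section 4.1.1). Queries and responses
# share this layout; the QR bit (0 = query, 1 = response) tells them apart.
_HDR = struct.Struct("!HHHHHH")
OPCODES = {0: "QUERY", 1: "IQUERY", 2: "STATUS"}
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}


def build_header(ident, qr, opcode, rd=1, ra=0, aa=0, tc=0, rcode=0,
                 qdcount=1, ancount=0, nscount=0, arcount=0):
    """Pack the flags word: QR(1) Opcode(4) AA TC RD RA Z(3) RCODE(4)."""
    flags = ((qr & 1) << 15 | (opcode & 0xF) << 11 | (aa & 1) << 10
             | (tc & 1) << 9 | (rd & 1) << 8 | (ra & 1) << 7 | (rcode & 0xF))
    return _HDR.pack(ident, flags, qdcount, ancount, nscount, arcount)


def parse_header(msg):
    """Decode the header of any DNS message into named fields."""
    ident, flags, qd, an, ns, ar = _HDR.unpack_from(msg)
    opcode, rcode = (flags >> 11) & 0xF, flags & 0xF
    return {"id": ident, "qr": flags >> 15,
            "opcode": OPCODES.get(opcode, opcode),
            "aa": (flags >> 10) & 1, "tc": (flags >> 9) & 1,
            "rd": (flags >> 8) & 1, "ra": (flags >> 7) & 1,
            "rcode": RCODES.get(rcode, rcode),
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def encode_qname(name):
    """'www.example.com.' -> b'\\x03www\\x07example\\x03com\\x00' (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(ident, name, qtype=1, qclass=1):
    """Standard query: QR=0, Opcode=QUERY, one question, RD set."""
    question = encode_qname(name) + struct.pack("!HH", qtype, qclass)
    return build_header(ident, qr=0, opcode=0) + question


def a_record(name, ttl, ip):
    """An A resource record (type 1, class IN) with an uncompressed owner name."""
    return (encode_qname(name) + struct.pack("!HHIH", 1, 1, ttl, 4)
            + ipaddress.IPv4Address(ip).packed)


def build_response(query, rcode=0, answer_rrs=()):
    """Server side: copy ID, Opcode, RD and the question section from the
    query, set QR=1 and RA, and report the outcome in RCODE."""
    ident, flags = struct.unpack_from("!HH", query)
    hdr = build_header(ident, qr=1, opcode=(flags >> 11) & 0xF,
                       rd=(flags >> 8) & 1, ra=1, rcode=rcode,
                       qdcount=1, ancount=len(answer_rrs))
    return hdr + query[_HDR.size:] + b"".join(answer_rrs)
```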

QUESTION NO: 110


Which three HTTP header fields can be classified by NBAR for request messages? (Choose
three.)
A.
User-Agent
B.
Server
C.
Referrer
D.
Content-Encoding
E.
Location
F.
From

Answer: A,C,F
Explanation:

Header field, description, example and status:

User-Agent
  Description: The user agent string of the user agent
  Example: User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:12.0) Gecko/20100101 Firefox/21.0
  Status: Permanent

Referer
  Description: The address of the previous web page from which a link to the currently requested
  page was followed. (The word "referrer" has been misspelled in the RFC as well as in most
  implementations, to the point that it has become standard usage and is considered correct
  terminology.)
  Example: Referer: http://en.wikipedia.org/wiki/Main_Page
  Status: Permanent

From
  Description: The email address of the user making the request
  Example: From: user@example.com
  Status: Permanent

QUESTION NO: 111


Refer to the exhibit.

Which option describes the behavior of this configuration?


A.
The packet will be dropped if received on the same interface that the router would use to forward
return packet.
B.
The packet will be forwarded as long as it is in the routing table.
C.
The packet will be forwarded if received on the same interface that the router would use to forward
return packet.
D.
Packet will be forwarded only if exists a default route for the return path.

Answer: C
Explanation:

Cisco IOS Devices


An important consideration for deployment is that Cisco Express Forwarding switching must be
enabled for Unicast RPF to function. This command has been enabled by default as of IOS
version 12.2. If it is not enabled, administrators can enable it with the following global configuration
command:
ip cef
Unicast RPF is enabled on a per-interface basis. The ip verify unicast source reachable-via rx
command enables Unicast RPF in strict mode. To enable loose mode, administrators can use
the any option to enforce the requirement that the source IP address for a packet must appear in
the routing table. The allow-default option may be used with either the rx or any option to include IP
addresses not specifically contained in the routing table. The allow-self-ping option should not be
used because it could create a denial of service condition. An access list such as the one that
follows may also be configured to specifically permit or deny a list of addresses through Unicast
RPF:
interface FastEthernet 0/0
ip verify unicast source reachable-via {rx | any} [allow-default]
[allow-self-ping] [list]
Addresses that should never appear on a network can be dropped by entering a route to a null
interface. The following command will cause all traffic received from the 10.0.0.0/8 network to be
dropped even if Unicast RPF is enabled in loose mode with the allow-default option:
ip route 10.0.0.0 255.0.0.0 Null0
Reference: http://www.cisco.com/web/about/security/intelligence/unicast-rpf.html
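Strict (rx) versus loose (any) mode, the allow-default option and the Null0 route, simulated as an added example that is neither from the original page nor Cisco's implementation; the routing table and the packets are constructed, and "Null0" is used as the interface name of a black-hole route.

```python
import ipaddress

# Constructed routing table: (prefix, outgoing interface). The 10.0.0.0/8 entry
# models "ip route 10.0.0.0 255.0.0.0 Null0"; 0.0.0.0/0 is the default route.
ROUTES = [
    ("10.1.0.0/16", "Gi0/1"),
    ("10.0.0.0/8", "Null0"),
    ("192.168.0.0/24", "Gi0/2"),
    ("0.0.0.0/0", "Gi0/0"),
]


class UrpfRouter:
    def __init__(self, routes):
        self.routes = [(ipaddress.ip_network(p), oif) for p, oif in routes]

    def lookup(self, addr):
        """Longest-prefix match on the source address, as the forwarding table
        would resolve it; returns (network, interface) or None."""
        addr = ipaddress.ip_address(addr)
        best = None
        for net, oif in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, oif)
        return best

    def check(self, src, in_iface, mode="rx", allow_default=False):
        """True if a packet from src arriving on in_iface passes Unicast RPF.

        mode "rx"  (strict): the best route back to src must leave via in_iface
        mode "any" (loose) : any usable route back to src is enough
        allow_default      : whether a match on 0.0.0.0/0 counts as a route
        A source whose best route points to Null0 fails in both modes.
        """
        match = self.lookup(src)
        if match is None:
            return False
        net, oif = match
        if oif == "Null0":
            return False
        if net.prefixlen == 0 and not allow_default:
            return False
        if mode == "any":
            return True
        if mode != "rx":
            raise ValueError("mode must be 'rx' or 'any'")
        return oif == in_iface


def dropped_packets(router, packets, **opts):
    """Run constructed (src, in_iface) pairs through the check; return the
    ones that would be dropped."""
    return [(src, iface) for src, iface in packets
            if not router.check(src, iface, **opts)]
```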

QUESTION NO: 112
Which three types of traffic are processed by CoPP configured on the device? (Choose three.)
A.
transient traffic
B.
routing protocol traffic
C.
IPsec traffic
D.
traffic that is destined to the device interface
E.
any traffic filtered by the access list
F.
traffic from a management protocol such as Telnet or SNMP

Answer: B,D,F
Explanation:

CoPP is performed on a per-forwarding-engine basis and software CoPP is performed on an
aggregate basis.

CoPP does not support MAC ACLs.

CoPP does not support non-IP classes except for the default non-IP class. ACLs can be used
instead of non-IP classes to drop non-IP traffic, and the default non-IP CoPP class can be used to
limit to non-IP traffic that reaches the RP CPU.

In PFC3A mode, egress QoS and CoPP cannot be configured at the same time. A warning
message is displayed to inform you that egress QoS and CoPP cannot be configured at the same
time.

You must ensure that the CoPP policy does not filter critical traffic such as routing protocols or
interactive access to the switches. Filtering this traffic could prevent remote access to the
switch, requiring a console connection.

The PFC3 supports built-in special-case rate limiters, which are useful for situations where an ACL
cannot be used (for example, TTL, MTU, and IP options). When you enable the special-case rate
limiters, you should be aware that the special-case rate limiters will override the CoPP policy for
packets matching the rate-limiter criteria.

Neither egress CoPP nor silent mode is supported. CoPP is only supported on ingress (service-policy output CoPP cannot be applied to the control plane interface).

ACE hit counters in hardware are only for ACL logic. You can rely on software ACE hit counters
and the show access-list, show policy-map control-plane, and show mls ip qos commands to
troubleshoot and evaluate CPU traffic.

QUESTION NO: 113


Which statement about PVLAN setup is true?
A.
The host that is connected to the community port can communicate with a host that is connected
to a different community port.
B.
The host that is connected to the community port cannot communicate with hosts that are
connected to the promiscuous port.
C.
The host that is connected to the community port cannot communicate with hosts that are
connected to the isolated port.
D.
The host that is connected to the community port can only communicate with hosts that are
connected to the same community port.

Answer: C
Explanation:

Primary, Isolated, and Community Private VLANs


Primary VLANs and the two types of secondary VLANs (isolated and community) have these
characteristics:
Primary VLAN: The primary VLAN carries traffic from the promiscuous ports to the host ports,
both isolated and community, and to other promiscuous ports.
Isolated VLAN: An isolated VLAN is a secondary VLAN that carries unidirectional traffic upstream
from the hosts toward the promiscuous ports. You can only configure one isolated VLAN in a
private VLAN domain. An isolated VLAN can have several isolated ports. The traffic from each
isolated port also remains completely separate.
Community VLAN: A community VLAN is a secondary VLAN that carries upstream traffic from the
community ports to the promiscuous port and to other host ports in the same community. You can
configure multiple community VLANs in a private VLAN domain. The ports within one community
can communicate, but these ports cannot communicate with ports in any other community or
isolated VLAN in the private VLAN.
Reference: http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/layer2/421_n2_1/b_Cisco_n5k_layer2_config_gd_rel_421_N2_1/Cisco_n5k_layer2_config_gd_rel_421_N2_1_chapter5.html

QUESTION NO: 114


Which statement applies to Flexible NetFlow?
A.
Flexible NetFlow uses seven key fields in IP datagrams to identify the flow.
B.
Flexible NetFlow uses key fields of IP datagram to identify fields from which data is captured.
C.
User-defined flows can be defined in Flexible NetFlow.
D.
Flexible NetFlow cannot be used for billing and accounting applications.
E.
Flexible NetFlow does not have any predefined records.

Answer: C
Explanation:
A big advantage of the Flexible NetFlow concept is that the user can define the flow. The
user-defined flow records and the component structure of Flexible NetFlow make it easy for you to
create various configurations for traffic analysis and data export on a networking device with a
minimum number of configuration commands.
QUESTION NO: 115


Which statement about Storm Control implementation on a switch is true?
A.
Storm Control does not prevent disruption due to unicast traffic.
B.
Storm Control is implemented as a global configuration.
C.
Storm Control uses the bandwidth and rate at which a packet is received to measure the activity.
D.
Storm Control uses the bandwidth and rate at which a packet is dispatched to measure the
activity.
E.
Storm Control is enabled by default.

Answer: C
Explanation:
The traffic storm control threshold numbers and the time interval combination make the traffic
storm control algorithm work with different levels of granularity. A higher threshold allows more
packets to pass through. Traffic storm control is implemented in hardware. The traffic storm control
circuitry monitors packets passing from a LAN interface to the switching bus. Using the
Individual/Group bit in the packet destination address, the traffic storm control circuitry determines
if the packet is unicast or broadcast, keeps track of the current count of packets within the 1-second
interval and when the threshold is reached, traffic storm control filters out subsequent
packets.
Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/122SX/configuration/guide/book/storm.pdf

QUESTION NO: 116


Refer to the exhibit.

If SW4 is sending superior BPDUs, where should the root guard feature be configured to preserve
SW3 as a root bridge?
A.
SW4 Gi0/0 interface.
B.
Sw3 Gi0/0 interface.
C.
Sw2 Gi0/1 interface.
D.
SW2 Gi0/1 and SW3 Gi0/1

Answer: C
Explanation:
Root guardis a feature that can be used to influence which switches are eligible to become the
root bridge. Although priorities are used to determine who becomes the root bridge, they provide
no mechanism to determine who is eligible to become the root bridge. There is nothing to stop a
new switch being introduced to the network with a lower bridge ID, which allows it to become the
root bridge. The introduction of this new switch can affect the network, as new paths may be
formed that are not ideal for the traffic flows of the network. The figure demonstrates why you might
need to configure root guard.

Figure: Root Guard Topology


In the figure, a new switch (Switch-D) has been added to the network by connecting to Switch-C.
Currently Switch-A is the root bridge and has a gigabit connection to Switch-B, which is the
secondary root bridge. A lot of server-to-server traffic traverses the link between Switch-A and
Switch-B. Switch-D has been configured with the lowest priority in the network (a priority of 0 as
indicated by the bridge ID of Switch-D), and thus becomes the root bridge. This has the effect of
blocking the gigabit port (port 2/1) on Switch-B, severely affecting the performance of the network,
because server traffic must travel over 100-Mbps uplinks from Switch-A -> Switch-C -> Switch-B
and vice versa.


To prevent the scenario in the figure from occurring, you can configure the root guard feature to
prevent unauthorized switches from becoming the root bridge. When you enable root guard on a
port, if configuration BPDUs superior to the current configuration BPDUs generated by the root
bridge are received, the switch blocks the port, discards the superior BPDUs and assigns a state
of root inconsistent to the port.

QUESTION NO: 117


Refer to the exhibit.

Which three statements correctly describe the configuration? (Choose three).


A.
The tunnel is not providing peer authentication
B.
The tunnel encapsulates multicast traffic.
C.
This is a point-to-point GRE tunnel.
D.
The configuration is on the NHS.
E.
The configuration is on the NHC.
F.
The tunnel provides data confidentiality.
G.
The tunnel IP address represents the NBMA address.

Answer: B,D,F
Explanation:

The tunnel protection ipsec profile Hub-Spoke command validates options B and F, which state
that the tunnel encapsulates multicast traffic and provides data confidentiality.

QUESTION NO: 118
Refer to the exhibit.

Which statement correctly describes the configuration?


A.
The configuration is the super view configuration of role-based access control.
B.
The configuration would not work unless the AAA server is configured for authentication and
authorization.
C.
The exec commands in the configuration will be excluded from the test view.
D.
The configuration is the CLI configuration of role-based access control.

Answer: D
Explanation:

commands exec include configure terminal
commands exec include show run
These two commands mean that the user logging in has restricted access to the device: the user
can only issue show run and enter configure terminal. Anything apart from this is denied.
commands: Adds commands or interfaces to a view. Its keywords and arguments:

parser-mode: The mode in which the specified command exists.

include: Adds a command or an interface to the view and allows the same command or interface
to be added to an additional view.

include-exclusive: Adds a command or an interface to the view and excludes the same command
or interface from being added to all other views.

exclude: Excludes a command or an interface from the view; that is, customers cannot access a
command or an interface.

all: A "wildcard" that allows every command in a specified configuration mode that begins with the
same keyword or every subinterface for a specified interface to be part of the view.

interface interface-name: Interface that is added to the view.

command: Command that is added to the view.


Reference: http://www.cisco.com/en/US/docs/ios/12_3t/12_3t7/feature/guide/gtclivws.html

QUESTION NO: 119


Which item is not encrypted by ESP?
A.
ESP header
B.
ESP trailer
C.
IP header
D.
Data
E.
TCP-UDP header

Answer: A
Explanation:
The ESP header is inserted into the packet between the IP header and any subsequent packet
contents. However, because ESP encrypts the data, the payload is changed. ESP does not
encrypt the ESP header, nor does it encrypt the ESP authentication.

QUESTION NO: 120


Which item is not authenticated by ESP?
A.
ESP header
B.
ESP trailer
C.
New IP header
D.
Original IP header
E.
Data
F.
TCP-UDP header

Answer: C
Explanation:

In tunnel mode, AH authenticates the entire original header and builds a new IP header that is
placed at the front of the packet. The only fields not authenticated by AH in tunnel mode are the
fields in the new IP header that can change in transit.

QUESTION NO: 121


Which statement about the Cisco NAC CAS is true?
A.
The Cisco NAC CAS acts as a gateway between untrusted networks.
B.
The Cisco NAC CAS can only operate as an in-band real IP gateway.
C.
The Cisco NAC CAS can operate as an out-of-band virtual gateway.
D.
The Cisco NAC CAS is an administration and monitoring server.

Answer: C
Explanation:

The Out-of-Band Server Types appear in the dropdown menu when you apply an OOB-enabled
license to a Cisco NAC Appliance deployment. For OOB, the CAS operates as a Virtual or Real-IP
Gateway while client traffic is In-Band (in the Cisco NAC Appliance network) during authentication
and certification. Once clients are authenticated and certified, they are considered out-of-band
(no longer passing through the Cisco NAC Appliance network) and allowed directly onto the
trusted network. Choose one of the following operating modes for the CAS:

Out-of-Band Virtual Gateway: CAS operates as a Virtual Gateway during authentication and
certification, before the user is switched out-of-band (i.e., the user is connected directly to the
access network).

Out-of-Band Real-IP Gateway: CAS operates as a Real-IP Gateway during authentication and
certification, before the user is switched out-of-band (i.e., the user is connected directly to the
access network).

Note that the CAM can control both in-band and out-of-band Clean Access Servers in its domain.
However, the CAS itself must be either in-band or out-of-band.

QUESTION NO: 122


Which two statements about dynamic ARP inspection are true? (Choose two.)
A.
Dynamic ARP inspection checks ARP packets on both trusted and untrusted ports.
B.
Dynamic ARP inspection is only supported on access and trunk ports.
C.
Dynamic ARP inspection checks invalid ARP packets against the trusted database.
D.
The trusted database to check for an invalid ARP packet is manually configured.
E.
Dynamic ARP inspection does not perform ingress security checking.
F.
DHCP snooping must be enabled.

Answer: C,F
Explanation:
Dynamic ARP inspection ensures that only valid ARP requests and responses are relayed. The
switch performs these activities:

Intercepts all ARP requests and responses on untrusted ports

Verifies that each of these intercepted packets has a valid IP-to-MAC address binding before
updating the local ARP cache or before forwarding the packet to the appropriate destination

Drops invalid ARP packets.


Dynamic ARP inspection determines the validity of an ARP packet based on valid IP-to-MAC
address bindings stored in a trusted database, the DHCP snooping binding database. This
database is built by DHCP snooping if DHCP snooping is enabled on the VLANs and on the
switch. If the ARP packet is received on a trusted interface, the switch forwards the packet without
any checks. On untrusted interfaces, the switch forwards the packet only if it is valid.

QUESTION NO: 123


Refer to the exhibit.

Which command caused the above messages?


A.
Neighbor 101.0.0.1 maximum-prefix 500 80 warning-only.
B.
Neighbor 101.0.0.1 maximum-prefix 500 90.
C.
Neighbor 101.0.0.1 maximum-prefix 500 70.
D.
Neighbor 101.0.0.1 maximum-prefix 500 70 warning-only.

Answer: C
Explanation:
To control how many prefixes can be received from a neighbor, use the neighbor maximum-prefix
command in router configuration mode. To disable this function, use the no form of this
command.
neighbor {ip-address | peer-group-name} maximum-prefix maximum [threshold] [warning-only]
no neighbor {ip-address | peer-group-name} maximum-prefix maximum

QUESTION NO: 124


Which two options describe the main purpose of EIGRP authentication? (Choose two.)
A.
To identify authorized peers.
B.
To allow faster convergence
C.
To provide redundancy
D.
To prevent injection of incorrect routing information.
E.
To provide routing updates confidentiality

Answer: A,D
Explanation:
The addition of authentication to your routers' EIGRP messages ensures that your routers only
accept routing messages from other routers that know the same pre-shared key. Without this
authentication configured, if someone introduces another router with different or conflicting route
information on to the network, the routing tables on your routers could become corrupt and a
denial of service attack could ensue. Thus, when you add authentication to the EIGRP messages
sent between your routers, it prevents someone from purposely or accidentally adding another
router to the network and causing a problem.
Reference: http://www.cisco.com/c/en/us/support/docs/ip/enhanced-interior-gateway-routing-protocol-eigrp/82110-eigrp-authentication.html

QUESTION NO: 125


Which statement about IPv6 is true?
A.
Broadcast is available.
B.
The address pool will never deplete.
C.
Data security is natively supported through mandatory IPv6 extension headers for ESP and AH.
D.
Increased NAT is required compared to IPv4.
E.
IPv6 has fewer bits available for addressing than IPv4.

Answer: C
Explanation:
When ESP is applied in transport mode, the ESP Header is added to the existing datagram as in
AH, and the ESP Trailer and ESP Authentication Data are placed at the end. In tunnel mode, the
ESP Header and Trailer bracket the entire encapsulated IPv6 datagram. Note the encryption and
authentication coverage in each case, and also how the Next Header field points back into the
datagram since it appears in the ESP Trailer.

QUESTION NO: 126


Which IPv4 header field usually increments for each subsequent packet sent?
A.
Flag
B.
Fragment Offset
C.
Identification
D.
Time To Live

Answer: C
Explanation:
This field is an identification field and is primarily used for uniquely identifying the group of
fragments of a single IP datagram.

QUESTION NO: 127


Which address range is representative of Automatic Private IP Addressing?
A.
10.1.x.x
B.
172.10.1.x
C.
169.254.x.x
D.
196.245.x.x
E.
128.1.1.x
F.
127.1.x.x

Answer: C
Explanation:

An IP address is assigned to a computer automatically by an ISP, by a network server (DHCP),
or by APIPA. If you are not connected to any network, an APIPA address is assigned; this is a
private, non-routable IP address for your computer, and that is what the 169.254.x.x range is for.

QUESTION NO: 128


Which ICMP message type code indicates fragmentation needed but DF bit set?
A.
Type 3, Code 0
B.
Type 4, Code 2
C.
Type 3, Code 4
D.
Type 8, Code 0

Answer: C
Explanation:

"Pass Any Exam. Any Time." - www.actualtests.com

116

Cisco 350-018 Exam


From the descriptions the IESG has obtained, adjusting the routers to continue to send ICMP
message Type 3 code 4 (destination unreachable, don't fragment (DF) bit set and fragmentation
required) even when they have their "don't send ICMP messages" switch turned on would allow
path MTU discovery to work but not affect older BSD hosts, since they never set the DF bit in their
packets.

QUESTION NO: 129


Which group of devices is represented by the IPv6 address ff02::1?
A.
All PIM routers on the local network.
B.
All the routers running RIP on the local network.
C.
All nodes on the local network.
D.
All NTP servers on the local network.

Answer: C
Explanation:

Address    Description
ff02::1    All nodes on the local network segment
ff02::2    All routers on the local network segment
ff02::5    OSPFv3 All SPF routers
ff02::6    OSPFv3 All DR routers
ff02::8    IS-IS for IPv6 routers
ff02::9    RIP routers
ff02::a    EIGRP routers
ff02::d    PIM routers

QUESTION NO: 130


Which statement about layer-2 VLAN is true?
A.
VLAN cannot be routed.
B.
VLANs 1006 through 4094 are not propagated by VTP version 3.
C.
VLAN1 is a Cisco default VLAN that can be deleted.
D.
The extended-range VLANs cannot be configured in global configuration mode.

Answer: A
Explanation:
Virtual LANs (VLANs) offer a method of dividing one physical network into multiple broadcast
domains. However, VLAN-enabled switches cannot, by themselves, forward traffic across VLAN
boundaries. For inter-VLAN communication, a Layer 3 router is required.

"Pass Any Exam. Any Time." - www.actualtests.com

118

Cisco 350-018 Exam


QUESTION NO: 131
Which two statements about the OSPF authentication configuration are true? (Choose two.)
A.
OSPF authentication is required in area 0.
B.
There are three types of OSPF authentication options available.
C.
In MD5 authentication, the password is encrypted when it is sent.
D.
Null authentication includes the password in clear-text.
E.
Type-3 authentication is a clear-text password authentication.
F.
In MD5 authentication, the password never goes across the network.

Answer: B,F
Explanation:

Two types of authentication can be used:

1. Clear-text authentication: clear-text passwords are used.
2. MD5 authentication: MD5 authentication is used. This type of authentication is more secure.

NOTE: with OSPF authentication turned on, routers must pass the authentication process in
order to become OSPF neighbors.

To configure clear-text authentication, the following steps are required:
1. Configure the OSPF password on the interface by using the "ip ospf authentication-key
PASSWORD" interface command.
2. Configure the interface to use OSPF clear-text authentication by using the "ip ospf
authentication" interface command.

"Pass Any Exam. Any Time." - www.actualtests.com

119

Cisco 350-018 Exam


QUESTION NO: 132
Which statement about DH group is true?
A.
The DH group does not provide data authentication.
B.
The DH group is used to provide data confidentiality.
C.
The DH group is used to establish a shared key over a secured medium.
D.
The DH group is negotiated in IPsec phase-2.

Answer: A
Explanation:
Diffie-Hellman (DH) groups determine the strength of the key used in the key exchange process.
Higher group numbers are more secure, but require additional time to compute the key. They
become part of the authentication procedure but they never provide authentication.

QUESTION NO: 133


Which statement about DHCP is true?
A.
DHCP uses TCP port 68 and 67
B.
The DHCPDiscover packet is a broadcast message
C.
The DHCPRequest is a unicast message.
D.
The DHCPOffer packet is sent from the DHCP client

Answer: B
Explanation:
"Pass Any Exam. Any Time." - www.actualtests.com

120

Cisco 350-018 Exam


The DHCP client sends a DHCPDiscover broadcast on the network to find a DHCP server. If there
is no response from a DHCP server, the client assigns itself an Automatic Private IPv4 address
(APIPA).

QUESTION NO: 134


Which three statements about SMTP are true? (Choose three.)
A.
SMTP uses TCP port 25.
B.
The POP protocol is used by the SMTP client to manage stored mail.
C.
The IMAP protocol is used by the SMTP client to send email.
D.
The mail delivery agent in the SMTP architecture is responsible for DNS lookup.
E.
SMTPS uses SSL and TLS.
F.
SMTP uses TCP port 587.

Answer: A,E,F
Explanation:

Server administrators choose whether clients use TCP port 25 (SMTP) or port 587
(Submission) for relaying outbound mail to an initial mail server. The specifications and many
servers support both. Although some servers support port 465 for legacy secure SMTP in violation
of the specifications, it is preferable to use standard ports and standard ESMTP commands if a
secure session needs to be used between the client and the server.
TLS (Transport Layer Security) and SSL (Secure Sockets Layer) are protocols that provide data
encryption and authentication between applications and servers in scenarios where that data is
being sent across an insecure network, such as checking your email. The terms SSL and TLS are
often used interchangeably or in conjunction with each other (TLS/SSL), but one is in fact the
predecessor of the other: SSL 3.0 served as the basis for TLS 1.0 which, as a result, is
sometimes referred to as SSL 3.1.

"Pass Any Exam. Any Time." - www.actualtests.com

121

Cisco 350-018 Exam

QUESTION NO: 135


Which statement about DNS is true?
A.
The client-server architecture is based on push-pull messages.
B.
Query and response messages have different format.
C.
In the DNS message header, the QR flag set to 1 indicates a query.
D.
In the DNS header, an Opcode value of 2 represents a server status request.
E.
In the DNS header, the Rcode value is set to 0 for format error.

Answer: D
Explanation:

Set the opCode variable to a new value. This field indicates the type of the question present in the
DNS packet; val can be one of the values QUERY, IQUERY or STATUS.
STATUS is used to query the nameserver for its status.
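The header fields the options refer to (QR bit, Opcode, Rcode) all live in the 12-byte fixed DNS header defined in RFC 1035 section 4.1.1. The decoder below is an added example written for this question, not part of the exam dump; the three sample headers are constructed by hand rather than captured from the wire.

```python
import struct

# Opcode values from RFC 1035 section 4.1.1 (3-15 are reserved).
OPCODES = {0: "QUERY", 1: "IQUERY", 2: "STATUS"}
# Response codes from RFC 1035 (0 = no error, 1 = format error, ...).
RCODES = {0: "NoError", 1: "FormErr", 2: "ServFail", 3: "NXDomain",
          4: "NotImp", 5: "Refused"}


def build_dns_header(msg_id, qr, opcode, rcode=0, rd=1, ra=0,
                     qdcount=1, ancount=0, nscount=0, arcount=0):
    """Pack a 12-byte DNS header; queries and responses share this layout."""
    flags = (qr << 15) | (opcode << 11) | (rd << 8) | (ra << 7) | rcode
    return struct.pack("!6H", msg_id, flags, qdcount, ancount, nscount, arcount)


def parse_dns_header(data):
    """Decode the fixed 12-byte header at the start of any DNS message."""
    if len(data) < 12:
        raise ValueError("DNS header is 12 bytes, got %d" % len(data))
    msg_id, flags, qdcount, ancount, nscount, arcount = struct.unpack("!6H", data[:12])
    opcode = (flags >> 11) & 0xF
    rcode = flags & 0xF
    return {
        "id": msg_id,
        "qr": (flags >> 15) & 1,        # 0 = query, 1 = response
        "opcode": opcode,
        "opcode_name": OPCODES.get(opcode, "RESERVED"),
        "aa": (flags >> 10) & 1,
        "tc": (flags >> 9) & 1,
        "rd": (flags >> 8) & 1,
        "ra": (flags >> 7) & 1,
        "rcode": rcode,
        "rcode_name": RCODES.get(rcode, "RESERVED"),
        "qdcount": qdcount,
        "ancount": ancount,
        "nscount": nscount,
        "arcount": arcount,
    }


# Constructed sample headers (not captured traffic): a recursive standard
# query, a server status request (Opcode 2), and a response in which the
# server reports a format error (Rcode 1).
STANDARD_QUERY = bytes.fromhex("1234 0100 0001 0000 0000 0000")
STATUS_REQUEST = bytes.fromhex("abcd 1000 0000 0000 0000 0000")
FORMERR_RESPONSE = bytes.fromhex("1234 8181 0001 0000 0000 0000")


def describe(data):
    """One-line summary such as 'response opcode=QUERY rcode=FormErr'."""
    h = parse_dns_header(data)
    kind = "response" if h["qr"] else "query"
    return "%s opcode=%s rcode=%s" % (kind, h["opcode_name"], h["rcode_name"])


if __name__ == "__main__":
    for sample in (STANDARD_QUERY, STATUS_REQUEST, FORMERR_RESPONSE):
        print(describe(sample))
```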

QUESTION NO: 136


Which statement about Infrastructure ACLs on Cisco IOS software is true?
A.
Infrastructure ACLs are used to protect the device forwarding path.
B.
Infrastructure ACLs are used to protect device management and internal link addresses.
C.
Infrastructure ACLs are used to authorize the transit traffic.
"Pass Any Exam. Any Time." - www.actualtests.com

122

Cisco 350-018 Exam


D.
Infrastructure ACLs only protect device physical management interface.

Answer: B
Explanation:

The infrastructure ACL is the first line of defence between one's network and the outside world. It
is not meant to be the only defence, but well-maintained infrastructure ACLs can help to protect
your network from seeing or carrying unnecessary traffic, or prevent your network from originating
malicious traffic (such as spoofed packets, where the source address of a customer's traffic is
from an allocation that is not your own).

QUESTION NO: 137


In traceroute, which ICMP message indicates that the packet is dropped by a router in the path?
A.
Type 3, Code 3
B.
Type 11, Code 0
C.
Type 5, Code 1
D.
Type 3, Code 1
E.
Type 11, Code 1

Answer: B
Explanation:

ICMP Fields:
Type: 11
Code: 0 = time to live exceeded in transit;
      1 = fragment reassembly time exceeded.

QUESTION NO: 138


Which three statements about Dynamic ARP Inspection on Cisco Switches are true? (Choose
three.)
A.
Dynamic ARP inspection checks ARP packets on both trusted and untrusted ports.
B.
Dynamic ARP inspection is only supported on access ports.
C.
Dynamic ARP inspection checks ARP packets against the trusted database.
D.
The trusted database can be manually configured using the CLI.
E.
Dynamic ARP inspection does not perform ingress security checking.
F.
DHCP snooping is used to dynamically build the trusted database.

Answer: C,D,F
Explanation:

DAI determines the validity of an ARP packet based on valid IP-to-MAC address bindings stored in
a trusted database, the DHCP snooping binding database. This database is built by DHCP
snooping if DHCP snooping is enabled on the VLANs and on the switch. If the ARP packet is
received on a trusted interface, the switch forwards the packet without any checks. On untrusted
interfaces, the switch forwards the packet only if it is valid.
DAI can validate ARP packets against user-configured ARP access control lists (ACLs) for hosts
with statically configured IP addresses, i.e. manually configured.
"Pass Any Exam. Any Time." - www.actualtests.com

124

Cisco 350-018 Exam


References: Reference:http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/122SX/configuration/guide/book/dynarp.html

QUESTION NO: 139


Which statement about the PVLAN is true?
A.
Promiscuous ports can only communicate with other promiscuous ports.
B.
Isolated ports cannot communicate with the other promiscuous ports.
C.
Community ports can communicate with the other promiscuous ports but not with the other
community ports.
D.
Isolated ports can communicate with the other isolated ports only.
E.
Promiscuous ports can communicate with all the other type of ports.
F.
Community ports can communicate with the other community ports but not with promiscuous
ports.

Answer: E
Explanation:

PVLANs provide layer 2 isolation between ports within the same broadcast domain. There are
three types of PVLAN ports:

QUESTION NO: 140


A device is sending a PDU of 5000 B on a link with an MTU of 1500 B. If the PDU includes 20 B of
IP header, which statement is true considering the most efficient way to transmit this PDU?
"Pass Any Exam. Any Time." - www.actualtests.com

125

Cisco 350-018 Exam


A.
The first three packets will have a packet payload size of 1400.
B.
The last packet will have a payload size of 560.
C.
The first three packets will have a packet payload size of 1480.
D.
The last packet will have a payload size of 20.

Answer: C
Explanation:
Here the MTU is set to 1500 and the size of the IP header is 20 B. When you set an MTU, you cannot
send anything over it. A packet of larger size is broken into pieces of the specified MTU size and sent
across. Here the MTU is 1500 and the size of the IP header is 20 B, so the first three packets will have
a packet payload size of 1480. We say the first three packets because the size of the PDU is 5200 B,
and if we have to break this packet into packets of a maximum size of 1500, then the calculation would be:
5200 = 1500 + 1500 + 1500 + 700.
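The same arithmetic, carried through for the 5000 B PDU in the question, as an added example that is not part of the exam dump. It assumes a 20 B IPv4 header with no options, and it also tracks the Fragment Offset field (counted in 8-byte units) and the More Fragments flag so the fragment set can be checked for reassembly.

```python
def fragment_datagram(pdu_len, mtu, ip_hdr_len=20):
    """Split a datagram of pdu_len bytes (header included) to fit the MTU.

    Returns a list of (payload_len, more_fragments, fragment_offset) tuples,
    one per fragment, where fragment_offset is in 8-byte units as carried in
    the IP header. Every fragment but the last carries the largest payload
    that fits the MTU after the header and is a multiple of 8 bytes.
    """
    if ip_hdr_len >= mtu:
        raise ValueError("MTU must be larger than the IP header")
    if pdu_len < ip_hdr_len:
        raise ValueError("PDU shorter than its IP header")
    data_len = pdu_len - ip_hdr_len
    max_payload = (mtu - ip_hdr_len) // 8 * 8   # round down to an 8-byte multiple
    fragments = []
    offset = 0
    while data_len - offset > max_payload:
        fragments.append((max_payload, True, offset // 8))
        offset += max_payload
    fragments.append((data_len - offset, False, offset // 8))
    return fragments


def wire_bytes(fragments, ip_hdr_len=20):
    """Total bytes on the link: every fragment repeats the IP header."""
    return sum(payload + ip_hdr_len for payload, _, _ in fragments)


def reassembled_length(fragments, ip_hdr_len=20):
    """Verify that offsets and MF flags describe one contiguous datagram and
    return its original length (header included); raise ValueError otherwise."""
    expected = 0
    for i, (payload, more, offset) in enumerate(fragments):
        if offset * 8 != expected:
            raise ValueError("gap or overlap before fragment %d" % i)
        is_last = i == len(fragments) - 1
        if more == is_last:
            raise ValueError("bad MF flag on fragment %d" % i)
        if more and payload % 8:
            raise ValueError("non-final fragment %d is not a multiple of 8" % i)
        expected += payload
    return expected + ip_hdr_len


def is_valid_fragment_set(fragments, ip_hdr_len=20):
    """True when reassembled_length accepts the fragment set."""
    try:
        reassembled_length(fragments, ip_hdr_len)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # The question's case: 5000 B PDU, 1500 B MTU, 20 B header.
    frags = fragment_datagram(5000, 1500)
    for n, (payload, more, offset) in enumerate(frags, 1):
        print("fragment %d: payload=%d MF=%d offset=%d" % (n, payload, more, offset))
    print("bytes on the wire:", wire_bytes(frags))
```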

QUESTION NO: 141


Refer to the exhibit.

Which option describes the behavior of this configuration?


A.
Traffic from the 30.30.0.0/16 network to the 10.10.0.0/32 network will be translated.
B.
Traffic from the 30.30.0.0/32 network to the 10.10.0.0/16 network will not be translated.
"Pass Any Exam. Any Time." - www.actualtests.com

126

Cisco 350-018 Exam


C.
Traffic from the 10.10.0.0/16 network to the 30.30.30.0/24 network will not be translated.
D.
Traffic from the 10.10.0.0/32 network to the 30.30.30.0/16 network will be translated.

Answer: C
Explanation:
Here, the two network objects have this configuration:
object network obj-10.10.0.0
 subnet 10.10.0.0 255.255.0.0
This means that we have defined an object for 10.10.0.0/16. The other one is:
object network obj-30.30.30.0
 subnet 30.30.30.0 255.255.255.0
This means that we have defined an object for 30.30.30.0/24.
Now if you look at the options, you will see that only option C gives an answer with the
combination of /16 and /24.

QUESTION NO: 142


Refer to the exhibit.

"Pass Any Exam. Any Time." - www.actualtests.com

127

Cisco 350-018 Exam

Which option describes the behavior of this configuration?


A.
Traffic from the n2 network object to the outside network will be translated using the g1 network
objects and outside interface.
B.
Traffic from the n3 network object to the inside network will be translated using the g1 network
objects and outside interface.
C.
Traffic from the n1 network object to the outside network will be translated using the g1 network
object and outside interface.
D.
Traffic from the n3 network object to the outside network will be translated using the g1 network
object and outside interface.

Answer: D
Explanation:

The command that needs attention here is:
object network n3
 nat (inside,outside) dynamic g1 interface
The highlighted command is a subcommand of the object network n3, i.e. this command applies
only to n3. When you configure anything within an object network, it is significant only for that
object. Here it says that when hosts in 192.168.2.0/24 go to the outside, they will be translated
to the IP address of the outside interface.

QUESTION NO: 143


Refer to the exhibit.

"Pass Any Exam. Any Time." - www.actualtests.com

128

Cisco 350-018 Exam

Which option describes the behavior of this configuration?


A.
Traffic from the n2 network object to the inside network will be translated using the n1 network
object.
B.
Traffic from the n1 network object to the outside network will be translated using the n2 network
object.
C.
Traffic from the n2 network object to the outside network will be translated using the n1 network
object.
D.
Traffic from the n2 network object to the outside network will be translated using the n2 network
object.

Answer: C
Explanation:
The command that needs attention here is:
object network n2
 nat (inside,outside) dynamic n1
The highlighted command is a subcommand of the object network n2, i.e. this command applies
only to n2. When you configure anything within an object network, it is significant only for that
object. Here it says that when hosts in 172.16.2.0/24 go to the outside, they will be translated
to the IP address specified in the network object n1.

"Pass Any Exam. Any Time." - www.actualtests.com

129

Cisco 350-018 Exam


QUESTION NO: 144
What are two advantages of using NLA with Windows Terminal Services? (Choose two.)
A.
uses SPNEGO and TLS to provide optional double encryption of user credentials
B.
forces the use of Kerberos to pass credentials from client to server
C.
protects against man-in-the-middle attacks
D.
requires clients to present an SSL certificate to verify their authenticity
E.
protects servers against DoS attacks by requiring lesser resources for authentication

Answer: A,C
Explanation:

The CredSSP Protocol then uses the Simple and Protected Generic Security Service Application
Program Interface Negotiation Mechanism (SPNEGO) Protocol Extensions to negotiate a Generic
Security Services (GSS) mechanism that performs mutual authentication and GSS confidentiality
services to securely bind to the TLS channel and encrypt the credentials for the target server.
It's not a necessity to require Network Level Authentication, but doing so makes your computer
more secure by protecting you from man-in-the-middle attacks. Systems even as old as Windows
XP can connect to hosts with Network Level Authentication, so there's no reason not to use it.

QUESTION NO: 145


Which record statement is part of the NetFlow monitor configuration that is used to collect MPLS
traffic with an IPv6 payload?
A.
record mpls IPv6-fields labels 3
B.
record mpls IPv4-fields labels 3
"Pass Any Exam. Any Time." - www.actualtests.com

130

Cisco 350-018 Exam


C.
record mpls labels 3
D.
record mpls ipv6-fields labels

Answer: A
Explanation:

It configures the flow record map name for IPv4, IPv6, or MPLS. Use the ipv4-ipv6-fields keyword to
collect IPv4 and IPv6 fields in an MPLS-aware NetFlow.

QUESTION NO: 146


Refer to the exhibit.

Which configuration is required to enable the exporter?


A.
Source Loopback0
B.
Cache timeout active 60
C.
Cache timeout inactive 60
D.
Next-hop address

Answer: A
"Pass Any Exam. Any Time." - www.actualtests.com

131

Cisco 350-018 Exam


Explanation:

The source interface is used to set the source IP address of the NetFlow exports sent by the
router. Scrutinizer may send SNMP requests to the router using this address. Use the command
below if you experience problems. You can set the source interface to an Ethernet or WAN
interface instead of the loopback.

QUESTION NO: 147


Hierarchical priority queuing is used on the interfaces on which you enable a traffic-shaping
queue. Which two statements about hierarchical priority queuing are true? (Choose two.)
A.
Priority packets are never dropped from the shape queue unless the sustained rate of priority
traffic exceeds the shape rate.
B.
For IPsec-encrypted packets, you can match traffic based only on the DSCP or precedence
setting.
C.
IPsec over TCP is not supported for priority traffic classification.
D.
For IPsec-encrypted packets, you cannot match traffic based on the DSCP or precedence setting.
E.
IPsec over TCP is supported for priority traffic classification.

Answer: B,C
Explanation:
Configuring the Hierarchical Priority Queuing Policy
You can optionally configure priority queuing for a subset of latency-sensitive traffic.
Guidelines

One side-effect of priority queuing is packet re-ordering. For IPsec packets, out-of-order packets
that are not within the anti-replay window generate warning syslog messages. These warnings are
false alarms in the case of priority queuing. You can configure the IPsec anti-replay window size to
"Pass Any Exam. Any Time." - www.actualtests.com

132

Cisco 350-018 Exam


avoid possible false alarms. See the crypto ipsec security-association replay command in the Cisco
ASA 5500 Series Command Reference.

For hierarchical priority queuing, you do not need to create a priority queue on an interface.
Restrictions

For hierarchical priority queuing, for encrypted VPN traffic, you can only match traffic based on the
DSCP or precedence setting; you cannot match a tunnel group.

For hierarchical priority queuing, IPsec-over-TCP traffic is not supported.


Reference: http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/conns_qos.html

QUESTION NO: 148


Which two MAC authentication methods are supported on WLCs? (Choose two.)
A.
local MAC authentication
B.
MAC authentication using a RADIUS server
C.
MAC authentication using tokens
D.
MAC authentication using a PIN

Answer: A,B
Explanation:

There are two types of MAC authentication that are supported on WLCs:
With local MAC authentication, user MAC addresses are stored in a database on the WLC. When
a user tries to access the WLAN that is configured for MAC filtering, the client MAC address is
"Pass Any Exam. Any Time." - www.actualtests.com
133

Cisco 350-018 Exam


validated against the local database on the WLC, and the client is granted access to the WLAN if
the authentication is successful.

QUESTION NO: 149


Client MFP supplements rather than replaces infrastructure MFP. Which three are client MFP
components? (Choose three.)
A.
key generation and distribution
B.
protection and validation of management frames
C.
error reports
D.
error generation
E.
non-management messages protection

Answer: A,B,C
Explanation:
Client MFP Components
Client MFP consists of these components:
Key Generation and Distribution
Client MFP does not use the key generation and distribution mechanisms that were derived for
Infrastructure MFP. Instead, client MFP leverages the security mechanisms defined by IEEE
802.11i to also protect class 3 unicast management frames. Stations must support CCXv5 and
must negotiate either TKIP or AES-CCMP to use client MFP. EAP or PSK can be used to obtain
the PMK.
Protection of Management Frames
Unicast class 3 management frames are protected with the application of either AES-CCMP or
TKIP in a similar manner to that already used for data frames. Parts of the frame header are
copied into the encrypted payload component of each frame for added protection, as discussed in
the next sections.
"Pass Any Exam. Any Time." - www.actualtests.com

134

Cisco 350-018 Exam


These frame types are protected:
AES-CCMP- and TKIP-protected data frames include a sequence counter in the IV fields, which is
used to prevent replay detection. The current transmit counter is used for both data and
management frames, but a new receive counter is used for management frames. The receive
counters are tested to ensure that each frame has a higher number than the last received frame
(to ensure that the frames are unique and have not been replayed), so it does not matter that this
scheme causes the received values to be non-sequential.
Reference: http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlansecurity/82196-mfp.html#gendis

QUESTION NO: 150


Which two items are required for LDAP authenticated bind operations? (Choose two.)
A.
Root DN
B.
Password
C.
Username
D.
SSO
E.
UID

Answer: A,B
Explanation:

An authenticated bind is performed when a root distinguished name (DN) and password are
available. In the absence of a root DN and password, an anonymous bind is performed. In LDAP
deployments, the search operation is performed first and the bind operation later. This is because,
if a password attribute is returned as part of the search operation, the password verification can be
done locally on an LDAP client. Thus, there is no need to perform an extra bind operation. If a
password attribute is not returned, the bind operation can be performed later. Another advantage
of performing a search operation first and a bind operation later is that the DN received in the
"Pass Any Exam. Any Time." - www.actualtests.com

135

Cisco 350-018 Exam


search result can be used as the user DN instead of forming a DN by prefixing the username (cn
attribute) with the base DN. All entries stored in an LDAP server have a unique DN. The DN
consists of two parts: the Relative Distinguished Name (RDN) and the location within the LDAP
server where the record resides.

QUESTION NO: 151


Which of the following two options can you configure to avoid iBGP full mesh? (Choose two.)
A.
Route reflectors
B.
Confederations
C.
BGP NHT
D.
Local preference
E.
Virtual peering

Answer: A,B
Explanation:

The trick of a BGP Confederation is to divide an AS into multiple ASs and assign the whole group
to a single confederation. Each AS alone has iBGP fully meshed. To the outside world, the
confederation appears to be a single AS.
A route reflector (RR) is a network routing component. It offers an alternative to the logical full-mesh
requirement of internal Border Gateway Protocol (iBGP). An RR acts as a focal point for iBGP
sessions. The purpose of the RR is concentration.

QUESTION NO: 152


Which three authentication types does OSPF support? (Choose three.)
"Pass Any Exam. Any Time." - www.actualtests.com

136

Cisco 350-018 Exam


A.
Null
B.
Plaintext
C.
MD5
D.
PAP
E.
PEAP
F.
MS-CHAP

Answer: A,B,C
Explanation:

Open Shortest Path First (OSPF) authentication allows the flexibility to authenticate OSPF
neighbors. You can enable authentication in OSPF in order to exchange routing update
information in a secure manner. OSPF authentication can be none (or null), simple, or MD5.
The authentication method "none" means that no authentication is used for OSPF, and it is the
default method. With simple authentication, the password goes in clear text over the network. With
MD5 authentication, the password does not pass over the network. MD5 is a message-digest
algorithm specified in RFC 1321. MD5 is considered the most secure OSPF authentication mode.
When you configure authentication, you must configure an entire area with the same type of
authentication. Starting with Cisco IOS Software Release 12.0(8), authentication is supported on
a per-interface basis.
Reference: http://www.cisco.com/c/en/us/support/docs/ip/open-shortest-path-firstospf/13697-25.html

QUESTION NO: 153


Which three steps are required to rekey the routers on a link without dropping OSPFv3 protocol
packets or disturbing the adjacency? (Choose three.)
A.
"Pass Any Exam. Any Time." - www.actualtests.com

137

Cisco 350-018 Exam


For every router on the link, create an additional inbound SA for the interface that is being rekeyed
using a new SPI and the new key.
B.
For every router on the link, replace the original outbound SA with one that uses the new SPI and
key values.
C.
For every router on the link, remove the original inbound SA.
D.
For every router on the link, create an additional outbound SA for the interface that is being
rekeyed using a new SPI and the new key.
E.
For every router on the link, replace the original inbound SA with one that uses the new SPI and
key values.
F.
For every router on the link, remove the original outbound SA.

Answer: A,B,C
Explanation:
Rekeying Procedure
The following three-step procedure SHOULD be provided to rekey the routers on a link without
dropping OSPFv3 protocol packets or disrupting the adjacency.
(1) For every router on the link, create an additional inbound SA for the interface being rekeyed
using a new SPI and the new key.
(2) For every router on the link, replace the original outbound SA with one using the new SPI and
key values. The SA replacement operation should be atomic with respect to sending OSPFv3
packets on the link so that no OSPFv3 packets are sent without authentication/encryption.
(3) For every router on the link, remove the original inbound SA.
Note that all routers on the link must complete step 1 before any begin step 2. Likewise, all the
routers on the link must complete step 2 before any begin step 3.
One way to control the progression from one step to the next is for each router to have a
configurable time constant KeyRolloverInterval. After the router begins step 1 on a given link, it
waits for this interval and then moves to step 2. Likewise, after moving to step 2, it waits for this
interval and then moves to step 3.
"Pass Any Exam. Any Time." - www.actualtests.com

138

Cisco 350-018 Exam


In order to achieve smooth key transition, all routers on a link should use the same value for
KeyRolloverInterval and should initiate the key rollover process within this time period.
At the end of this procedure, all the routers on the link will have a single inbound and outbound SA
for OSPFv3 with the new SPI and key values.
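The reason the three steps must be barrier-synchronised across the link is easiest to see by modelling each router's SA tables and checking, after every action, that every router's outbound SPI is still accepted by every neighbour. The simulation below is an added example, not part of the exam dump or of RFC 4552; router names and SPI values are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class Router:
    """One OSPFv3 router on the link: the SPIs it accepts inbound and the
    single SPI it currently uses for its outbound OSPFv3 packets."""
    name: str
    inbound: set = field(default_factory=set)
    outbound: int = 0


def make_link(n, spi):
    """n routers that all share one SA (SPI spi) in both directions."""
    return [Router("R%d" % i, {spi}, spi) for i in range(n)]


def link_is_consistent(routers):
    """True when every router's outbound SPI is accepted by every other
    router's inbound table, i.e. no OSPFv3 packet on the link is dropped."""
    return all(r.outbound in peer.inbound
               for r in routers for peer in routers if peer is not r)


def apply_step(router, step, old_spi, new_spi):
    """Steps 1-3 of the rekeying procedure as applied to one router."""
    if step == 1:
        router.inbound.add(new_spi)        # accept the new SA in addition
    elif step == 2:
        router.outbound = new_spi          # send with the new SA from now on
    elif step == 3:
        router.inbound.discard(old_spi)    # stop accepting the old SA
    else:
        raise ValueError("unknown step %r" % step)


def run_schedule(routers, schedule, old_spi, new_spi):
    """Apply (router_index, step) actions in order and return the consistency
    check after each one, so a window of dropped packets shows up as False."""
    trace = []
    for idx, step in schedule:
        apply_step(routers[idx], step, old_spi, new_spi)
        trace.append(link_is_consistent(routers))
    return trace


def barrier_schedule(n):
    """Correct order: every router finishes a step before any starts the next."""
    return [(i, step) for step in (1, 2, 3) for i in range(n)]


def per_router_schedule(n):
    """Wrong order: each router runs all three steps before the next begins."""
    return [(i, step) for i in range(n) for step in (1, 2, 3)]


def rollover_ok(n, old_spi, new_spi, schedule_fn):
    """Run a rollover on an n-router link; True only if the adjacency never
    sees an unauthenticable packet and the old SA is fully retired at the end."""
    routers = make_link(n, old_spi)
    trace = run_schedule(routers, schedule_fn(n), old_spi, new_spi)
    final_ok = all(r.inbound == {new_spi} and r.outbound == new_spi for r in routers)
    return all(trace) and final_ok


if __name__ == "__main__":
    print("barrier order keeps the adjacency:", rollover_ok(3, 0x100, 0x101, barrier_schedule))
    print("per-router order keeps the adjacency:", rollover_ok(3, 0x100, 0x101, per_router_schedule))
```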

QUESTION NO: 154


Which BGP configuration forces the session to tear down when the learned routes from the
neighbor exceed 10?
A.
neighbor 10.0.0.1 maximum-prefix 10 80 warning-only
B.
neighbor 10.0.0.1 maximum-prefix 10 80
C.
neighbor 10.0.0.1 maximum-prefix 80 10 warning-only
D.
neighbor 10.0.0.1 maximum-prefix 80 10

Answer: B
Explanation:

This forces the neighbor session to tear down when the BGP routes learned from the neighbor
exceed 10.

Topic 2, Security Protocols

QUESTION NO: 155


Which three RADIUS protocol statements are true? (Choose three.)

"Pass Any Exam. Any Time." - www.actualtests.com

139

Cisco 350-018 Exam


A.
RADIUS protocol runs over TCP 1645 and 1646.
B.
Network Access Server operates as a server for RADIUS.
C.
RADIUS packet types for authentication include Access-Request, Access-Challenge, Access-Accept, and Access-Reject.
D.
RADIUS protocol runs over UDP 1812 and 1813.
E.
RADIUS packet types for authentication include Access-Request, Access-Challenge, Access-Permit, and Access-Denied.
F.
RADIUS supports PPP, PAP, and CHAP as authentication methods.

Answer: C,D,F
Explanation:

The client/server packet exchange consists primarily of the following types of RADIUS messages:

Access-Request: sent by the client (NAS) requesting access
Access-Reject: sent by the RADIUS server rejecting access
Access-Accept: sent by the RADIUS server allowing access
Access-Challenge: sent by the RADIUS server requesting more information in order to allow
access. The NAS, after communicating with the user, responds with another Access-Request.

By default, NPS sends and receives RADIUS traffic by using User Datagram Protocol (UDP) ports
1812, 1813, 1645, and 1646.
With PPP, each system may require its peer to authenticate itself using one of two authentication
protocols. These are the Password Authentication Protocol (PAP), and the Challenge Handshake
Authentication Protocol (CHAP). When a connection is established, each end can request the
other to authenticate itself, regardless of whether it is the caller.

"Pass Any Exam. Any Time." - www.actualtests.com

140

Cisco 350-018 Exam

QUESTION NO: 156


Which three statements are true about TLS? (Choose three.)
A.
TLS protocol uses a MAC to protect the message integrity.
B.
TLS data encryption is provided by the use of asymmetric cryptography.
C.
The identity of a TLS peer can be authenticated using public key or asymmetric cryptography.
D.
TLS protocol is originally based on the SSL 3.0 protocol specification.
E.
TLS provides support for confidentiality, authentication, and nonrepudiation.

Answer: A,C,D
Explanation:

A message authentication code (MAC) is used for data integrity. HMAC is used for the CBC mode of
block ciphers and for stream ciphers. AEAD is used for authenticated encryption such as GCM mode
and CCM mode. TLS/SSL uses public key encryption to authenticate the server to the client and,
optionally, the client to the server. Public key cryptography is also used to establish a session key.
The session key is used in symmetric algorithms to encrypt the bulk of the data with the faster,
less processor-intensive symmetric key encryption. SSL 3.0 improved upon SSL 2.0 by adding
SHA-1-based ciphers and support for certificate authentication.
From a security standpoint, SSL 3.0 should be considered less desirable than TLS 1.0. The SSL
3.0 cipher suites have a weaker key derivation process: half of the master key that is established
is fully dependent on the MD5 hash function, which is not resistant to collisions and is, therefore,
not considered secure. Under TLS 1.0, the master key that is established depends on both MD5
and SHA-1, so its derivation process is not currently considered weak. It is for this reason that SSL
3.0 implementations cannot be validated under FIPS 140-2.

QUESTION NO: 157


Which three features are supported with ESP? (Choose three.)
"Pass Any Exam. Any Time." - www.actualtests.com

141

Cisco 350-018 Exam


A.
ESP uses IP protocol 50.
B.
ESP supports Layer 4 and above encryption only.
C.
ESP provides confidentiality, data origin authentication, connectionless integrity, and antireplay
service.
D.
ESP supports tunnel or transport modes.
E.
ESP has less overhead and is faster than the AH protocol.
F.
ESP provides confidentiality, data origin authentication, connection-oriented integrity, and
antireplay service.

Answer: A,C,D
Explanation:

Encapsulating Security Payload (ESP) is a member of the IPsec protocol suite. In IPsec it provides
origin authenticity, integrity and confidentiality protection of packets. ESP also supports
encryption-only and authentication-only configurations, but using encryption without authentication
is strongly discouraged because it is insecure. Unlike Authentication Header (AH), ESP in
transport mode does not provide integrity and authentication for the entire IP packet. However, in
Tunnel Mode, where the entire original IP packet is encapsulated with a new packet header
added, ESP protection is afforded to the whole inner IP packet (including the inner header) while
the outer header (including any outer IPv4 options or IPv6 extension headers) remains
unprotected. ESP operates directly on top of IP, using IP protocol number 50.

QUESTION NO: 158


Which three options correctly describe the AH protocol? (Choose three.)
A.
The AH protocol encrypts the entire IP and upper layer protocols for security.
B.
The AH protocol provides connectionless integrity and data origin authentication.
"Pass Any Exam. Any Time." - www.actualtests.com

142

Cisco 350-018 Exam


C.
The AH protocol provides protection against replay attacks.
D.
The AH protocol supports tunnel mode only.
E.
The AH protocol uses IP protocol 51.
F.
The AH protocol supports IPv4 only.

Answer: B,C,E
Explanation:

Authentication Header (AH) is a member of the IPsec protocol suite. AH guarantees
connectionless integrity and data origin authentication of IP packets. Further, it can optionally
protect against replay attacks by using the sliding window technique and discarding old packets.
AH operates directly on top of IP, using IP protocol number 51.

QUESTION NO: 159


Which two identifiers are used by a Cisco Easy VPN Server to reference the correct group policy
information for connecting a Cisco Easy VPN Client? (Choose two.)
A.
IKE ID_KEY_ID
B.
OU field in a certificate that is presented by a client
C.
XAUTH username
D.
hash of the OTP that is sent during XAUTH challenge/response
E.
IKE ID_IPV4_ADDR

Answer: A,B
"Pass Any Exam. Any Time." - www.actualtests.com

143

Cisco 350-018 Exam


Explanation:

The ISAKMP parameters are applied at the ISAKMP profile level. The ISAKMP profile can
uniquely identify devices through its concept of match identity criteria. These criteria are based on
the IKE identity that is presented by incoming IKE connections and include IP address, FQDN,
and group (the VPN remote client grouping).
group group-name: matches the group-name with the ID type ID_KEY_ID. It also matches the
group-name with the Organizational Unit (OU) field of the Distinguished Name (DN). Example:
match identity group vpngroup.

QUESTION NO: 160


Which two security measures are provided when you configure 802.1X on switchports that
connect to corporate-controlled wireless access points? (Choose two.)
A.
It prevents rogue APs from being wired into the network.
B.
It provides encryption capability of data traffic between APs and controllers.
C.
It prevents rogue clients from accessing the wired network.
D.
It ensures that 802.1x requirements for wired PCs can no longer be bypassed by disconnecting
the AP and connecting a PC in its place.

Answer: A,D
Explanation:
802.1X provides rogue access point detection by retrieving information from the controller. The
rogue access point table is populated with any detected BSSID addresses from any frames that
are not present in the neighbor list. A neighbor list contains the known BSSID addresses of
validated APs or neighbors.
To determine whether rogue AP clients are also clients on the enterprise WLAN, the client MAC
address can be compared with MAC addresses collected by the AAA during 802.1X
authentication. This allows for the identification of potential WLAN clients that might have been
compromised or users who are not following security policies.
"Pass Any Exam. Any Time." - www.actualtests.com

144

Cisco 350-018 Exam

QUESTION NO: 161


Which configuration implements an ingress traffic filter on a dual-stack ISR border router to
prevent attacks from the outside to services such as DNSv6 and DHCPv6?
A.
!
ipv6 access-list test
deny ipv6 FF05::/16 any
deny ipv6 any FF05::/16
! output omitted
permit ipv6 any any
!
B.
!
ipv6 access-list test
permit ipv6 any FF05::/16
! output omitted
deny ipv6 any any
!
C.
!
ipv6 access-list test
deny ipv6 any any eq dns
deny ipv6 any any eq dhcp
! output omitted
permit ipv6 any any
!
D.
!
ipv6 access-list test
deny ipv6 any 2000::/3
! output omitted
permit ipv6 any any
!
E.
!
ipv6 access-list test
deny ipv6 any FE80::/10
! output omitted
permit ipv6 any any
!

Answer: A
Explanation:

QUESTION NO: 162


Which protocol does 802.1X use between the supplicant and the authenticator to authenticate
users who wish to access the network?
A.
SNMP
B.
TACACS+
C.
RADIUS
D.
EAP over LAN
"Pass Any Exam. Any Time." - www.actualtests.com

145

Cisco 350-018 Exam


E.
PPPoE

Answer: D
Explanation:

Extensible Authentication Protocol (EAP) over LAN (EAPoL) is a network port authentication
protocol used in IEEE 802.1X (Port Based Network Access Control) developed to give a generic
network sign-on to access network resources. EAPoL, similar to EAP, is a simple encapsulation
that can run over any LAN. The same three main components are defined in EAP and EAPoL to
accomplish the authentication conversation:
References: http://www.vocal.com/secure-communication/eapol-extensible-authenticationprotocol-over-lan/

QUESTION NO: 163


Which two statements are correct regarding the AES encryption algorithm? (Choose two.)
A.
It is a FIPS-approved symmetric block cipher.
B.
It supports a block size of 128, 192, or 256 bits.
C.
It supports a variable length block size from 16 to 448 bits.
D.
It supports a cipher key size of 128, 192, or 256 bits.
E.
The AES encryption algorithm is based on the presumed difficulty of factoring large integers.

Answer: A,D
Explanation:

AES has been adopted by the U.S. government and is now used worldwide. It supersedes the
Data Encryption Standard (DES), which was published in 1977. The algorithm described by AES
"Pass Any Exam. Any Time." - www.actualtests.com
146

Cisco 350-018 Exam


is a symmetric-key algorithm, meaning the same key is used for both encrypting and decrypting
the data. AES was announced by NIST as U.S. FIPS PUB 197 (FIPS 197) on November 26,
2001. This announcement followed a five-year standardization process in which fifteen competing
designs were presented and evaluated, before the Rijndael cipher was selected as the most
suitable.
The Advanced Encryption Standard published in 2001 uses a key size of (at minimum) 128 bits. It
also can use keys up to 256 bits (a specification requirement for submissions to the AES contest).
Many observers currently think 128 bits is sufficient for the foreseeable future for symmetric
algorithms of AES's quality. The U.S. Government requires 192- or 256-bit AES keys for highly
sensitive data.
References: http://en.wikipedia.org/wiki/Key_size

QUESTION NO: 164


What are two benefits of using IKEv2 instead of IKEv1 when deploying remote-access IPsec
VPNs? (Choose two.)
A.
IKEv2 supports EAP authentication methods as part of the protocol.
B.
IKEv2 inherently supports NAT traversal.
C.
IKEv2 messages use random message IDs.
D.
The IKEv2 SA plus the IPsec SA can be established in six messages instead of nine messages.
E.
All IKEv2 messages are encryption-protected.

Answer: A,B
Explanation:

Mutual EAP authentication: support for EAP-only (i.e., certificate-less) authentication of both of the
IKE peers; the goal is to allow for modern password-based authentication methods to be used
(RFC 5998). NAT traversal: The encapsulation of IKE and ESP in UDP port 4500 enables these
protocols to pass through a device or firewall performing NAT.
"Pass Any Exam. Any Time." - www.actualtests.com

147

Cisco 350-018 Exam


References: http://en.wikipedia.org/wiki/Internet_Key_Exchange

QUESTION NO: 165


DNSSEC was designed to overcome which security limitation of DNS?
A.
DNS man-in-the-middle attacks
B.
DNS flood attacks
C.
DNS fragmentation attacks
D.
DNS hash attacks
E.
DNS replay attacks
F.
DNS violation attacks

Answer: A
Explanation:
Securing the domain name system is integral to the security of the Internet infrastructure as a whole.
When properly maintained, DNSSEC-signed zones provide extra security by preventing man-in-the-middle
attacks. Any customer with a DNSSEC-aware resolver will not be at risk from DNS
spoofing. Customers that are not DNSSEC aware will not see any adverse effect. While they won't
get the protection, they'll continue to access your domain name just as they always have. The
more domain names that are using DNSSEC, the more websites and email addresses will be
protected on the Internet.
References: https://www.menandmice.com/resources/articles/dnssec/

"Pass Any Exam. Any Time." - www.actualtests.com

148

Cisco 350-018 Exam


QUESTION NO: 166
Which SSL protocol takes an application message to be transmitted, fragments the data into
manageable blocks, optionally compresses the data, applies a MAC, encrypts, adds a header, and
transmits the resulting unit in a TCP segment?
A.
SSL Handshake Protocol
B.
SSL Alert Protocol
C.
SSL Record Protocol
D.
SSL Change CipherSpec Protocol

Answer: C
Explanation:

The SSL Record Protocol provides two services for SSL connections: confidentiality, by encrypting
application data; and message integrity, by using a message authentication code (MAC). The
Record Protocol is a base protocol that can be utilized by some of the upper-layer protocols of
SSL. One of these is the handshake protocol which, as described later, is used to exchange the
encryption and authentication keys. It is vital that this key exchange be invisible to anyone who
may be watching this session.
Figure 1 indicates the overall operation of the SSL Record Protocol. The Record Protocol takes an
application message to be transmitted, fragments the data into manageable blocks, optionally
compresses the data, applies a MAC, encrypts, adds a header, and transmits the resulting unit in
a TCP segment. Received data is decrypted, verified, decompressed, and reassembled and then
delivered to the calling application, such as the browser.
Figure 1: SSL Record Protocol Operation

"Pass Any Exam. Any Time." - www.actualtests.com

149

Cisco 350-018 Exam

The first step is fragmentation. Each upper-layer message is fragmented into blocks of 2^14 bytes
(16,384 bytes) or less. Next, compression is optionally applied. In SSLv3 (as well as the current
version of TLS), no compression algorithm is specified, so the default compression algorithm is
null. However, specific implementations may include a compression algorithm.
The next step in processing is to compute a message authentication code over the compressed
data. For this purpose, a shared secret key is used. In essence, the hash code (for example, MD5)
is calculated over a combination of the message, a secret key, and some padding. The receiver
performs the same calculation and compares the incoming MAC value with the value it computes.
If the two values match, the receiver is assured that the message has not been altered in transit.
An attacker would not be able to alter both the message and the MAC, because the attacker does
not know the secret key needed to generate the MAC.
Next, the compressed message plus the MAC are encrypted using symmetric encryption. A variety
of encryption algorithms may be used, including the Data Encryption Standard (DES) and triple
DES. The final step of SSL Record Protocol processing is to prepend a header, consisting of the
following fields:

Content Type (8 bits): The higher-layer protocol used to process the enclosed fragment.

Major Version (8 bits): Indicates major version of SSL in use. For SSLv3, the value is 3.

"Pass Any Exam. Any Time." - www.actualtests.com

150

Cisco 350-018 Exam


Minor Version (8 bits): Indicates minor version in use. For SSLv3, the value is 0.

Compressed Length (16 bits): The length in bytes of the plain-text fragment (or compressed
fragment if compression is used).
The content types that have been defined are change_cipher_spec, alert, handshake, and
application_data. The first three are the SSL-specific protocols, mentioned previously. The
application-data type refers to the payload from any application that would normally use TCP but is
now using SSL, which in turn uses TCP. In particular, the HTTP protocol that is used for Web
transactions falls into the application-data category. A message from HTTP is passed down to
SSL, which then wraps this message into an SSL record.
References: http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_1-1/ssl.html
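As an added example (not part of the original exam material), a minimal Python model of the SSLv3 record layer described above: fragmentation to 2^14 bytes, null compression, the SSLv3 MAC built from the secret, the pad_1/pad_2 padding and the record sequence number, encryption, the 5-byte header, and the receiver's MAC check that rejects a tampered record. The record cipher is a constructed hash-based keystream standing in for DES/3DES, and the keys are constructed sample values.

```python
import hashlib
import hmac
import struct

MAX_FRAGMENT = 2 ** 14                 # 16,384-byte fragment limit per record
MAX_CIPHERTEXT = MAX_FRAGMENT + 2048   # SSLv3 upper bound on the record length field
CT_CHANGE_CIPHER_SPEC, CT_ALERT, CT_HANDSHAKE, CT_APPLICATION_DATA = 20, 21, 22, 23
MAJOR, MINOR = 3, 0                    # version bytes carried in every SSLv3 record
HEADER = struct.Struct("!BBBH")        # content type, major, minor, length

class RecordError(Exception):
    """A received record is malformed or fails MAC verification."""

def ssl3_mac(secret: bytes, seq: int, ctype: int, data: bytes, hashname: str = "md5") -> bytes:
    """SSLv3 record MAC: hash(secret + pad2 + hash(secret + pad1 + seq + type + length + data))."""
    padlen = 48 if hashname == "md5" else 40           # pad lengths from the SSLv3 specification
    pad1, pad2 = b"\x36" * padlen, b"\x5c" * padlen
    hdr = struct.pack("!QBH", seq, ctype, len(data))    # 64-bit sequence number, type, length
    inner = hashlib.new(hashname, secret + pad1 + hdr + data).digest()
    return hashlib.new(hashname, secret + pad2 + inner).digest()

def keystream(key: bytes, seq: int, n: int) -> bytes:
    """CONSTRUCTED stand-in for the negotiated record cipher (DES, 3DES, RC4 in real SSL)."""
    # A SHA-256 counter keystream bound to the record sequence number is enough to show the
    # "encrypt fragment plus MAC" step; it is not an SSL cipher suite.
    out, ctr = bytearray(), 0
    while len(out) < n:
        out += hashlib.sha256(key + struct.pack("!QI", seq, ctr)).digest()
        ctr += 1
    return bytes(out[:n])

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class RecordLayer:
    """One direction of an SSLv3 record connection: sender state or receiver state."""

    def __init__(self, mac_secret: bytes, enc_key: bytes, hashname: str = "md5"):
        self.mac_secret, self.enc_key, self.hashname = mac_secret, enc_key, hashname
        self.mac_len = hashlib.new(hashname).digest_size
        self.seq = 0                               # per-direction record sequence number

    def wrap(self, ctype: int, message: bytes) -> list:
        """Sender: fragment, (null) compress, MAC, encrypt, prepend header; returns records."""
        records = []
        fragments = [message[i:i + MAX_FRAGMENT] for i in range(0, len(message), MAX_FRAGMENT)]
        for fragment in fragments or [b""]:
            compressed = fragment                  # null compression algorithm
            mac = ssl3_mac(self.mac_secret, self.seq, ctype, compressed, self.hashname)
            body = compressed + mac
            ciphertext = _xor(body, keystream(self.enc_key, self.seq, len(body)))
            records.append(HEADER.pack(ctype, MAJOR, MINOR, len(ciphertext)) + ciphertext)
            self.seq += 1
        return records

    def unwrap(self, stream: bytes) -> list:
        """Receiver: parse headers, decrypt, verify MAC; returns [(ctype, fragment), ...]."""
        out, pos = [], 0
        while pos < len(stream):
            if len(stream) - pos < HEADER.size:
                raise RecordError("truncated record header")
            ctype, major, minor, length = HEADER.unpack_from(stream, pos)
            pos += HEADER.size
            if (major, minor) != (MAJOR, MINOR):
                raise RecordError("unexpected version %d.%d" % (major, minor))
            if length < self.mac_len or length > MAX_CIPHERTEXT:
                raise RecordError("record length %d out of range" % length)
            if len(stream) - pos < length:
                raise RecordError("truncated record body")
            ciphertext, pos = stream[pos:pos + length], pos + length
            body = _xor(ciphertext, keystream(self.enc_key, self.seq, length))
            fragment, mac = body[:-self.mac_len], body[-self.mac_len:]
            expected = ssl3_mac(self.mac_secret, self.seq, ctype, fragment, self.hashname)
            if not hmac.compare_digest(mac, expected):   # constant-time comparison
                raise RecordError("MAC verification failed on record %d" % self.seq)
            self.seq += 1
            out.append((ctype, fragment))
        return out

def demo() -> dict:
    """Round-trip a 40,000-byte message (three records) and show that tampering is caught."""
    keys = (b"constructed-mac-secret", b"constructed-enc-key")   # constructed sample keys
    message = b"A" * 40000
    records = RecordLayer(*keys).wrap(CT_APPLICATION_DATA, message)
    received = RecordLayer(*keys).unwrap(b"".join(records))
    tampered = bytearray(records[0])
    tampered[100] ^= 0x01                                  # flip one ciphertext bit
    try:
        RecordLayer(*keys).unwrap(bytes(tampered))
        detected = False
    except RecordError:
        detected = True
    return {"records": len(records),
            "roundtrip": b"".join(f for _, f in received) == message,
            "first_length": HEADER.unpack(records[0][:HEADER.size])[3],
            "tamper_detected": detected}
```

The 40,000-byte message splits into two full 16,384-byte records and one 7,232-byte record, each carrying a 16-byte MD5 MAC, and a single flipped ciphertext bit is rejected by the receiver before any data reaches the application.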

QUESTION NO: 167


IPsec SAs can be applied as a security mechanism for which three options? (Choose three.)
A.
Send
B.
Mobile IPv6
C.
site-to-site virtual interfaces
D.
OSPFv3
E.
CAPWAP
F.
LWAPP

Answer: B,C,D
Explanation:
"Pass Any Exam. Any Time." - www.actualtests.com

151

Cisco 350-018 Exam


Mobile IPv6 usually uses IPsec/IKEv2 to secure Mobile Node (MN) and Home Agent (HA)
communication. The implementation of IPsec/IKEv2 with MIPv6 is complex because it requires a
tight coupling between the MIPv6 protocol part and the IPsec/IKEv2 part of the IP stack. The referenced paper
proposes a security mechanism which uses Transport Layer Security (TLS) for establishing keying
material and other bootstrapping parameters required to protect Mobile IPv6 signaling and data
traffic between Mobile Node and Home Agent. This mechanism also supports Dual-Stack Mobile
IPv6, which IPsec/IKEv2 finds difficult to implement. The advantage of TLS-based establishment of Mobile IPv6
security associations compared to IKEv2 is the ease of implementation while providing an
equivalent level of security.
You can use IPsec authentication for both OSPFv2 and OSPFv3. You configure the actual IPsec
authentication separately and apply it to the applicable OSPF configuration.
References:
http://www.academia.edu/4694526/Transport_Layer_Security_TLS_Implementation_for_Secured_MN-_HA_Communication_in_Mobile_IPv6
and https://www.juniper.net/documentation/en_US/junos12.1x45/topics/example/ospf-ipsecauthentication-configuring.html

QUESTION NO: 168


Which four options are valid EAP mechanisms to be used with WPA2? (Choose four.)
A.
PEAP
B.
EAP-TLS
C.
EAP-FAST
D.
EAP-TTLS
E.
EAPOL
F.
EAP-RADIUS
G.
EAP-MD5
"Pass Any Exam. Any Time." - www.actualtests.com

152

Cisco 350-018 Exam


Answer: A,B,C,D
Explanation:

The Protected Extensible Authentication Protocol, also known as Protected EAP or simply PEAP,
is a protocol that encapsulates EAP within a potentially encrypted and authenticated Transport
Layer Security (TLS) tunnel. The purpose was to correct deficiencies in EAP; EAP assumed a
protected communication channel, such as that provided by physical security, so facilities for
protection of the EAP conversation were not provided.
EAP-FAST (Flexible Authentication via Secure Tunneling) is a protocol proposal by Cisco Systems
as a replacement for LEAP. The protocol was designed to address the weaknesses of LEAP while
preserving the "lightweight" implementation. Use of server certificates is optional in EAP-FAST.
EAP-FAST uses a Protected Access Credential (PAC) to establish a TLS tunnel in which client
credentials are verified.
EAP-Tunneled Transport Layer Security (EAP-TTLS) is an EAP protocol that extends TLS. It was
co-developed by Funk Software and Certicom and is widely supported across platforms. Microsoft
did not incorporate native support for the EAP-TTLS protocol in Windows XP, Vista, or 7.
Supporting TTLS on these platforms requires third-party ECP (Encryption Control Protocol)
certified software.
References: http://en.wikipedia.org/wiki/Extensible_Authentication_Protocol

QUESTION NO: 169


Which three statements are true about the SSH protocol? (Choose three.)
A.
SSH protocol runs over TCP port 23.
B.
SSH protocol provides for secure remote login and other secure network services over an
insecure network.
C.
Telnet is more secure than SSH for remote terminal access.
D.
SSH protocol runs over UDP port 22.
E.
SSH transport protocol provides for authentication, key exchange, confidentiality, and integrity.
"Pass Any Exam. Any Time." - www.actualtests.com
153

Cisco 350-018 Exam


F.
SSH authentication protocol supports public key, password, host based, or none as authentication
methods.

Answer: B,E,F
Explanation:

The Secure Shell Protocol (SSH) is a protocol for secure remote login and other secure network
services over an insecure network. This document describes the SSH authentication protocol
framework and public key, password, and host-based client authentication methods. The SSH
authentication protocol runs on top of the SSH transport layer protocol and provides a single
authenticated tunnel for the SSH connection protocol.
References: https://www.ietf.org/rfc/rfc4252.txt

QUESTION NO: 170


Which two statements are true when comparing ESMTP and SMTP? (Choose two.)
A.
Only SMTP inspection is provided on the Cisco ASA firewall.
B.
A mail sender identifies itself as only able to support SMTP by issuing an EHLO command to the
mail server.
C.
ESMTP mail servers will respond to an EHLO with a list of the additional extensions they support.
D.
SMTP commands must be in upper case, whereas ESMTP can be either lower or upper case.
E.
ESMTP servers can identify the maximum email size they can receive by using the SIZE
command.

Answer: C,E
Explanation:

"Pass Any Exam. Any Time." - www.actualtests.com

154

Cisco 350-018 Exam


EHLO is just like HELO except that the server's response text provides computer-readable
information about the server's abilities. Here is what happens if the server accepts EHLO (required
code 250). On the first response line, the text begins with the server's name. On each response
line past the first, the text is an extension, followed optionally by a space and an argument,
followed optionally by a space and another argument, etc. The extension is a nonempty string of
letters, digits, and hyphens. Each argument is a nonempty string of graphical ASCII characters. If
the server supports EHLO, the client can use EHLO instead of HELO as its first request. (Note that
sendmail's decision of whether to use HELO or EHLO depends on the server's greeting.) On the
other hand, if the server does not support EHLO, and the client sends EHLO, the server will reject
EHLO. The client then has to fall back to HELO. There are a few servers that disconnect when
they see EHLO. If the client finds that neither EHLO nor HELO was accepted, for example
because the connection was closed, then it has to make a new connection and start with HELO.
The SIZE extension has two purposes:
References: http://cr.yp.to/smtp/size.html and http://cr.yp.to/smtp/ehlo.html

QUESTION NO: 171


How does a DHCP client request its previously used IP address in a DHCP DISCOVER packet?
A.
It is included in the CIADDR field.
B.
It is included as DHCP Option 50 in the OPTIONS field.
C.
It is included in the YIADDR field.
D.
It is the source IP address of the UDP/53 wrapper packet.
E.
The client cannot request its last IP address; it is assigned automatically by the server.

Answer: B
Explanation:

Subscriber management or DHCP management enables you to specify that DHCP local server
assign a particular address to a client. For example, if a client is disconnected, you might use this
"Pass Any Exam. Any Time." - www.actualtests.com

155

Cisco 350-018 Exam


capability to assign the same address that the client was using prior to being disconnected. If the
requested address is available, DHCP assigns it to the client. If the address is unavailable, the
DHCP local server offers another address, based on the address allocation process.
Both DHCP local server and DHCPv6 local server support the specific address request feature.
DHCP local server uses DHCP option 50 in DHCP DISCOVER messages to request a particular
address, while DHCPv6 local server uses the IA_NA option (Identity Association for Non-Temporary
Addresses) in DHCPv6 SOLICIT messages.
References: http://www.juniper.net/techpubs/en_US/junos14.2/topics/concept/dhcp-extendeddhcp-local-server-option-50.html

QUESTION NO: 172


Which two statements about an authoritative server in a DNS system are true? (Choose two.)
A.
It indicates that it is authoritative for a name by setting the AA bit in responses.
B.
It has a direct connection to one of the root name servers.
C.
It has a ratio of exactly one authoritative name server per domain.
D.
It cannot cache or respond to queries from domains outside its authority.
E.
It has a ratio of at least one authoritative name server per domain.

Answer: A,E
Explanation:
An authoritative server indicates its status of supplying definitive answers, deemed authoritative, by
setting a software flag (a protocol structure bit), called the Authoritative Answer (AA) bit, in its
responses. This flag is usually reproduced prominently in the output of DNS administration query
tools (such as dig) to indicate that the responding name server is an authority for the domain name
in question.

"Pass Any Exam. Any Time." - www.actualtests.com

156

Cisco 350-018 Exam

QUESTION NO: 173


Which three security features were introduced with the SNMPv3 protocol? (Choose three.)
A.
Message integrity, which ensures that a packet has not been tampered with in-transit
B.
DoS prevention, which ensures that the device cannot be impacted by SNMP buffer overflow
C.
Authentication, which ensures that the message is from a valid source
D.
Authorization, which allows access to certain data sections for certain authorized users
E.
Digital certificates, which ensure nonrepudiation of authentications
F.
Encryption of the packet to prevent it from being seen by an unauthorized source

Answer: A,C,F
Explanation:

Security features provided in SNMPv3 are as follows:


SNMPv3 is a security model in which an authentication strategy is set up for a user and the group
in which the user resides. A security level is the permitted level of security within a security model.
A combination of a security model and a security level determines which security mechanism is
used when handling an SNMP packet.
References: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/snmp/configuration/xe3se/3850/snmp-xe-3se-3850-book/nm-snmp-snmpv3.html

QUESTION NO: 174


Which common Microsoft protocol allows Microsoft machine administration and operates over
TCP port 3389?
"Pass Any Exam. Any Time." - www.actualtests.com

157

Cisco 350-018 Exam


A.
remote desktop protocol
B.
desktop mirroring
C.
desktop shadowing
D.
Tarantella remote desktop

Answer: A
Explanation:

Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft, which provides a
user with a graphical interface to connect to another computer over a network connection. The
user employs RDP client software for this purpose, while the other computer must run RDP server
software. By default, the server listens on TCP port 3389 and UDP port 3389.
References: http://en.wikipedia.org/wiki/Remote_Desktop_Protocol

QUESTION NO: 175


What does the Common Criteria (CC) standard define?
A.
The current list of Common Vulnerabilities and Exposures (CVEs)
B.
The U.S standards for encryption export regulations
C.
Tools to support the development of pivotal, forward-looking information system technologies
D.
The international standards for evaluating trust in information systems and products
E.
The international standards for privacy laws
F.
"Pass Any Exam. Any Time." - www.actualtests.com

158

Cisco 350-018 Exam


The standards for establishing a security incident response system

Answer: D
Explanation:
The Common Criteria for Information Technology Security Evaluation (abbreviated as Common
Criteria or CC) is an international standard (ISO/IEC 15408) for computer security certification.
Common Criteria is a framework in which computer system users can specify their
security functional and assurance requirements (SFRs and SARs respectively) through the use of
Protection Profiles (PPs), vendors can then implement and/or make claims about the security
attributes of their products, and testing laboratories can evaluate the products to determine if they
actually meet the claims. In other words, Common Criteria provides assurance that the process of
specification, implementation and evaluation of a computer security product has been conducted
in a rigorous and standard and repeatable manner at a level that is commensurate with the target
environment for use.
Common Criteria is used as the basis for a government-driven certification scheme, and typically
evaluations are conducted for the use of Federal Government agencies and critical infrastructure.
References: http://en.wikipedia.org/wiki/Common_Criteria

QUESTION NO: 176


Which three types of information could be used during the incident response investigation phase?
(Choose three.)
A.
netflow data
B.
SNMP alerts
C.
encryption policy
D.
syslog output
E.
IT compliance reports

"Pass Any Exam. Any Time." - www.actualtests.com

159

Cisco 350-018 Exam


Answer: A,B,D
Explanation:

Incident Analysis and Response


Role-based security event management dashboard
Session-based event consolidation with full-rule context
Graphical attack path visualization with detailed investigation
Attack path device profiles with endpoint MAC identification
Graphical and detailed sequential attack pattern display
Incident details, including rules, raw events, common vulnerabilities and exposures (CVEs), and
mitigation options
Immediate incident investigation and false positive determination
GUI rule definition in support of custom rules and keyword parsing
Incident escalation with user-based "to-do" work list
Notification, including e-mail, net flow, pager, syslog, and SNMP
Integration with existing ticketing and workflow system via Extensible Markup Language (XML)
event notification

QUESTION NO: 177


Which protocol can be used to encrypt traffic sent over a GRE tunnel?
A.
SSL
B.
SSH
C.
IPsec
D.
DH
"Pass Any Exam. Any Time." - www.actualtests.com

160

Cisco 350-018 Exam


E.
TLS

Answer: C
Explanation:

Although IPsec provides a secure method for tunnelling data across an IP network, it has limitations. IPsec
does not support IP broadcast or IP multicast, preventing the use of protocols that rely on these
features, such as routing protocols. IPsec also does not support the use of multiprotocol traffic.
Generic Routing Encapsulation (GRE) is a protocol that can be used to "carry" other passenger
protocols, such as IP broadcast or IP multicast, as well as non-IP protocols.
References:
http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/WAN_and_MAN/P2P_GRE_IPSec/P2P_GRE_IPSec/2_p2pGRE_Phase2.html

QUESTION NO: 178


When you compare WEP to WPA (not WPA2), which three protections are gained? (Choose
three.)
A.
a message integrity check
B.
AES-based encryption
C.
avoidance of weak Initialization vectors
D.
longer RC4 keys
E.
a rekeying mechanism

Answer: A,C,E
Explanation:
"Pass Any Exam. Any Time." - www.actualtests.com

161

Cisco 350-018 Exam


WPA uses a message integrity check algorithm called Michael to verify the integrity of the packets.
Michael is much stronger than a CRC, but not as strong as the algorithm used in WPA2.
Weak initialization vectors: at a moderate traffic load, it is possible to break WEP encryption by
watching the traffic for various weak initialization vectors in less than 12 hours. Today, most vendors
use a weak-key avoidance scheme to reduce the impact of this type of attack. Despite this fix,
after lengthy use, WEP using static keys can be compromised.
A rekeying mechanism provides fresh encryption and integrity keys, undoing the threat of attacks
stemming from key reuse.

QUESTION NO: 179


Which two statements about SHA are correct? (Choose two.)
A.
Five 32-bit variables are applied to the message to produce the 160-bit hash.
B.
The message is split into 64-bit blocks for processing.
C.
The message is split into 512-bit blocks for processing.
D.
SHA-2 and MD5 both consist of four rounds of processing.

Answer: A,C
Explanation:

"Pass Any Exam. Any Time." - www.actualtests.com

162

Cisco 350-018 Exam

References: http://en.wikipedia.org/wiki/SHA-1

QUESTION NO: 180


Which three statements about IKEv2 are correct? (Choose three.)
A.
INITIAL_CONTACT is used to synchronize state between peers.
B.
The IKEv2 standard defines a method for fragmenting large messages.
C.
The initial exchanges of IKEv2 consist of IKE_SA_INIT and IKE_AUTH.
D.
Rekeying IKE and child SAs is facilitated by the IKEv2 CREATE_CHILD_SA exchange.
E.
NAT-T is not supported.
F.
Attribute policy push (via the configuration payload) is only supported in REQUEST/REPLY mode.

Answer: A,C,D
Explanation:

"Pass Any Exam. Any Time." - www.actualtests.com

163

Cisco 350-018 Exam


INITIAL_CONTACT: a notification sent so that the remote peer resets any state information it
holds for this node; this message needs to be cryptographically protected.
IKE message flow always consists of a request followed by a response.
It is the responsibility of the requester to ensure reliability. If the response is not received within a
timeout interval, the requester needs to retransmit the request (or abandon the connection). The
first request/response of an IKE session (IKE_SA_INIT) negotiates security parameters for the
IKE_SA, sends nonces, and sends Diffie-Hellman values.
The second request/response (IKE_AUTH) transmits identities, proves knowledge of the secrets
corresponding to the two identities, and sets up an SA for the first (and often only) AH and/or ESP
CHILD_SA.
The types of subsequent exchanges are CREATE_CHILD_SA (which creates a CHILD_SA) and
INFORMATIONAL (which deletes an SA, reports error conditions, or does other housekeeping).
Every request requires a response.
References: https://tools.ietf.org/html/rfc4306

QUESTION NO: 181


Which three statements about LDAP are true? (Choose three.)

A.
LDAP uses UDP port 389 by default.
B.
LDAP is defined in terms of ASN.1 and transmitted using BER.
C.
LDAP is used for accessing X.500 directory services.
D.
An LDAP directory entry is uniquely identified by its DN.
E.
A secure connection via TLS is established via the UseTLS operation.

Answer: B,C,D
"Pass Any Exam. Any Time." - www.actualtests.com

164

Cisco 350-018 Exam


Explanation:

LDAP provides access to distributed directory services that act in accordance with X.500 data and
service models. These protocol elements are based on those described in the X.500 Directory
Access Protocol (DAP).
The encoding rules for converting data types into bits and bytes are called the transfer
syntax. Basic Encoding Rules (BER) is the transfer syntax for SNMP and LDAP. BER uses the
concept of an 'identifier'. An identifier is a unique code assigned to every data type. This identifier
acts as the calling code for that data type.

QUESTION NO: 182


Which three features describe DTLS protocol? (Choose three.)
A.
DTLS handshake does not support reordering or manage loss packets.
B.
DTLS provides enhanced security, as compared to TLS.
C.
DTLS provides block cipher encryption and decryption services.
D.
DTLS is designed to prevent man-in-the-middle attacks, message tampering, and message
forgery.
E.
DTLS is used by application layer protocols that use UDP as a transport mechanism.
F.
DTLS does not support replay detection.

Answer: C,D,E
Explanation:

The BEAST attack [BEAST] uses issues with the TLS 1.0 implementation of Cipher Block Chaining
(CBC) (that is, the predictable initialization vector) to decrypt parts of a packet, and specifically to
decrypt HTTP cookies when HTTP is run over TLS.
"Pass Any Exam. Any Time." - www.actualtests.com

165

Cisco 350-018 Exam


TLS allows the definition of ephemeral Diffie-Hellman (DH) and Elliptic Curve Diffie-Hellman
parameters in its respective key exchange modes. In addition, clients that do not properly verify the
received parameters are exposed to man-in-the-middle (MITM) attacks.
DTLS is an adaptation of TLS for UDP.
References: https://tools.ietf.org/html/rfc7457

QUESTION NO: 183


Which statement regarding TFTP is not true?
A.
Communication is initiated over UDP port 69.
B.
Files are transferred using a secondary data channel.
C.
Data is transferred using fixed-size blocks.
D.
TFTP authentication information is sent in clear text.
E.
TFTP is often utilized by operating system boot loader procedures.
F.
The TFTP protocol is implemented by a wide variety of operating systems and network devices.

Answer: D
Explanation:

TFTP is a network protocol used to transfer files between remote machines. It is a simple version
of FTP, lacking some of the more advanced features FTP offers, but requiring fewer resources than
FTP.
Because of its simplicity, TFTP can be used only to send and receive files. It uses UDP port 69 for
communication. Because of its disadvantages, TFTP is not widely used today, but it is used to save
and restore a router configuration or to back up an IOS image. TFTP does not support user
authentication and sends all data in clear text.
"Pass Any Exam. Any Time." - www.actualtests.com

166

Cisco 350-018 Exam

QUESTION NO: 184


Which three new capabilities were added to HTTP v1.1 over HTTP v1.0? (Choose three.)
A.
chunked transfer encoding
B.
HTTP pipelining
C.
POST method
D.
HTTP cookies
E.
keepalive mechanism

Answer: A,B,E
Explanation:

Chunked transfer encoding is a data transfer mechanism in version 1.1 of the Hypertext Transfer
Protocol (HTTP) in which data is sent in a series of "chunks". It uses the Transfer-Encoding HTTP
header in place of the Content-Length header, which the earlier version of the protocol would
otherwise require. Because the Content-Length header is not used, the sender does not need to
know the length of the content before it starts transmitting a response to the receiver. Senders can
begin transmitting dynamically-generated content before knowing the total size of that content.
The size of each chunk is sent right before the chunk itself so that the receiver can tell when it has
finished receiving data for that chunk. The data transfer is terminated by a final chunk of length
zero.
HTTP requests and responses can be pipelined on a connection. Pipelining allows a client to
make multiple requests without waiting for each response, allowing a single TCP connection to be
used much more efficiently, with much lower elapsed time.
HTTP/1.1 phased out support for keep-alive connections, replacing them with an improved design
called persistent connections. The goals of persistent connections are the same as those of
keep-alive connections, but the mechanisms behave better.

QUESTION NO: 185


Refer to the exhibit, which shows a partial output of the show command.

Which statement best describes the problem?


A.
Context vpn1 is not inservice.
B.
There is no gateway that is configured under context vpn1.
C.
The config has not been properly updated for context vpn1.
D.
The gateway that is configured under context vpn1 is not inservice.

Answer: A
Explanation:

To display the operational status and configuration parameters for Secure Socket Layer (SSL)
virtual private network (VPN) context configurations, use the show webvpn context command in
privileged EXEC mode. The vpn1 context shows both its admin status (AS) and operational status
(OS) as down, so vpn1 is not in service.

QUESTION NO: 186


Which four protocols are supported by Cisco IOS Management Plane Protection? (Choose four.)

A.
Blocks Extensible Exchange Protocol (BEEP)
B.
Hypertext Transfer Protocol Secure (HTTPS)
C.
Secure Copy Protocol (SCP)
D.
Secure File Transfer Protocol (SFTP)
E.
Secure Shell (SSH)
F.
Simple Network Management Protocol (SNMP)

Answer: A,B,E,F
Explanation:

The management plane is the logical path of all traffic related to the management of a routing
platform. One of three planes in a communication architecture that is structured in layers and
planes, the management plane performs management functions for a network and coordinates
functions among all the planes (management, control, data). The management plane also is used
to manage a device through its connection to the network.
Examples of protocols processed in the management plane are Simple Network Management
Protocol (SNMP), Telnet, HTTP, Secure HTTP (HTTPS), and SSH. These management protocols
are used for monitoring and for CLI access. Restricting access to devices to internal sources
(trusted networks) is critical.
References: http://www.cisco.com/c/en/us/td/docs/ios/12_4t/12_4t11/htsecmpp.html

QUESTION NO: 187


Which three statements about OCSP are correct? (Choose three.)
A.
OCSP is defined in RFC2560.
B.
OCSP uses only http as a transport.
C.
OCSP responders can use RSA and DSA signatures to validate that responses are from trusted
entities.
D.
A response indicator may be good, revoked, or unknown.
E.
OCSP is an updated version SCEP.

Answer: A,C,D
Explanation:
Three definitive response indicators for use in the certificate status value are: good, revoked, and
unknown.
Clients that request OCSP services SHALL be capable of processing responses signed using DSA
keys identified by the DSA sig-alg-oid specified in section 7.2.2 of [RFC2459]. Clients SHOULD
also be capable of processing RSA signatures. OCSP responders SHALL support the SHA1
hashing algorithm.
References: https://www.ietf.org/rfc/rfc2560.txt

QUESTION NO: 188


DHCPv6 is used in which IPv6 address autoconfiguration method?
A.
stateful autoconfiguration
B.
stateless autoconfiguration
C.
EUI-64 address generation
D.
cryptographically generated addresses

Answer: A
Explanation:

Stateful autoconfiguration is the IPv6 equivalent of DHCP. A new protocol, called DHCPv6 (and
based closely on DHCP), is used to pass out addressing and service information in the same way
that DHCP is used in IPv4. This is called "stateful" because the DHCP server and the client must
both maintain state information to keep addresses from conflicting, to handle leases, and to renew
addresses over time.
Our network does not use DHCPv6. The DHCPv6 protocol is not yet standardized, although there
are several drafts available, including "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)"
(by J. Bound and C. Perkins) "Extensions for DHCPv6" (by C. Perkins) which are expected to
move to proposed standard status shortly.
References: http://www.opus1.com/ipv6/whatisautoconfiguration.html

QUESTION NO: 189


Which two options represent definitions that are found in the syslog protocol (RFC 5426)?
(Choose two.)
A.
Syslog message transport is reliable.
B.
Each syslog datagram must contain only one message.
C.
IPv6 syslog receivers must be able to receive datagrams of up to 1180 bytes.
D.
Syslog messages must be prioritized with an IP precedence of 7.
E.
Syslog servers must use NTP for the accurate time stamping of message arrival.

Answer: B,C
Explanation:

Each syslog UDP datagram MUST contain only one syslog message, which may be complete or
truncated. The message MUST be formatted and truncated according to RFC 5424. Additional
data MUST NOT be present in the datagram payload.
IPv4 syslog receivers MUST be able to receive datagrams with message sizes up to and including
480 octets. IPv6 syslog receivers MUST be able to receive datagrams with message sizes up to
and including 1180 octets. All syslog receivers SHOULD be able to receive datagrams with
message sizes of up to and including 2048 octets. The ability to receive larger messages is
encouraged.
References: https://tools.ietf.org/html/rfc5426#section-3.1

QUESTION NO: 190


Which protocol is superseded by AES?
A.
DES
B.
RSA
C.
RC4
D.
MD5

Answer: A
Explanation:

DES is now considered to be insecure for many applications. This is chiefly due to the 56-bit key
size being too small; in January 1999, distributed.net and the Electronic Frontier Foundation
collaborated to publicly break a DES key in 22 hours and 15 minutes. There are also some
analytical results which demonstrate theoretical weaknesses in the cipher, although they are
infeasible to mount in practice. The algorithm is believed to be practically secure in the form of
Triple DES, although there are theoretical attacks. In recent years, the cipher has been
superseded by the Advanced Encryption Standard (AES). Furthermore, DES has been withdrawn
as a standard by the National Institute of Standards and Technology (formerly the National Bureau
of Standards).
References: http://en.wikipedia.org/wiki/Data_Encryption_Standard

QUESTION NO: 191


What is the purpose of the SPI field in an IPsec packet?
A.
identifies a transmission channel
B.
provides anti-replay protection
C.
ensures data integrity
D.
contains a shared session key

Answer: A
Explanation:

In order to decide what protection is to be provided for an outgoing packet, IPsec uses the
Security Parameter Index (SPI), an index to the security association database (SADB), along with
the destination address in a packet header, which together uniquely identify a security association
for that packet. A similar procedure is performed for an incoming packet, where IPsec gathers
decryption and verification keys from the security association database.
References: http://en.wikipedia.org/wiki/IPsec

QUESTION NO: 192


Which IPsec protocol provides data integrity but no data encryption?
A.
AH
B.
ESP
C.
SPI
D.
DH

Answer: A
Explanation:

Authentication Header (AH) provides authentication and integrity to the datagrams passed
between two systems.
It achieves this by applying a keyed one-way hash function to the datagram to create a message
digest. If any part of the datagram is changed during transit, it will be detected by the receiver
when it performs the same one-way hash function on the datagram and compares the result with
the message digest that the sender supplied. The one-way hash also involves the use of a secret
shared between the two systems, which means that authenticity can be guaranteed.
References: http://www.ciscopress.com/articles/article.asp?p=24833&seqNum=3

QUESTION NO: 193


What transport protocol and port are used by GDOI for its IKE sessions that are established
between the group members and the key server?
A.
UDP port 848
B.
TCP port 848
C.
ESP port 51
D.
SSL port 443
E.
UDP port 4500

Answer: A
Explanation:

GDOI uses User Datagram Protocol (UDP) 848 to establish its IKE sessions between the key
server and the group members. Upon receiving a registration request, the key server
authenticates the router, performs an optional authorization check, and downloads the policy and
keys to the group member. The group member is ready to use these encryption keys. The key
server pushes new keys to the group (also known as rekeying the group) whenever needed,
similar to SA expiration. The key server can host multiple groups and each group will have a
different group key.
References: http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/getvpn-solutionmanaged-services/prod_white_paper0900aecd804c363f.html

QUESTION NO: 194


What is the advantage of using the ESP protocol over the AH?
A.
data confidentiality
B.
data integrity verification
C.
nonrepudiation
D.
anti-replay protection

Answer: A
Explanation:

ESP is used to provide confidentiality, data origin authentication, connectionless integrity, an
anti-replay service (a form of partial sequence integrity), and limited traffic flow confidentiality. The
set of services provided depends on options selected at the time of Security Association
establishment and on the placement of the implementation. Confidentiality may be selected
independent of all other services. However, use of confidentiality without integrity/authentication
(either in ESP or separately in AH) may subject traffic to certain forms of active attacks that could
undermine the confidentiality service.
References: https://www.ietf.org/rfc/rfc2406.txt

QUESTION NO: 195


Which three statements about the TACACS protocol are correct? (Choose three.)
A.
TACACS+ is an IETF standard protocol.
B.
TACACS+ uses TCP port 47 by default.
C.
TACACS+ is considered to be more secure than the RADIUS protocol.
D.
TACACS+ can support authorization and accounting while having another separate authentication
solution.
E.
TACACS+ only encrypts the password of the user for security.
F.
TACACS+ supports per-user or per-group for authorization of router commands.

Answer: C,D,F
Explanation:
RADIUS uses UDP while TACACS+ uses TCP. TCP offers several advantages over UDP. TCP
offers a connection-oriented transport, while UDP offers best-effort delivery. RADIUS requires
additional programmable variables such as re-transmit attempts and time-outs to compensate for
best-effort transport, but it lacks the level of built-in support that a TCP transport offers.
RADIUS combines authentication and authorization. The access-accept packets sent by the
RADIUS server to the client contain authorization information. This makes it difficult to decouple
authentication and authorization.
TACACS+ uses the AAA architecture, which separates AAA. This allows separate authentication
solutions that can still use TACACS+ for authorization and accounting. For example, with
TACACS+, it is possible to use Kerberos authentication and TACACS+ authorization and
accounting. After a NAS authenticates on a Kerberos server, it requests authorization information
from a TACACS+ server without having to re-authenticate. The NAS informs the TACACS+ server
that it has successfully authenticated on a Kerberos server, and the server then provides
authorization information.
During a session, if additional authorization checking is needed, the access server checks with a
TACACS+ server to determine if the user is granted permission to use a particular command. This
provides greater control over the commands that can be executed on the access server while
decoupling from the authentication mechanism.
TACACS+ provides two methods to control the authorization of router commands on a per-user or
per-group basis. The first method is to assign privilege levels to commands and have the router
verify with the TACACS+ server whether or not the user is authorized at the specified privilege
level. The second method is to explicitly specify in the TACACS+ server, on a per-user or
per-group basis, the commands that are allowed.

QUESTION NO: 196


What is the purpose of the OCSP protocol?
A.
checks the revocation status of a digital certificate
B.
submits a certificate signing request
C.
verifies a signature of a digital certificate
D.
protects a digital certificate with its private key

Answer: A
Explanation:

The Online Certificate Status Protocol (OCSP) is an Internet protocol used for obtaining the
revocation status of an X.509 digital certificate. It is described in RFC 6960 and is on the Internet
standards track.
References: http://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol

QUESTION NO: 197
Which transport method is used by the IEEE 802.1X protocol?
A.
EAPOL frames
B.
802.3 frames
C.
UDP RADIUS datagrams
D.
PPPoE frames

Answer: A
Explanation:

Authenticators and supplicants communicate with one another by using the Extensible
Authentication Protocol (EAP, RFC-2284). EAP was originally designed to run over PPP and to
authenticate dial-in users, but 802.1x defines an encapsulation method for passing EAP packets
over Ethernet frames. This method is referred to as EAP over LANs, or EAPOL. The Ethernet type
of EAPOL is 88-8E, two octets in length. EAPOL encapsulations are described for IEEE 802
compliant environments, such as 802.3 Ethernet, 802.11 Wireless LAN and Token Ring/FDDI.
References: http://www.zyxeltech.de/SNotep335wt/app/8021x.htm#EAPOL

QUESTION NO: 198


Which encryption mechanism is used in WEP?
A.
RC4
B.
RC5
C.
DES
D.
AES

Answer: A
Explanation:
WEP was included as the privacy component of the original IEEE 802.11 standard ratified in
September 1999. WEP uses the stream cipher RC4 for confidentiality, and the CRC-32 checksum
for integrity. It was deprecated in 2004 and is documented in the current standard.
Standard 64-bit WEP uses a 40-bit key (also known as WEP-40), which is concatenated with a
24-bit initialization vector (IV) to form the RC4 key. At the time that the original WEP standard was
drafted, the U.S. Government's export restrictions on cryptographic technology limited the key
size. Once the restrictions were lifted, manufacturers of access points implemented an extended
128-bit WEP protocol using a 104-bit key size (WEP-104).
References: http://en.wikipedia.org/wiki/Wired_Equivalent_Privacy#Encryption_details

QUESTION NO: 199


Which three statements about Security Group Tag Exchange Protocol are true? (Choose three.)
A.
SXP runs on UDP port 64999.
B.
A connection is established between a "listener" and a "speaker."
C.
It propagates the IP-to-SGT binding table across network devices that do not have the ability to
perform SGT tagging at Layer 2 to devices that support it.
D.
SXP is supported across multiple hops.
E.
SXPv2 introduces connection security via TLS.

Answer: B,C,D
Explanation:
Cisco TrustSec (CTS) builds secure networks by establishing domains of trusted network devices.
Each device in the domain is authenticated by its peers. Communication on the links between
devices in the domain is secured with a combination of encryption, message integrity check, and
data-path replay protection mechanisms.
The Security Group Tag (SGT) Exchange Protocol (SXP) is one of several protocols that supports
CTS and is referred to in this document as CTS-SXP. CTS-SXP is a control protocol for
propagating IP-to-SGT binding information across network devices that do not have the capability
to tag packets. CTS-SXP passes IP to SGT bindings from authentication points to upstream
devices in the network. This process allows security services on switches, routers, or firewalls to
learn identity information from access devices.
References: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_cts/configuration/xe3s/sec-usr-cts-xe-3s-book/cts-sxp-ipv4.html

QUESTION NO: 200


What does the SXP protocol exchange between peers?
A.
IP to SGT binding information
B.
MAC to SGT binding information
C.
ingress port to SGT binding information
D.
ingress switch to SGT binding information

Answer: A
Explanation:

The Security Group Tag (SGT) Exchange Protocol (SXP) is one of several protocols that supports
CTS and is referred to in this document as CTS-SXP. CTS-SXP is a control protocol for
propagating IP-to-SGT binding information across network devices that do not have the capability
to tag packets. CTS-SXP passes IP to SGT bindings from authentication points to upstream
devices in the network. This process allows security services on switches, routers, or firewalls to
learn identity information from access devices.
References: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_cts/configuration/xe3s/sec-usr-cts-xe-3s-book/cts-sxp-ipv4.html

QUESTION NO: 201


What is a primary function of the SXP protocol?
A.
to extend a TrustSec domain on switches that do not support packet tagging with SGTs
B.
to map the SGT tag to VLAN information
C.
to allow the SGT tagged packets to be transmitted on trunks
D.
to exchange the SGT information between different TrustSec domains

Answer: A
Explanation:

Cisco TrustSec (CTS) builds secure networks by establishing domains of trusted network devices.
Each device in the domain is authenticated by its peers. Communication on the links between
devices in the domain is secured with a combination of encryption, message integrity check, and
data-path replay protection mechanisms.
The Security Group Tag (SGT) Exchange Protocol (SXP) is one of several protocols that supports
CTS and is referred to in this document as CTS-SXP. CTS-SXP is a control protocol for
propagating IP-to-SGT binding information across network devices that do not have the capability
to tag packets. CTS-SXP passes IP to SGT bindings from authentication points to upstream
devices in the network. This process allows security services on switches, routers, or firewalls to
learn identity information from access devices.
References: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_cts/configuration/xe3s/sec-usr-cts-xe-3s-book/cts-sxp-ipv4.html

QUESTION NO: 202
Which transport type is used by the DHCP protocol?
A.
UDP ports 67 and 69
B.
TCP ports 67 and 68
C.
UDP and TCP port 67
D.
UDP ports 67 and 68

Answer: D
Explanation:

The DHCP employs a connectionless service model, using the User Datagram Protocol (UDP). It
is implemented with two UDP port numbers for its operations which are the same as for the
BOOTP protocol. UDP port number 67 is the destination port of a server, and UDP port number 68
is used by the client.
References: http://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol

QUESTION NO: 203


Which Category to Protocol mapping for NBAR is correct?
A.
Category: Enterprise Applications; Protocol: Citrix ICA, PCAnywhere, SAP, IMAP
B.
Category: Internet; Protocol: FTP, HTTP, TFTP
C.
Category: Network Management; Protocol: ICMP, SNMP, SSH, Telnet
D.
Category: Network Mail Services; Protocol: MAPI, POP3, SMTP

Answer: B
Explanation:
Supported protocols in the Internet category are shown below:

References: http://www.cisco.com/c/en/us/td/docs/ios/12_4t/qos/configuration/guide/qsnbar1.html#wp1056828

QUESTION NO: 204


Which statement describes the computed authentication data in the AH protocol?
A.
The computed authentication data is never sent across.
B.
The computed authentication data is part of a new IP header.
C.
The computed authentication data is part of the AH header.
D.
The computed authentication data is part of the original IP header.

Answer: C
Explanation:

QUESTION NO: 205


Which statement about the AH is true?
A.
AH authenticates only the data.
B.
AH authenticates only the IP header.
C.
AH authenticates only the TCP-UDP header.
D.
AH authenticates the entire packet and any mutable fields.
E.
AH authenticates the entire packet except for any mutable fields.

Answer: E
Explanation:

In transport mode, AH is used for end-to-end authentication. For IPv4, AH is placed after the
original IP header and before the transport segment or before any other IPsec headers that have
been inserted. The authentication process covers the entire packet, except for mutable fields in the
IPv4 header that are set to 0 for MAC calculation [8]. For IPv6, AH is viewed as an end-to-end
payload and is placed after the original IPv6 header and the hop-by-hop, routing and fragmentation
extension headers. The destination options extension header(s) could appear either before or after
the AH header depending on the semantics desired. The authentication process covers the entire
packet, except for mutable fields that are set to 0 for MAC calculation.
References: http://www.upm.ro/facultati_departamente/stiinte_litere/conferinte/situl_integrare_europeana/Lucrari/Crainicu.pdf

QUESTION NO: 206


Which three fields are part of the AH header? (Choose three.)
A.
Source Address
B.
Destination Address
C.
Packet ICV
D.
Protocol ID
E.
Application Port
F.
SPI identifying SA
G.
Payload Data Type Identifier

Answer: C,F,G
Explanation:

The AH header contains the following fields:

Next Header: Identifies the next header that uses the IP protocol ID. For example, the value might
be "6" to indicate TCP.
Length: Indicates the length of the AH header.
Security Parameters Index (SPI): Used in combination with the destination address and the
security protocol (AH or ESP) to identify the correct security association for the communication.
The receiver uses this value to determine with which security association this packet is identified.
Sequence Number: Provides anti-replay protection for the SA. It is a 32-bit, incrementally
increasing number (starting from 1) that is never allowed to cycle and that indicates the packet
number sent over the security association for the communication. The receiver checks this field to
verify that a packet for a security association with this number has not been received already. If
one has been received, the packet is rejected.
Authentication Data: Contains the Integrity Check Value (ICV) that is used to verify the integrity of
the message. The receiver calculates the hash value and checks it against this value (calculated
by the sender) to verify integrity.
References: https://technet.microsoft.com/en-us/library/cc959507.aspx

QUESTION NO: 207


Which statement about the HTTP protocol is true?
A.
The request method does not include the protocol version.
B.
The proxy acts as an intermediary receiving agent in the request-response chain.
C.
The tunnel acts as an intermediary relay agent in the request-response chain.
D.
The gateway acts as an intermediary forwarding agent in the request-response chain.
E.
The success and error codes are returned in the response message by the user-agent.

Answer: C
Explanation:
There are three common forms of intermediary: proxy, gateway, and tunnel. A proxy is a
forwarding agent, receiving requests for a URI in its absolute form, rewriting all or part of the
message, and forwarding the reformatted request toward the server identified by the URI. A
gateway is a receiving agent, acting as a layer above some other server(s) and, if necessary,
translating the requests to the underlying server's protocol. A tunnel acts as a relay point between
two connections without changing the messages; tunnels are used when the communication
needs to pass through an intermediary (such as a firewall) even when the intermediary cannot
understand the contents of the messages.
References: http://www.w3.org/Protocols/rfc2616/rfc2616.txt

QUESTION NO: 208


Which statement about SMTP is true?
A.
SMTP uses UDP port 25.
B.
The POP protocol is used by the SMTP client to manage stored mail.
C.
The IMAP protocol is used by the SMTP client to retrieve and manage stored email.
D.
The mail delivery agent in the SMTP architecture is responsible for DNS lookup.
E.
SMTP uses TCP port 20.

Answer: C
Explanation:

Internet Message Access Protocol (IMAP) is a protocol for e-mail retrieval and storage developed
by Mark Crispin in 1986 at Stanford University as an alternative to POP. IMAP, unlike POP,
specifically allows multiple clients simultaneously connected to the same mailbox, and through
flags stored on the server, different clients accessing the same mailbox at the same or different
times can detect state changes made by other clients.
References: http://en.wikipedia.org/wiki/Internet_Message_Access_Protocol

QUESTION NO: 209


Which two statements about DHCP are true? (Choose two.)
A.
DHCP uses TCP port 67.
B.
DHCP uses UDP ports 67 and 68.
C.
The DHCPDiscover packet has a multicast address of 239.1.1.1.
D.
DHCPRequest is a broadcast message.
E.
The DHCPOffer packet is sent from the DHCP server.

Answer: B,E
Explanation:

The DHCP employs a connectionless service model, using the User Datagram Protocol (UDP). It
is implemented with two UDP port numbers for its operations which are the same as for the
BOOTP protocol. UDP port number 67 is the destination port of a server, and UDP port number 68
is used by the client.
When a DHCP server receives a DHCPDISCOVER message from a client, which is an IP address
lease request, the server reserves an IP address for the client and makes a lease offer by sending
a DHCPOFFER message to the client. This message contains the client's MAC address, the IP
address that the server is offering, the subnet mask, the lease duration, and the IP address of the
DHCP server making the offer.
References: http://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol

Topic 3, Application and Infrastructure Security

QUESTION NO: 210


Which three statements describe the security weaknesses of WEP? (Choose three.)
A.
Key strength is weak and non-standardized.
B.
The WEP ICV algorithm is not optimal for cryptographic integrity checking.
C.
There is no key distribution mechanism.
D.
Its key rotation mechanism is too predictable.
E.
For integrity, it uses MD5, which has known weaknesses.

Answer: A,B,C
Explanation:

Key management is not specified in the WEP standard. Without interoperable key management,
keys tend to be long-lived and of poor quality.
The CRC-32 ICV is a linear function of the message, meaning that an attacker can modify an
encrypted message and easily fix the ICV so the message appears authentic. Being able to
modify encrypted packets provides for a nearly limitless number of very simple attacks. An
attacker can easily make the victim's wireless access point decrypt packets for him.

QUESTION NO: 211


When implementing WLAN security, what are three benefits of using the TKIP instead of WEP?
(Choose three.)
A.
TKIP uses an advanced encryption scheme based on AES.
B.
TKIP provides authentication and integrity checking using CBC-MAC.
C.
TKIP provides per-packet keying and a rekeying mechanism.
D.
TKIP provides message integrity check.
E.
TKIP reduces WEP vulnerabilities by using a different hardware encryption chipset.
F.
TKIP uses a 48-bit initialization vector.

Answer: C,D,F
Explanation:

QUESTION NO: 212


Which three nonproprietary EAP methods do not require the use of a client-side certificate for
mutual authentication? (Choose three.)
A.
LEAP
B.
EAP-TLS
C.
PEAP
D.
EAP-TTLS
E.
EAP-FAST

Answer: C,D,E
Explanation:

References: http://www.cisco.com/c/en/us/products/collateral/wireless/aironet-1300series/prod_qas09186a00802030dc.html

QUESTION NO: 213


Which option explains the passive scan technique that is used by wireless clients to discover
available wireless networks?
A.
listening for access point beacons that contain available wireless networks
B.
sending a null probe request
C.
sending a null association request
D.
listening for access point probe response frames that contain available wireless networks

Answer: A
Explanation:

During passive scans, the radio listens for beacons and probe responses. If you use only passive
mode, the radio scans once per second, and audits packets on the wireless network. Passive
scans are always enabled and cannot be disabled because this capability is also used to connect
clients to access points.

QUESTION NO: 214


Refer to the exhibit.

Which message could contain an authenticated initial_contact notify during IKE main mode
negotiation?
A.
message 3
B.
message 5
C.
message 1
D.
none, initial_contact is sent only during quick mode
E.
none, notify messages are sent only as independent message types

Answer: B
Explanation:

Main Mode Message 5 (MM5) - Initiator Sends Its Identity


Includes:
*Sep 21 08:33:43.425: ISAKMP (1011): received packet from 2001:DB8::2 dport 500 sport 500 Global (R) MM_KEY_EXCH
*Sep 21 08:33:43.425: ISAKMP: (1011):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Sep 21 08:33:43.425: ISAKMP: (1011): Old State = IKE_R_MM4 New State = IKE_R_MM5
*Sep 21 08:33:43.425: ISAKMP: (1011): processing ID payload. message ID = 0
*Sep 21 08:33:43.425: ISAKMP (1011): ID payload
next-payload : 8
type : 5
address : 2001:DB8::2
protocol : 17
port : 500
length : 24
*Sep 21 08:33:43.425: ISAKMP: (0):: peer matches *none* of the profiles
*Sep 21 08:33:43.425: ISAKMP: (1011): processing HASH payload. message ID = 0
*Sep 21 08:33:43.425: ISAKMP: (1011): processing NOTIFY INITIAL_CONTACT protocol 1 spi 0, message ID = 0, sa = 0x6D12A00
*Sep 21 08:33:43.425: ISAKMP: (1011): SA authentication status: authenticated
*Sep 21 08:33:43.425: ISAKMP: (1011): SA has been authenticated with 2001:DB8::2
*Sep 21 08:33:43.425: ISAKMP: (1011): SA authentication status: authenticated
*Sep 21 08:33:43.425: ISAKMP: (1011): Process initial contact, bring down existing phase 1 and 2 SA's with local 2001:DB8::3 remote 2001:DB8::2 remote port 500
*Sep 21 08:33:43.425: ISAKMP: Trying to insert a peer 2001:DB8::3/2001:DB8::2/500/, and inserted successfully 8E45588.
*Sep 21 08:33:43.425: ISAKMP: (1011):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Sep 21 08:33:43.425: ISAKMP: (1011): Old State = IKE_R_MM5 New State = IKE_R_MM5

QUESTION NO: 215


Refer to the exhibit.

Which three statements are true? (Choose three.)


A.
Because of a "root delay" of 0ms, this router is probably receiving its time directly from a Stratum 0
or 1 GPS reference clock.
B.
This router has correctly synchronized its clock to its NTP master.
C.
The NTP server is running authentication and should be trusted as a valid time source.
D.
Specific local time zones have not been configured on this router.
E.
This router will not act as an NTP server for requests from other devices.

Answer: B,C,E
Explanation:

"Pass Any Exam. Any Time." - www.actualtests.com

195

Cisco 350-018 Exam

References: http://www.cisco.com/c/en/us/td/docs/ios/12_2/configfun/command/reference/ffun_r/frf012.html#wp1080718

QUESTION NO: 216


"Pass Any Exam. Any Time." - www.actualtests.com

196

Cisco 350-018 Exam


Refer to the exhibit.

What will be the default action?


A.
HTTP traffic to the Facebook, Youtube, and Twitter websites will be dropped.
B.
HTTP traffic to the Facebook and Youtube websites will be dropped.
C.
HTTP traffic to the Youtube and Twitter websites will be dropped.
D.
HTTP traffic to the Facebook and Twitter websites will be dropped.

"Pass Any Exam. Any Time." - www.actualtests.com

197

Cisco 350-018 Exam


Answer: D
Explanation:

Websites are blocked by a class-map type regex that uses match regex against the domain list
together with the configured order (1 or 2). As configured here, Facebook and Twitter are blocked.

QUESTION NO: 217


Which Cisco ASA feature can be used to update non-compliant antivirus/antispyware definition
files on an AnyConnect client?
A.
dynamic access policies
B.
dynamic access policies with Host Scan and advanced endpoint assessment
C.
Cisco Secure Desktop
D.
advanced endpoint assessment

Answer: B
Explanation:
DAP and Endpoint Security
The security appliance obtains endpoint security attributes by using posture assessment methods
that you configure. These include Cisco Secure Desktop and NAC. You can use a match of a
prelogin policy, Basic Host Scan entry, Host Scan Extension, or any combination of these and any
other policy attributes to assign access rights and restrictions. At minimum, configure DAPs to
assign to each prelogin policy and Basic Host Scan entry.
Endpoint Assessment, a Host Scan extension, examines the remote computer for a large
collection of antivirus and antispyware applications, associated definitions updates, and firewalls.
You can use this feature to combine endpoint criteria to satisfy your requirements before the
security appliance assigns a specific DAP to the session.
DAP and Anti-Virus, Anti-Spyware, and Personal Firewall Programs
"Pass Any Exam. Any Time." - www.actualtests.com

198

Cisco 350-018 Exam


The security appliance uses a DAP policy when the user attributes match the configured AAA
and endpoint attributes. The Prelogin Assessment and Host Scan modules of Cisco Secure
Desktop return information to the security appliance about the configured endpoint attributes, and
the DAP subsystem uses that information to select a DAP record that matches the values of those
attributes. Most, but not all, anti-virus, anti-spyware, and personal firewall programs support active
scan, which means that the programs are memory-resident, and therefore always running. Host
Scan checks to see if an endpoint has a program installed, and if it is memory-resident as follows:

If the installed program does not support active scan, Host Scan reports the presence of the
software. The DAP system selects DAP records that specify the program.

If the installed program does support active scan, and active scan is enabled for the program, Host
Scan reports the presence of the software. Again the security appliance selects DAP records that
specify the program.

If the installed program does support active scan and active scan is disabled for the program, Host
Scan ignores the presence of the software. The security appliance does not select DAP records
that specify the program. Further, the output of the debug trace command, which includes a lot of
information about DAP, does not indicate the program presence, even though it is installed.

QUESTION NO: 218


Refer to the exhibit.

Which message of the ISAKMP exchange is failing?


"Pass Any Exam. Any Time." - www.actualtests.com

199

Cisco 350-018 Exam


A.
main mode 1
B.
main mode 3
C.
aggressive mode 1
D.
main mode 5
E.
aggressive mode 2

Answer: B
Explanation:

Main mode message 3 (MM3) - NAT discovery and Diffie-Hellman exchange.


Includes:
- NAT discovery payload and hash.
- DH exchange initiation.
Here the DH value does not match the one computed at the peer end, which is why the
negotiation is failing.

QUESTION NO: 219


Refer to the exhibit.

"Pass Any Exam. Any Time." - www.actualtests.com

200

Cisco 350-018 Exam

Which statement about this Cisco Catalyst switch 802.1X configuration is true?
A.
If an IP phone behind the switch port has an 802.1X supplicant, MAC address bypass will still be
used to authenticate the IP Phone.
B.
If an IP phone behind the switch port has an 802.1X supplicant, 802.1X authentication will be used
to authenticate the IP phone.
C.
The authentication host-mode multi-domain command enables the PC connected behind the IP
phone to bypass 802.1X authentication.
D.
Using the authentication host-mode multi-domain command will allow up to eight PCs connected
behind the IP phone via a hub to be individually authentication using 802.1X.

Answer: B
Explanation:

QUESTION NO: 220


The ASA can be configured to drop IPv6 headers with routing-type 0 using the MPF. Choose the
correct configuration.
"Pass Any Exam. Any Time." - www.actualtests.com

201

Cisco 350-018 Exam


A.
policy-map type inspect ipv6 IPv6_PMAP
 match header routing-type eq 0
  drop log
B.
policy-map type inspect icmpv6 ICMPv6_PMAP
 match header routing-type eq 0
  drop log
C.
policy-map type inspect ipv6-header HEADER_PMAP
 match header routing-type eq 0
  drop log
D.
policy-map type inspect http HEADER_PMAP
 match routing-header 0
  drop log
E.
policy-map type inspect ipv6 IPv6_PMAP
 match header type 0
  drop log
F.
policy-map type inspect ipv6-header HEADER_PMAP
 match header type 0
  drop log

Answer: A
Explanation:

These commands drop IPv6 packets that carry a type 0 routing header, matched by match header
routing-type eq 0.

QUESTION NO: 221


Refer to the exhibit.

"Pass Any Exam. Any Time." - www.actualtests.com

202

Cisco 350-018 Exam

With the client protected by the firewall, an HTTP connection from the client to the server on TCP
port 80 will be subject to which action?
"Pass Any Exam. Any Time." - www.actualtests.com

203

Cisco 350-018 Exam


A.
inspection action by the HTTP_CMAP
B.
inspection action by the TCP_CMAP
C.
drop action by the default class
D.
inspection action by both the HTTP_CMAP and TCP_CMAP
E.
pass action by the HTTP_CMAP
F.
drop action due to class-map misclassification

Answer: B
Explanation:
Here two classes of traffic are defined for inspection, one for HTTP and another for TCP. Traffic
to TCP port 80 is matched by TCP_CMAP and is therefore inspected by it.

QUESTION NO: 222


Refer to the exhibit.

Which statement best describes the problem?

"Pass Any Exam. Any Time." - www.actualtests.com

204

Cisco 350-018 Exam


A.
Context vpn1 is not in service.
B.
There is no gateway that is configured under context vpn1.
C.
The config has not been properly updated for context vpn1.
D.
The gateway that is configured under context vpn1 is not inservice.

Answer: A
Explanation:
To display the operational status and configuration parameters for Secure Socket Layer (SSL)
virtual private network (VPN) context configurations, use the show webvpn context command in
privileged EXEC mode. The vpn1 context shows both statuses (AS and OS) as down, so vpn1 is not
in service.

QUESTION NO: 223


Refer to the exhibit.

"Pass Any Exam. Any Time." - www.actualtests.com

205

Cisco 350-018 Exam

Which two statements about this Cisco Catalyst switch configuration are correct? (Choose two.)
A.
The default gateway for VLAN 200 should be attached to the FastEthernet 5/1 interface.
B.
Hosts attached to the FastEthernet 5/1 interface can communicate only with hosts attached to the
FastEthernet 5/4 interface.
C.
Hosts attached to the FastEthernet 5/2 interface can communicate with hosts attached to the
FastEthernet 5/3 interface.
"Pass Any Exam. Any Time." - www.actualtests.com

206

Cisco 350-018 Exam


D.
Hosts attached to the FastEthernet 5/4 interface can communicate only with hosts attached to the
FastEthernet 5/2 and FastEthernet 5/3 interfaces.
E.
Interface FastEthernet 5/1 is the community port.
F.
Interface FastEthernet 5/4 is the isolated port.

Answer: B,C
Explanation:
On FastEthernet 5/1 and 5/4, host associations 200 and 400 are common, so they can communicate
with each other. On FastEthernet 5/2 and 5/3, host associations 200 and 600 are common, so they
can communicate with each other.

QUESTION NO: 224


Which additional configuration component is required to implement a MACSec Key Agreement
policy on user-facing Cisco Catalyst switch ports?
A.
PKI
B.
TACACS+
C.
multi-auth host mode
D.
port security
E.
802.1x

Answer: E
Explanation:

The Catalyst switches support 802.1AE encryption with MACsec Key Agreement (MKA) on
downlink ports for encryption between the switch and host devices. The MKA protocol manages
the encryption keys used by the underlying MACsec protocol. The basic requirements of MKA are
defined in 802.1x-REV.

QUESTION NO: 225


Refer to the exhibit.

Which statement is true?


A.
This packet decoder is using relative TCP sequence numbering.
B.
This TCP client is proposing the use of TCP window scaling.
C.
This packet represents an active FTP data session.
D.
This packet contains no TCP payload.

Answer: D
"Pass Any Exam. Any Time." - www.actualtests.com

208

Cisco 350-018 Exam


Explanation:
When using the network protocol analyzer Wireshark, if you're specifically looking for the payload,
look for the [PSH, ACK] tag in the Info column. Once you click on the row with that tag, you will
see the Data node in the packet window. The other tags ([ACK], [SYN], [FIN, ACK]) shown in the
Info column are TCP control packets and do not include any data/payload. They are used for
handshaking.

QUESTION NO: 226


When configuring an Infrastructure ACL (iACL) to protect the IPv6 infrastructure of an enterprise
network, where should the iACL be applied?
A.
all infrastructure devices in both the inbound and outbound direction
B.
all infrastructure devices in the inbound direction
C.
all infrastructure devices in the outbound direction
D.
all parameter devices in both the inbound and outbound direction
E.
all parameter devices in the inbound direction
F.
all parameter devices in the outbound direction

Answer: E
Explanation:
In an effort to protect routers from various risks, both accidental and malicious, infrastructure
protection ACLs should be deployed at network ingress points. These IPv4 and IPv6 ACLs deny
access from external sources to all infrastructure addresses, such as router interfaces. At the
same time, the ACLs permit routine transit traffic to flow uninterrupted and provide basic RFC 1918,
RFC 3330, and anti-spoof filtering.

Data received by a router can be divided into two broad categories:
In normal operations, the vast majority of traffic simply flows through a router en route to its
ultimate destination.
However, the route processor (RP) must handle certain types of data directly, most notably routing
protocols, remote router access (such as Secure Shell [SSH]), and network management traffic
such as Simple Network Management Protocol (SNMP). In addition, protocols such as Internet
Control Message Protocol (ICMP) and IP options can require direct processing by the RP. Most
often, direct infrastructure router access is required only from internal sources. A few notable
exceptions include external Border Gateway Protocol (BGP) peering, protocols that terminate on
the actual router (such as generic routing encapsulation [GRE] or IPv6 over IPv4 tunnels), and
potentially limited ICMP packets for connectivity testing such as echo-request or ICMP
unreachables and time to live (TTL) expired messages for traceroute.
Note: Remember that ICMP is often used for simple denial-of-service (DoS) attacks and should
only be permitted from external sources if necessary.
All RPs have a performance envelope in which they operate. Excessive traffic destined for the RP
can overwhelm the router. This causes high CPU usage and ultimately results in packet and
routing protocol drops that cause a denial of service. By filtering access to infrastructure routers
from external sources, many of the external risks associated with a direct router attack are
mitigated. Externally sourced attacks can no longer access infrastructure equipment. The attack is
dropped on ingress interfaces into the autonomous system (AS).
The filtering techniques described in this document are intended to filter data destined for network
infrastructure equipment. Do not confuse infrastructure filtering with generic filtering. The singular
purpose of the infrastructure protection ACL is to restrict on a granular level what protocols and
sources can access critical infrastructure equipment.
Network infrastructure equipment encompasses these areas:
References: http://www.cisco.com/c/en/us/support/docs/ip/access-lists/43920-iacl.html

QUESTION NO: 227


What feature on the Cisco ASA is used to check for the presence of an up-to-date antivirus vendor
on an AnyConnect client?
A.
Dynamic Access Policies with no additional options
B.
"Pass Any Exam. Any Time." - www.actualtests.com

210

Cisco 350-018 Exam


Dynamic Access Policies with Host Scan enabled
C.
advanced endpoint assessment
D.
LDAP attribute maps obtained from Antivirus vendor

Answer: B
Explanation:

The ASA integrates the HostScan features into dynamic access policies (DAPs). Depending on
the configuration, the ASA uses one or more endpoint attribute values in combination with optional
AAA attribute values as conditions for assigning a DAP. The HostScan features supported by the
endpoint attributes of DAPs include OS detection, policies, basic HostScan results, and endpoint
assessment.

QUESTION NO: 228


Which statement is true regarding Cisco ASA operations using software versions 8.3 and later?
A.
The global access list is matched first before the interface access lists.
B.
Both the interface and global access lists can be applied in the input or output direction.
C.
When creating an access list entry using the Cisco ASDM Add Access Rule window, choosing
"global" as the interface will apply the access list entry globally.
D.
NAT control is enabled by default.
E.
The static CLI command is used to configure static NAT translation rules.

Answer: C
Explanation:
Global access rules allow you to apply a global rule to ingress traffic without the need to specify an
interface to which the rule must be applied. Using global access rules provides the following
benefits:

When migrating to the adaptive security appliance from a competitor appliance, you can maintain
a global access rule policy instead of needing to apply an interface-specific policy on each
interface.

Global access control policies are not replicated on each interface, so they save memory space.

Global access rules provide flexibility in defining a security policy. You do not need to specify
which interface a packet comes in on, as long as it matches the source and destination IP
addresses.

Global access rules use the same mtrie and stride tree as interface-specific access rules, so
scalability and performance for global rules are the same as for interface-specific rules.
You can configure global access rules in conjunction with interface access rules, in which case
the specific interface access rules are always processed before the general global access rules.

QUESTION NO: 229


Which three multicast features are supported on the Cisco ASA? (Choose three.)
A.
PIM sparse mode
B.
IGMP forwarding
C.
Auto-RP
D.
NAT of multicast traffic

Answer: A,B,D
Explanation:

PIM sparse mode (PIM-SM) is reasonably complex in how multicast distribution trees are formed
because a variety of multicast distribution trees are used to forward traffic for a multicast group.
IGMP messages stop as soon as you run into a PIM-enabled router. From there the PIM router
sends join messages towards the RP or source and a distribution tree gets built. IGMP only goes
beyond one hop when IGMP forwarding/proxying is enabled. Some consumer-level Linksys
routers also employ an IGMP proxy to allow multicast traffic to penetrate within a local NAT, when
configured to do so.

QUESTION NO: 230


Which three configuration tasks are required for VPN clustering of AnyConnect clients that are
connecting to an FQDN on the Cisco ASA? (Choose three.)
A.
The redirect-fqdn command must be entered under the vpn load-balancing sub-configuration.
B.
Each ASA in the VPN cluster must be able to resolve the IP of all DNS hostnames that are used in
the cluster.
C.
The identification and CA certificates for the master FQDN hostname must be imported into each
VPN cluster-member device.
D.
The remote-access IP pools must be configured the same on each VPN cluster-member interface.

Answer: A,B,C
Explanation:
Please refer to the link to understand how AnyConnect works in a load-balancing cluster.
References: https://supportforums.cisco.com/document/29886/asa-vpn-loadbalancingclustering-digital-certificates-deployment-guide

QUESTION NO: 231


"Pass Any Exam. Any Time." - www.actualtests.com

213

Cisco 350-018 Exam


Which three statements are true about objects and object groups on a Cisco ASA appliance that is
running Software Version 8.4 or later? (Choose three.)
A.
TCP, UDP, ICMP, and ICMPv6 are supported service object protocol types.
B.
IPv6 object nesting is supported.
C.
Network objects support IPv4 and IPv6 addresses.
D.
Objects are not supported in transparent mode.
E.
Objects are supported in single- and multiple-context firewall modes.

Answer: A,C,E
Explanation:
By grouping like objects together, you can use the object group in an ACE instead of having to
enter an ACE for each object separately. You can create the following types of object groups:

Protocol

Network

Service

ICMP type
For example, consider the following three object groups:

MyServices: Includes the TCP and UDP port numbers of the service requests that are allowed
access to the internal network.

TrustedHosts: Includes the host and network addresses allowed access to the greatest range of
services and servers.

PublicServers: Includes the host addresses of servers to which the greatest access is provided.
"Pass Any Exam. Any Time." - www.actualtests.com

214

Cisco 350-018 Exam


After creating these groups, you could use a single ACE to allow trusted hosts to make specific
service requests to a group of public servers.
You can also nest object groups in other object groups.
Guidelines and Limitations for Objects and Groups
This section includes the guidelines and limitations for this feature.
Context Mode Guidelines
Supported in single and multiple context mode.
Firewall Mode Guidelines
Supported in routed and transparent firewall modes.
IPv6 Guidelines
Supports IPv6, with limitations.
References: http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/acl_objects.html

QUESTION NO: 232


Which command is used to replicate HTTP connections from the Active to the Standby Cisco ASA
appliance in failover?
A.
monitor-interface http
B.
failover link fover replicate http
C.
failover replication http
D.
interface foverreplicate http standby
E.
No command is needed, as this is the default behavior.
"Pass Any Exam. Any Time." - www.actualtests.com

215

Cisco 350-018 Exam


Answer: C
Explanation:

To allow HTTP connections to be included in the state information replication, you need to enable
HTTP replication. Because HTTP connections are typically short-lived, and because HTTP
clients typically retry failed connection attempts, HTTP connections are not automatically included
in the replicated state information.

QUESTION NO: 233


policy-map type inspect ipv6 IPv6-map
match header routing-type range 0 255
drop
class-map outside-class
match any
policy-map outside-policy
class outside-class
inspect ipv6 IPv6-map
service-policy outside-policy interface outside
Refer to the exhibit.

"Pass Any Exam. Any Time." - www.actualtests.com

216

Cisco 350-018 Exam

Given the Cisco ASA configuration above, which commands need to be added in order for the
Cisco ASA appliance to deny all IPv6 packets with more than three extension headers?
A.
policy-map type inspect ipv6 IPv6-map
 match ipv6 headercount > 3
B.
policy-map outside-policy
 class outside-class
  inspect ipv6 header count gt 3
C.
class-map outside-class
 match ipv6 header count greater 3
D.
policy-map type inspect ipv6 IPv6-map
 match header count gt 3
  drop

Answer: D
Explanation:

The match header count gt 3 line matches packets carrying more than three extension headers,
and the drop action discards them.
"Pass Any Exam. Any Time." - www.actualtests.com

217

Cisco 350-018 Exam

QUESTION NO: 234


Which C3PL configuration component is used to tune the inspection timers such as setting the tcp
idle-time and tcp synwait-time on the Cisco ZBFW?
A.
class-map type inspect
B.
parameter-map type inspect
C.
service-policy type inspect
D.
policy-map type inspect tcp
E.
inspect-map type tcp

Answer: B
Explanation:
Parameter-maps specify inspection behavior for ZFW, for parameters such as DoS protection,
TCP connection/UDP session timers, and audit-trail logging settings.

QUESTION NO: 235


Which three NAT types support bidirectional traffic initiation? (Choose three.)
A.
static NAT
B.
NAT exemption
C.
policy NAT with nat/global
D.
static PAT
"Pass Any Exam. Any Time." - www.actualtests.com

218

Cisco 350-018 Exam


E.
identity NAT

Answer: A,B,D
Explanation:
Static NAT is shown below:

i.e. one-to-one mapping of IP addresses.


Identity NAT: If you enable NAT control, then inside hosts must match a NAT rule when accessing
outside hosts. You might want to bypass NAT when you enable NAT control so that local IP
addresses appear untranslated. You also might want to bypass NAT if you are using an
application that does not support NAT.

Static PAT: Static PAT is the same as static NAT, except that it enables you to specify the
protocol (TCP or UDP) and port for the real and mapped addresses. Static PAT enables you to
identify the same mapped address across many different static statements, provided that the port
is different for each statement. You cannot use the same mapped address for multiple static NAT
statements.

"Pass Any Exam. Any Time." - www.actualtests.com

219

Cisco 350-018 Exam

QUESTION NO: 236


Which IPS module can be installed on the Cisco ASA 5520 appliance?
A.
IPS-AIM
B.
AIP-SSM
C.
AIP-SSC
D.
NME-IPS-K9
E.
IDSM-2

Answer: B
Explanation:
Using Cisco IPS Sensor Software Version 6.x, the Cisco AIP-SSM combines inline prevention
services with innovative technologies to improve accuracy. The result is total confidence in the
protection offered by your intrusion prevention system (IPS) solution, without the fear of legitimate
traffic being dropped. When deployed within Cisco ASA 5500 Series appliances, the AIP-SSM
offers comprehensive protection of your network by collaborating with other network security
resources, providing a proactive approach to protecting your network.
References: http://www.cisco.com/c/en/us/products/interfaces-modules/asa-advancedinspection-prevention-aip-security-services-module/index.html
"Pass Any Exam. Any Time." - www.actualtests.com

220

Cisco 350-018 Exam

QUESTION NO: 237


Which two options best describe the authorization process as it relates to network access?
(Choose two.)
A.
the process of identifying the validity of a certificate, and validating specific fields in the certificate
against an identity store
B.
the process of providing network access to the end user
C.
applying enforcement controls, such as downloadable ACLs and VLAN assignment, to the network
access session of a user
D.
the process of validating the provided credentials

Answer: B,C
Explanation:
Policies consist mainly of rules that determine the action of the policy. You create access services
to define authentication and authorization policies for requests. A global service selection policy
contains rules that determine which access service processes an incoming request. You can
create a standalone authorization policy for an access service, which is a standard first-match rule
table. You can also create an authorization policy with an exception policy.
The rules can contain any conditions and multiple results:

Authorization profile: Defines the user-defined attributes and, optionally, the downloadable ACL
that the Access-Accept message should return.

Security Group Tag (SGT): If you have installed Cisco TrustSec, the authorization rules can
define which SGT to apply to the request.

QUESTION NO: 238


If ISE is not Layer 2 adjacent to the Wireless LAN Controller, which two options should be
configured on the Wireless LAN Controller to profile wireless endpoints accurately? (Choose two.)
A.
Configure the Call Station ID Type to be "IP Address".
B.
Configure the Call Station ID Type to be "System MAC Address".
C.
Configure the Call Station ID Type to be "MAC and IP Address".
D.
Enable DHCP Proxy.
E.
Disable DHCP Proxy.

Answer: B,E
Explanation:

Please go through the link below to get a complete understanding of ISE design for the
Wireless LAN Controller.
References: http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/designzone-security/howto_11_universal_wlc_config.pdf

QUESTION NO: 239


Refer to the exhibit.

"Pass Any Exam. Any Time." - www.actualtests.com

222

Cisco 350-018 Exam

To configure the Cisco ASA, what should you enter in the Name field, under the Group
Authentication option for the IPSec VPN client?
A.
group policy name
B.
crypto map name
C.
isakmp policy name
D.
crypto ipsec transform-set name
E.
tunnel group name

Answer: E
Explanation:

"Pass Any Exam. Any Time." - www.actualtests.com

223

Cisco 350-018 Exam


The Name in the VPN client refers to the name of the tunnel group configured on the ASA. The
group name is case sensitive, so please make sure that you type it correctly.

QUESTION NO: 240


Refer to the exhibit.

On R1, encrypt counters are incrementing. On R2, packets are decrypted, but the encrypt counter
is not being incremented. What is the most likely cause of this issue?
A.
a routing problem on R1
B.
a routing problem on R2
C.
incomplete IPsec SA establishment
D.
crypto engine failure on R2
E.
IPsec rekeying is occurring

Answer: B
Explanation:

"Pass Any Exam. Any Time." - www.actualtests.com

224

Cisco 350-018 Exam


When R2 is receiving packets, the decrypt counters increase but the encrypt counters do not, and
there can be several reasons for that. Some of them are:

QUESTION NO: 241


Which two methods are used for forwarding traffic to the Cisco ScanSafe Web Security service?
(Choose two.)
A.
Cisco AnyConnect VPN Client with Web Security and ScanSafe subscription
B.
Cisco ISR G2 Router with SECK9 and ScanSafe subscription
C.
Cisco ASA adaptive security appliance using DNAT policies to forward traffic to ScanSafe
subscription servers
D.
Cisco Web Security Appliance with ScanSafe subscription

Answer: B,C
Explanation:
Cloud Connection Methods
Includes software for on-premises appliances like Cisco ASA 5500-X Series Next-Generation
Firewalls, Cisco ISR G2 routers, and Cisco WSA devices, redirecting traffic to Cisco CWS for web
security functions.

"Pass Any Exam. Any Time." - www.actualtests.com

225

Cisco 350-018 Exam

References: http://www.cisco.com/c/en/us/products/collateral/security/scan-safe-websecurity/data_sheet_c78-729637.html

QUESTION NO: 242


Which four statements about SeND for IPv6 are correct? (Choose four.)
A.
It protects against rogue RAs.
B.
NDP exchanges are protected by IPsec SAs and provide for anti-replay.
C.
It defines secure extensions for NDP.
D.
It authorizes routers to advertise certain prefixes.
E.
It provides a method for secure default router election on hosts.
F.
Neighbor identity protection is provided by Cryptographically Generated Addresses that are
derived from a Diffie-Hellman key exchange.
G.
It is facilitated by the Certification Path Request and Certification Path Response ND messages.

Answer: A,C,D,E
Explanation:

"Pass Any Exam. Any Time." - www.actualtests.com

226

Cisco 350-018 Exam


Secure Neighbor Discovery is a protocol that enhances NDP with three additional capabilities:
- Address ownership proof
  - Makes stealing IPv6 addresses "impossible"
  - Used in router discovery, DAD, and address resolution
  - Based upon Cryptographically Generated Addresses (CGAs)
  - Alternatively also provides non-CGAs with certificates
- Message protection
  - Message integrity protection
  - Replay protection
  - Request/response correlation
  - Used in all NDP messages
- Router authorization
  - Authorizes routers to act as default gateways
  - Specifies prefixes that routers are authorized to announce "on-link"
While SeND provides a significant uplift to the IPv6 neighbor discovery technology by introducing
the above enhancements, it does not, for example, provide any end-to-end security and provides
no confidentiality.
It is important to understand that SeND is not a new protocol and still remains a protocol operating
on the link. Secure Neighbor Discovery is just an "extension" to NDP and defines a set of new
attributes:
- New network discovery options
  - CGA, Nonce, Timestamp, and RSA
  - Purpose: These options provide a security shield against address theft and replay attacks.
- New network discovery messages
  - CPS (Certificate Path Solicitation), CPA (Certificate Path Advertisement)
  - Purpose: Identifying valid and authorized IPv6 routers and IPv6 prefixes of the network segment.
    These two messages complement the already existing NDP messages (NS, NA, RA, RS, and
    Redirect).
- New rules
  - Purpose: These rules describe the preferred behavior when a SeND node receives a message
    supported by SeND or not supported by SeND.
SeND technology works by having a pair of private and public keys for each IPv6 node in
combination with the new options (CGA, Nonce, Timestamp, and RSA). Nodes that are using
SeND cannot choose their own interface identifier because the interface identifier is
cryptographically generated based upon the current IPv6 network prefix and the "public" key.
However, the CGA interface identifier alone is not sufficient to guarantee that the CGA address is
used by the appropriate node.
For this purpose SeND messages are signed by usage of the RSA public and private key pair. For
example, if node 1 wants to know the MAC address of node 2, it will traditionally send a neighbor
solicitation request to the node 2 solicited-node multicast address. Node 2 will respond with a
corresponding neighbor advertisement containing the MAC address to IPv6 address mapping.
Node 2 will in addition add the CGA parameters (which include among others the public key) and
a private key signature of all neighbor advertisement fields. When node 1 receives this neighbor
advertisement it uses the public key to verify, together with the CGA address, the private key
signature of node 2. Once this last step has been successfully completed, the binding on node 1 of
the MAC address and CGA address of node 2 can be successfully finalized.
Note that the above mechanism is simply an explanation of how to verify the correct relationship
between a node's MAC address and its CGA IPv6 address. SeND does not check any of the node's
privileges to be allowed, or not allowed, on the network. If this is required, other means of
infrastructure protection will be required (such as 802.1X).

QUESTION NO: 243


What is the recommended network MACsec policy mode for high security deployments?
A.
should-secure
B.
must-not-secure
C.
must-secure
D.
monitor-only
E.
high-impact

Answer: C
Explanation:
The switch will attempt MKA. If MKA succeeds, the switch will send and receive encrypted traffic
only. If MKA times out or fails, the switch will treat this result as an authorization failure by
terminating the IEEE 802.1X-authenticated session and retrying authentication after a quiet period.
No other authentication methods will be tried, and no traffic will be allowed from that endpoint
unless a specific MACsec fallback authentication or authorization technique is configured.

QUESTION NO: 244


Which PKCS is invoked during IKE MM5 and MM6 when digital certificates are used as the
authentication method?
A.
PKCS#7
B.
PKCS#10
C.
PKCS#13
D.
PKCS#11
E.
PKCS#3

Answer: A
Explanation:
The PKCS #7 standard describes a general syntax for data that may have cryptography applied to
it, such as digital signatures and digital envelopes. The syntax admits recursion, so that, for
example, one envelope can be nested inside another, or one party can sign digital data that has
already been put into an envelope. It also allows arbitrary attributes, such as signing time, to be
authenticated along with the content of a message. Further, it provides for other attributes, such
as countersignatures, to be associated with a signature.

QUESTION NO: 245
User A at Company A is trying to transfer files to Company B, using FTP. User A can connect to
the FTP server at Company B correctly, but User A cannot get a directory listing or upload files.
The session hangs.
What are two possible causes for this problem? (Choose two.)
A.
Active FTP is being used, and the firewall at Company A is not allowing the returning data
connection to be initiated from the FTP server at Company B.
B.
Passive FTP is being used, and the firewall at Company A is not allowing the returning data
connection to be initiated from the FTP server at Company B.
C.
At Company A, active FTP is being used with a non-application aware firewall applying NAT to the
source address of User A only.
D.
The FTP server administrator at Company B has disallowed User A from accessing files on that
server.
E.
Passive FTP is being used, and the firewall at Company B is not allowing connections through to
port 20 on the FTP server.

Answer: A,C
Explanation:
In active FTP mode, the client connects from a random unprivileged port (N > 1023) to the
command port (21) of the FTP server. The client then starts listening on port N+1 and sends an
FTP PORT command announcing port N+1 to the server. The server then connects back to the
specified data port on the client from its local data port, which is port 20. A firewall at the client
side that does not track the FTP control channel will block this inbound data connection.

QUESTION NO: 246


Which four IPv6 messages should be allowed to transit a transparent firewall? (Choose four.)
A.
router solicitation with hop limit = 1
B.
router advertisement with hop limit = 1
C.
neighbor solicitation with hop limit = 255
D.
neighbor advertisement with hop limit = 255
E.
listener query with link-local source address
F.
listener report with link-local source address

Answer: C,D,E,F
Explanation:
Neighbor solicitation messages (ICMPv6 Type 135) are sent on the local link by nodes attempting
to discover the link-layer addresses of other nodes on the local link. The neighbor solicitation
message is sent to the solicited-node multicast address. The source address in the neighbor
solicitation message is the IPv6 address of the node sending the neighbor solicitation message.
The neighbor solicitation message also includes the link-layer address of the source node.
After receiving a neighbor solicitation message, the destination node replies by sending a neighbor
advertisement message (ICMPv6 Type 136) on the local link. The source address in the neighbor
advertisement message is the IPv6 address of the node sending the neighbor advertisement
message; the destination address is the IPv6 address of the node that sent the neighbor
solicitation message. The data portion of the neighbor advertisement message includes the
link-layer address of the node sending the neighbor advertisement message.
After the source node receives the neighbor advertisement, the source node and destination node
can communicate.
Neighbor solicitation messages are also used to verify the reachability of a neighbor after the
link-layer address of a neighbor is identified. When a node wants to verify the reachability of a
neighbor, the destination address in a neighbor solicitation message is the unicast address of the
neighbor.
Neighbor advertisement messages are also sent when there is a change in the link-layer address
of a node on a local link. When there is such a change, the destination address for the neighbor
advertisement is the all-nodes multicast address.

QUESTION NO: 247


Refer to the exhibit of an ISAKMP debug.

Which message of the exchange is failing?


A.
main mode 1
B.
main mode 3
C.
aggressive mode 1
D.
main mode 5
E.
aggressive mode 2

Answer: B
Explanation:
Main mode message 3 (MM3) - NAT discovery and Diffie-Hellman exchange.
Includes:
- NAT discovery payload and hash.
- DH exchange initiation.
Here the DH value is not matching the one computed at the host end and this is why the
negotiation is failing.

QUESTION NO: 248


Which two ISE Probes would be required to distinguish accurately the difference between an iPad
and a MacBook Pro? (Choose two.)
A.
DHCP or DHCPSPAN
B.
SNMPTRAP
C.
SNMPQUERY
D.
NESSUS
E.
HTTP
F.
DHCP TRAP

Answer: A,E
Explanation:

The DHCP Switched Port Analyzer (SPAN) probe, when initialized on a Cisco ISE node, listens to
network traffic coming from network access devices on a specific interface. You need to
configure network access devices to forward DHCP SPAN packets to the Cisco ISE profiler from
the DHCP servers. The profiler receives these DHCP SPAN packets and parses them to capture
the attributes of an endpoint, which can be used for profiling endpoints.
HTTP Switched Port Analyzer (SPAN) collects HTTP attributes of an HTTP request-header
message along with IP addresses in the IP header (L3 header), which can be associated to an
endpoint based on the MAC address of an endpoint in the L2 header. This information is useful for
identifying different mobile and portable IP enabled devices such as iPods, iPads and iPhones, as
well as computers with different operating systems.

QUESTION NO: 249


An internal DNS server requires a NAT on a Cisco IOS router that is dual-homed to separate ISPs
using distinct CIDR blocks. Which NAT capability is required to allow hosts in each CIDR block to
contact the DNS server via one translated address?
A.
NAT overload
B.
NAT extendable
C.
NAT TCP load balancing
D.
NAT service-type DNS
E.
NAT port-to-application mapping

Answer: B
Explanation:
The extendable keyword allows the user to configure several ambiguous static translations, where
ambiguous translations are translations that share the same local or global address.

QUESTION NO: 250


Refer to the exhibit.

Which three command sets are required to complete this IPv6 IPsec site-to-site VTI? (Choose
three.)
A.
interface Tunnel0
tunnel mode ipsec ipv6
B.
crypto isakmp-profile
match identity address ipv6 any
C.
interface Tunnel0
ipv6 enable
D.
ipv6 unicast-routing
E.
interface Tunnel0
ipv6 enable-ipsec

Answer: A,C,D
Explanation:

QUESTION NO: 251


Refer to the exhibit.

Which option correctly identifies the point on the exhibit where Control Plane Policing (input) is
applied to incoming packets?
A.
point 6
B.
point 7
C.
point 4
D.
point 1
E.
points 5 and 6

Answer: A
Explanation:

QUESTION NO: 252


Management Frame Protection is available in two deployment modes, Infrastructure and Client.
Which three statements describe the differences between these modes? (Choose three.)
A.
Infrastructure mode appends a MIC to management frames.
B.
Client mode encrypts management frames.
C.
Infrastructure mode can detect and prevent common DoS attacks.
D.
Client mode can detect and prevent common DoS attacks.
E.
Infrastructure mode requires Cisco Compatible Extensions version 5 support on clients.

Answer: A,B,D
Explanation:

Management Frame Protection provides security for the management messages passed between
access point (AP) and Client stations. MFP consists of two functional components: Infrastructure
MFP and Client MFP.
Infrastructure MFP provides infrastructure support. Infrastructure MFP utilizes a message integrity
check (MIC) across broadcast and directed management frames. This check assists in detecting
rogue devices and denial-of-service attacks. Client MFP provides client support.
Client MFP protects authenticated clients from spoofed frames by preventing many of the
common attacks against WLANs from becoming effective.
Management Frame Protection operation requires a wireless domain service (WDS). MFP is
configured at the wireless LAN solution engine (WLSE), but you can manually configure MFP on
an AP and WDS.
Reference: http://www.cisco.com/c/en/us/td/docs/routers/access/3200/software/wireless/3200WirelessConfigGuide/ManageFrameProt.html

QUESTION NO: 253


The address of an inside client is translated from a private address to a public address by a NAT
router for access to an outside web server. What term describes the destination address (client)
after the outside web server responds, and before it hits the NAT router?
A.
inside local
B.
inside global
C.
outside local
D.
outside global

Answer: B
Explanation:

NAT connects two networks and translates the private (inside local) addresses into public
addresses (inside global) before packets are forwarded to another network. In other words, address
translation allows you to translate your internal private addresses to public addresses before these
packets leave your network. The reply from the outside web server is addressed to the inside
global address until the NAT router translates it back.

QUESTION NO: 254


After a client discovers a supportable wireless network, what is the correct sequence of operations
that the client will take to join it?
A.
association, then authentication
B.
authentication, then association
C.
probe request, then association
D.
authentication, then authorization

Answer: B
Explanation:

1. Turn on the wireless station.
2. The station listens for messages from any access points that are in range.
3. The station finds a message from an access point that has a matching SSID.
4. The station sends an authentication request to the access point.
5. The access point authenticates the station.
6. The station sends an association request to the access point.
7. The access point associates with the station.
8. The station can now communicate with the Ethernet network through the access point.
An access point must authenticate a station before the station can associate with the access point
or communicate with the network.

QUESTION NO: 255


In HTTPS session establishment, what does the server hello message inform the client?

A.
that the server will accept only HTTPS traffic
B.
which versions of SSL/TLS the server will accept
C.
which ciphersuites the client may choose from
D.
which cipher suite the server has chosen to use
E.
the PreMaster secret to use in generating keys

Answer: D
Explanation:

The server responds by sending a "Server hello" message to the client, along with the server's
random value. The server sends its certificate to the client for authentication and may request a
certificate from the client. The server sends the "Server hello done" message.

QUESTION NO: 256


Refer to the exhibit.

Which statement regarding the output is true?


A.
Every 1800 seconds the secondary name server will query the SOA record of the primary name
server for updates.
B.
If the secondary name server has an SOA record with the serial number of 10973815, it will initiate
a zone transfer on the next cycle.
C.
Other DNS servers will cache records from this domain for 864000 seconds (10 days) before
requesting them again.
D.
Email queries concerning this domain should be sent to "admin@postmaster.cisco.com".
E.
Both primary and secondary name servers will clear (refresh) their caches every 7200 seconds to
ensure that up-to-date information is always in use.

Answer: B
Explanation:

The SOA resource record contains the following information:


Source host - The host where the file was created.
Contact e-mail - The e-mail address of the person responsible for administering the domain's zone
file. Note that a "." is used instead of an "@" in the e-mail name.
Serial number - The revision number of this zone file. Increment this number each time the zone
file is changed. It is important to increment this value each time a change is made, so that the
changes will be distributed to any secondary DNS servers.
Refresh Time - The time, in seconds, a secondary DNS server waits before querying the primary
DNS server's SOA record to check for changes. When the refresh time expires, the secondary
DNS server requests a copy of the current SOA record from the primary. The primary DNS server
complies with this request. The secondary DNS server compares the serial number of the primary
DNS server's current SOA record with the serial number in its own SOA record. If they are
different, the secondary DNS server will request a zone transfer from the primary DNS server. The
default value is 3,600.
Retry time - The time, in seconds, a secondary server waits before retrying a failed zone transfer.
Normally, the retry time is less than the refresh time. The default value is 600.
Expire time - The time, in seconds, that a secondary server will keep trying to complete a zone
transfer. If this time expires prior to a successful zone transfer, the secondary server will expire its
zone file. This means the secondary will stop answering queries, as it considers its data too old to
be reliable. The default value is 86,400.
Minimum TTL - The minimum time-to-live value applies to all resource records in the zone file.
This value is supplied in query responses to inform other servers how long they should keep the
data in cache. The default value is 3,600.
The following is an example of a Microsoft DNS server generated default SOA resource record:
@ IN SOA nameserver.place.dom. postmaster.place.dom. (
1 ; serial number
3600 ; refresh [1h]
600 ; retry [10m]
86400 ; expire [1d]
3600 ) ; min TTL [1h]

Parentheses allow the SOA record to wrap to multiple lines.
In the above example:
Source Host = nameserver.place.dom.
Contact Email = postmaster.place.dom.

QUESTION NO: 257


According to RFC 4890, which four ICMPv6 types are recommended to be allowed to transit a
firewall? (Choose four.)
A.
Type 1 - destination unreachable
B.
Type 2 - packet too big
C.
Type 3 - time exceeded
D.
Type 0 - echo reply
E.
Type 8 - echo request
F.
Type 4 - parameter problem

Answer: A,B,C,F
Explanation:

Error messages that are essential to the establishment and maintenance of communications:
o Destination Unreachable (Type 1) - All codes
o Packet Too Big (Type 2)
o Time Exceeded (Type 3) - Code 0 only
o Parameter Problem (Type 4) - Codes 1 and 2 only

QUESTION NO: 258


Which action is performed first on the Cisco ASA appliance when it receives an incoming packet
on its outside interface?
A.
check if the packet is permitted or denied by the inbound ACL applied to the outside interface
B.
check if the packet is permitted or denied by the global ACL
C.
check if the packet matches an existing connection in the connection table
D.
check if the packet matches an inspection policy
E.
check if the packet matches a NAT rule
F.
check if the packet needs to be passed to the Cisco ASA AIP-SSM for inspections

Answer: C
Explanation:

When a packet is received on the outside interface, the ASA first checks whether an existing
connection has already been built for that flow. If one exists, the packet is allowed; otherwise the
interface access list is consulted to determine the action to be taken.

QUESTION NO: 259


Refer to the exhibit.

Which three statements about the Cisco ASDM screen seen in the exhibit are true? (Choose
three.)
A.
This access rule is applied to all the ASA interfaces in the inbound direction.
B.
The ASA administrator needs to expand the More Options tag to configure the inbound or
outbound direction of the access rule.
C.
The ASA administrator needs to expand the More Options tag to apply the access rule to an
interface.
D.
The resulting ASA CLI command from this ASDM configuration is access-list global_access line 1
extended permit ip host 1.1.1.1 host 2.2.2.1.
E.
This access rule is valid only on the ASA appliance that is running software release 8.3 or later.
F.
This is an outbound access rule.
Answer: A,D,E
Explanation:

The exhibit shows the interface as "any", i.e. this rule applies to all interfaces in the inbound
direction. Because it applies to all interfaces, it is a global access rule, with 1.1.1.1 as the source
and 2.2.2.1 as the destination, so the resulting CLI command is:
access-list global_access line 1 extended permit ip host 1.1.1.1 host 2.2.2.1
Global access lists are supported only on ASA software release 8.3 and later.

QUESTION NO: 260


If an incoming packet from the outside interface does not match an existing connection in the
connection table, which action will the Cisco ASA appliance perform next?
A.
drop the packet
B.
check the outside interface inbound ACL to determine if the packet is permitted or denied
C.
perform NAT operations on the packet if required
D.
check the MPF policy to determine if the packet should be passed to the SSM
E.
perform stateful packet inspection based on the MPF policy

Answer: B
Explanation:

If there is no existing connection when the packet hits the ingress interface, the next thing to be
checked is the interface access list, which determines whether the packet is permitted or denied.
Reference: http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113396-asa-packet-flow-00.html

QUESTION NO: 261


Refer to the exhibit.

Choose the correct description of the implementation that produced this output on the Cisco ASA
appliance.
A.
stateful failover using active-active for multi-context
B.
stateful failover using active-standby for multi-context
C.
stateful failover using active-standby for single-context
D.
stateless failover using interface-level failover for multi-context

Answer: A
Explanation:

Active/Active failover is only available to security appliances in multiple context mode. In an
Active/Active failover configuration, both security appliances can pass network traffic.
In Active/Active failover, you divide the security contexts on the security appliance into failover
groups. A failover group is simply a logical group of one or more security contexts. You can create
a maximum of two failover groups on the security appliance. The admin context is always a
member of failover group 1. Any unassigned security contexts are also members of failover group
1 by default.
The failover group forms the base unit for failover in Active/Active failover. Interface failure
monitoring, failover, and active/standby status are all attributes of a failover group rather than the
unit. When an active failover group fails, it changes to the standby state while the standby failover
group becomes active. The interfaces in the failover group that becomes active assume the MAC
and IP addresses of the interfaces in the failover group that failed. The interfaces in the failover
group that is now in the standby state take over the standby MAC and IP addresses.
Reference: http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/91336-pix-activeactive-config.html

QUESTION NO: 262


When you are configuring QoS on the Cisco ASA appliance, which four are valid traffic selection
criteria? (Choose four.)
A.
VPN group
B.
tunnel group
C.
IP precedence
D.
DSCP
E.
default-inspection-traffic
F.
qos-group

Answer: B,C,D,E
Explanation:

Tunnel Group - Matches traffic based on the tunnel group.
The IP Precedence dialog box appears when you select IP Precedence on the Traffic Match
Criteria dialog box, or choose the corresponding tab when editing a service policy rule. This dialog
box lets you identify the traffic to which a service policy rule applies based on the IP precedence.
The IP DiffServ Code Points (DSCP) dialog box lets you match traffic based on the values
assigned for the Differentiated Services model of QoS.
Default Inspection Traffic - Uses the criteria specified in the default inspection traffic policy.

QUESTION NO: 263


Which command is required in order for the Botnet Traffic Filter on the Cisco ASA appliance to
function properly?
A.
dynamic-filter inspect tcp/80
B.
dynamic-filter whitelist
C.
inspect botnet
D.
inspect dns dynamic-filter-snoop

Answer: D
Explanation:

Enable DNS snooping on the external interface:
ASA(config)# policy-map botnet-policy
ASA(config-pmap)# class botnet-DNS
ASA(config-pmap-c)# inspect dns dynamic-filter-snoop
Reference: https://supportforums.cisco.com/document/33011/asa-botnet-configuration

QUESTION NO: 264


You have been asked to configure a Cisco ASA appliance in multiple mode with these settings:
- You need two customer contexts, named contextA and contextB.
- Allocate interfaces G0/0 and G0/1 to contextA.
- Allocate interfaces G0/0 and G0/2 to contextB.
- The physical interface name for G0/1 within contextA should be "inside".
- All other context interfaces must be viewable via their physical interface names.
If the admin context is already defined and all interfaces are enabled, which command set will
complete this configuration?
A.
context contextA
config-url disk0:/contextA.cfg
allocate-interface GigabitEthernet0/0 visible
allocate-interface GigabitEthernet0/1 inside
context contextB
config-url disk0:/contextB.cfg
allocate-interface GigabitEthernet0/0 visible
allocate-interface GigabitEthernet0/2 visible
B.
context contexta
config-url disk0:/contextA.cfg
allocate-interface GigabitEthernet0/0 visible
allocate-interface GigabitEthernet0/1 inside
context contextb
config-url disk0:/contextB.cfg
allocate-interface GigabitEthernet0/0 visible
allocate-interface GigabitEthernet0/2 visible
C.
context contextA
config-url disk0:/contextA.cfg
allocate-interface GigabitEthernet0/0 invisible
allocate-interface GigabitEthernet0/1 inside
context contextB
config-url disk0:/contextB.cfg
allocate-interface GigabitEthernet0/0 invisible
allocate-interface GigabitEthernet0/2 invisible
D.
context contextA
config-url disk0:/contextA.cfg
allocate-interface GigabitEthernet0/0
allocate-interface GigabitEthernet0/1 inside
context contextB
config-url disk0:/contextB.cfg
allocate-interface GigabitEthernet0/0
allocate-interface GigabitEthernet0/2

E.
context contextA
config-url disk0:/contextA.cfg
allocate-interface GigabitEthernet0/0 visible
allocate-interface GigabitEthernet0/1 inside
context contextB
config-url disk0:/contextB.cfg
allocate-interface GigabitEthernet0/1 visible
allocate-interface GigabitEthernet0/2 visible

Answer: A
Explanation:
Option A meets all the requirements stated in the question. The other options fail because the
context name is case sensitive, the invisible keyword hides the interface, the visible keyword is
omitted, or the wrong interfaces are assigned to contextB. In option A the correct interfaces have
been assigned to both contexts.

QUESTION NO: 265


Which four configuration steps are required to implement a zone-based policy firewall
configuration on a Cisco IOS router? (Choose four.)
A.
Create the security zones and security zone pairs.
B.
Create the self zone.
C.
Create the default global inspection policy.
D.
Create the type inspect class maps and policy maps.
E.
Assign a security level to each security zone.
F.
Assign each router interface to a security zone.
G.
Apply a type inspect policy map to each zone pair.

Answer: A,D,F,G
Explanation:

The configuration tasks to follow are:
1. Configure Zones.
2. Assign router interfaces to Zones.
3. Create Zone pairs.
4. Configure Interzone access policy (Class Maps and Policy Maps)
5. Apply Policy Maps to Zone Pairs.

QUESTION NO: 266


Refer to the exhibit.

The client is protected by a firewall. An IPv6 SMTP connection from the client to the server on
TCP port 25 will be subject to which action?
A.
pass action by the HTTP_CMAP
B.
inspection action by the TCP_CMAP
C.
inspection action by the SMTP_CMAP
D.
drop action by the default class
E.
pass action by the HTTP_CMAP

Answer: C
Explanation:
The SMTP connection is matched by the class map SMTP_CMAP, and the action defined for that
class is inspect.

QUESTION NO: 267


Which Cisco IPS appliance signature engine defines events that occur in a related manner, within
a sliding time interval, as components of a combined signature?
A.
Service engine
B.
Sweep engine
C.
Multistring engine
D.
Meta engine

Answer: D
Explanation:

The Meta engine defines events that occur in a related manner within a sliding time interval. This
engine processes events rather than packets. As signature events are generated, the Meta engine
inspects them to determine if they match any or several Meta definitions. The Meta engine
generates a signature event after all requirements for the event are met.
All signature events are handed off to the Meta engine by the Signature Event Action Processor.
The Signature Event Action Processor hands off the event after processing the minimum hits
option. Summarization and event action are processed after the Meta engine has processed the
component events.
QUESTION NO: 268


Refer to the exhibit.

What is the cause of the issue that is reported in this debug output?
A.
The identity of the peer is not acceptable.
B.
There is an esp transform mismatch.
C.
There are mismatched ACLs on remote and local peers.
D.
The SA lifetimes are set to 0.

Answer: C
Explanation:

w6d: IPSEC(validate_transform_proposal): proxy identities not supported
w6d: ISAKMP (0:2): IPSec policy invalidated proposal
These messages indicate that the subnets (proxy identities) defined on the two ends do not match,
so phase 2 fails and the tunnel cannot be built.

QUESTION NO: 269
Refer to the exhibit:

The exhibit shows a partial configuration for the EzVPN server. Which three missing ISAKMP
profile options are required to support EzVPN using DVTI? (Choose three.)
A.
match identity group
B.
trustpoint
C.
virtual-interface
D.
keyring
E.
enable udp-encapsulation
F.
isakmp authorization list
G.
virtual-template

Answer: A,F,G
Explanation:

Basic configuration is shown below:
crypto isakmp client configuration group En-Ezvpn
key test-En-Ezvpn
crypto isakmp profile En-EzVpn-Isakmp-Profile
match identity group En-Ezvpn
isakmp authorization list default
client configuration address respond
virtual-template 1
Reference: http://www.cisco.com/c/en/us/support/docs/security-vpn/ezvpn/118240-config-ezvpn-00.html

QUESTION NO: 270


In order to implement CGA on a Cisco IOS router for SeND, which three configuration steps are
required? (Choose three.)
A.
Generate an RSA key pair.
B.
Define a site-wide pre-shared key.
C.
Define a hash algorithm that is used to generate the CGA.
D.
Generate the CGA modifier.
E.
Assign a CGA link-local or globally unique address to the interface.
F.
Define an encryption algorithm that is used to generate the CGA.

Answer: A,D,E
Explanation:
SeND technology works by having a pair of private and public keys for each IPv6 node in
combination with the new options (CGA, Nonce, Timestamp, and RSA). Nodes that are using
SeND cannot choose their own interface identifier because the interface identifier is
cryptographically generated based upon the current IPv6 network prefix and the "public" key.
However, the CGA interface identifier alone is not sufficient to guarantee that the CGA address is
used by the appropriate node.
For this purpose SeND messages are signed by usage of the RSA public and private key pair. For
example, if node 1 wants to know the MAC address of node 2, it will traditionally send a neighbor
solicitation request to the node 2 solicited node multicast address. Node 2 will respond with a
corresponding neighbor advertisement containing the MAC address to IPv6 address mapping.
Node 2 will in addition add the CGA parameters (which include among others the public key) and
a private key signature of all neighbor advertisement fields. When node 1 receives this neighbor
advertisement it uses the public key to verify with the CGA address the private key signature of
node 2. Once this last step has been successfully completed, the binding on node 1 of the MAC
address and CGA address of node 2 can be successfully finalized.
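The three required steps from the answer (a key pair, a CGA modifier, the address assigned under the prefix), as an added example that is not Cisco IOS code and not from this exam page: a Python model of CGA generation and verification in the style of RFC 3972. The public key is a constructed placeholder standing in for a DER-encoded RSA key, and 2001:db8::/64 is the documentation prefix.

```python
"""CGA construction and verification in the style of RFC 3972 (used by SeND).

Added example, not Cisco code. DEMO_PUBKEY is a constructed placeholder for
the node's DER-encoded RSA public key; sec level 0 is the default.
"""
import hashlib
import ipaddress
import os
from typing import Optional, Tuple

# Constructed placeholder; a real node uses its DER-encoded RSA public key here.
DEMO_PUBKEY = b"CONSTRUCTED-PLACEHOLDER-RSA-PUBLIC-KEY"


def _hash2_ok(modifier: bytes, pubkey: bytes, sec: int) -> bool:
    """Hash2 = SHA-1(modifier | 9 zero octets | public key); its leftmost
    16*sec bits must be zero. For sec=0 every modifier qualifies."""
    if sec == 0:
        return True
    digest = hashlib.sha1(modifier + b"\x00" * 9 + pubkey).digest()
    return int.from_bytes(digest[: 2 * sec], "big") == 0


def generate_modifier(pubkey: bytes, sec: int, start: Optional[bytes] = None) -> bytes:
    """Step 2 (generate the CGA modifier): search from a random or supplied
    16-octet value until Hash2 passes. Each sec level multiplies the expected
    work by 2**16, which is what makes a forged CGA expensive to produce."""
    value = int.from_bytes(start if start is not None else os.urandom(16), "big")
    while True:
        candidate = value.to_bytes(16, "big")
        if _hash2_ok(candidate, pubkey, sec):
            return candidate
        value = (value + 1) % (1 << 128)


def _interface_id(modifier: bytes, prefix8: bytes, collisions: int,
                  pubkey: bytes, sec: int) -> bytes:
    """Hash1 = SHA-1(modifier | subnet prefix | collision count | public key).
    Keep the leftmost 64 bits, write sec into the three leftmost bits and
    clear the u and g bits (bits 6 and 7 of the identifier)."""
    digest = hashlib.sha1(modifier + prefix8 + bytes([collisions]) + pubkey).digest()
    iid = bytearray(digest[:8])
    iid[0] = ((iid[0] & 0x1F) | (sec << 5)) & 0xFC
    return bytes(iid)


def generate_cga(prefix: str, pubkey: bytes, sec: int = 0,
                 modifier: Optional[bytes] = None, collisions: int = 0) -> Tuple[str, bytes]:
    """Step 3 (assign the CGA): combine a /64 prefix with the derived
    identifier. Returns (address, modifier); after a duplicate-address
    collision the caller retries with collisions + 1, at most 2."""
    if not 0 <= sec <= 7 or not 0 <= collisions <= 2:
        raise ValueError("sec must be 0..7 and collision count 0..2")
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("a CGA is formed under a 64-bit subnet prefix")
    prefix8 = net.network_address.packed[:8]
    modifier = generate_modifier(pubkey, sec, modifier)
    iid = _interface_id(modifier, prefix8, collisions, pubkey, sec)
    return str(ipaddress.IPv6Address(prefix8 + iid)), modifier


def verify_cga(address: str, modifier: bytes, collisions: int, pubkey: bytes) -> bool:
    """Receiver side: rebuild the identifier from the CGA parameters carried
    in the SeND option and compare. The separate RSA signature check then
    proves the sender holds the private key belonging to that public key."""
    packed = ipaddress.IPv6Address(address).packed
    sec = packed[8] >> 5
    if len(modifier) != 16 or not 0 <= collisions <= 2:
        return False
    if not _hash2_ok(modifier, pubkey, sec):
        return False
    return _interface_id(modifier, packed[:8], collisions, pubkey, sec) == packed[8:]


if __name__ == "__main__":
    addr, mod = generate_cga("2001:db8::/64", DEMO_PUBKEY, sec=1)
    print(addr, mod.hex(), verify_cga(addr, mod, 0, DEMO_PUBKEY))
```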

QUESTION NO: 271


When you are configuring the COOP feature for GETVPN redundancy, which two steps are
required to ensure the proper COOP operations between the key servers? (Choose two.)
A.
Generate an exportable RSA key pair on the primary key server and export it to the secondary key
server.
B.
Enable dead peer detection between the primary and secondary key servers.
C.
Configure HSRP between the primary and secondary key servers.
D.
Enable IPC between the primary and secondary key servers.
E.
Enable NTP on both the primary and secondary key servers to ensure that they are synchronized
to the same clock source.

Answer: A,B
Explanation:

COOP Key Server Configuration


Before deploying the COOP configuration, the following needs to be considered:
Generate a named RSA key on one of the Key Servers (it is required for rekeys) and export it to all
the COOP Key Servers.
Election between the Key Servers is based on the highest configured priority value. If the
priorities are the same, the highest IP address wins. It is suggested to configure different
priorities on all Key Servers.
Periodic ISAKMP keepalives (Dead Peer Detection, DPD) need to be enabled on all Key Servers so
that each Key Server can keep track of the state of the other Key Servers effectively.
The GETVPN-related configuration should be the same on all Key Servers. A KS has no capability
to verify that its configuration is in sync with the other Key Servers.
References: http://www.cisco.com/c/en/us/products/collateral/security/group-encryptedtransport-vpn/deployment_guide_c07_554713.html

QUESTION NO: 272


During the establishment of an Easy VPN tunnel, when is XAUTH performed?
A.
at the end of IKEv1 Phase 2
B.
at the beginning of IKEv1 Phase 1
C.
at the end of Phase 1 and before Phase 2 starts in IKEv1 and IKEv2
D.
at the end of Phase 1 and before Phase 2 starts in IKEv1

Answer: D

Explanation:
XAUTH is performed at the end of Phase 1 and before Phase 2. XAUTH (extended authentication) is
an additional step that verifies the identity of the user.

QUESTION NO: 273


Refer to the exhibit.

A customer has an IPsec tunnel that is configured between two remote offices. The customer is
seeing these syslog messages on Router B:
%CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed connection id=x, sequence
number=y
What is the most likely cause of this error?
A.
The customer has an LLQ QoS policy that is configured on the WAN interface of Router A.
B.
A hacker on the Internet is launching a spoofing attack.
C.
Router B has an incorrectly configured IP MTU value on the WAN interface.
D.
There is packet corruption in the network between Router A and Router B.
E.
Router A and Router B are not synchronized to the same timer source.

Answer: A
Explanation:
The purpose of replay checks is to protect against malicious repetition of packets. However, a
failed replay check is not always due to a malicious cause: a QoS policy such as the LLQ policy in
option A can reorder packets after they have been encrypted, so that some arrive outside the
receiver's anti-replay window.
References: http://www.cisco.com/c/en/us/support/docs/ip/internet-key-exchangeike/116858-problem-replay-00.html
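The check that produces this syslog message, as an added example that is not Cisco's code: a model of the RFC 4303 receiver anti-replay window with the 64-packet default width, fed a constructed delivery order in which a QoS policy on the sender holds one encrypted packet back until it is older than the window.

```python
"""IPsec anti-replay sliding window, the check behind %CRYPTO-4-PKT_REPLAY_ERR.

Added example, not Cisco code. Sequence numbers and the delayed delivery
order are constructed; the 64-packet width is the IOS default window.
"""
from typing import Dict, List, Tuple


class AntiReplayWindow:
    def __init__(self, size: int = 64):
        if size < 32:
            raise ValueError("window must be at least 32 packets")
        self.size = size
        self.highest = 0   # highest sequence number accepted so far
        self.bitmap = 0    # bit i set -> sequence number (highest - i) already seen

    def check_and_update(self, seq: int) -> Tuple[bool, str]:
        """Return (accepted, reason) and record accepted sequence numbers."""
        if seq == 0:
            return False, "sequence number 0 is never valid"
        if seq > self.highest:
            shift = seq - self.highest
            if shift >= self.size:
                self.bitmap = 1                          # whole window slid past
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True, "accepted: new highest"
        offset = self.highest - seq
        if offset >= self.size:
            return False, "replay check failed: older than window"
        if self.bitmap & (1 << offset):
            return False, "replay check failed: duplicate"
        self.bitmap |= 1 << offset
        return True, "accepted: late but inside window"


def deliver(order: List[int], size: int = 64) -> Dict[str, object]:
    """Run a delivery order through a fresh window and report the outcome."""
    window = AntiReplayWindow(size)
    accepted, dropped, reasons = [], [], {}
    for seq in order:
        ok, why = window.check_and_update(seq)
        (accepted if ok else dropped).append(seq)
        if not ok:
            reasons[seq] = why
    return {"accepted": accepted, "dropped": dropped, "reasons": reasons}


def llq_delayed_order() -> List[int]:
    """Constructed order: ESP packets 1..110 were numbered before queuing on
    the sender; packet 5 (bulk class) waits behind priority traffic and is
    transmitted only after packet 100, so it is 95 packets behind by then."""
    return list(range(1, 5)) + list(range(6, 101)) + [5] + list(range(101, 111))


if __name__ == "__main__":
    result = deliver(llq_delayed_order())
    print(result["dropped"], result["reasons"])
```

Packet 5 is a legitimate packet that was never replayed; it fails only because the reordering exceeded the window, which is why the Cisco document points at QoS rather than at an attacker.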

QUESTION NO: 274


Which four types of VPN natively provide encryption of user traffic? (Choose four.)
A.
MPLS
B.
IPsec
C.
L2TPv3
D.
SSL
E.
VPLS
F.
AToM
G.
GETVPN
H.
Microsoft PPTP

Answer: B,D,G,H
Explanation:
Following are the VPNs that provide encryption of user traffic:

QUESTION NO: 275


Which three options are components of Mobile IPv6? (Choose three.)
A.
home agent
B.
correspondent node
C.
mobile node
D.
binding node
E.
discovery probe

Answer: A,B,C
Explanation:
The home agent is one of three key components in Mobile IPv6. The home agent works with the
correspondent node and mobile node to enable Mobile IPv6 functionality:
References: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/mob_ip/configuration/15mt/mob-ip-15-mt-book/ip6-mobile-home-agent.html

QUESTION NO: 276


What are two uses of an RSA algorithm? (Choose two.)
A.
Data encryption
B.
Digital signature verification
C.
Shared key generation
D.
Message hashing

Answer: A,B
Explanation:
The RSA algorithm is named after Ron Rivest, Adi Shamir and Len Adleman, who invented it in
1977 [RIVE78]. The basic technique was first discovered in 1973 by Clifford Cocks [COCK73] of
CESG (part of the British GCHQ) but this was a secret until 1997. The patent taken out by RSA
Labs has expired.
The RSA cryptosystem is the most widely-used public key cryptography algorithm in the world. It
can be used to encrypt a message without the need to exchange a secret key separately.
The RSA algorithm can be used for both public key encryption and digital signatures. Its security is
based on the difficulty of factoring large integers.
Party A can send an encrypted message to party B without any prior exchange of secret keys. A
just uses B's public key to encrypt the message and B decrypts it using the private key, which only
he knows. RSA can also be used to sign a message, so A can sign a message using their private
key and B can verify it using A's public key.

QUESTION NO: 277


What is needed to verify a digital signature that was created using an RSA algorithm?
A.
public key
B.
private key
C.
both public and private key
D.
trusted third-party certificate

Answer: A
Explanation:
RSA is one of the first practicable public-key cryptosystems and is widely used for secure data
transmission. In such a cryptosystem, the encryption key is public and differs from the decryption
key, which is kept secret. A user of RSA creates and then publishes a public key based on two
large prime numbers, along with an auxiliary value. The prime numbers must be kept secret.
Anyone can use the public key to encrypt a message, but with currently published methods, if the
public key is large enough, only someone with knowledge of the prime numbers can feasibly
decode the message.
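Both RSA questions above, worked as an added example that is not from this page: toy-sized textbook RSA showing encryption with the public key and decryption with the private key, then signing with the private key and verification with the public key alone. The primes, the sample message and the SHA-256 digest are assumptions for illustration.

```python
"""Textbook RSA: public-key encryption and digital signatures.

Added example, not from the exam page. The primes are toy-sized and there is
no OAEP/PSS padding, so this shows the arithmetic only; SHA-256 as the
message digest is an assumption (the page names no hash).
"""
import hashlib
from math import gcd
from typing import Tuple

PublicKey = Tuple[int, int]   # (n, e): published
PrivateKey = Tuple[int, int]  # (n, d): kept secret, like p and q


def keygen(p: int, q: int, e: int = 65537) -> Tuple[PublicKey, PrivateKey]:
    """n = p*q is published with e; d = e^-1 mod phi(n) stays private."""
    if p == q:
        raise ValueError("p and q must differ")
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)            # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def encrypt(pub: PublicKey, m: int) -> int:
    """Anyone with the public key can encrypt; no prior shared secret needed."""
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message must be an integer below n")
    return pow(m, e, n)


def decrypt(priv: PrivateKey, c: int) -> int:
    n, d = priv
    return pow(c, d, n)


def _digest(message: bytes, n: int) -> int:
    """Hash-then-sign. The digest is reduced below n only because this toy
    modulus is smaller than a SHA-256 output; real schemes pad instead."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(priv: PrivateKey, message: bytes) -> int:
    n, d = priv
    return pow(_digest(message, n), d, n)


def verify(pub: PublicKey, message: bytes, signature: int) -> bool:
    """Verification needs only (n, e): the signer's public key."""
    n, e = pub
    return 0 <= signature < n and pow(signature, e, n) == _digest(message, n)


if __name__ == "__main__":
    pub, priv = keygen(1000003, 1000033)       # toy primes, far too small for real use
    c = encrypt(pub, 42)
    print(decrypt(priv, c), verify(pub, b"hello", sign(priv, b"hello")))
```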

QUESTION NO: 278


Which algorithm is used to generate the IKEv2 session key?
A.
Diffie-Hellman
B.
Rivest, Shamir, and Adleman
C.
Secure Hash Algorithm
D.
Rivest Cipher 4

Answer: A
Explanation:

In computing,Internet Key Exchange(IKEorIKEv2) is the protocol used to set up a security


association (SA) in the IPsec protocol suite. IKE builds upon the Oakley protocol and ISAKMP.
IKE uses X.509 certificates for authentication - either pre-shared or distributed using DNS
(preferably with DNSSEC) and a DiffieHellman key exchange - to set up a shared session secret
from which cryptographic keys are derived.
"Pass Any Exam. Any Time." - www.actualtests.com
263

Cisco 350-018 Exam

QUESTION NO: 279


Which statement is true about IKEv2 and IKEv1?
A.
IKEv2 can be configured to use EAP, but IKEv1 cannot.
B.
IKEv2 can be configured to use AES encryption, but IKEv1 cannot.
C.
IKEv2 can be configured to interoperate with IKEv1 on the other end.
D.
IKEv2 consumes more bandwidth than IKEv1.

Answer: A
Explanation:
EAP-IKEv2 is an EAP method based on the Internet Key Exchange protocol version 2 (IKEv2). It
provides mutual authentication and session key establishment between an EAP peer and an EAP
server.

QUESTION NO: 280


Which statement is true about IKEv2 preshared key authentication between two peers?
A.
IKEv2 allows usage of different preshared keys for local and remote authentication.
B.
IKEv2 allows usage of only one preshared key.
C.
IKEv2 allows usage of only one preshared key and only in hub-and-spoke topology.
D.
IKEv2 does not allow usage of preshared key authentication.

Answer: A

Explanation:
In IKEv1, only one pre-shared key can be defined; in IKEv2, you can specify a pre-shared key for
the local peer as well as for the remote peer.
Command:
tunnel-group 172.16.1.1 type ipsec-l2l
tunnel-group 172.16.1.1 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <PRESHARED KEY>
 ikev2 local-authentication pre-shared-key <PRESHARED KEY>
References: https://www.fir3net.com/Firewalls/Cisco/cisco-how-to-configure-an-ikev2site-to-site-vpn.html

QUESTION NO: 281


How does 3DES use the DES algorithm to encrypt a message?
A.
encrypts a message with K1, decrypts the output with K2, then encrypts it with K3
B.
encrypts a message with K1, encrypts the output with K2, then encrypts it with K3
C.
encrypts K1 using K2, then encrypts it using K3, then encrypts a message using the output key
D.
encrypts a message with K1, encrypts the output with the K2, then decrypts it with K3

Answer: A
Explanation:
Triple DES uses a "key bundle" that comprises three DES keys, K1, K2 and K3, each of 56 bits
(excluding parity bits). The encryption algorithm is:
ciphertext = E_K3(D_K2(E_K1(plaintext)))
i.e., DES encrypt with K1, DES decrypt with K2, then DES encrypt with K3.
Decryption is the reverse:
plaintext = D_K1(E_K2(D_K3(ciphertext)))
i.e., decrypt with K3, encrypt with K2, then decrypt with K1.
Each triple encryption encrypts one block of 64 bits of data.
In each case the middle operation is the reverse of the first and last. This improves the strength of
the algorithm when using keying option 2, and provides backward compatibility with DES with
keying option 3.
References: http://en.wikipedia.org/wiki/Triple_DES

QUESTION NO: 282


Which three statements about IKEv2 are correct? (Choose three.)
A.
INITIAL_CONTACT is used to synchronize state between peers.
B.
The IKEv2 standard defines a method for fragmenting large messages.
C.
The initial exchanges of IKEv2 consist of IKE_SA_INIT and IKE_AUTH.
D.
Rekeying IKE and child SAs is facilitated by the IKEv2 CREATE_CHILD_SA exchange.
E.
NAT-T is not supported.
F.
Attribute policy push (via the configuration payload) is only supported in REQUEST/REPLY mode.

Answer: A,C,D
Explanation:

INITIAL_CONTACT: a notification to the remote peer so that it resets any state information it
holds for this node. This message must be cryptographically protected.
IKE message flow always consists of a request followed by a response.
It is the responsibility of the requester to ensure reliability. If the response is not received within a
timeout interval, the requester needs to retransmit the request (or abandon the connection). The
first request/response of an IKE session (IKE_SA_INIT) negotiates security parameters for the
IKE_SA, sends nonces, and sends Diffie-Hellman values.
The second request/response (IKE_AUTH) transmits identities, proves knowledge of the secrets
corresponding to the two identities, and sets up an SA for the first (and often only) AH and/or ESP
CHILD_SA.
The types of subsequent exchanges are CREATE_CHILD_SA (which creates a CHILD_SA) and
INFORMATIONAL (which deletes an SA, reports error conditions, or does other housekeeping).
Every request requires a response.
References: https://tools.ietf.org/html/rfc4306

QUESTION NO: 283


What entities decrypt a transmission sent by a GDOI group member?
A.
all group members
B.
the key server only
C.
the peer that is indicated by the key server
D.
the key server and the peer that is indicated by the key server

Answer: A
Explanation:

Group Domain of Interpretation or GDOI is a cryptographic protocol for group key management.
The GDOI protocol is specified in an IETF Standard, RFC 6407, and is based on Internet Security
Association and Key Management Protocol (ISAKMP), RFC 2408, and Internet Key Exchange
version 1 (IKE). Whereas IKE is run between two peers to establish a "pair-wise security
association", the GDOI protocol is run between a group member and a "group controller/key server"
(controller) and establishes a security association among two or more group members. All group
member entities decrypt the transmission sent by a GDOI member.

QUESTION NO: 284


What applications take advantage of a DTLS protocol?
A.
delay-sensitive applications, such as voice or video
B.
applications that require double encryption
C.
point-to-multipoint topology applications
D.
applications that are unable to use TLS

Answer: A
Explanation:

DTLS is commonly used for delay-sensitive applications (voice and video). The greatest benefit that
DTLS provides over standard TLS for delay-sensitive applications is the use of UDP, which allows
faster transmission of application data without the additional overhead of TCP. DTLS was invented
to achieve a good user experience for delay-sensitive applications that natively use UDP; once
DTLS is enabled and negotiated, all applications are tunneled over the DTLS VPN session.

QUESTION NO: 285


What mechanism does SSL use to provide confidentiality of user data?
A.
symmetric encryption
B.
asymmetric encryption
C.
RSA public-key encryption
D.
Diffie-Hellman exchange

Answer: A
Explanation:
Symmetric encryption (or pre-shared key encryption) uses a single key to both encrypt and
decrypt data. Both the sender and the receiver need the same key to communicate.

QUESTION NO: 286


Which three EAP methods require a server-side certificate? (Choose three.)
A.
PEAP with MS-CHAPv2
B.
EAP-TLS
C.
EAP-FAST
D.
EAP-TTLS
E.
EAP-GTP

Answer: A,B,D
Explanation:

EAP supports many authentication methods, but only five are commonly used. They are: MD5, a
one-way authentication of the supplicant to the network using passwords; Cisco's proprietary
username-based LEAP; TLS, which uses PKI-issued (public key infrastructure) digital certificates
for strong mutual authentication; and TTLS and PEAP, which combine server-side certificates with
some other authentication such as passwords.

QUESTION NO: 287


Which statement is true about EAP-FAST?
A.
It supports Windows single sign-on.
B.
It is a proprietary protocol.
C.
It requires a certificate only on the server side.
D.
It does not support an LDAP database.

Answer: A
Explanation:
It Supports Windows single sign on for Cisco Aironet clients and Cisco Compatible clients.

QUESTION NO: 288


Which four attributes are identified in an X.509v3 basic certificate field? (Choose four.)
A.
key usage
B.
certificate serial number
C.
issuer
D.
subject name
E.
signature algorithm identifier
F.
CRL distribution points
G.
subject alt name

Answer: B,C,D,E
Explanation:

References: https://www.ietf.org/rfc/rfc3280.txt

QUESTION NO: 289


What are two reasons for a certificate to appear in a CRL? (Choose two.)
A.
CA key compromise
B.
cessation of operation
C.
validity expiration
D.
key length incompatibility
E.
certification path invalidity

Answer: A,B
Explanation:

CRLs may be used in a wide range of applications and environments covering a broad spectrum
of interoperability goals and an even broader spectrum of operational and assurance
requirements. This profile establishes a common baseline for generic applications requiring broad
interoperability. The profile defines a set of information that can be expected in every CRL. Also,
the profile defines common locations within the CRL for frequently used attributes as well as
common representations for these attributes.
CRL issuers issue CRLs. In general, the CRL issuer is the CA. CAs publish CRLs to provide status
information about the certificates they issued. However, a CA may delegate this responsibility to
another trusted authority. Whenever the CRL issuer is not the CA that issued the certificates, the
CRL is referred to as an indirect CRL.
Each CRL has a particular scope. The CRL scope is the set of certificates that could appear on a
given CRL. For example, the scope could be "all certificates issued by CA X", "all CA certificates
issued by CA X", "all certificates issued by CA X that have been revoked for reasons of key
compromise and CA compromise", or could be a set of certificates based on arbitrary local
information, such as "all certificates issued to the NIST employees located in Boulder".
References: https://www.ietf.org/rfc/rfc3280.txt

QUESTION NO: 290


A Cisco IOS router is configured as follows:
ip dns spoofing 192.168.20.1
What will the router respond with when it receives a DNS query for its own host name?
A.
The router will respond with the IP address of the incoming interface.
B.
The router will respond with 192.168.20.1 only if the outside interface is down.
C.
The router will respond with 192.168.20.1.
D.
The router will ignore the DNS query and forward it directly to the DNS server.

Answer: B
Explanation:

DNS spoofing allows a device to act as a proxy DNS server and spoof replies to any DNS
queries using either the configured IP address in the ip dns spoofing command or the IP address
of the incoming interface for the query. This functionality is useful for devices where the interface
toward the ISP is not up. Once the interface to the ISP is up, the device forwards DNS queries to
the real DNS servers.
The device will respond to the DNS query with the configured IP address when queried for any
host name other than its own but will respond to the DNS query with the IP address of the
incoming interface when queried for its own host name.
References: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr/command/ipaddrcr-book/ipaddr-i3.html#wp2060850399

QUESTION NO: 291


Which configuration is the correct way to change a GET VPN Key Encryption Key lifetime to
10800 seconds on the key server?
A.
crypto isakmp policy 1
 lifetime 10800
B.
crypto ipsec security-association lifetime seconds 10800
C.
crypto ipsec profile getvpn-profile
 set security-association lifetime seconds 10800
!
crypto gdoi group GET-Group
 identity number 1234
 server local
  sa ipsec 1
   profile getvpn-profile
D.
crypto gdoi group GET-Group
 identity number 1234
 server local
  rekey lifetime seconds 10800
E.
crypto gdoi group GET-Group
 identity number 1234
 server local
  set security-association lifetime seconds 10800

Answer: D
Explanation:
The Key Encryption Key lifetime is defined by the rekey lifetime seconds 10800 command, which
must be entered within the GDOI group (under server local). The options other than D do not meet
this criterion.

QUESTION NO: 292


A Cisco Easy VPN software client is unable to access its local LAN devices once the VPN tunnel
is established. How can this issue be resolved?
A.
The IP address that is assigned by the Cisco Easy VPN Server to the client must be on the same
network as the local LAN of the client.
B.
The Cisco Easy VPN Server should apply split-tunnel-policy excludespecified with a split-tunnel
list containing the local LAN addresses that are relevant to the client.
C.
The Cisco Easy VPN Server must push down an interface ACL that permits the traffic to the local
LAN from the client.
D.
The Cisco Easy VPN Server should apply a split-tunnel-policy tunnelall policy to the client.
E.
The Cisco Easy VPN client machine needs to have multiple NICs to support this.

Answer: B
Explanation:

When the VPN is connected with the tunnelall option, all your traffic flows through the VPN tunnel
and you lose access to your local LAN. To make it work, you need to specify that local traffic
should not be forwarded through the VPN tunnel, and you do this by applying split-tunnel-policy
excludespecified with an access-list that specifies the local LAN addresses.

QUESTION NO: 293


error: % Invalid input detected at '^' marker.
The above error is received when generating RSA keys for SSH access on a router using the crypto
key generate rsa command. What are the reasons for this error? (Choose two.)
A.
The hostname must be configured before generating RSA keys.
B.
The image that is used on the router does not support the crypto key generate rsa command.
C.
The command has been used with incorrect syntax.
D.
The crypto key generate rsa command is used to configure SSHv2, which is not supported on
Cisco IOS devices.

Answer: B,C
Explanation:
The error message is received when the router image is not a k9 image to support the security
features. Also, we can get this error message if the correct syntax is not used while generating key
pairs.

QUESTION NO: 294


crypto isakmp profile vpn1
vrf vpn1
keyring vpn1
match identity address 172.16.1.1 255.255.255.255
crypto map crypmap 1 ipsec-isakmp
set peer 172.16.1.1
set transform-set vpn1
set isakmp-profile vpn1
match address 101
!
interface Ethernet1/2
crypto map crypmap
Which statements apply to the above configuration? (Choose two.)
A.
This configuration shows the VRF-Aware IPsec feature that is used to map the crypto ISAKMP
profile to a specific VRF.
B.
VRF and ISAKMP profiles are mutually exclusive, so the configuration is invalid.
C.
An IPsec tunnel can be mapped to a VRF instance.
D.
Peer command under the crypto map is redundant and not required.

Answer: A,C
Explanation:

In the profile configuration, we can see that vrf is used that says that this VPN profile is VRF aware
however the configuration is invalid because under interface Ethernet1/2, we can see crypto map
for the isakmp profile but there is no VRF command configured.

QUESTION NO: 295


MACsec, which is defined in 802.1AE, provides MAC-layer encryption over wired networks. Which
two statements about MACsec are true? (Choose two.)
A.
Only links between network access devices and endpoint devices can be secured by using
MACsec.
B.
MACsec is designed to support communications between network devices only.
C.
MACsec manages the encryption keys that the MKA protocol uses.
D.
A switch that uses MACsec accepts either MACsec or non-MACsec frames, depending on the
policy that is associated with the client.

Answer: A,D
Explanation:
MACsec, defined in 802.1AE, provides MAC-layer encryption over wired networks by using
out-of-band methods for encryption keying. The MACsec Key Agreement (MKA) Protocol provides
the required session keys and manages the required encryption keys. MKA and MACsec are
implemented after successful authentication using the 802.1x Extensible Authentication Protocol
(EAP) framework. Only host-facing links (links between network access devices and endpoint
devices such as a PC or IP phone) can be secured using MACsec.
A switch using MACsec accepts either MACsec or non-MACsec frames, depending on the policy
associated with the client. MACsec frames are encrypted and protected with an integrity check
value (ICV). When the switch receives frames from the client, it decrypts them and calculates the
correct ICV by using session keys provided by MKA. The switch compares that ICV to the ICV
within the frame. If they are not identical, the frame is dropped. The switch also encrypts and adds
an ICV to any frames sent over the secured port (the access point used to provide the secure
MAC service to a client) using the current session key.
References:
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3650/software/release/37e/consolidated_guide/b_37e_consolidated_3650_cg/b_37e_consolidated_3650_cg_chapter_01110101.pdf

QUESTION NO: 296


Which two statements about OSPF authentication are true? (Choose two.)
A.
OSPF authentication is required in area 0.
B.
There are three types of OSPF authentication.
C.
In MD5 authentication, the password is encrypted when it is sent.
D.
Null authentication includes the password in clear-text.
E.
Type-3 authentication is a clear-text password authentication.
F.
In MD5 authentication, the password never goes across the network.

Answer: B,F
Explanation:

These are the three different types of authentication supported by OSPF.

Authentication does not need to be set. However, if it is set, all peer routers on the same segment
must have the same password and authentication method. You can enable authentication in OSPF
in order to exchange routing update information in a secure manner. OSPF authentication can
either be none (or null), simple, or MD5. The authentication method "none" means that no
authentication is used for OSPF, and it is the default method. With simple authentication, the
password goes in clear-text over the network. With MD5 authentication, the password does not
pass over the network. MD5 is a message-digest algorithm specified in RFC 1321. MD5 is
considered the most secure OSPF authentication mode.
References: http://www.cisco.com/c/en/us/support/docs/ip/open-shortest-path-firstospf/13697-25.html
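The difference between simple and MD5 authentication on the wire, as an added example that is not Cisco code: a model of the RFC 2328 OSPF header authentication field and MD5 trailer, with a receiver that verifies the digest and also uses the cryptographic sequence number to reject stale packets. The key, packet body and router ID are constructed; the checksum is left at zero and only Hello packets are modelled.

```python
"""OSPF simple (AuType 1) versus MD5 (AuType 2) authentication, RFC 2328 style.

Added example, not Cisco code. With simple authentication the password sits
in the 8-byte authentication field; with MD5 the field carries a key ID, the
digest length and a cryptographic sequence number, and MD5(packet || key) is
appended after the packet, so the key itself never crosses the network.
"""
import hashlib
import hmac
import struct
from typing import Dict, Tuple

AUTH_NULL, AUTH_SIMPLE, AUTH_MD5 = 0, 1, 2
HEADER_FMT = "!BBHIIHH8s"   # version, type, length, router id, area id, checksum, autype, auth
HEADER_LEN = 24


def _header(autype: int, auth_field: bytes, body_len: int, router_id: int) -> bytes:
    # Version 2, type 1 (Hello), area 0, checksum 0 (not modelled here)
    return struct.pack(HEADER_FMT, 2, 1, HEADER_LEN + body_len, router_id, 0, 0, autype, auth_field)


def build_simple_auth(body: bytes, password: bytes, router_id: int = 0x0A000001) -> bytes:
    """Type 1: the (at most 8-byte) password travels in the clear."""
    return _header(AUTH_SIMPLE, password.ljust(8, b"\x00")[:8], len(body), router_id) + body


def build_md5_auth(body: bytes, key: bytes, key_id: int, seq: int,
                   router_id: int = 0x0A000001) -> bytes:
    """Type 2: auth field = reserved, key id, digest length (16), crypto sequence;
    digest = MD5(packet || key padded to 16 bytes), appended after the packet
    and not counted in the packet length."""
    auth_field = struct.pack("!HBBI", 0, key_id, 16, seq)
    packet = _header(AUTH_MD5, auth_field, len(body), router_id) + body
    return packet + hashlib.md5(packet + key.ljust(16, b"\x00")[:16]).digest()


class Md5Verifier:
    """Receiving router: holds the key chain and the last accepted sequence
    number per neighbor so that older packets are rejected (RFC 2328 D.4.3)."""

    def __init__(self, keys: Dict[int, bytes]):
        self.keys = keys
        self.last_seq: Dict[int, int] = {}

    def verify(self, wire: bytes) -> Tuple[bool, str]:
        if len(wire) < HEADER_LEN + 16:
            return False, "too short"
        _, _, length, router_id, _, _, autype, auth = struct.unpack(HEADER_FMT, wire[:HEADER_LEN])
        if autype != AUTH_MD5:
            return False, "authentication type is not MD5"
        _, key_id, auth_len, seq = struct.unpack("!HBBI", auth)
        if auth_len != 16 or len(wire) != length + 16:
            return False, "malformed authentication trailer"
        key = self.keys.get(key_id)
        if key is None:
            return False, "unknown key id"
        packet, digest = wire[:length], wire[length:]
        expected = hashlib.md5(packet + key.ljust(16, b"\x00")[:16]).digest()
        if not hmac.compare_digest(expected, digest):
            return False, "digest mismatch (wrong key or modified packet)"
        if seq < self.last_seq.get(router_id, 0):
            return False, "sequence number older than last accepted (replay)"
        self.last_seq[router_id] = seq
        return True, "ok"


if __name__ == "__main__":
    key = b"constructed-key"
    wire = build_md5_auth(b"hello-body", key, key_id=1, seq=100)
    print(key in wire, Md5Verifier({1: key}).verify(wire))
```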

QUESTION NO: 297


Which option describes the main purpose of EIGRP authentication?
A.
to authenticate peers
B.
to allow faster convergence
C.
to provide redundancy
D.
to avoid routing table corruption

Answer: D

Explanation:

The addition of authentication to your routers' EIGRP messages ensures that your routers only
accept routing messages from other routers that know the same pre-shared key. Without this
authentication configured, if someone introduces another router with different or conflicting route
information on to the network, the routing tables on your routers could become corrupt and a
denial of service attack could ensue. Thus, when you add authentication to the EIGRP messages
sent between your routers, it prevents someone from purposely or accidentally adding another
router to the network and causing a problem.

QUESTION NO: 298


What is the purpose of the BGP TTL security check?
A.
The BGP TTL security check is used for iBGP session.
B.
The BGP TTL security check protects against CPU utilization-based attacks.
C.
The BGP TTL security check checks for a TTL value in packet header of less than or equal to for
successful peering.
D.
The BGP TTL security check authenticates a peer.
E.
The BGP TTL security check protects against routing table corruption.

Answer: B
Explanation:

The BGP Support for TTL Security Check feature introduces a lightweight security mechanism to
protect external Border Gateway Protocol (eBGP) peering sessions from CPU utilization-based
attacks using forged IP packets. Enabling this feature prevents attempts to hijack the eBGP
peering session by a host on a network segment that is not part of either BGP network or by a
host on a network segment that is not between the eBGP peers. You enable this feature by
configuring a minimum Time To Live (TTL) value for incoming IP packets received from a specific
eBGP peer. When this feature is enabled, BGP will establish and maintain the session only if the
TTL value in the IP packet header is equal to or greater than the TTL value configured for the
peering session. If the value is less than the configured value, the packet is silently discarded and
no Internet Control Message Protocol (ICMP) message is generated. This feature is both effective
and easy to deploy.

QUESTION NO: 299


Refer to the exhibit.

Which option describes the behavior of this configuration?


A.
The peer session is dropped when 80 prefixes are received.
B.
A warning message is displayed when 1000 prefixes are received.
C.
The peer session is dropped when 800 prefixes are received.
D.
An initial warning message is displayed when 800 prefixes are received. A different message is
displayed when 1000 prefixes are received, and the session will not be disconnected.
E.
An initial warning message is displayed when 80 prefixes are received. The same warning
message is displayed when 1000 prefixes are received, and the session will be disconnected.

Answer: D
Explanation:

The command syntax used in order to configure the BGP Maximum-Prefix feature is:
neighbor {ip-address | peer-group-name} maximum-prefix maximum [threshold] [restart restart-interval] [warning-only]
Where:
threshold: for example, if the maximum value configured is 20 and the threshold 60, the router
generates warning messages when the number of BGP learned routes from the neighbor exceeds
60 percent of 20 (12) routes.
restart-interval: an optional time interval (in minutes) after which the peering session is
reestablished. The range is from 1 to 65535 minutes.
warning-only: (optional) allows the router to generate a log message when the maximum-prefix
limit is exceeded, instead of terminating the peering session.
neighbor 10.1.1.1 maximum-prefix 3000 50 warning-only
!--- Initially warns at 1500 and re-warns
!--- (different message) at 3000 prefixes received.
!--- However, the BGP peer is not disconnected.
References: http://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocolbgp/25160-bgp-maximum-prefix.html#a
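The maximum-prefix behaviour described above, as an added example that is not Cisco code: a small model that raises the threshold warning, then either the second warning (warning-only) or a session reset, and re-establishes the session after the restart interval. The exhibit for this question is not on the page, so a configuration of maximum 1000, threshold 80, warning-only is assumed to match answer D; 75 percent is the IOS default threshold when none is given.

```python
"""Model of BGP maximum-prefix events: threshold warning, maximum reached,
session reset and automatic restart.

Added example, not Cisco code. Log text is constructed, not IOS syslog.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class MaxPrefixPolicy:
    """neighbor <peer> maximum-prefix <maximum> [threshold] [restart <minutes>] [warning-only]"""
    maximum: int
    threshold: int = 75                      # percent; IOS default when omitted
    restart_interval: Optional[int] = None   # minutes; None = stays down until cleared
    warning_only: bool = False

    @property
    def warn_at(self) -> int:
        """Prefix count at which the first warning is logged: threshold percent
        of maximum, rounded up (maximum 20 with threshold 60 gives 12)."""
        return (self.maximum * self.threshold + 99) // 100


@dataclass
class BgpNeighbor:
    policy: MaxPrefixPolicy
    prefixes: int = 0
    session_up: bool = True
    minutes_down: int = 0
    log: List[str] = field(default_factory=list)

    def receive_prefix(self) -> Optional[str]:
        """Account one received prefix; return the event it triggers, if any."""
        if not self.session_up:
            return None                      # nothing is learned while the session is down
        self.prefixes += 1
        p = self.policy
        if self.prefixes == p.warn_at and p.warn_at < p.maximum:
            self.log.append(f"warning: {self.prefixes} prefixes, {p.threshold}% of maximum {p.maximum}")
            return "THRESHOLD_WARNING"
        if self.prefixes == p.maximum:
            if p.warning_only:
                self.log.append(f"warning: maximum {p.maximum} reached, session kept (warning-only)")
                return "MAX_WARNING"
            self.session_up = False
            self.minutes_down = 0
            self.log.append(f"maximum {p.maximum} reached, peering session reset")
            return "SESSION_RESET"
        return None

    def elapse(self, minutes: int) -> bool:
        """Advance the clock; with a restart interval the session comes back on
        its own and the peer re-advertises, so the count starts over."""
        if self.session_up or self.policy.restart_interval is None:
            return self.session_up
        self.minutes_down += minutes
        if self.minutes_down >= self.policy.restart_interval:
            self.session_up, self.prefixes = True, 0
            self.log.append("peering session re-established after restart interval")
        return self.session_up


def run(neighbor: BgpNeighbor, count: int) -> Dict[int, str]:
    """Feed `count` prefixes and map the prefix count to the event raised there."""
    events: Dict[int, str] = {}
    for _ in range(count):
        event = neighbor.receive_prefix()
        if event is not None:
            events[neighbor.prefixes] = event
    return events


if __name__ == "__main__":
    nb = BgpNeighbor(MaxPrefixPolicy(maximum=1000, threshold=80, warning_only=True))
    print(run(nb, 1200), nb.session_up, nb.log)
```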

QUESTION NO: 300


Which two statements describe GRE? (Choose two.)
A.
GRE acts as passenger protocol for a Layer 3 transport protocol.
B.
GRE acts as a tunneling protocol and encapsulates other protocols.
C.
GRE provides data confidentiality.
D.
Packet MTU must be adjusted to accommodate GRE overhead.
E.
GRE does not allow multicast to be sent across the tunnel.
F.
The GRE tunnel interface remains down until it can see the remote tunnel end.

Answer: B,D
Explanation:

Generic Routing Encapsulation (GRE) is a tunneling protocol developed by Cisco Systems that
can encapsulate a wide variety of network layer protocols inside virtual point-to-point links over an
Internet Protocol internetwork. The packet MTU is adjusted to accommodate the GRE overhead.

QUESTION NO: 301


Which two statements about NHRP are true? (Choose two.)
A.
NHRP is used for broadcast multi-access networks.
B.
NHRP allows NHC to dynamically learn the mapping of VPN IP to NBMA IP.
C.
NHRP allows NHS to dynamically learn the mapping of VPN IP to BMA IP.
D.
NHC registers with NHS.
E.
Traffic between two NHCs always flows through the NHS.
F.
NHRP provides Layer-2 to Layer-3 address mapping.

Answer: B,D
Explanation:

NHRP allows two functions to help support these NBMA networks:
1. NHRP is an ARP-like protocol that allows Next Hop Clients (NHCs) to dynamically register with
Next Hop Servers (NHSs). This allows the NHCs to join the NBMA network without configuration
changes on the NHSs, especially in cases where the NHC has a dynamic physical IP address or is
behind a Network Address Translation (NAT) router that dynamically changes the physical IP
address. In these cases it would be impossible to preconfigure the logical virtual private network
(VPN IP) to physical (NBMA IP) mapping for the NHC on the NHS. This function is called NHRP
registration.
2. NHRP is a resolution protocol that allows one NHC client (spoke) to dynamically discover the
logical VPN IP to physical NBMA IP mapping for another NHC client (spoke) within the same
NBMA network. Without this discovery, IP packets traversing from hosts behind one spoke to
hosts behind another spoke would have to traverse by way of the NHS (hub) router. This would
increase the utilization of the hub's physical bandwidth and CPU to process these packets that
come into the hub on the multipoint interface and go right back out the multipoint interface. This is
often called hair-pinning. With NHRP, systems attached to an NBMA network dynamically learn
the NBMA address of the other systems that are part of that network, allowing these systems to
directly communicate without requiring traffic to use an intermediate hop. This alleviates the load
on the intermediate hop (NHS) and can increase the overall bandwidth of the NBMA network to be
greater than the bandwidth of the hub router.
References:
http://www.cisco.com/c/en/us/td/docs/ios/12_4/ip_addr/configuration/guide/hadnhrp.html

QUESTION NO: 302


Refer to the exhibit.

Which option describes the behavior of this configuration?


A.
Devices that perform IEEE 802.1X should be in the MAC address database for successful
authentication.
B.
IEEE 802.1x devices must fail MAB to perform IEEE 802.1X authentication.
C.
If 802.1X fails, the device will be assigned to the default guest VLAN.
D.
The device will perform subsequent IEEE 802.1X authentication if it passed MAB authentication.
E.
If the device fails IEEE 802.1X, it will start MAB again.

Answer: B
Explanation:

Case 1: Order MAB Dot1x with Default Priority

Currently, by default, the priority changes when the order is changed. If MAB is configured as the
first authentication method, then MAB will have priority over all other authentication methods.
Therefore, if the port is configured to attempt MAB before IEEE 802.1X authentication, then, by
default, any device that passes MAB will never be allowed to pass IEEE 802.1X authentication.
Figure 1 of the referenced application note summarizes the behavior when the order (and
consequently, the priority) is changed.
(Figure 1. Order MAB Dot1x, Priority MAB Dot1x; not reproduced here.)

As the figure illustrates, if an endpoint needs to perform IEEE 802.1X authentication, then it must
fail MAB. Consequently, its MAC address must not be in the databases that are checked for MAB.
In addition, the authentication, authorization, and accounting (AAA) server should not have a
policy that allows unknown MAC addresses to pass MAB (for example, for a dynamic guest VLAN
assignment). To avoid this restriction, configure the priority explicitly (authentication priority
dot1x mab) so that IEEE 802.1X still takes precedence when MAB runs first.
Reference: http://www.cisco.com/c/en/us/products/collateral/ios-nx-ossoftware/identity-based-networking-service/application_note_c27-573287.html

QUESTION NO: 303


When is the supplicant considered to be clientless?
A.
when the authentication server does not have credentials to authenticate.
B.
when the authenticator is missing the dot1x guest VLAN under the port with which the supplicant
is connected.
C.
when the supplicant fails EAP-MD5 challenge with the authentication server.
D.
when the supplicant fails to respond to EAPOL messages from the authenticator.
E.
when the authenticator is missing the reauthentication timeout configuration under the port with
which the supplicant is connected.

Answer: D
Explanation:
When a new IP host is connected to the switch port, the router initiates the communication using
Extensible Authentication Protocol over LAN (EAPoL). The supplicant running on the device will
respond to it. Then the router proceeds with further authentication. If there is no response from the
device it is considered as a clientless device. Once the router gathers the credentials from the
device, it is forwarded to the RADIUS server for authentication. If the credentials are valid, the port
becomes enabled and gets attached to the trusted VLAN. If the credentials are invalid, the port is
shut. If the connected device does not respond to EAPoL messages (clientless device), the port is
shut down or assigned to the guest VLAN if it is configured on the port.
Reference: http://www.cisco.com/c/en/us/products/collateral/ios-nx-ossoftware/layered-perimeter-security-managed-services/prod_white_paper0900aecd805a5ab5.html

QUESTION NO: 304


When routing is configured on ASA, which statement is true?
A.
If the default route is not present, then the routing table is checked.
B.
If the routing table has two matching entries, the packet is dropped.
C.
If routing table has two matching entries with same prefix length, the first entry is used.
D.
If routing table has two matching entries with different prefix lengths, the entry with the longer
prefix length is used.

Answer: D
Explanation:

The ASA forwards using longest-prefix match. When more than one routing-table entry covers the
destination, the entry with the longest (most specific) prefix length is used; the default route
(0.0.0.0/0) is consulted only when no more specific entry matches, so option A has the order
backwards. Two entries with the same prefix length for the same destination are not both installed
as equals: the ASA keeps the route with the better administrative distance (and metric, within a
routing protocol), and equal-cost static routes on the same interface are load-balanced rather than
dropped or resolved by position in the table.
Reference: http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/asdm64/configuration_guide/asdm_64_config/route_maps.html

QUESTION NO: 305


Which statement about the ASA redundant interface is true?
A.
It is a logical interface that combines two physical interfaces, both of which are active.
B.
It can only be used for failover links.
C.
By default, the first physical interface that is configured in the pair is the active interface.
D.
The redundant interface uses the MAC address of the second physical interface in the pair.

Answer: C
Explanation:
A logical redundant interface consists of a pair of physical interfaces: an active and a standby
interface. When the active interface fails, the standby interface becomes active and starts passing
traffic. By default the first physical interface added to the pair is the active one, and the redundant
interface takes that interface's MAC address, so a switchover does not change the MAC address
that neighbors see. A redundant interface is a regular data interface and is not limited to failover
links; you configure one to protect the ASA against a single link or switch-port failure.

QUESTION NO: 306


Which two pieces of information are communicated by the ASA failover link? (Choose two.)
A.
unit state
B.
connections State
C.
routing tables
D.
power status
E.
MAC address exchange

Answer: A,E
Explanation:

Active/Standby failover lets you use a standby security appliance to take over the functionality of a
failed unit. When the active unit fails, it changes to the standby state while the standby unit
changes to the active state. The unit that becomes active assumes the IP addresses (or, for
transparent firewall, the management IP address) and MAC addresses of the failed unit and
begins passing traffic. The unit that is now in standby state takes over the standby IP addresses
and MAC addresses. Because network devices see no change in the MAC to IP address pairing,
no ARP entries change or time out anywhere on the network.

"Pass Any Exam. Any Time." - www.actualtests.com

287

Cisco 350-018 Exam


QUESTION NO: 307
When is a connection entry created on ASA for a packet that is received on the ingress interface?
A.
When the packet is checked by the access-list.
B.
When the packet reaches the ingress interface internal buffer.
C.
When the packet is a SYN packet or UDP packet.
D.
When a translation rule exists for the packet.
E.
When the packet is subjected to inspection.

Answer: D
Explanation:

The packet is verified for the translation rules. If a packet passes through this check, then a
connection entry is created for this flow, and the packet moves forward. Otherwise, the packet is
dropped and the information is logged.

QUESTION NO: 308


Which two statements about the multiple context mode running Version 9.x are true? (Choose
two.)
A.
RIP is not supported.
B.
An interface cannot be shared by multiple contexts.
C.
Remote access VPN is supported.
D.
Only the admin and context configuration files are supported.
E.
OSPFv3 is supported.
F.
Multicast feature is supported
G.
Site-To-Site VPN feature is supported

Answer: A,G
Explanation:

In Version 9.x, multiple context mode does not support the following features: RIP and OSPFv3
(OSPFv2 and EIGRP are supported, so contexts are no longer limited to static routes), multicast
routing, remote access VPN, threat detection, unified communications, and QoS. Site-to-site VPN
(IKEv1 and IKEv2) is supported in multiple context mode from 9.0 onward. Interfaces can be
shared between contexts, and the configuration is split into a system configuration, an admin
context configuration, and one configuration file per context.

QUESTION NO: 309


Which two options describe how the traffic for the shared interface is classified in ASA multi
context mode? (Choose two.)
A.
Traffic is classified at the source address in the packet.
B.
Traffic is classified at the destination address in the packet.
C.
Traffic is classified at the destination address in the context.
D.
Traffic is classified by copying and sending the packet to all the contexts.
E.
Traffic is classified by sending the MAC address for the shared interface.

Answer: C,E
Explanation:

If you share an inside interface and do not use unique MAC addresses, the classifier imposes some
major restrictions. The classifier relies on the address translation configuration to classify the
packet within a context, and you must translate the destination addresses of the traffic. Because
you do not usually perform NAT on outside addresses, sending packets from inside to outside on
a shared interface is not always possible; the outside network is large (the Web, for example),
and addresses are not predictable for an outside NAT configuration. If you share an inside
interface, we suggest you use unique MAC addresses.
Reference: http://www.cisco.com/c/en/us/td/docs/security/asa/asa72/configuration/guide/conf_gd/contexts.html

QUESTION NO: 310


Which two statements correctly describe ASA resource management in multiple context mode?
(Choose two.)
A.
The class sets the resource maximum limit for a context to which it belongs.
B.
A resource cannot be oversubscribed or set to be unlimited in the class.
C.
The resource limit can only be set as a percentage in the class and not as an absolute value.
D.
Context belongs to a default class if not assigned to any other class.
E.
The default class provides unlimited access for all the resources.

Answer: A,D
Explanation:

By default, all security contexts have unlimited access to the resources of the ASA, except where
maximum limits per context are enforced; the only exception is VPN resources, which are disabled
by default. If you find that one or more contexts use too many resources, and they cause other
contexts to be denied connections, for example, then you can configure resource management to
limit the use of resources per context. For VPN resources, you must configure resource
management to allow any VPN tunnels. In a multi-tenant deployment this is the control that keeps
one busy or compromised context from exhausting shared connections, translations or hosts and
denying service to the others.
All contexts belong to the default class if they are not assigned to another class; you do not have
to actively assign a context to the default class. If a context belongs to a class other than the
default class, those class settings always override the default class settings. However, if the other
class has any settings that are not defined, then the member context uses the default class for
those limits. For example, if you create a class with a 2 percent limit for all concurrent connections,
but no other limits, then all other limits are inherited from the default class. Conversely, if you
create a class with a limit for all resources, the class uses no settings from the default class.
Limits can be set as an absolute value or as a percentage, and a class may be oversubscribed or
set to unlimited, which is why options B and C are false.
Reference: http://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/ha_contexts.html#40167

QUESTION NO: 311


Which two statements about ASA transparent mode are true? (Choose two.)
A.
Transparent mode acts as a Layer-3 firewall.
B.
The inside and outside interface must be in a different subnet.
C.
IP traffic will not pass unless it is permitted by an access-list.
D.
ARP traffic is dropped unless it is permitted.
E.
A configured route applies only to the traffic that is originated by the ASA.
F.
In multiple context mode, all contexts need to be in transparent mode.

Answer: C,E
Explanation:

In transparent mode, the security appliance acts like a "bump in the wire," or a "stealth firewall,"
and is not a router hop. The security appliance connects the same network on its inside and
outside interfaces. No dynamic routing protocols or NAT are used (NAT was added to transparent
mode in later releases, but a configured static route still applies only to traffic that the ASA itself
originates, such as syslog or AAA). However, like routed mode, transparent mode also requires
access lists to allow any traffic through the security appliance, except for ARP packets, which are
allowed automatically. Transparent mode can allow certain types of traffic in an access list that
are blocked by routed mode, including unsupported routing protocols. Transparent mode can also
optionally use EtherType access lists to allow non-IP traffic.
In the 7.x release documented below, transparent mode supports only two interfaces, an inside
interface and an outside interface, in addition to a dedicated management interface if available for
your platform; from 8.4 onward interfaces are grouped into bridge groups, and in 9.x the firewall
mode is set per context, so routed and transparent contexts can coexist (option F).
http://www.cisco.com/c/en/us/td/docs/security/asa/asa70/configuration/guide/config/fwmode.html

QUESTION NO: 312


Which statement correctly describes a botnet filter category?
A.
Unlisted addresses: The addresses are malware addresses that are not identified by the dynamic
database and are hence defined statically.
B.
Ambiguous addresses: In this case, the same domain name has multiple malware addresses but
not all the addresses are in the dynamic database. These addresses are on the graylist.
C.
Known malware addresses: These addresses are identified as blacklist addresses in the dynamic
database and static list.
D.
Known allowed addresses: These addresses are identified as whitelist addresses that are bad
addresses but still allowed.

Answer: C
Explanation:
Addresses monitored by the Botnet Traffic Filter fall into these categories:
Known malware addresses: addresses on the blacklist, identified by the dynamic database that the
ASA downloads from Cisco and by any statically configured blacklist entries.
Known allowed addresses: addresses on the whitelist, which includes the entries you configure
statically; traffic to these addresses is never flagged as malicious.
Ambiguous addresses: addresses associated with multiple domain names where not all of those
names are on the blacklist; these are placed on the graylist.
Unlisted addresses: addresses that appear on none of the lists and are not flagged.
Reference: http://www.cisco.com/c/en/us/td/docs/security/asa/special/botnet/guide/asabotnet.html

QUESTION NO: 313


Refer to the exhibit.

Why does the EasyVPN session fail to establish between the client and server?
A.
incomplete ISAKMP profile configuration on the server
B.
incorrect IPsec phase-2 configuration on the server
C.
incorrect group configuration on the client
D.
ISAKMP key mismatch
E.
incorrect ACL in the ISAKMP client group configuration

Answer: B
Explanation:
The IPsec phase 2 configuration on the server is incomplete. The crypto ipsec profile applied to
the virtual template must bind both a transform set and the ISAKMP profile, for example:
crypto ipsec profile ipsecprof
 set transform-set TS
 set isakmp-profile ezvpnprof
The exhibit lacks the set command(s) needed to complete this profile, so the server has no
usable phase 2 proposal for the client and the session fails after phase 1.

QUESTION NO: 314


Refer to the exhibit.

What is the reason for the failure of the DMVPN session between R1 and R2?
A.
tunnel mode mismatch
B.
IPsec phase-1 configuration is missing peer address on R2
C.
IPsec phase-1 policy mismatch
D.
IPsec phase-2 policy mismatch
E.
incorrect tunnel source interface on R1

Answer: E
Explanation:
The tunnel source interface needs to be FastEthernet0/1.

QUESTION NO: 315


Refer to the exhibit.

What is the reason for the failure of the DMVPN session between R1 and R2?
A.
tunnel mode mismatch
B.
IPsec phase-1 configuration missing peer address on R2
C.
IPsec phase-1 policy mismatch
D.
IPsec phase-2 policy mismatch
E.
incorrect tunnel source interface on R1

Answer: C
Explanation:
There is a Phase 1 policy mismatch: under crypto isakmp policy 1 the two routers specify different
Diffie-Hellman group values, so no ISAKMP proposal is acceptable to both sides and phase 1
never completes.

QUESTION NO: 316


Refer to the exhibit.

Which statement about the exhibit is true?

A.
The tunnel configuration is incomplete and the DMVPN session will fail between R1 and R2.
B.
IPsec phase-2 will fail to negotiate due to a mismatch in parameters.
C.
A DMVPN session will establish between R1 and R2 provided that the BGP and EIGRP
configurations are correct.
D.
A DMVPN session will establish between R1 and R2 provided that the BGP configuration is
correct.
E.
A DMVPN session will fail to establish because R2 is missing the ISAKMP peer address.

Answer: C
Explanation:
A DMVPN session will establish between R1 and R2 provided that the BGP and EIGRP
configurations are correct.

QUESTION NO: 317


Refer to the exhibit.

Identify the behavior of the ACL if it is applied inbound on E0/0.

A.
The ACL will drop both initial and noninitial fragments for port 80 only.
B.
The ACL will pass both initial and noninitial fragments for port 80 only.
C.
The ACL will pass the initial fragment for port 80 but drop the noninitial fragment for any port.
D.
The ACL will drop the initial fragment for port 80 but pass the noninitial fragment for any port.

Answer: C
Explanation:

The initial fragment carries the TCP header, so it is matched and permitted by the port-80 entry.
Every noninitial fragment, of any flow, is dropped by the deny entry at the top of the list: a deny
with the fragments keyword matches noninitial fragments on Layer 3 alone, before the permit is
ever reached.

QUESTION NO: 318


Refer to the exhibit.

Identify the behavior of the ACL if it is applied inbound on E0/0.


A.
The ACL will drop both initial and noninitial fragments for port 80 only.
B.
The ACL will pass both initial and non-initial fragments for port 80 only.
C.
The ACL will pass the initial fragment for port 80 but drop the noninitial fragment for any port.
D.
The ACL will drop the initial fragment for port 80 but pass the noninitial fragment for any port.

Answer: B
Explanation:
Here there is no entry with the fragments keyword. The permit for port 80 matches the initial
fragment on its Layer 4 port. A noninitial fragment carries no Layer 4 header, and an IOS permit
entry that contains Layer 4 information matches such a fragment on its Layer 3 information alone,
so the noninitial fragments are permitted as well. Every other initial packet falls through to the
implicit deny at the end of the list.

QUESTION NO: 319


Which statement about DHCP snooping is true?
A.
The dynamic ARP inspection feature must be enabled for DHCP snooping to work.
B.
DHCP snooping is enabled on a per-VLAN basis.
C.
DHCP snooping builds a binding database using information that is extracted from intercepted
ARP requests.
D.
DHCP snooping is enabled on a per-port basis.
E.
DHCP snooping does not rate-limit DHCP traffic from trusted ports.

Answer: B
Explanation:
DHCP snooping is enabled on a per-VLAN basis. By default, the feature is inactive on all VLANs.
You can enable the feature on a single VLAN or a range of VLANs. Ports are then marked trusted
or untrusted individually (the uplink toward the legitimate DHCP server is trusted), the binding
database is built from intercepted DHCP messages rather than ARP requests, rate limiting is
configured per port and applies to untrusted ports, and Dynamic ARP Inspection depends on the
snooping binding database rather than the other way round.

QUESTION NO: 320

Which two statements about PCI DSS are true? (Choose two.)
A.
PCI DSS is a US government standard that defines ISP security compliance.
B.
PCI DSS is a proprietary security standard that defines a framework for credit, debit, and ATM
cardholder information.
C.
PCI DSS is a criminal act of cardholder information fraud.
D.
One of the PCI DSS objectives is to restrict physical access to credit, debit,and ATM cardholder
information.
E.
PCI DSS is an IETF standard for companies to protect credit, debit, and ATM cardholder
information.

Answer: B,D
Explanation:

The Payment Card Industry Data Security Standard (PCI DSS) is a widely accepted set of policies
and procedures intended to optimize the security of credit, debit and cash card transactions and
protect cardholders against misuse of their personal information. The PCI DSS was created jointly
in 2004 by four major credit-card companies: Visa, MasterCard, Discover and American Express.
Reference: http://searchfinancialsecurity.techtarget.com/definition/PCI-DSS-Payment-CardIndustry-Data-Security-Standard

QUESTION NO: 321


Refer to the exhibit.

Why does the EasyVPN session fail to establish between the client and server?
A.
Incomplete IPsec phase-1 configuration on the server
B.
Incorrect IPsec phase-2 configuration on the server
C.
Incorrect group configuration on the client
D.
ISAKMP key mismatch
E.
Incorrect ACL in the ISAKMP client group configuration

Answer: C
Explanation:
On the client the configuration reads "group ezvpngrop key cisco", but it has to be
"group ezvpngroup key cisco" to match the server. The group name is case sensitive and must be
identical on both ends; the mismatch looks like a typing mistake made while configuring the
client.

QUESTION NO: 322


Refer to the exhibit.

Why does the EasyVPN session fail to establish between the client and server?
A.
Incomplete ISAKMP profile configuration on the server
B.
Incorrect IPsec phase-2 configuration on the server
C.
Incorrect group configuration on the client
D.
ISAKMP key mismatch
E.
Incorrect virtual-template configuration on the sever

Answer: A
Explanation:
Under the ISAKMP profile on the server, this command is missing:
 client configuration address respond
Without it the server does not answer the client's request for an address from the pool defined on
the server, so the client never obtains an IP address and the Easy VPN session fails.

QUESTION NO: 323


Refer to the exhibit.

Which two items are not encrypted by ESP in tunnel mode? (Choose two)
A.
ESP header
B.
ESP trailer
C.
Original IP header
D.
Data
E.
TCP-UDP header
F.
Authentication Data

Answer: A,F
Explanation:
In tunnel mode ESP encrypts the entire original packet (original IP header, TCP/UDP header and
data) together with the ESP trailer, and places the result between the new outer IP header and the
ESP authentication data (ICV). The ESP header (SPI and sequence number) is sent in the clear
because the receiver needs it to select the security association before it can decrypt, and the ICV
is itself the integrity check, so neither of them is encrypted. The ICV covers the ESP header and
the encrypted payload but not the new outer IP header, which is why ESP alone cannot protect
the outer addresses.

QUESTION NO: 324


Which three statements about the RSA algorithm are true to provide data confidentiality? (Choose
three.)
A.
The RSA algorithm provides encryption and authentication.
B.
The RSA algorithm provides authentication but not encryption.
C.
The RSA algorithm creates a pair of public-private keys and the public key is shared to perform
encryption.
D.
The private key is never shared after it is generated.
E.
The public key is used to decrypt the message that was encrypted by the private key.
F.
The private key is used to decrypt the message that was encrypted by the public key.

Answer: C,D,F
Explanation:

RSA involves a public key and a private key. The public key can be known by everyone and is used
for encrypting messages. Messages encrypted with the public key can only be decrypted in a
reasonable amount of time using the private key. The keys are generated as follows: choose two
large primes p and q, compute n = pq and φ(n) = (p − 1)(q − 1), pick a public exponent e that is
coprime to φ(n), and compute the private exponent d = e^-1 mod φ(n).
The public key consists of the modulus n and the public (or encryption) exponent e. The private
key consists of the modulus n and the private (or decryption) exponent d, which must be kept
secret. p, q, and φ(n) must also be kept secret because they can be used to calculate d. In
practice RSA is never used on raw message integers as described here; a padding scheme such
as OAEP is required to make encryption secure.
Reference: http://en.wikipedia.org/wiki/RSA_%28cryptosystem%29

QUESTION NO: 325


Refer to the exhibit.

Which item is not authenticated by ESP in tunnel mode?
A.
ESP header
B.
ESP trailer
C.
New IP header
D.
Original IP header
E.
Data
F.
TCP-UDP header

Answer: C
Explanation:

ESP authenticates the ESP header, the encrypted payload (which in tunnel mode includes the
original IP header, the TCP/UDP header and the data) and the ESP trailer, but it does not cover the
new outer IP header that carries the packet across the untrusted network. AH, by contrast,
authenticates as much of the outer IP header as possible, excluding only the mutable fields (TTL,
header checksum, and so on) whose values at the receiver the sender cannot predict, so the
protection AH gives the IP header is piecemeal. ESP protects IP header fields only where they are
encapsulated inside it, as the original header is in tunnel mode; when the outer header itself must
be authenticated, AH is required.
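The tunnel-mode layout discussed in this question and in question 323 above, as an added worked example that is not code from the original page. It assembles an ESP packet field by field so the three regions can be checked: the outer IP header (clear, unauthenticated), the ESP header (clear, authenticated) and the encrypted, authenticated payload with its trailer. The cipher is a toy HMAC-based keystream chosen so the example has no dependencies; it is not an IETF ESP transform, and the keys, addresses and inner packet are constructed sample data.

```python
"""ESP tunnel-mode packet layout (RFC 4303), added as a worked example for the two ESP
questions above; it is not code from the original page. It shows which bytes ESP encrypts,
which it authenticates, and which it leaves in the clear and unauthenticated (the new outer
IP header). The cipher here is an HMAC-SHA256 counter-mode keystream chosen only to keep the
example dependency-free and make the encrypted region visible; it is not an IETF ESP
transform, and real SAs use AES-GCM or AES-CBC with HMAC. Keys, addresses and the inner
packet are constructed sample data."""
import hashlib
import hmac
import struct

IP_PROTO_ESP = 50
NEXT_HEADER_IPV4 = 4   # tunnel mode: the protected payload is a complete IPv4 packet
ICV_LEN = 16           # truncated HMAC, as HMAC-SHA-256-128 would produce


def keystream(key: bytes, spi: int, seq: int, length: int) -> bytes:
    """Toy PRF keystream: concatenated HMAC(key, spi || seq || block counter) outputs."""
    blocks = []
    for counter in range((length + 31) // 32):
        blocks.append(hmac.new(key, struct.pack("!IIQ", spi, seq, counter), hashlib.sha256).digest())
    return b"".join(blocks)[:length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def outer_ipv4_header(src: bytes, dst: bytes, payload_len: int, ttl: int = 64) -> bytes:
    """20-byte new IP header; checksum left zero because it is not what this example checks."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, IP_PROTO_ESP, 0, src, dst)


def esp_encapsulate(inner: bytes, spi: int, seq: int, enc_key: bytes, auth_key: bytes,
                    outer_src: bytes, outer_dst: bytes) -> bytes:
    # ESP trailer: padding to a 4-byte boundary, then pad length and next header
    pad_len = (-(len(inner) + 2)) % 4
    plaintext = inner + bytes(range(1, pad_len + 1)) + bytes([pad_len, NEXT_HEADER_IPV4])
    esp_header = struct.pack("!II", spi, seq)        # SPI and sequence number: sent in the clear
    ciphertext = xor_bytes(plaintext, keystream(enc_key, spi, seq, len(plaintext)))
    # The ICV covers the ESP header and the ciphertext, never the outer IP header
    icv = hmac.new(auth_key, esp_header + ciphertext, hashlib.sha256).digest()[:ICV_LEN]
    esp = esp_header + ciphertext + icv
    return outer_ipv4_header(outer_src, outer_dst, len(esp)) + esp


def esp_decapsulate(packet: bytes, enc_key: bytes, auth_key: bytes) -> dict:
    """Verify the ICV before decrypting; return the recovered inner packet when it checks out."""
    ihl = (packet[0] & 0x0F) * 4
    esp = packet[ihl:]
    esp_header, ciphertext, icv = esp[:8], esp[8:-ICV_LEN], esp[-ICV_LEN:]
    spi, seq = struct.unpack("!II", esp_header)
    expected = hmac.new(auth_key, esp_header + ciphertext, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        return {"spi": spi, "seq": seq, "icv_ok": False, "inner": None, "next_header": None}
    plaintext = xor_bytes(ciphertext, keystream(enc_key, spi, seq, len(ciphertext)))
    pad_len, next_header = plaintext[-2], plaintext[-1]
    inner = plaintext[:len(plaintext) - 2 - pad_len]
    return {"spi": spi, "seq": seq, "icv_ok": True, "inner": inner, "next_header": next_header}


if __name__ == "__main__":
    enc, auth = b"\x11" * 32, b"\x22" * 32
    inner = b"\x45\x00\x00\x1f" + b"\x00" * 16 + b"secret data"   # constructed inner IPv4 packet
    pkt = esp_encapsulate(inner, 0x1000, 1, enc, auth, bytes([198, 51, 100, 1]), bytes([203, 0, 113, 1]))
    print("inner header/data visible on the wire:", inner in pkt)
    print("SPI visible in the clear:", pkt[20:24].hex())
    ttl_changed = pkt[:8] + bytes([63]) + pkt[9:]
    print("outer TTL change breaks the ICV:", not esp_decapsulate(ttl_changed, enc, auth)["icv_ok"])
```

Decrementing the outer TTL leaves the ICV valid, which is what lets ESP traverse routers and NAT devices that rewrite the outer header, while any change to the SPI, sequence number or ciphertext fails verification. The receiver verifies before it decrypts, the order RFC 4303 requires, so a forged packet is rejected without ever reaching the decryption step.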

QUESTION NO: 326


Which two statements correctly describe ASA resource management in multiple context mode?
(Choose two.)
A.
The class sets the resource maximum limit for a context to which it belongs.
B.
A resource cannot be oversubscribed or set to be unlimited in the class.
C.
The resource limit can only be set as a percentage in the class and not as an absolute value.
D.
Context belongs to a default class if not assigned to any other class.
E.
The default class provides unlimited access for all the resources.

Answer: A,D
Explanation:
By default, all security contexts have unlimited access to the resources of the ASA, except where
maximum limits per context are enforced; the only exception is VPN resources, which are disabled
by default. If you find that one or more contexts use too many resources, and they cause other
contexts to be denied connections, for example, then you can configure resource management to
limit the use of resources per context. For VPN resources, you must configure resource
management to allow any VPN tunnels. In a multi-tenant deployment this is the control that keeps
one busy or compromised context from exhausting shared connections, translations or hosts and
denying service to the others.
All contexts belong to the default class if they are not assigned to another class; you do not have
to actively assign a context to the default class. If a context belongs to a class other than the
default class, those class settings always override the default class settings. However, if the other
class has any settings that are not defined, then the member context uses the default class for
those limits. For example, if you create a class with a 2 percent limit for all concurrent connections,
but no other limits, then all other limits are inherited from the default class. Conversely, if you
create a class with a limit for all resources, the class uses no settings from the default class.
Limits can be set as an absolute value or as a percentage, and a class may be oversubscribed or
set to unlimited, which is why options B and C are false.
Reference: http://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/ha_contexts.html#40167

QUESTION NO: 327


Event Action Rule is a component of which IPS application?
A.
InterfaceApp
B.
MainApp
C.
SensorApp
D.
NotificationApp
E.
AuthenticationApp
F.
SensorDefinition

Answer: C
Explanation:

Event action rules are a group of settings you configure for the event action processing component
of the sensor. These rules dictate the actions the sensor performs when an event occurs.
The event action processing component is responsible for the following functions:

Calculating the risk rating

Adding event action overrides

Filtering event action

Executing the resulting event action

Summarizing and aggregating events

Maintaining a list of denied attackers


Reference: http://www.cisco.com/c/en/us/td/docs/security/ips/60/configuration/guide/cli/cliguide/cliEvAct.html

QUESTION NO: 328


For what reason is BVI required in the Transparent Cisco IOS Firewall?
A.
BVI is required for the inspection of IP traffic.
B.
BVI is required if routing is disabled on the firewall.
C.
BVI is required if more than two interfaces are in the same bridge group.
D.
BVI is required for the inspection of non-IP traffic.
E.
BVI cannot be used to manage the device.

Answer: C
Explanation:
Here are a few important limitations to be aware of:
References: :http://www.enterprisenetworkingplanet.com/netsp/article.php/3769801/IOSTransparent-Firewalling-Simplifies-Your-Network.htm

QUESTION NO: 329


Depending on configuration, which of the following two behaviors can the ASA classifier exhibit
when receiving unicast traffic on an interface shared by multiple contexts? (Choose two.)
A.
Traffic is classified using the destination address of the packet using the connection table.
B.
Traffic is classified using the destination address of the packet using the NAT table.
C.
Traffic is classified using the destination address of the packet using the routing table.
D.
Traffic is classified by copying and sending the packet to all the contexts.
E.
Traffic is classified using the destination MAC address of the packet.

Answer: B,E
Explanation:
When an interface is shared by several contexts, the ASA classifier must decide which context owns
each incoming packet. For unicast traffic it uses one of two lookups. If the contexts have unique
MAC addresses on the shared interface (mac-address auto, or addresses assigned manually), the
destination MAC address of the frame selects the context. Otherwise the classifier falls back to the
NAT configuration and matches the destination IP address of the packet against the translated
addresses (the NAT table) of each context. The connection table and the routing table are not
used to classify a new packet, and packets are not copied to every context. Because the NAT
method works only when every destination is translated, Cisco recommends unique MAC
addresses on shared interfaces.

QUESTION NO: 330


Which Cisco IPS appliance signature engine inspects IPv6 Layer 3 traffic?
A.
Atomic IP
B.
Meta
C.
Atomic IP Advanced
D.
Fixed
E.
Service

Answer: C
Explanation:

Atomic: The Atomic engines are now combined into four engines with multi-level selections. You
can combine Layer 3 and Layer 4 attributes within one signature, for example IP + TCP. The
Atomic engine uses the standardized Regex support.

Atomic ARP: Inspects Layer 2 ARP protocol. The Atomic ARP engine is different because most
engines are based on Layer 3 IP protocol.

Atomic IP Advanced: Inspects IPv6 Layer 3 and ICMPv6 Layer 4 traffic.

Atomic IP: Inspects IP protocol packets and associated Layer 4 transport protocols. This engine
lets you specify values to match for fields in the IP and Layer 4 headers, and lets you use Regex to
inspect Layer 4 payloads.
Reference: http://www.cisco.com/c/en/us/td/docs/security/ips/70/configuration/guide/cli/cliguide7/cli_signature_engines.html#wp1014328

QUESTION NO: 331


Which statement about the TACACS+ AV pair is true?
A.
AV pair value is integer.
B.
Cisco ACS does not support accounting AV pairs.
C.
AV pair values could be both strings and integers.
D.
AV pair does not have value type.

Answer: D
Explanation:
All TACACS+ values are strings. The concept of value "type" does not exist in TACACS+ as it
does in Remote Access Dial-In User Service (RADIUS).
Reference: http://www.cisco.com/en/US/products/sw/secursw/ps5338/products_user_guide_chapter09186a0080204ccc.html

QUESTION NO: 332


In Cisco IOS firewall the HTTP inspection engine has the ability to protect against which of the
following?
A.
Tunneling over port 443.
B.
Tunneling over port 80.
C.
HTTP file transfers authorized by the configured security policy.
D.
Authorized request methods.

Answer: B
Explanation:
The HTTP Inspection Engine feature allows users to configure their Cisco IOS Firewall to detect
and prohibit HTTP connections--such as tunneling over port 80, unauthorized request methods,
and non-HTTP compliant file transfers--that are not authorized within the scope of the security
policy configuration. Tunneling unauthorized protocols through port 80 and over HTTP exposes a
network to significant security risks.
Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/https/configuration/15-mt/https-15mt-book/nm-https-inspection-engine.html

QUESTION NO: 333


Refer to the exhibit.

Which option describes the behavior of the ACL if it is applied inbound on E0/0?
A.
The ACL will drop both initial and noninitial fragments for port 80 only.
B.
The ACL will pass both initial and noninitial fragments for port 80 only.
C.
The ACL will pass the initial fragment for port 80 but drop the noninitial fragment for any port.
D.
The ACL will drop the initial fragment for port 80 but pass the noninitial fragment for any port.

Answer: C
Explanation:
The first packet (the initial fragment) is permitted, but the remaining packets (the noninitial fragments) are dropped because the topmost access-list entry has an action of denying that traffic.

QUESTION NO: 334


Which two statements about the storm control implementation on the switch are true? (Choose
two.)
A.
Traffic storm level is the percentage of total available bandwidth of the port.
B.
Traffic storm level is the rate at which layer 3 traffic is received on the port.
C.
Traffic storm control monitors only the broadcast traffic.
D.
Traffic storm control monitors the broadcast, multicast, and unicast traffic.
E.
Traffic storm level is the rate at which layer 2 traffic is received on the port.
F.
A lower storm control level means more traffic is allowed to pass through.

Answer: A,D
Explanation:

A traffic storm occurs when packets flood the LAN, creating excessive traffic and degrading
network performance. The traffic storm control feature prevents LAN ports from being disrupted by
a broadcast, multicast, or unicast traffic storm on physical interfaces.
Traffic storm control (also called traffic suppression) monitors incoming traffic levels over a 1-second traffic storm control interval, and during the interval it compares the traffic level with the traffic storm control level that you configure. The traffic storm control level is a percentage of the total available bandwidth of the port. Each port has a single traffic storm control level that is used for all types of traffic (broadcast, multicast, and unicast).
Traffic storm control monitors the level of each traffic type for which you enable traffic storm control in 1-second traffic storm control intervals.
References: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/122SX/configuration/guide/book/storm.html

QUESTION NO: 335


Refer to the exhibit.

Why does the Easy VPN session fail to establish between the client and server?
A.
Incomplete ISAKMP profile configuration on the server
B.
Incorrect IPsec phase-2 configuration on the server
C.
Incorrect group configuration on the client
D.
ISAKMP key mismatch
E.
Incorrect virtual-template configuration on the server

Answer: A
Explanation:
Under the ISAKMP configuration on the server, this command is missing:
isakmp configuration address respond
If this command is not applied, the client will not be able to obtain an IP address from the IP pool defined on the server.

QUESTION NO: 336


Refer to the exhibit.

Why is there no encrypted session between host 10.10.10.1 and 20.20.20.1?


A.
Incorrect or missing phase 2 configuration on the server.
B.
Incorrect or missing Virtual-Template configuration on the server.
C.
Incorrect or missing phase 1 configuration on server.
D.
Incorrect or missing Virtual-Template configuration on the client.
E.
Incorrect or missing group configuration on the server.

Answer: E
Explanation:

Phase 1 of the tunnel comes up, but phase 2 does not negotiate. This is because of the incorrect group configuration on the server.

QUESTION NO: 337


Which three types of traffic are generally policed via CoPP policies? (Choose three.)
A.
Transit traffic
B.
Routing protocol traffic
C.
IPsec traffic
D.
Traffic that is destined to any of the device's interfaces.
E.
Traffic from a management protocol such as Telnet or SNMP

Answer: B,D,E
Explanation:

References: http://www.cisco.com/web/about/security/intelligence/coppwp_gs.html

QUESTION NO: 338
Refer to the exhibit.

Why is there no encrypted session between host 10.10.10.1 and 20.20.20.1?


A.
Incorrect or missing group configuration on the client.
B.
Incorrect or missing phase 2 configuration on the server.
C.
Incorrect or missing Virtual-Template configuration on the server.
D.
Incorrect or missing phase 1 configuration on server.
E.
Incorrect or missing Virtual-Template configuration on the client.
F.
Incorrect or missing group configuration on the server.

Answer: E
Explanation:
Phase 1 of the tunnel comes up, but phase 2 does not negotiate. This is because of the incorrect group configuration on the server.

QUESTION NO: 339


Refer to the exhibit.

Which option describes the behavior of the ACL if it is applied inbound on E0/0?
A.
The ACL will drop both initial and noninitial fragments for port 80 only.
B.
The ACL will pass both initial fragments for port 80 and non-initial fragments.
C.
The ACL will pass the initial fragment for port 80 but drop the noninitial fragment for any port.
D.
The ACL will drop the initial fragment for port 80 but pass the noninitial fragment for any port.

Answer: B
Explanation:
The first packet (the initial fragment) is permitted, but the remaining packets (the noninitial fragments) are dropped because the topmost access-list entry has an action of denying that traffic.

QUESTION NO: 340


Refer to the exhibit.

Which AS-PATH access-list regular expression should be applied on R2 to allow only updates that
originate from AS-65001 or an AS that attaches directly to AS-65001?
A.
^65001_[0-9]*$
B.
_65001^[0-9]*
C.
65001_[0.9]$
D.
^65001_*$

Answer: A
Explanation:
In option A, ^65001_ anchors AS 65001 as the first (directly peered) AS in the path, [0-9]* allows at most one further AS number after the delimiter, and $ ends the path, so only paths of the form "65001" or "65001 <one AS>" are permitted. Please refer to the link given to understand the regular expressions and the permitting of updates.
References: http://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/13754-26.html
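As an added illustration that is not part of the original dump, the following Python rewrites a Cisco AS-path regular expression as a Python regex (expanding the Cisco `_` shorthand into the delimiters it stands for) and applies option A's pattern to a few constructed AS paths as R2 would see them; the helper names and sample paths are my own, not Cisco's.

```python
import re

# Cisco's "_" shorthand in an AS-path regex matches any delimiter: the start or
# end of the path string, a space, or a brace/parenthesis around AS sets and
# confederation segments. (Assumed equivalence written for this example.)
UNDERSCORE_CLASS = r"(?:^|$|[ {}()])"


def cisco_aspath_to_python(pattern: str) -> str:
    """Rewrite a Cisco AS-path regex as an equivalent Python regex.

    Only "_" needs translating; ^ $ [ ] * . ? + and digits mean the same thing
    in both dialects.
    """
    return pattern.replace("_", UNDERSCORE_CLASS)


def aspath_matches(cisco_pattern: str, as_path: str) -> bool:
    """Return True when the AS path (space-separated ASNs, leftmost = the
    directly peered AS, rightmost = the originating AS) matches the pattern."""
    return re.search(cisco_aspath_to_python(cisco_pattern), as_path) is not None


def permitted_updates(cisco_pattern: str, as_paths):
    """Filter AS paths the way an 'ip as-path access-list ... permit <regex>'
    entry would, returning the paths that pass the filter."""
    return [p for p in as_paths if aspath_matches(cisco_pattern, p)]


# Constructed sample AS paths, as R2 would see them via its neighbor AS 65001.
SAMPLE_PATHS = [
    "65001",              # originated by the direct neighbor AS 65001
    "65001 65002",        # originated by 65002, which attaches to 65001
    "65001 65002 65003",  # originated two hops beyond 65001: must be filtered
    "65002 65001",        # learned via another neighbor; 65001 is not first
    "650011",             # shows why "_" matters: 650011 is not 65001
]

if __name__ == "__main__":
    # Option A keeps the first two paths; option D (^65001_*$) keeps only "65001".
    for pattern in ("^65001_[0-9]*$", "^65001_*$"):
        print(pattern, "->", permitted_updates(pattern, SAMPLE_PATHS))
```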

QUESTION NO: 341


What is the purpose of aaa server radius dynamic-author command?
A.
Enables the device to dynamically receive updates from a policy server
B.
Enables the switch to automatically authorize the connecting device if all the configured RADIUS
servers are unavailable
C.
Impairs the ability to configure RADIUS local AAA
D.
This command disables dynamic authorization local server configuration mode.

Answer: A
Explanation:
Dynamic authorization allows an external policy server to dynamically send updates to a device. Once the aaa server radius dynamic-author command is configured, dynamic authorization local server configuration mode is entered. Once in this mode, the RADIUS application commands can be configured.
References: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/a1/sec-a1-xe-3se-3850-cr-book/sec-a1-xe-3se-3850-cr-book_chapter_01.html

QUESTION NO: 342


On Cisco routers, there are two mutually exclusive types of RSA key pairs: special-usage keys
and general-purpose keys. When you generate RSA key pairs, you are prompted to select either
special-usage keys or general-purpose keys. Which set of statements is true?
A.
If you generate special-usage keys, two pairs of RSA keys are generated. One pair is used with
any IKE policy that specifies RSA signatures as the authentication method. The other pair is used
with any IKE policy that specifies RSA encrypted keys as the authentication method.
B.
If you generate a named key pair, only one pair of RSA keys is generated. This pair is used with
IKE policies that specify either RSA signatures or RSA encrypted keys. Therefore, a general-purpose key pair might be used more frequently than a special-usage key pair.
C.
If you generate general-purpose keys, you must also specify the usage-key keyword or the
general-key keyword. Named key pairs allow you to have multiple RSA key pairs, enabling the
Cisco IOS Software to maintain a different key pair for each identity certificate.
D.
special-usage key pair is default in Cisco IOS

Answer: A
Explanation:

general-keys: Specifies that a general-purpose key pair will be generated, which is the default.
usage-keys: Specifies that two RSA special-usage key pairs, one encryption pair and one signature pair, will be generated.
If you generate special-usage keys, two pairs of RSA keys are generated. One pair is used with any IKE policy that specifies RSA signatures as the authentication method. The other pair is used with any IKE policy that specifies RSA encrypted keys as the authentication method.

QUESTION NO: 343


Cisco firewalls and routers can respond to a TCP SYN packet that is destined for a protected
resource, by using a SYN-ACK packet to validate the source of the SYN packet. What is this
feature called?
A.
IP reverse path verification
B.
TCP reverse path verification
C.
TCP sequence number randomization
D.
TCP intercept

Answer: D
Explanation:
The TCP intercept feature is a mechanism to protect the end hosts from TCP SYN-flooding attacks, a type of DoS attack.
A SYN-flooding attack occurs when a hacker floods a server with a barrage of requests for connection. Because these messages have unreachable return addresses, the connections cannot be established. The resulting volume of unresolved open connections eventually overwhelms the server and can cause it to deny service to valid requests, thereby preventing legitimate users from connecting to a web site, accessing e-mail, using FTP service, and so on.
The TCP intercept feature helps prevent SYN-flooding attacks by intercepting and validating TCP connection requests.
References: https://supportforums.cisco.com/document/12021641/tcp-intercept-feature-asa-device

QUESTION NO: 344


Refer to the exhibit.

Which set of commands is required on an ASA to fix the problem that the exhibit shows?
A.
ciscoasa(config)# webvpn
ciscoasa(config-webvpn)# enable <outside-interface-name>
ciscoasa(config)# webvpn
B.
ciscoasa(config-webvpn)# anyconnect enable
ciscoasa(config)# webvpn
ciscoasa(config-webvpn)# enable <outside-interface-name>
C.
ciscoasa(config-webvpn)# anyconnect enable
ciscoasa(config)# webvpn
D.
ciscoasa(config-webvpn)# anyconnect enable
ciscoasa(config-webvpn)# anyconnect image <anyconnect-package-file-location> 1

Answer: B
Explanation:
The message on the client shows that the AnyConnect configuration has been done but has not been enabled on the ASA. It must be enabled in two places: first by entering the anyconnect enable command, and second by entering webvpn configuration mode and enabling it on the interface on which you want it.

QUESTION NO: 345


Refer to the exhibit.

Client1 has an IPsec VPN tunnel established to a Cisco ASA adaptive security appliance in
Chicago. The remote access VPN client wants to access www.cisco.com, but split tunneling is
disabled. Which of these is the appropriate configuration on the Cisco ASA adaptive security
appliance if the VPN client's public IP address is 209.165.201.10 and it is assigned a private
address from 192.168.1.0/24?
A.
same-security-traffic permit intra-interface
ip local pool ippool 192.168.1.1-192.168.1.254
global (outside) 1 209.165.200.230
nat (inside) 1 192.168.1.0 255.255.255.0
B.
same-security-traffic permit intra-interface
ip local pool ippool 192.168.1.1-192.168.1.254
global (outside) 1 209.165.200.230
nat (outside) 1 192.168.1.0 255.255.255.0
C.
same-security-traffic permit intra-interface
ip local pool ippool 192.168.1.1-192.168.1.254
global (inside) 1 209.165.200.230
nat (inside) 1 192.168.1.0 255.255.255.0
D.
same-security-traffic permit intra-interface
ip local pool ippool 192.168.1.1-192.168.1.254
global (outside) 1 209.165.200.230
nat (outside) 1 209.165.201.10 255.255.255.255
E.
same-security-traffic permit intra-interface
ip local pool ippool 192.168.1.1-192.168.1.254
global (outside) 1 209.165.200.230
nat (inside) 1 209.165.201.10 255.255.255.255
F.
same-security-traffic permit intra-interface
ip local pool ippool 192.168.1.1-192.168.1.254
global (inside) 1 209.165.200.230
nat (inside) 1 209.165.201.10 255.255.255.255

Answer: B
Explanation:
The command same-security-traffic permit intra-interface allows traffic to leave the same interface on which it arrived. If this command is not applied, the ASA drops the packet, treating it as malicious traffic. The pool configuration command is the same in all the options. For the traffic coming in from 192.168.1.0/24, you need to specify the global IP so that it can go out to the Internet using the public IP 209.165.200.230. You can do this with the commands:
global (outside) 1 209.165.200.230
nat (outside) 1 192.168.1.0 255.255.255.0
Here nat (outside) is used because the VPN user sits on the outside interface and is trying to access the Cisco website, which is reachable through the same interface.
References: http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/67986-pix7x-asa-client-stick.html

QUESTION NO: 346
Which statement about the Cisco Secure Desktop hostscan endpoint assessment feature is true?
A.
Advanced endpoint assessment gives you the ability to turn on an antivirus active scan function if
it has been disabled.
B.
Advanced endpoint assessment cannot force the antivirus software to automatically update the dat
file if it has not been updated in n days.
C.
With basic endpoint assessment, you cannot check for multiple antivirus vendors products and
version.
D.
Advanced endpoint assessment cannot enable the firewall if it has been disabled.

Answer: A
Explanation:

You can configure a scan for antivirus, personal firewall, and antispyware applications and
updates as a condition for the completion of a Cisco AnyConnect or clientless SSL VPN
connection. Following the prelogin assessment, CSD loads Endpoint Assessment checks and
reports the results back to the security appliance for use in assigning a DAP.
To enable or disable Host Scan Extensions:

Step 1
Choose Secure Desktop Manager > Host Scan.
Step 2
Check one of the following options in the Host Extensions area of the Host Scan window:

Endpoint Assessment: If you check this option, the remote PC scans for a large collection of antivirus, antispyware, and personal firewall applications, and associated updates.

Advanced Endpoint Assessment: This option is present only if the configuration includes a key for an Advanced Endpoint Assessment license. It includes all of the Endpoint Assessment features, and lets you configure an attempt to update noncompliant PCs to meet the version requirements you specify. To turn on this option after acquiring a key from Cisco, choose Configuration > Device Management > System Image/Configuration > Activation Key, enter the key in the New Activation Key field, and click Update Activation Key.
When you check this option, Secure Desktop Manager inserts a check mark next to both options.
To disable the host scan extensions, uncheck both options in the Host Extensions area of the Host Scan window.
References: http://www.cisco.com/c/en/us/td/docs/security/csd/csd341/configuration/guide/Book/CSDhscan.html

QUESTION NO: 347


Which port is used by default to communicate between VPN load-balancing ASAs?
A.
TCP 9022
B.
UDP 9023
C.
TCP 9023
D.
UDP 9022

Answer: B
Explanation:

hostname(config-load-balancing)# cluster port port_number
hostname(config-load-balancing)#
This command specifies the UDP port for the virtual cluster in which this device is participating. The default value is 9023. If another application is using this port, enter the UDP destination port number you want to use for load balancing.
References: http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/vpnsysop.html
QUESTION NO: 348


Which three statements apply to the behavior of Cisco AnyConnect client auto-reconnect?
(Choose three.)
A.
By default, Cisco AnyConnect attempts to re-establish a VPN connection when you lose
connectivity to the secure gateway.
B.
With respect to VPN load balancing and Cisco AnyConnect reconnect, the client reconnects to the
cluster member with the highest priority.
C.
Cisco AnyConnect reconnects when the network interface changes, whether the IP of the NIC
changes or whether connectivity switches from one NIC to another; for example, wireless to wired
or vice versa.
D.
With respect to VPN load balancing and Cisco AnyConnect reconnect, the client reconnects
directly to the cluster member to which it was previously connected.
E.
By default, Cisco AnyConnect attempts to re-establish a VPN connection following a system
resume.

Answer: A,C,D
Explanation:

Unlike the IPsec VPN client, AnyConnect can recover from VPN session disruptions and can reestablish a session, regardless of the media used for the initial connection. For example, it can reestablish a session on wired, wireless, or 3G. The auto reconnect function is enabled by default. You can also define the reconnect behavior during and after system suspend or system resume. A system suspend is a low-power standby, Windows hibernation, or Mac OS or Linux sleep. A system resume is a recovery following a system suspend. Cisco AnyConnect reconnects when the network interface changes, whether the IP of the NIC changes or whether connectivity switches from one NIC to another; for example, wireless to wired or vice versa.

QUESTION NO: 349


You are trying to set up a site-to-site IPsec tunnel between two Cisco ASA adaptive security
appliances, but you are not able to pass traffic. You try to troubleshoot the issue by enabling
debug crypto isakmp and see the following messages:
CiscoASA# debug crypto isakmp
[IKEv1]: Group = 209.165.200.231, IP = 209.165.200.231, Tunnel Rejected: Conflicting protocols specified by tunnel-group and group-policy
[IKEv1]: Group = 209.165.200.231, IP = 209.165.200.231, QM FSM error (P2 struct &0xb0cf31e8, mess id 0x97d965e5)!
[IKEv1]: Group = 209.165.200.231, IP = 209.165.200.231, Removing peer from correlator table failed, no match!
What could be the potential problem?
A.
The policy group mapped to the site-to-site tunnel group is configured to use both IPsec and SSL
VPN tunnels.
B.
The policy group mapped to the site-to-site tunnel group is configured to use both IPsec and L2TP
over IPsec tunnels.
C.
The policy group mapped to the site-to-site tunnel group is configured to just use the SSL VPN
tunnel.
D.
The site-to-site tunnel group is configured to use both IPsec and L2TP over IPsec tunnels.
E.
The site-to-site tunnel group is configured to just use the SSL VPN tunnel.

Answer: C
Explanation:
The debug message QM FSM error (P2 struct) indicates that the phase 2 negotiation failed; in phase 2 there can be various reasons for a failed negotiation.
Furthermore, the other message, Tunnel Rejected: Conflicting protocols specified by tunnel-group and group-policy, shows that IPsec is not defined as the tunnel protocol on one end.

QUESTION NO: 350


When you work on a change-management process, you generally identify potential change,
review the change request, implement change, then review the change and close the process. In
which step should the stakeholder be involved?
A.
Identifying potential change
B.
Reviewing the change request
C.
Implementation
D.
Reviewing and closing
E.
Depends on the stakeholder request

Answer: E
Explanation:

Whenever a change is planned, the stakeholder needs to be updated about it. Once you share the complete scenario with the stakeholder, it depends entirely on the stakeholder where he wants to get involved.

QUESTION NO: 351


Many guidelines can be used to identify the areas that security policies should cover. In which four
areas is coverage most important? (Choose four.)
A.
Physical
B.
Host
C.
User
D.
Document
E.
Incident handling and response
F.
Security awareness training

Answer: A,B,C,D
Explanation:
Although all six options are good enough to be selected as answers, the closest ones are
Physical, Host, User and Document.

QUESTION NO: 352


Refer to the exhibit.

Based on the show command output, which statement is true?


A.
A NAT/PAT device is translating the local VPN endpoint.
B.
A NAT/PAT device is translating the remote VPN endpoint.
C.
A NAT/PAT device exists in the path between VPN endpoints.
D.
No NAT/PAT device exists in the path between VPN endpoints.

Answer: C
Explanation:
The output contains the line in use settings = {Tunnel UDP-Encaps, }; this UDP encapsulation is used whenever there is a NAT device in between the VPN endpoints.

QUESTION NO: 353


interface tunnel 1
ip address 10.1.1.1 255.255.255.252
ip mtu 1400
tunnel source 172.16.1.1
tunnel destination 172.16.1.2
tunnel key 1111
Based on the above configuration, if the input packet size is 1300 bytes, what is the size of the packet that leaves the tunnel after encapsulation?
A.
1324
B.
1325
C.
1326
D.
1328

Answer: D
Explanation:
1328 is the correct answer. GRE adds 28 bytes of overhead here: 20 bytes of outer IP header, 4 bytes of basic GRE header, and the additional 4-byte Key field (which is not typically included in the GRE header when using a point-to-point tunnel without a key), so 1300 + 28 = 1328 bytes.

QUESTION NO: 354


You run the show ipv6 port-map telnet command and you see that the port 23 (system-defined)
message and the port 223 (user-defined) message are displayed. Which command is in the router
configuration?
A.
ipv6 port-map port telnet 223
B.
ipv6 port-map port 23 port 23223
C.
ipv6 port-map telnet port 23 233
D.
ipv6 port-map telnet port 223

Answer: D
Explanation:
Port-to-Application Mapping (PAM), which exists in Cisco IOS, allows you to customize TCP or UDP port numbers for network services or applications. Using the port information, PAM establishes a table of default port-to-application mapping information at the firewall. The information in the PAM table enables Context-based Access Control (CBAC) supported services to run on nonstandard ports. PAM also supports host- or subnet-specific port mapping, which allows you to apply PAM to a single host or subnet using standard ACLs. For example, create an access list and then apply it:
Router1(config)# ipv6 port-map application-name port port [list acl-name]

QUESTION NO: 355


At the end of the Cisco TrustSec authentication process, which three pieces of information do both
authenticator and supplicant know? (Choose three.)
A.
Peer device ID
B.
Peer Cisco TrustSec capability information
C.
SAP key
D.
Server device ID
E.
Service ID
F.
Server peers information

Answer: A,B,C
Explanation:

Device Identities
Cisco TrustSec does not use IP addresses or MAC addresses as device identities. Instead, you assign a name (device ID) to each Cisco TrustSec-capable switch to identify it uniquely in the Cisco TrustSec domain. This device ID is used for the following:
Looking up the authorization policy
Looking up passwords in the databases during authentication

Security Association Protocol (SAP) negotiation: When both sides of a link support encryption, the supplicant and the authenticator negotiate the necessary parameters to establish a security association (SA).
One endpoint device and one networking device are outside the domain because they are not Cisco TrustSec-capable devices or because they have been refused access. The authentication server is considered to be outside of the Cisco TrustSec domain; it is either a Cisco Identity Services Engine (Cisco ISE) or a Cisco Secure Access Control System (Cisco ACS).

QUESTION NO: 356


You are preparing Control Plane Protection configurations for implementation on the router, which
has the EBGP peering address 1.1.1.2. Which ACL statement can you use to classify the related
traffic into the EBGP traffic compartment?
A.
permit tcp host 1.1.1.1 gt 1024 host 1.1.1.2 eq bgp
permit tcp host 1.1.1.1 eq bgp host 1.1.1.2 gt 1024
B.
permit tcp host 1.1.1.2 gt 1024 host 1.1.1.2 eq bgp
permit tcp host 1.1.1.2 eq bgp host 1.1.1.2 gt 1024
C.
permit tcp host 10.1.1.1 gt 1024 host 10.1.1.2 eq bgp
permit tcp host 10.1.1.1 eq bgp host 10.1.1.2 gt 1024
D.
permit tcp host 1.1.1.1 gt 1024 host 1.1.1.1 eq bgp
permit tcp host 1.1.1.1 eq bgp host 1.1.1.1 gt 1024

Answer: A
Explanation:

The Control Plane Protection feature is an extension of the policing functionality provided by the
existing Control-plane Policing feature. The Control-plane Policing feature allows Quality of
Service (QoS) policing of aggregate control-plane traffic destined to the route processor. The
Control Plane Protection feature extends this policing functionality by allowing finer policing
granularity.
References: http://www.cisco.com/web/about/security/intelligence/coppwp_gs.html

QUESTION NO: 357


Which command enables fast-switched PBR?
A.
Router(config-if)# ip route-cache policy
B.
Router(config-if)# ip policy route-map map-tag
C.
Router(config-if)# no ip route-cache policy
D.
Router(config-if)# no ip policy route-map map-tag

Answer: A
Explanation:

Enables fast-switching for packets that are forwarded using Policy Based Routing (PBR) - Not
required if CEF is enabled, since modern IOS codes do PBR in CEF - No special configuration is
required to enable CEF-switched PBR, it is on by default since IOS 12.0 as soon as you enable
CEF and PBR on the router.

QUESTION NO: 358


Which of these configurations shows how to configure MPP when only SSH, SNMP, and HTTP
are allowed to access the router through the Gigabit Ethernet 0/3 interface and only HTTP is
allowed to access the router through the Gigabit Ethernet 0/2 interface?
A.
Router(config-cp-host)# management-interface GigabitEthernet 0/3 allow http ssh snmp
Router(config-cp-host)# management-interface GigabitEthernet 0/2 allow http
B.
Router(config-cp-host)# management-interface GigabitEthernet 0/3 allow http ssh tftp snmp
Router(config-cp-host)# management-interface GigabitEthernet 0/2 allow http
C.
Router(config-cp-host)# management-interface GigabitEthernet 0/3 allow http ssh snmp
Router(config-cp-host)# management-interface GigabitEthernet 0/2 allow http ssh
D.
Router(config-cp-host)# management-interface GigabitEthernet 0/3 http ssh snmp
Router(config-cp-host)# management-interface GigabitEthernet 0/2 http

Answer: A
Explanation:

QUESTION NO: 359


Which series of steps illustrates the correct flow for incident management?
A.
Identify, log, categorize, prioritize, initial diagnosis, escalate, investigate and diagnose, resolve and
recover, close
B.
Categorize, log, identify, prioritize, initial diagnosis, escalate, investigate and diagnose, resolve
and recover, close
C.
Identify, log, categorize, prioritize, initial diagnosis, investigate and diagnose, escalate, resolve and
recover, close
D.
Identify, categorize, prioritize, log, initial diagnosis, escalate, investigate and diagnose, resolve and
recover, close

Answer: A
Explanation:

The correct answer to this question is 1, however students often disagree with that answer choice. The rationale behind the answer is simply, "The correct order is given in the diagram in the incident management process, and in the subsections of [SO] 4.2.5." In this post, I will provide a better explanation of why choice a is the correct answer.
First of all, the flow of activities in the incident management process is described in the Service Operation book section 4.2.5, and shown visually in Figure 4.3. Figure 4.3 shows the following flow of activities for incident management:

As shown in Figure 4.3, the correct flow of activities in the incident management process begins
with identification, which is followed by logging, which in turn is followed by categorization. Initial
diagnosis occurs later in the process flow following prioritization.
While the Service Operation book is clear about the flow of activities, the logic behind why the
activities are in this order is not completely clear. Very few people disagree that the incident
management process begins with identification, which in turn is followed by logging. The
disagreement primarily exists in what follows logging, whether it is categorization or initial
diagnosis. A good way to summarize the flow of activities is that they flow from general to specific.
It often helps to clarify what the steps in the process do. Categorization allocates the type of
incident that is occurring. In practice, organizations often use a multi-level categorization scheme, where the top-level consists of a few broad high-level categories. Subsequent levels of categorization might provide an additional level of detail. Practically, I've always thought of categorization as a way of identifying at a high-level what general area an incident should belong to. For example, common top-level categories include things like hardware, software, network, user induced, supplier induced, etc. In fact, I once worked at a large organization that processes about 50,000 incident tickets per month with a set of 8 top-level categories. In other words, when categorization is done, we're really just trying to identify a general area to which the incident most likely belongs. Categorization can be revisited, and often changes throughout the lifecycle of an incident.
Prioritization accounts for the impact and urgency of the incident and assigns a pre-defined code
that guides an organization's response to an incident. In any population of incidents, an effective
prioritization scheme tells the organization which incident to work on first. The ability to do this is
critically important in high-volume environments where the organization has limited and shared
resources capable of responding to numerous, simultaneous incidents. In other words,
organizations have to make decisions about how to marshal resources based on their impact to
the business and how quickly service must be restored.
Initial diagnosis is described in the Service Operation book in section 4.2.5.5 as the activity where
the service desk attempts to understand all symptoms of the incident in an effort to uncover what
is wrong and attempt to correct it. During this activity, the service desk staff might use the known
error database to speed incident resolution, or diagnostic scripts to identify the service fault.
The logical reason why these steps are in this order is because during categorization and
prioritization we try to uncover enough details about the incident so that it can be routed correctly
throughout the process. For example, organizations might choose to handle hardware or network
incidents differently than they handle software incidents. The same is true for prioritization.
Prioritization seeks to establish facts about the incident in terms of its impact and urgency such
that proper routing decisions can be made; for example, the highest priority is what is typically
known as a major incident, which will often follow a specific procedure dedicated to handling
major incidents.
Therefore, the early steps in the incident management process are focused on properly routing the
incident. Knowing the category and priority help organizations make effective decisions about
routing incidents. Improperly routed incidents will result in delayed resolution of service, which
impacts users and customers and decreases satisfaction. For example, it would not make sense
for a service desk to attempt initial diagnosis if they are not properly trained or equipped to
investigate that category of incident. In fact, a service desk spending time doing initial diagnosis
for incident categories where they are improperly trained and do not have effective scripts and
tools will often result in delayed restoration of service, increased impact to users, and a negative
impact to customer satisfaction.
Clearly, according to ITIL, categorization occurs early in the incident management process, and
there are good reasons why this is the case.
References: Reference:http://blog.globalknowledge.com/professional-development/itil/incidentmanagement-process-flow-which-comes-first-categorization-or-initial-diagnosis/

Topic 4, Threats, Vulnerability Analysis, and Mitigation

QUESTION NO: 360


Which two EAP methods may be susceptible to offline dictionary attacks? (Choose two.)
A.
EAP-MD5
B.
LEAP
C.
PEAP with MS-CHAPv2
D.
EAP-FAST

Answer: A,B
Explanation:

PEAP carries the inner authentication (here MS-CHAPv2) inside a TLS tunnel, so an eavesdropper on
the wireless link never sees the challenge/response pair. EAP-MD5 (a CHAP MD5 challenge/response)
and LEAP (a modified MS-CHAPv1 exchange) send both the challenge and the password-derived
response in the clear; anyone who captures one exchange can test candidate passwords offline
until one reproduces the observed response, with no further contact with the authenticator.
EAP-FAST protects its inner exchange in a TLS tunnel established with a PAC. Because the TLS
channel runs from the client to the authentication server, PEAP offers end-to-end protection, not
just over the wireless data link.
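Why a captured EAP-MD5 exchange is enough for an offline attack, as an added Python example (it is not part of the exam material or Cisco code): it builds the MD5-Challenge Request and Response packets of RFC 3748 section 5.4, then recovers the password from the captured pair by hashing wordlist candidates. The challenge value, the identifier, the name strings, the password Winter2015 and the wordlist are all constructed for the demonstration.

```python
"""EAP-MD5 (RFC 3748 section 5.4, CHAP/MD5 per RFC 1994) and the offline
dictionary attack that its cleartext challenge/response pair permits."""
import hashlib
import struct

EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_MD5_CHALLENGE = 4


def eap_md5_hash(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP with MD5: MD5(Identifier || Secret || Challenge). The attacker sees
    Identifier and Challenge in the Request and the digest in the Response."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def build_md5_challenge(code: int, identifier: int, value: bytes, name: bytes = b"") -> bytes:
    """EAP packet: Code(1) Identifier(1) Length(2) Type(1) Value-Size(1) Value Name."""
    body = bytes([EAP_TYPE_MD5_CHALLENGE, len(value)]) + value + name
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def parse_md5_challenge(pkt: bytes):
    """Return (code, identifier, value, name); raise if not an MD5-Challenge packet."""
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or len(pkt) < 6 or pkt[4] != EAP_TYPE_MD5_CHALLENGE:
        raise ValueError("not a well-formed EAP MD5-Challenge packet")
    size = pkt[5]
    return code, identifier, pkt[6:6 + size], pkt[6 + size:]


def supplicant_answer(request: bytes, secret: bytes, name: bytes) -> bytes:
    """What a legitimate supplicant sends back for a given Request."""
    code, identifier, challenge, _ = parse_md5_challenge(request)
    if code != EAP_REQUEST:
        raise ValueError("expected an EAP Request")
    digest = eap_md5_hash(identifier, secret, challenge)
    return build_md5_challenge(EAP_RESPONSE, identifier, digest, name)


def offline_dictionary_attack(request: bytes, response: bytes, wordlist):
    """Recover the password from one captured Request/Response pair by trying
    each candidate locally; the authenticator is never contacted again."""
    _, identifier, challenge, _ = parse_md5_challenge(request)
    _, resp_id, observed, _ = parse_md5_challenge(response)
    if resp_id != identifier:
        raise ValueError("response identifier does not match request")
    for candidate in wordlist:
        if eap_md5_hash(identifier, candidate.encode(), challenge) == observed:
            return candidate
    return None


def demo():
    """Constructed capture: challenge, password and wordlist are made up."""
    challenge = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
    request = build_md5_challenge(EAP_REQUEST, 7, challenge, b"nas01")
    response = supplicant_answer(request, b"Winter2015", b"alice")
    wordlist = ["password", "Summer2015", "Winter2015", "letmein"]
    return offline_dictionary_attack(request, response, wordlist)


if __name__ == "__main__":
    print("recovered password:", demo())
```

The same capture would be useless against PEAP, where the inner exchange is inside the TLS record layer; only the TLS handshake is visible on the air.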

QUESTION NO: 361


Refer to the exhibit.

Which three fields of the IP header labeled can be used in a spoofing attack? (Choose one.)
A.
6, 7, 11
B.
6, 11, 12
C.
3, 11, 12
D.
4, 7, 11

Answer: A
Explanation:

On the internet, information circulates thanks to the IP protocol, which encapsulates data in
structures called packets (or, more precisely, IP datagrams). The IPv4 header carries the
following fields, in order:
Version
Header length
Type of service
Total length
Identification
Flags
Fragment offset
Time to live
Protocol
Header checksum
Source IP address
Destination IP address
Data (the payload that follows the header)
Spoofing an IP address comes down to rewriting the source field so that the datagram appears to
come from another address; the header checksum must then be recomputed, otherwise the receiver
discards the datagram. Other header fields, such as the identification, flags and fragment offset,
can also be forged, for example to craft overlapping or never-completed fragments. Most internet
traffic, however, is carried over TCP, which provides so-called "reliable" transmission: a
connection is only established after the three-way handshake (SYN, SYN-ACK, ACK), so a blind
spoofer never sees the SYN-ACK that the server sends to the forged source address and must guess
the server's initial sequence number to complete the handshake. This is why initial sequence
number randomization matters.
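A worked IPv4 header, as an added Python example that is not part of the original page: it builds and parses the 20-byte header (the fields listed above, in the same order), rewrites the source address the way a spoofing tool does, and shows that the header checksum has to be recomputed for the forged datagram to be accepted at all. Addresses are from the RFC 5737 documentation ranges and the identification value is arbitrary.

```python
"""IPv4 header construction, parsing and source-address rewriting (RFC 791),
with the RFC 1071 header checksum."""
import ipaddress
import struct

IPV4_HDR = "!BBHHHBBH4s4s"  # 20-byte header without options


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over 16-bit words. Computed with the checksum field
    zeroed it yields the value to store; over a filled-in valid header it yields 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, ident: int, ttl: int = 64, proto: int = 6,
                      payload_len: int = 0, flags: int = 0, frag_off: int = 0) -> bytes:
    hdr = bytearray(struct.pack(
        IPV4_HDR,
        (4 << 4) | 5,                 # version 4, IHL = 5 words
        0,                            # type of service / DSCP
        20 + payload_len,             # total length
        ident,                        # identification (fragment reassembly)
        (flags << 13) | frag_off,     # flags (DF/MF) and fragment offset
        ttl, proto,
        0,                            # checksum placeholder
        ipaddress.IPv4Address(src).packed,
        ipaddress.IPv4Address(dst).packed))
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr)


def parse_ipv4_header(raw: bytes) -> dict:
    (ver_ihl, tos, total_len, ident, flags_frag, ttl, proto,
     csum, src, dst) = struct.unpack(IPV4_HDR, raw[:20])
    return {
        "version": ver_ihl >> 4,
        "header_length": (ver_ihl & 0x0F) * 4,
        "type_of_service": tos,
        "total_length": total_len,
        "identification": ident,
        "flags": flags_frag >> 13,
        "fragment_offset": flags_frag & 0x1FFF,
        "ttl": ttl,
        "protocol": proto,
        "header_checksum": csum,
        "source": str(ipaddress.IPv4Address(src)),
        "destination": str(ipaddress.IPv4Address(dst)),
    }


def checksum_valid(raw: bytes) -> bool:
    ihl = (raw[0] & 0x0F) * 4
    return ipv4_checksum(raw[:ihl]) == 0


def spoof_source(raw: bytes, new_src: str) -> bytes:
    """Rewrite the source field as a spoofing tool does. The checksum covers the
    whole header, so it is recomputed; otherwise every router drops the packet."""
    hdr = bytearray(raw[:20])
    hdr[12:16] = ipaddress.IPv4Address(new_src).packed
    hdr[10:12] = b"\x00\x00"
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + raw[20:]


if __name__ == "__main__":
    h = build_ipv4_header("192.0.2.10", "198.51.100.5", ident=0x1234, payload_len=20)
    print(parse_ipv4_header(h))
    print(parse_ipv4_header(spoof_source(h, "203.0.113.7")))
```

Note that nothing in the header authenticates the source field; only a transport-layer handshake, uRPF at the edge, or IPsec gives the receiver any assurance about who sent the datagram.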

QUESTION NO: 362


What type of attack consists of injecting traffic that is marked with the DSCP value of EF into the
network?
A.
brute-force attack
B.
QoS marking attack
C.
DHCP starvation attack
D.
SYN flood attack

Answer: B
Explanation:

QoS-enabled networks are vulnerable to QoS marking attacks. In a QoS marking attack, the attacker
marks packets with a higher class of service than the traffic is entitled to (for example DSCP EF,
the value reserved for the priority/voice queue) to obtain better treatment than the subscribed
class, or to crowd legitimate traffic out of the priority queue. The usual mitigation is to
re-mark untrusted traffic at the network edge instead of trusting markings set by end hosts.

QUESTION NO: 363


An exploit that involves connecting to a specific TCP port and gaining access to an administrative
command prompt is an example of which type of attack?
A.
botnet
B.
Trojan horse
C.
privilege escalation
D.
DoS

Answer: C
Explanation:

Privilege escalation is the act of exploiting a bug, design flaw or configuration oversight in an
operating system or software application to gain elevated access to resources that are normally
protected from an application or user. The result is that an application or user with more
privileges than intended by the application developer or system administrator can perform
unauthorized actions; a backdoor port that hands out an administrative command prompt is a
textbook case.

QUESTION NO: 364


Which two of the following provide protection against man-in-the-middle attacks? (Choose two.)
A.
TCP initial sequence number randomization
B.
TCP sliding-window checking
C.
Network Address Translation
D.
IPsec VPNs
E.
Secure Sockets Layer

Answer: D,E
Explanation:

IPsec authenticates every packet (AH, or ESP with an integrity algorithm), so an on-path attacker
cannot modify or inject traffic without detection, which thwarts man-in-the-middle attacks.
However, this strong security feature also generates operational problems. NAT frequently breaks
IPsec because it modifies packets by substituting public IP addresses for private ones, which
invalidates AH's integrity check and confuses ESP's port-less flows. Many IPsec products
implement NAT traversal (NAT-T, UDP encapsulation on port 4500), but support for this feature is
not universal, and interoperability is still an issue.
SSL/TLS is almost as tough against man-in-the-middle attacks, without IPsec's NAT conflict. SSL
rides on TCP, so it is insulated from IP and port modifications and passes easily through NAT.
SSL carries sequence numbers inside the encrypted records to prevent injection and replay, and
TLS uses a message authentication code on every record to detect payload changes. Both protocols
only help when the peer is actually authenticated (certificate validation or pre-shared keys); a
client that accepts any certificate is still open to interception.

QUESTION NO: 365


Which three options are security measures that are defined for Mobile IPv6? (Choose three.)
A.
IPsec SAs are used for binding updates and acknowledgements.
B.
The use of IKEv1 or IKEv2 is mandatory for connections between the home agent and mobile
node.
C.
Mobile nodes and the home agents must support ESP in transport mode with non-NULL payload
authentication.
D.
Mobile IPv6 control messages are protected by SHA-2.
E.
IPsec SAs are used to protect dynamic home agent address discovery.
F.
IPsec SAs can be used to protect mobile prefix solicitations and advertisements.

Answer: A,C,F
Explanation:
RFC 3776 defines how IPsec protects Mobile IPv6 signaling between a mobile node and its home
agent: binding updates and binding acknowledgements are protected by IPsec SAs (option A), the
mobile node and home agent must support ESP in transport mode with a non-NULL payload
authentication algorithm (option C), and the same SAs can be used to protect mobile prefix
solicitations and advertisements (option F). IKE is optional since manual keying must be
supported, no particular hash such as SHA-2 is mandated for the control messages, and dynamic
home agent address discovery is not protected by IPsec, which rules out B, D and E.
The mobile node identifier option is a separate mechanism. A mobile node can identify itself using
its home address as an identifier. The Mobile IPv6 protocol messages use this identifier in their
registration messages. However, for certain deployments it is essential that the mobile node has
the capability to identify itself using a logical identifier, such as an NAI, rather than a network
address. The mobile node identifier option for Mobile IPv6 allows a mobile node to be identified
by NAI rather than IPv6 address. This feature enables the network to give a dynamic IPv6 address
to a mobile node and authenticate the mobile node using authentication, authorization, and
accounting (AAA). This option should be used when either Internet Key Exchange (IKE) or IPsec is
not used for protecting BUs or binding acknowledgments (BAs).
In order to provide roaming services, a standardized method, such as NAI or a mobile node home
address, is needed for identifying users. Roaming may be loosely defined as the ability to use any
one of multiple Internet service providers (ISPs) while maintaining a formal, customer-vendor
relationship with only one. Examples of where roaming capabilities might be required include ISP
confederations and ISP-provided corporate network access support. Other entities interested in
roaming capability may include the following:

References: Reference:http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6/configuration/152mt/ipv6-15-2mt-book/ip6-mobile.html

QUESTION NO: 366


Which three statements are true about DES? (Choose three.)
A.
A 56-bit key is used to encrypt 56-bit blocks of plaintext.
B.
A 56-bit key is used to encrypt 64-bit blocks of plaintext.
C.
Each block of plaintext is processed through 16 rounds of identical operations.
D.
Each block of plaintext is processed through 64 rounds of identical operations.
E.
ECB, CBC, and CBF are modes of DES.
F.
Each Block of plaintext is processed through 8 rounds of identical operations.
G.
CTR, CBC, and OFB are modes of DES.

Answer: B,C,E
Explanation:

DES uses a 64-bit key, but eight of those bits are parity bits, effectively limiting the key to
56 bits. Hence, it would take a maximum of 2^56, or 72,057,594,037,927,936, attempts to find the
correct key by brute force, which is why DES is no longer considered secure.
To encrypt a plaintext message, DES groups it into 64-bit blocks. Each block is enciphered using
the secret key into a 64-bit ciphertext block by means of permutation and substitution. The
process involves 16 rounds of the same Feistel operation with a different round subkey each time,
and can run in the four modes defined in FIPS 81 (ECB, CBC, CFB and OFB), encrypting blocks
individually or making each cipher block depend on the previous ones. Option E's "CBF" is a typo
for CFB; CTR mode (option G) was standardized later in NIST SP 800-38A and is not one of the
original DES modes.

QUESTION NO: 367


Comparing and contrasting IKEv1 and IKEv2, which three statements are true? (Choose three.)
A.
IKEv2 adds EAP as a method of authentication for clients; IKEv1 does not use EAP.
B.
IKEv1 and IKEv2 endpoints indicate support for NAT-T via the vendor_ID payload.
C.
IKEv2 and IKEv1 always ensure protection of the identities of the peers during the negotiation
process.
D.
IKEv2 provides user authentication via the IKE_AUTH exchange; IKEv1 uses the XAUTH exchange.
E.
IKEv1 and IKEv2 both use INITIAL_CONTACT to synchronize SAs.
F.
IKEv1 supports config mode via the SET/ACK and REQUEST/RESPONSE methods; IKEv2
supports only REQUEST/RESPONSE.

Answer: A,D,E
Explanation:

IKEv1 has a clearly demarcated Phase 1 exchange (Main Mode, six packets, or Aggressive Mode,
three packets) followed by a Phase 2 Quick Mode exchange of three packets; the IKEv2 exchange is
variable. At best, it can exchange as few as four packets (IKE_SA_INIT and IKE_AUTH). At worst,
this can increase to as many as 30 packets (if not more), depending on the complexity of
authentication, the number of Extensible Authentication Protocol (EAP) attributes used, as well as
the number of SAs formed. IKEv2 combines the Phase 2 information of IKEv1 into the IKE_AUTH
exchange, and it ensures that after the IKE_AUTH exchange is complete, both peers already have one
child SA built and ready to encrypt traffic. This SA is only built for the proxy identities that
match the trigger packet. Any subsequent traffic that matches other proxy identities then triggers
the CREATE_CHILD_SA exchange, which is the equivalent of the Phase 2 exchange in IKEv1. IKEv2
has no Aggressive Mode or Main Mode. EAP authentication of the initiator is carried inside
IKE_AUTH in IKEv2 (option A), whereas IKEv1 needed the separate, non-standard XAUTH exchange
(option D); both versions carry the INITIAL_CONTACT notification to tell the peer that stale SAs
can be deleted (option E). Neither version hides identities in every case: IKEv1 Aggressive Mode
sends the identity in the clear, so option C is false.
References: Reference:http://www.cisco.com/image/gif/paws/115936/understanding-ikev2-packetexch-debug.pdf

QUESTION NO: 368


Which three statements about GDOI are true? (Choose three.)
A.
GDOI uses TCP port 848.
B.
The GROUPKEY_PULL exchange is protected by an IKE phase 1 exchange.
C.
The KEK protects the GROUPKEY_PUSH message.
D.
The TEK is used to encrypt and decrypt data traffic.
E.
GDOI does not support PFS.

Answer: B,C,D
Explanation:

GDOI runs over UDP port 848 (not TCP), so option A is false; RFC 3547 also allows optional KE
payloads in the GROUPKEY-PULL exchange to provide PFS, so option E is false. The remaining
options follow from the protocol structure described in RFC 3547:
1) A Phase 2 exchange creates Re-key and Data-Security Protocol SAs.
The new Phase 2 exchange, called "GROUPKEY-PULL," downloads keys for a group's "Re-key" SA and/or
"Data-security" SA. The Re-key SA includes a key encrypting key, or KEK, common to the group; a
Data-security SA includes a data encryption key, or TEK, used by a data-security protocol to
encrypt or decrypt data traffic [Section 2.1 RFC2407]. The SA for the KEK or TEK includes
authentication keys, encryption keys, cryptographic policy, and attributes. The GROUPKEY-PULL
exchange uses "pull" behavior since the member initiates the retrieval of these SAs from a GCKS,
and it is protected by the IKE Phase 1 SA established between the member and the GCKS.
2) A datagram subsequently establishes additional Re-key and/or Data-Security Protocol SAs.
The GROUPKEY-PUSH datagram is "pushed" from the GCKS to the members to create or update a Re-key
or Data-security SA. A Re-key SA protects GROUPKEY-PUSH messages. Thus, a GROUPKEY-PULL is
necessary to establish at least one Re-key SA in order to protect subsequent GROUPKEY-PUSH
messages. The GCKS encrypts the GROUPKEY-PUSH message using the KEK of the Re-key SA. GDOI
accommodates the use of arrays of KEKs for group key management algorithms using the Logical Key
Hierarchy (LKH) algorithm to efficiently add and remove group members [RFC2627]. Implementation
of the LKH algorithm is OPTIONAL.
Although the GROUPKEY-PUSH specified by RFC 3547 can be used to refresh a Re-key SA, the most
common use of GROUPKEY-PUSH is to establish a Data-security SA for a data security protocol. GDOI
can accommodate future extensions to support a variety of data security protocols. RFC 3547 only
specifies data-security SAs for one security protocol, IPsec ESP. A separate RFC will specify
support for other data security protocols such as a future secure Real-time Transport Protocol. A
security protocol uses the TEK and "owns" the data-security SA in the same way that IPsec ESP uses
the IKE Phase 2 keys and owns the Phase 2 SA; for GDOI, IPsec ESP uses the TEK.
Thus, GDOI is a group security association management protocol: all GDOI messages are used to
create, maintain, or delete security associations for a group. As described above, these security
associations protect one or more key-encrypting keys, traffic-encrypting keys, or data shared by
group members for multicast and group security applications.
References: Reference:https://www.ietf.org/rfc/rfc3547.txt

QUESTION NO: 369


To prevent a potential attack on a Cisco IOS router with the echo service enabled, what action
should you take?
A.
Disable the service with the no ip echo command.
B.
Disable the service with the no echo command.
C.
Disable tcp-small-servers.
D.
Disable this service with a global access-list.

Answer: C
Explanation:
Cisco IOS disables the "service tcp-small-servers" and "service udp-small-servers" commands by
default (since IOS 11.3). Enabling them turns on the following legacy diagnostic services on the
router: Echo (port 7), Discard (port 9), Chargen (port 19), and Daytime (port 13). The echo
service is removed with "no service tcp-small-servers" (and "no service udp-small-servers");
there is no separate echo command. These services can be abused for amplification and loopback
floods, so they should stay disabled.

QUESTION NO: 370


Which query type is required for an nslookup on an IPv6 addressed host?
A.
type=AAAA
B.
type=ANY
C.
type=PTR
D.
type=NAME-IPV6

Answer: A
Explanation:

An AAAA-record is used to specify the IPv6 address for a host (equivalent of the A-record type for
IPv4).

QUESTION NO: 371


Which option is used to collect wireless traffic passively, for the purposes of eavesdropping or
information gathering?
A.
network taps
B.
repeater Access Points
C.
wireless sniffers
D.
intrusion prevention systems

Answer: C
Explanation:

A wireless sniffer is a type of packet analyzer. A packet analyzer (also known as a packet sniffer)
is a piece of software or hardware designed to intercept data as it is transmitted over a network
and decode the data into a format that is readable for humans. Wireless sniffers are packet
analyzers specifically created for capturing data on wireless networks. Wireless sniffers are also
commonly referred to as wireless packet sniffers or wireless network sniffers.

QUESTION NO: 372


Which traffic class is defined for non-business-relevant applications and receives any bandwidth
that remains after QoS policies have been applied?
A.
scavenger class
B.
best effort
C.
discard eligible
D.
priority queued

Answer: A
Explanation:

The scavenger class is intended for undesirable traffic (viruses, worms, etc.) and for
non-productive or employee-distracting applications. The scavenger class of traffic resides in
the same queue as the default class of traffic. Some switches (with adjustable thresholds) allow
you to have multiple classes in each queue and still penalize one class more than another. You
need to check the capabilities of your switches to determine whether you have adjustable
thresholds on your queues; otherwise the marking alone doesn't accomplish much.

QUESTION NO: 373


In the context of a botnet, what is true regarding a command and control server?
A.
It can launch an attack using IRC or Twitter.
B.
It is another name for a zombie.
C.
It is used to generate a worm.
D.
It sends the command to the botnets via adware.

Answer: A
Explanation:

A botnet is a collection of Internet-connected programs communicating with other similar programs
in order to perform tasks. This can be as mundane as keeping control of an Internet Relay Chat
(IRC) channel, or it could be used to send spam email or participate in distributed denial-of-service
attacks. The word botnet is a combination of the words robot and network. The term is usually
used with a negative or malicious connotation.

QUESTION NO: 374


Which option is used for anti-replay prevention in a Cisco IOS IPsec implementation?
A.
session token
B.
one-time password
C.
time stamps
D.
sequence number
E.
nonce

Answer: D
Explanation:

Anti-replay protection is an important security service that the IPsec protocol offers. Each ESP
or AH packet carries a 32-bit sequence number that is covered by the integrity check; the receiver
keeps a sliding window (64 packets by default on Cisco IOS, adjustable with the crypto ipsec
security-association replay window-size command) and rejects a packet whose sequence number has
already been seen or lies below the window. Disabling IPsec anti-replay has security implications
and should only be done with caution, for example when QoS reordering causes spurious drops.
Here are the steps to process incoming IPsec traffic on the receiving tunnel endpoint with anti-replay enabled:
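The receiver-side window that the sequence number feeds, as an added Python example (not Cisco code): a 64-entry sliding window in the style of RFC 4303 Appendix A, exercised with a constructed series of ESP sequence numbers that includes a duplicate, a jump that pushes old entries off the window, and a packet that lands just outside it. For brevity the window is checked and updated in one step; the RFC checks before ICV verification and updates only after it succeeds.

```python
"""IPsec anti-replay sliding window as kept by the receiving ESP/AH endpoint."""


class AntiReplayWindow:
    def __init__(self, size: int = 64):
        if size < 32:
            raise ValueError("RFC 4303 requires a window of at least 32 packets")
        self.size = size
        self.top = 0            # highest sequence number accepted so far
        self.bitmap = 0         # bit k set => sequence number (top - k) was seen
        self.mask = (1 << size) - 1

    def check(self, seq: int) -> bool:
        """Return True and record seq if it is fresh; False if it is a replay
        or falls to the left of the window. Assumes the ICV already verified."""
        if seq <= 0:
            return False        # ESP sequence numbers start at 1 (RFC 4303 2.2)
        if seq > self.top:      # newer than anything seen: slide the window
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1 # everything seen before drops off the window
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & self.mask
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size:
            return False        # too old: outside the window
        if self.bitmap & (1 << diff):
            return False        # already received: replay
        self.bitmap |= 1 << diff
        return True


def process(seqs, size: int = 64):
    """Feed a constructed list of received sequence numbers through one
    window and return (seq, accepted) pairs."""
    w = AntiReplayWindow(size)
    return [(s, w.check(s)) for s in seqs]


if __name__ == "__main__":
    for seq, ok in process([1, 2, 3, 2, 100, 50, 36, 37, 100]):
        print(seq, "accepted" if ok else "dropped")
```

The sender side must never wrap the 32-bit counter: RFC 4303 requires a new SA before 2^32 packets (or an extended 64-bit sequence number), because a wrapped counter would make the receiver's window treat fresh packets as replays.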

QUESTION NO: 375


Refer to the exhibit.

When configuring a Cisco IPS custom signature, what type of signature engine must you use to
block podcast clients from accessing the network?
A.
service HTTP
B.
service TCP
C.
string TCP
D.
fixed TCP
E.
service GENERIC

Answer: A
Explanation:

A signature micro-engine is a component of an IDS and IPS sensor that supports a group of
signatures that are in a common category. Each engine is customized for the protocol and fields
that it is designed to inspect and defines a set of legal parameters that have allowable ranges or
sets of values. The signature micro-engines look for malicious activity in a specific protocol.
Signatures can be defined for any of the supported signature micro-engines using the parameters
offered by the supporting micro-engine. Packets are scanned by the micro-engines that
understand the protocols contained in the packet.

QUESTION NO: 376
An attacker configures an access point to broadcast the same SSID that is used at a public
hotspot, and launches a deauthentication attack against the clients that are connected to the
hotspot, with the hope that the clients will then associate to the AP of the attacker.
In addition to the deauthentication attack, what attack has been launched?
A.
man-in-the-middle
B.
MAC spoofing
C.
Layer 1 DoS
D.
disassociation attack

Answer: A
Explanation:

In cryptography and computer security, a man-in-the-middle attack (often abbreviated to MITM,
MitM, MIM, MiM or MITMA) is an attack where the attacker secretly relays and possibly alters the
communication between two parties who believe they are directly communicating with each other.
Here the attacker's access point is an "evil twin": once the deauthenticated clients reassociate
to it, all of their traffic flows through the attacker, who can relay it to the real network while
reading or modifying it.
As an attack that aims at circumventing mutual authentication, or lack thereof, a man-in-the-middle
attack can succeed only when the attacker can impersonate each endpoint to their satisfaction as
expected from the legitimate other end. Most cryptographic protocols include some form of
endpoint authentication specifically to prevent MITM attacks. For example, TLS can authenticate
one or both parties using a mutually trusted certification authority.

QUESTION NO: 377


Which statement best describes the concepts of rootkits and privilege escalation?
A.
Rootkits propagate themselves.
B.
Privilege escalation is the result of a rootkit.
C.
Rootkits are a result of a privilege escalation.
D.
Both of these require a TCP port to gain access.

Answer: B
Explanation:

Privilege escalation is the act of exploiting a bug, design flaw or configuration oversight in an
operating system or software application to gain elevated access to resources that are normally
protected from an application or user. A rootkit is software designed to hide the attacker's
presence and preserve privileged access on a compromised host; the two concepts are tied because
installing a rootkit and the access it maintains both depend on the attacker holding elevated
privileges.

QUESTION NO: 378


Refer to the exhibit.

What type of attack is being mitigated on the Cisco ASA appliance?


A.
HTTPS certificate man-in-the-middle attack
B.
HTTP distributed denial of service attack
C.
HTTP Shockwave Flash exploit
D.
HTTP SQL injection attack

Answer: D
Explanation:
The ASA uses regular expressions (regex) together with the Modular Policy Framework to inspect
specific HTTP data patterns in order to detect the SQL injection attack. It basically checks for
the SQL commands UNION ALL SELECT and SELECT ... FROM, in any letter case and with the separator
encoded as %20, %2b or +:
regex SQL_regex_1 [uU][nN][iI][oO][nN]([%]2[0bB]|[+])([aA][lL][lL]([%]2[0bB]|[+]))?[sS][eE][lL][eE][cC][tT]
regex SQL_regex_2 [Ss][Ee][Ll][Ee][Cc][Tt](%2[0bB]|+)[^\r\x00-\x19\x7f\xff]+(%2[0bB]|+)[Ff][Rr][Oo][Mm](%2[0bB]|+).
Such signatures catch the textbook form of the attack but not obfuscated variants (other
whitespace encodings, inline comments, or alternative encodings of the keywords), so they
complement rather than replace input validation in the application itself.
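The two regexes above run against constructed HTTP request lines, as an added Python example that is not part of the ASA configuration or the exam: it shows which requests SQL_regex_1 and SQL_regex_2 match and which obfuscated variants slip past them. Assumptions: the patterns are applied to the raw request line before URL decoding, and regex 2's bare + alternatives are written as \+ so that Python's re accepts them; the sample requests are made up.

```python
"""ASA SQL_regex_1 / SQL_regex_2 exercised against constructed HTTP request lines."""
import re

# Verbatim from the ASA configuration above; the only change is "\+" in place of
# the bare "+" alternatives in regex 2, which Python's re would otherwise reject.
SQL_REGEX_1 = re.compile(
    r"[uU][nN][iI][oO][nN]([%]2[0bB]|[+])([aA][lL][lL]([%]2[0bB]|[+]))?"
    r"[sS][eE][lL][eE][cC][tT]")
SQL_REGEX_2 = re.compile(
    r"[Ss][Ee][Ll][Ee][Cc][Tt](%2[0bB]|\+)[^\r\x00-\x19\x7f\xff]+"
    r"(%2[0bB]|\+)[Ff][Rr][Oo][Mm](%2[0bB]|\+).")
PATTERNS = {"SQL_regex_1": SQL_REGEX_1, "SQL_regex_2": SQL_REGEX_2}


def matched_patterns(request_line: str) -> list:
    """Names of the regexes that fire on one request line (assumption: the
    class map applies them to the raw request line, before URL decoding)."""
    return [name for name, rx in PATTERNS.items() if rx.search(request_line)]


def scan(request_lines) -> list:
    """(request line, matching regex names) for each line; an empty list
    means the ASA policy would let the request through."""
    return [(line, matched_patterns(line)) for line in request_lines]


# Constructed sample traffic: one benign request, two textbook injections,
# and two obfuscated variants that the patterns do not cover.
SAMPLE_REQUESTS = [
    "GET /products.php?id=1 HTTP/1.1",
    "GET /products.php?id=1%20UNION%20ALL%20SELECT%20user,pass%20FROM%20users HTTP/1.1",
    "GET /products.php?id=1+union+select+1,2,3 HTTP/1.1",
    "GET /products.php?id=1%09UNION%09SELECT%091,2 HTTP/1.1",       # tab, not space
    "GET /products.php?id=1/**/UNION/**/SELECT/**/1,2 HTTP/1.1",    # comment as whitespace
]

if __name__ == "__main__":
    for line, hits in scan(SAMPLE_REQUESTS):
        print("BLOCK" if hits else "pass ", hits, line)
```

The second and third requests trip at least one regex; the last two carry the same UNION SELECT payload with a different separator and pass untouched, which is the caveat to keep in mind when a regex inspection policy is the only control.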

QUESTION NO: 379


Which four values can be used by the Cisco IPS appliance in the risk rating calculation? (Choose
four.)
A.
attack severity rating
B.
target value rating
C.
signature fidelity rating
D.
promiscuous delta
E.
threat rating
F.
alert rating

Answer: A,B,C,D
Explanation:
Risk rating is a quantitative measure of your network's threat level before IPS mitigation. For each
event fired by IPS signatures, Cisco IPS Sensor Software calculates a risk rating number. The
factors used to calculate risk rating are:
Signature fidelity rating: This IPS-generated variable indicates the degree of attack certainty.
Attack severity rating: This IPS-generated variable indicates the amount of damage an attack
can cause.
Target value rating: This user-defined variable indicates the criticality of the attack target. This is
the only factor in risk rating that is routinely maintained by the user. You can assign a target value
rating per IP address in Cisco IPS Device Manager or Cisco Security Manager. The target value
rating can raise or lower the overall risk rating for a network device. You can assign the following
target values:
75: Low asset value
100: Medium asset value
200: Mission-critical asset value
Attack relevancy rating: This IPS-generated value indicates the vulnerability of the attack target.
Promiscuous delta: The risk rating of an IPS deployed in promiscuous mode is reduced by the
promiscuous delta. This is because promiscuous sensing is less accurate than inline sensing. The
promiscuous delta can be configured on a per-signature basis, with a value range of 0 to 30. (The
promiscuous delta was introduced in Cisco IPS Sensor Software Version 6.0.)
Watch list rating: This IPS-generated value is based on data found in the Cisco Security Agent
watch list. The Cisco Security Agent watch list contains IP addresses of devices involved in
network scans or possibly contaminated by viruses or worms. If an attacker is found on the watch
list, the watch list rating for that attacker is added to the risk rating. The value for this factor is
between 0 and 35. (The watch list rating was introduced in Cisco IPS Sensor Software Version
6.0.)
The formula to calculate risk rating in Cisco IPS Sensor Software Version 6.0 is:

Risk rating can help enhance your productivity as it intelligently assesses the level of risk of each
event and helps you focus on high-risk events.
References: Reference:http://www.cisco.com/c/en/us/products/collateral/security/ips-4200-seriessensors/prod_white_paper0900aecd806e7299.html

QUESTION NO: 380


Which signature engine is used to create a custom IPS signature on a Cisco IPS appliance that
triggers when a vulnerable web application identified by the "/runscript.php" URI is run?
A.
AIC HTTP
B.
Service HTTP
C.
String TCP
D.
Atomic IP
E.
META
F.
Multi-String

Answer: B
Explanation:

The Service HTTP engine is a service-specific string-based pattern-matching inspection engine.


The HTTP protocol is one of the most commonly used in today's networks. In addition, it requires
the most amount of preprocessing time and has the most number of signatures requiring
inspection making it critical to the system's overall performance.
The Service HTTP engine uses a Regex library that can combine multiple patterns into a single
pattern-matching table, allowing a single search through the data. This engine inspects only
traffic directed to web services, that is, HTTP requests; you cannot inspect return traffic with
this engine. You can specify separate web ports of interest in each signature in this engine.
HTTP deobfuscation is the process of decoding an HTTP message by normalizing encoded
characters to ASCII equivalent characters. It is also known as ASCII normalization.
Before an HTTP packet can be inspected, the data must be deobfuscated or normalized to the
same representation that the target system sees when it processes the data. It is ideal to have a
customized decoding technique for each host target type, which involves knowing what operating
system and web server version is running on the target. The Service HTTP engine has default
deobfuscation behavior for the Microsoft IIS web server.
References: Reference:http://www.cisco.com/c/en/us/td/docs/security/ips/51/configuration/guide/idm/idmguide/dmSgEng.html#wp1041186

QUESTION NO: 381


Regarding VSAs, which statement is true?
A.
VSAs may be implemented on any RADIUS server.
B.
VSAs are proprietary, and therefore may only be used on theRADIUS server of that vendor.For
example, a Cisco VSA may only be used on a Cisco RADIUS server, such as ACS or ISE.
C.
VSAs do not apply to RADIUS; they are a TACACS attribute.
D.
Each VSA is defined in an RFC and is considered to be a standard.

Answer: A
Explanation:

The Cisco RADIUS implementation supports one vendor-specific option using the format recommended
in the specification (RFC 2865, attribute 26). Cisco's vendor-ID is 9, and the supported option
has vendor-type 1, which is named cisco-avpair. The value is a string of the format
protocol:attribute sep value, where protocol is a value of the Cisco protocol attribute for a
particular type of authorization; protocols that can be used include IP, IPX, VPDN, VOIP, SHELL,
RSVP, SIP, AIRNET and OUTBOUND. attribute and value are an appropriate attribute-value (AV) pair
defined in the Cisco TACACS+ specification, and sep is "=" for mandatory attributes and "*" for
optional attributes. This allows the full set of features available for TACACS+ authorization to
also be used for RADIUS. Because the vendor-specific attribute format itself is standardized, any
RADIUS server that can emit attribute 26 with vendor-ID 9 (FreeRADIUS, Microsoft NPS, and so on)
can return Cisco VSAs, which is why option A is correct.
References:
Reference:http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfrdat3.pdf
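How a cisco-avpair travels inside RADIUS attribute 26, as an added Python example (not Cisco's or any RADIUS server's code): it encodes a cisco-avpair string in the Vendor-Specific attribute layout of RFC 2865 section 5.26 (Vendor-Id 9, vendor-type 1), walks an attribute list back out while ignoring other attributes and other vendors, and splits each string into protocol, attribute, separator and value. The AV pairs and the attribute list are constructed for the example.

```python
"""Cisco VSA (RADIUS attribute 26, Vendor-Id 9, vendor-type 1 'cisco-avpair'):
RFC 2865 section 5.26 encoding plus parsing of protocol:attribute sep value."""
import struct

RADIUS_VENDOR_SPECIFIC = 26
RADIUS_USER_NAME = 1
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1


def parse_avpair(text: str) -> dict:
    """'shell:priv-lvl=15' -> protocol 'shell', attribute 'priv-lvl', value '15';
    '=' marks a mandatory attribute and '*' an optional one."""
    protocol, colon, rest = text.partition(":")
    if not colon or not protocol:
        raise ValueError("missing protocol prefix: %r" % text)
    idx = min((i for i in (rest.find("="), rest.find("*")) if i >= 0), default=-1)
    if idx <= 0:
        raise ValueError("missing '=' or '*' separator: %r" % text)
    return {"protocol": protocol, "attribute": rest[:idx],
            "mandatory": rest[idx] == "=", "value": rest[idx + 1:]}


def encode_cisco_avpair(text: str) -> bytes:
    """Attribute 26: Type Length Vendor-Id(4) | Vendor-Type Vendor-Length String."""
    s = text.encode()
    vendor_block = bytes([CISCO_AVPAIR, 2 + len(s)]) + s
    if 2 + 4 + len(vendor_block) > 255:
        raise ValueError("attribute too long for a single RADIUS attribute")
    return struct.pack("!BBI", RADIUS_VENDOR_SPECIFIC, 2 + 4 + len(vendor_block),
                       CISCO_VENDOR_ID) + vendor_block


def decode_cisco_avpairs(data: bytes) -> list:
    """Walk a RADIUS attribute list and return the parsed cisco-avpair strings,
    skipping other attributes and VSAs from other vendors."""
    out, i = [], 0
    while i + 2 <= len(data):
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("truncated attribute")
        if atype == RADIUS_VENDOR_SPECIFIC and alen >= 8:
            vendor_id = struct.unpack("!I", data[i + 2:i + 6])[0]
            if vendor_id == CISCO_VENDOR_ID:
                j = i + 6
                while j + 2 <= i + alen:      # several sub-attributes may follow
                    vtype, vlen = data[j], data[j + 1]
                    if vlen < 2 or j + vlen > i + alen:
                        raise ValueError("truncated vendor sub-attribute")
                    if vtype == CISCO_AVPAIR:
                        out.append(parse_avpair(data[j + 2:j + vlen].decode()))
                    j += vlen
        i += alen
    return out


def sample_attribute_list() -> bytes:
    """Constructed Access-Accept attributes: two Cisco VSAs around a User-Name."""
    return (encode_cisco_avpair("shell:priv-lvl=15")
            + bytes([RADIUS_USER_NAME, 7]) + b"alice"
            + encode_cisco_avpair("ip:inacl#1=permit ip any any"))


if __name__ == "__main__":
    for pair in decode_cisco_avpairs(sample_attribute_list()):
        print(pair)
```

A server that sends these without a Cisco dictionary only needs to know the numeric layout above; the device is what interprets the string, which is also why a misspelled attribute name is silently ignored by the NAS rather than rejected by the server.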

QUESTION NO: 382


Which four items may be checked via a Cisco NAC Agent posture assessment? (Choose four.)
A.
Microsoft Windows registry keys
B.
the existence of specific processes in memory
C.
the UUID of an Apple iPad or iPhone
D.
if a service is started on a Windows host
E.
the HTTP User-Agent string of a device
F.
if an Apple iPad or iPhone has been "jail-broken"
G.
if an antivirus application is installed on an Apple MacBook

Answer: A,B,D,G
Explanation:

With pre-configured Cisco checks and rules, or custom checks and rules that you configure, the
Agent can check if any application or service is running, whether a registry key exists, and/or the
value of a registry key. Cisco pre-configured rules provide support for Critical Windows OS
hotfixes.
Users download and install the Cisco NAC Agent/Clean Access Agent (read-only client software),
which can check the host registry, processes, applications, and services. The Clean Access Agent
can be used to perform antivirus or antispyware definition updates, distribute files uploaded to the
Clean Access Manager, distribute website links to websites in order for users to download files to
fix their systems, or simply distribute information/instructions.
References:
Reference:http://www.cisco.com/c/en/us/td/docs/security/nac/appliance/configuration_guide/461/cam/461cam-book/m_agntd.pdf

QUESTION NO: 383


Which of the following describes the DHCP "starvation" attack?
A.
Exhaust the address space available on the DHCP servers so that an attacker can inject their own
DHCP server for malicious reasons.
B.
Saturate the network with DHCP requests to prevent other network services from working.
C.
Inject a DHCP server on the network for the purpose of overflowing DNS servers with bogus
learned host names.
D.
Send DHCP response packets for the purpose of overloading CAM tables.

Answer: A
Explanation:

A DHCP starvation attack works by broadcasting DHCP requests with spoofed MAC addresses. This is
easily achieved with attack tools such as Gobbler. If enough requests are sent, the network
attacker can exhaust the address space available to the DHCP servers for a period of time. This is
a simple resource-starvation attack, just like a SYN flood. Network attackers can then set up a
rogue DHCP server on their system and respond to new DHCP requests from clients on the network,
handing out a malicious default gateway or DNS server. Port security (limiting the MAC addresses
per port) and DHCP snooping with rate limiting on untrusted ports are the usual mitigations.

QUESTION NO: 384


Which Cisco technology protects against Spanning Tree Protocol manipulation?
A.
spanning-tree protection
B.
root guard and BPDU guard
C.
Unicast Reverse Path Forwarding
D.
MAC spoof guard
E.
port security

Answer: B
Explanation:

When you enable root guard on a port, if configuration BPDUs superior to those generated by the
current root bridge are received, the switch blocks the port, discards the superior BPDUs and
places the port in the root-inconsistent state. Once superior configuration BPDUs cease to be
received, the blocked port resumes forwarding, meaning that the root guard feature is fully
automated and requires no human intervention. BPDU guard complements it on access ports: a
PortFast port that receives any BPDU is put into the err-disabled state, so an attacker's device
cannot join the spanning-tree topology at all.

QUESTION NO: 385


Which statement is true about the Cisco NEAT 802.1X feature?
A.
The multidomain authentication feature is not supported on the authenticator switch interface.
B.
It allows a Cisco Catalyst switch to act as a supplicant to another Cisco Catalyst authenticator
switch.
C.
The supplicant switch uses CDP to send MAC address information of the connected host to the
authenticator switch.
D.
It supports redundant links between the supplicant switch and the authenticator switch.

Answer: B
Explanation:

The Network Edge Access Topology (NEAT) feature extends identity to areas outside the wiring
closet (such as conference rooms). A compact switch placed there acts as an 802.1X supplicant
toward the authenticator switch in the wiring closet, and once it is authenticated the
authenticator port is converted to a trunk; the supplicant switch then reports the MAC addresses
of its connected hosts to the authenticator through the Client Information Signalling Protocol
(CISP), not CDP. This allows any type of device to authenticate on the port.
You can enable MDA or multiauth mode on the authenticator switch interface that connects to one
or more supplicant switches. Multihost mode is not supported on the authenticator switch interface.
Use the dot1x supplicant force-multicast global configuration command on the supplicant switch
for Network Edge Access Topology (NEAT) to work in all host modes.
Figure 11-6 Authenticator and Supplicant Switch using CISP (figure not reproduced; legend: 1
Workstations (clients), 2 Supplicant switch (outside wiring closet), 3 Authenticator switch, 4
Access control server (ACS), 5 Trunk port)

QUESTION NO: 386


Which four techniques can you use for IP management plane security? (Choose four.)
A.
Management Plane Protection
B.
uRPF
C.
strong passwords
D.
RBAC
E.
SNMP security measures
F.
MD5 authentication

Answer: A,C,D,E
Explanation:

Management plane security can be implemented using the following features:

Login and password policy
Restrict device accessibility. Limit the accessible ports and restrict who may access the device and
how.
Role-based access control
Ensure access is granted only to authenticated users, groups, and services. Role-based access
control (RBAC) and authentication, authorization, and accounting (AAA) services provide
mechanisms to authenticate access effectively.
Authorize actions
Restrict the actions and views that are permitted for any particular user, group, or service.
Secure management access and reporting
Log and account for all access. Record who accessed the device, what occurred, and when it
occurred.
Ensure the confidentiality of data
Protect locally stored sensitive data from being viewed or copied. Use management protocols with
strong authentication to mitigate confidentiality attacks aimed at exposing passwords and device
configurations.
Present legal notification
Display a legal notice developed with legal counsel.

QUESTION NO: 387

Which three statements about remotely triggered black hole filtering are true? (Choose three.)
A.
It filters undesirable traffic.
B.
It uses BGP or OSPF to trigger a network-wide remotely controlled response to attacks.
C.
It provides a rapid-response technique that can be used in handling security-related events and
incidents.
D.
It requires uRPF.

Answer: A,C,D
Explanation:

Remotely triggered black hole (RTBH) filtering is a technique that provides the ability to drop
undesirable traffic before it enters a protected network.
Source-based black holes provide the ability to drop traffic at the network edge based on a specific
source address or range of source addresses. With destination-based black holing, all traffic to a
specific destination is dropped once the black hole has been activated, regardless of where it is
coming from. Obviously, this could include legitimate traffic destined for the target.
If the source address (or range of addresses) of the attack can be identified (spoofed or not), it
would be better to drop all traffic at the edge based on the source address, regardless of the
destination address. This would permit legitimate traffic from other sources to reach the target.
Implementation of source-based black hole filtering depends on Unicast Reverse Path Forwarding
(URPF), most often loose mode URPF.

QUESTION NO: 388


During a computer security forensic investigation, a laptop computer is retrieved that requires
content analysis and information retrieval. Which file system is on it, assuming it has the default
installation of Microsoft Windows Vista operating system?
A.
HSFS
B.
WinFS
C.
NTFS
D.
FAT
E.
FAT32

Answer: C
Explanation:

Forensic analysis of the Windows NT File System (NTFS) can provide useful information leading
towards malware detection and the presentation of digital evidence in a court of law. Since NTFS
records every event of the system, forensic tools are required to process an enormous amount of
information related to the user/kernel environment, buffer overflows, race conditions, the network
stack, and so on. This has led to imperfect forensic tools that are practical to implement and hence
become popular, but are not comprehensive and effective. Many existing techniques have failed to
identify malicious code in hidden data of an NTFS disk image.

QUESTION NO: 389


Which Cisco IPS appliance feature can automatically adjust the risk rating of IPS events based on
the reputation of the attacker?
A.
botnet traffic filter
B.
event action rules
C.
anomaly detection
D.
reputation filtering
E.
global correlation inspection

Answer: E
Explanation:

Global correlation inspection is based on a combination of traditional inspection and network
reputation information; the risk rating mechanism combines the two threat signals.

QUESTION NO: 390


Which three control plane subinterfaces are available when implementing Cisco IOS Control Plane
Protection? (Choose three.)
A.
CPU
B.
host
C.
fast-cache
D.
transit
E.
CEF-exception
F.
management

Answer: B,D,E
Explanation:

Host subinterface: This subinterface receives all control plane IP traffic that is directly destined for
one of the router interfaces (physical and loopback). Examples of control plane host IP traffic
include tunnel termination traffic, management traffic such as SSH and SNMP, and routing
protocols such as internal BGP (iBGP) and EIGRP. All host traffic terminates on and is processed
by the router.
Transit subinterface: This subinterface receives all control plane IP traffic that is software switched
by the route processor. This traffic consists of packets that are not directly destined to the router
itself but rather are traffic traversing through the router. Nonterminating tunnels handled by the
router are an example of this type of control plane traffic. Control Plane Protection allows specific
aggregate policing of all traffic received at this subinterface.
CEF-exception subinterface: This control plane subinterface receives all traffic that is either
redirected as a result of a configured input feature in the CEF packet forwarding path for process
switching or directly enqueued in the control plane input queue by the interface driver (that is,
ARP, external BGP (eBGP), OSPF, LDP, Layer 2 keepalives, and all non-IP host traffic). Control
Plane Protection allows specific aggregate policing of this type of control plane traffic.

QUESTION NO: 391


Refer to the exhibit.

What service is enabled on the router for a remote attacker to obtain this information?
A.
TCP small services
B.
finger
C.
maintenance operation protocol
D.
chargen
E.
Telnet
F.
CEF

Answer: B
Explanation:

The finger service is used to find out which users are logged into the router. A DoS attack known
as the finger of death uses the finger service to continuously transmit finger requests to a given
device, consuming large amounts of processing resources.

QUESTION NO: 392


In an 802.11 wireless network, what would an attacker have to spoof to initiate a deauthentication
attack against connected clients?
A.
the BSSID of the AP where the clients are currently connected
B.
the SSID of the wireless network
C.
the MAC address of the target client machine
D.
the broadcast address of the wireless network

Answer: A
Explanation:

The deauthentication/disassociation flood attack targets one or all users on a specific BSSID
(MAC address of the access point).
References: http://www.sans.org/reading-room/whitepapers/wireless/80211-denialservice-attacks-mitigation-2108

QUESTION NO: 393


What is the commonly known name for the process of generating and gathering initialization
vectors, either passively or actively, for the purpose of determining the security key of a wireless
network?
A.
WEP cracking
B.
session hijacking
C.
man-in-the-middle attacks
D.
disassociation flood frames

Answer: A
Explanation:

Wired Equivalent Privacy (WEP) is a security algorithm for IEEE 802.11 wireless networks. Its
intention was to provide data confidentiality comparable to that of a traditional wired network. WEP
uses the stream cipher RC4 for confidentiality, and the CRC-32 checksum for integrity.

QUESTION NO: 394


Which three options are the types of zones that are defined for anomaly detection on the Cisco
IPS Sensor? (Choose three.)
A.
inside
B.
outside
C.
internal
D.
external
E.
illegal
F.
baseline

Answer: C,D,E
Explanation:

Three zones are used with anomaly detection. Each zone has a different traffic pattern, and as a
result the thresholds in each zone are very likely to differ. IP addresses define which networks are
part of which zone. By default, all IP addresses are assigned to the external zone. The internal
zone should be configured with the IP address ranges of the internal networks. The illegal zone can
also be configured with IP addresses and address ranges that are not valid.

QUESTION NO: 395


Which four techniques can you use for IP data plane security? (Choose four.)
A.
Control Plane Policing
B.
interface ACLs
C.
uRPF
D.
MD5 authentication
E.
FPM
F.
QoS

Answer: B,C,E,F
Explanation:

Determining Where and When to Configure Access Lists

To provide the security benefits of ACLs, at a minimum an ACL should be configured on the
border routers, which are routers situated at the edges of the network. This setup provides a basic
buffer from the outside network or from a less-controlled area of the network into a more sensitive
area of the network.
An ACL can be configured so that inbound traffic or outbound traffic, or both, are filtered on an
interface. ACLs should be defined on a per-protocol basis. In other words, an ACL should be
defined for every protocol enabled on an interface if that protocol's traffic is to be controlled.
Unicast Reverse Path Forwarding (Unicast RPF)
On modern networks, one of the most common attack types involves the forging or spoofing of IP
source addresses. The configuration of ACLs for this purpose on large networks can be very
cumbersome and hard to maintain. Unicast Reverse Path Forwarding (uRPF) was developed to
deal with these issues. Unicast RPF adds a source validation step to packet handling: it verifies
the source information of a packet against the information contained in the Cisco Express
Forwarding (CEF) Forwarding Information Base (FIB). The CEF FIB is a table that contains
packet-switching information mirroring that of the routing table; the device uses it to increase the
speed at which packets are forwarded through the device. Because Unicast RPF relies on the CEF
FIB, CEF must be configured on the device before Unicast RPF is configured.
Flexible Packet Matching
Flexible Packet Matching (FPM) was created to be a more thorough and customizable packet filter
option. FPM enables the user to configure match parameters based on arbitrary bits of a packet
and at arbitrary depths within the packet header and payload. This technique can be used to
mitigate several different types of attack, including slow-path denial of service and zero-day virus
and malware.
FPM is implemented using a filtering policy that is divided into four tasks:
References: http://www.ciscopress.com/articles/article.asp?p=1716288&seqNum=2

QUESTION NO: 396


As defined by Cisco TrustSec, which EAP method is used for Network Device Admission Control
authentication?
A.
EAP-FAST
B.
EAP-TLS
C.
PEAP
D.
LEAP

Answer: A
Explanation:
EAP-FAST (Flexible Authentication via Secure Tunneling) is a protocol proposal by Cisco Systems
as a replacement for LEAP. The protocol was designed to address the weaknesses of LEAP while
preserving the "lightweight" implementation. Use of server certificates is optional in EAP-FAST.
EAP-FAST uses a Protected Access Credential (PAC) to establish a TLS tunnel in which client
credentials are verified. EAP is an authentication framework providing for the transport and usage
of keying material and parameters generated by EAP methods.

QUESTION NO: 397


The Wi-Fi Alliance defined two certification programs, called WPA and WPA2, which are based on
the IEEE 802.11i standard. Which three statements are true about these certifications? (Choose
three.)
A.
WPA is based on the ratified IEEE 802.11i standard.
B.
WPA2 is based on the ratified IEEE 802.11i standard.
C.
WPA enhanced WEP with the introduction of TKIP.
D.
WPA2 requires the support of AES-CCMP.
E.
WPA2 supports only 802.1x/EAP authentication.

Answer: B,C,D
Explanation:

Wi-Fi Protected Access (WPA) and Wi-Fi Protected Access II (WPA2) are two security protocols
and security certification programs developed by the Wi-Fi Alliance to secure wireless computer
networks. The Alliance defined these in response to serious weaknesses researchers had found in
the previous system, WEP (Wired Equivalent Privacy).
WPA (sometimes referred to as the draft IEEE 802.11i standard) became available in 2003. The
Wi-Fi Alliance intended it as an intermediate measure in anticipation of the availability of the more
secure and complex WPA2. WPA2 became available in 2004 and is a common shorthand for the
full IEEE 802.11i (or IEEE 802.11i-2004) standard.
The WPA protocol implements much of the IEEE 802.11i standard. Specifically, the Temporal Key
Integrity Protocol (TKIP) was adopted for WPA. WEP used a 40-bit or 104-bit encryption key that
must be manually entered on wireless access points and devices and does not change. TKIP
employs a per-packet key, meaning that it dynamically generates a new 128-bit key for each
packet and thus prevents the types of attacks that compromised WEP.
WPA2 has replaced WPA. WPA2, which requires testing and certification by the Wi-Fi Alliance,
implements the mandatory elements of IEEE 802.11i. In particular, it includes mandatory support
for CCMP, an AES-based encryption mode with strong security. Certification began in September,
2004; from March 13, 2006, WPA2 certification is mandatory for all new devices to bear the Wi-Fi
trademark.

QUESTION NO: 398


Which three of these situations warrant engagement of a Security Incident Response team?
(Choose three.)
A.
loss of data confidentiality/integrity
B.
damage to computer/network resources
C.
denial of service (DoS)
D.
computer or network misuse/abuse
E.
pornographic blogs/websites

Answer: A,C,D
Explanation:

You should contact the Security Incident Response team in the following situations:
References: https://informationsecurity.wustl.edu/wustl-community-members/securitypolicies-2/incident-response-plan/

QUESTION NO: 399


What action does a RADIUS server take when it cannot authenticate the credentials of a user?
A.
An Access-Reject message is sent.
B.
An Access-Challenge message is sent, and the user is prompted to re-enter credentials.
C.
A Reject message is sent.
D.
A RADIUS start-stop message is sent via the accounting service to disconnect the session.

Answer: A
Explanation:

If any condition is not met, the RADIUS server sends an "Access-Reject" response indicating that
this user request is invalid. If desired, the server MAY include a text message in the Access-Reject
which MAY be displayed by the client to the user. No other attributes (except Proxy-State) are
permitted in an Access-Reject.

QUESTION NO: 400


Which transport mechanism is used between a RADIUS authenticator and a RADIUS
authentication server?
A.
UDP, with only the password in the Access-Request packet encrypted
B.
UDP, with the whole packet body encrypted
C.
TCP, with only the password in the Access-Request packet encrypted
D.
EAPOL, with TLS encrypting the entire packet
E.
UDP RADIUS encapsulated in the EAP mode enforced by the authentication server.

Answer: A
Explanation:
RADIUS is a client/server protocol that runs in the application layer, using UDP as transport. The
Remote Access Server, the Virtual Private Network server, the Network switch with port-based
authentication, and the Network Access Server (NAS), are all gateways that control access to the
network, and all have a RADIUS client component that communicates with the RADIUS server.
References: http://en.wikipedia.org/wiki/RADIUS

QUESTION NO: 401


How are the username and password transmitted if a basic HTTP authentication is used?
A.
Base64 encoded username and password
B.
MD5 hash of the combined username and password
C.
username in cleartext and MD5 hash of the password
D.
cleartext username and password

Answer: A
Explanation:

The client sends the user name and password as unencrypted base64 encoded text. It should only
be used with HTTPS, as the password can be easily captured and reused over HTTP.

QUESTION NO: 402


Which field in an HTTPS server certificate is compared to a server name in the URL?
A.
Common Name
B.
Issuer Name
C.
Organization
D.
Organizational Unit

Answer: A
Explanation:

The basic idea of the URL integrity check is that the server certificate's identity must match the
server host name. This integrity check has an important impact on how you generate X.509
certificates for HTTPS: the certificate identity (usually the common name in the certificate's subject
DN) must match the host name on which the HTTPS server is deployed.

QUESTION NO: 403


Refer to the exhibit.

What is this configuration designed to prevent?


A.
Man in the Middle Attacks
B.
DNS Inspection
C.
Backdoor control channels for infected hosts
D.
Dynamic payload inspection

Answer: C
Explanation:

The Cisco ASA appliance with the Botnet Traffic Filter should be deployed at the enterprise
Internet edge, as the botnet database only contains information about external botnets. It is also
best to address the external threat as close to the source as possible. This feature is restricted to
IPv4 traffic.
The Botnet Traffic Filter is supported in all firewall modes (single and multiple context), and in
routed and transparent modes.
The Cisco ASA appliance supports Botnet Traffic Filter in High Availability (HA) mode
(Active/Active and Active/Standby). It is essential to note that the DNS reverse lookup cache
(DNSRC) is not replicated between the ASA HA devices and must therefore be relearned after a
device failover event.
A typical Botnet Traffic Filter deployment is one where the ASA appliance is deployed between the
Internet and the corporate networks. The corporate networks can be divided across multiple
interfaces and will, from the Botnet Traffic Filter's point of view, be considered internal networks.
The following steps need to be taken when configuring Botnet Traffic Filter dynamic filtering:
1. Enable the DNS client on the ASA so that it can resolve the address of the CSIO updater
service, allowing the dynamic filter update client to fetch updates.
2. Enable dynamic traffic filtering (Botnet Traffic Filter).
3. Enable the Botnet Traffic Filter database update.
4. Classify the traffic that will be subject to dynamic traffic filtering by creating an access control list
(ACL) that matches the traffic to be filtered.
5. Enable dynamic filtering on the Internet-facing (external) interface by using the classification
ACL defined in the previous step.
6. Enable DNS snooping on the external interface by adding to or modifying the DNS inspection
policy map for the external interface.
7. Define local whitelists and/or blacklists if needed.
References: http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/intro.html
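The seven steps above as a worked ASA configuration, added here as an illustration and not taken from the referenced Cisco guide; the interface name outside, the ACL name btf-classify, the resolver address 198.51.100.53 and the example domain names are assumptions.

```cisco
! Step 1: DNS client so the ASA can resolve the updater service
! (198.51.100.53 is an assumed resolver from the documentation range)
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 198.51.100.53
!
! Steps 2 and 3: enable dynamic filtering and the database updater client
dynamic-filter updater-client enable
dynamic-filter use-database
!
! Step 4: classify the traffic to be checked (here: all IP traffic)
access-list btf-classify extended permit ip any any
!
! Step 5: apply the classification on the Internet-facing interface
dynamic-filter enable interface outside classify-list btf-classify
!
! Step 6: DNS snooping through the DNS inspection policy map, so that
! resolved names can be matched against the dynamic database
policy-map type inspect dns dynamic-filter_snoop_dns_map
 parameters
  dynamic-filter-snoop
policy-map global_policy
 class inspection_default
  inspect dns dynamic-filter_snoop_dns_map
!
! Step 7: local lists (domain names are placeholders)
dynamic-filter blacklist
 name c2.example.net
dynamic-filter whitelist
 name updates.example.com
!
! Optional: move from monitoring to dropping blacklisted traffic
! (available from ASA 8.2(2))
dynamic-filter drop blacklist interface outside
!
! Verification: updater status, snooped DNS entries, hit counters
show dynamic-filter updater-client
show dynamic-filter dns-snoop
show dynamic-filter statistics
```

Because the DNSRC is not replicated between HA peers, the snoop table shown by the last commands is empty on the new active unit right after a failover until traffic repopulates it.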

QUESTION NO: 404


Refer to the exhibit.

What does this configuration prevent?


A.
HTTP downloads of files with the ".bat" extension on all interfaces
B.
HTTP downloads of files with the ".batch" extension on the inside interface
C.
FTP commands of GET or PUT for files with the ".bat" extension on all interfaces
D.
FTP commands of GET or PUT for files with the ".batch" extension on the inside interface

Answer: C
Explanation:

MPF provides a consistent and flexible way to configure security appliance features. For example,
you can use MPF to create a timeout configuration that is specific to a particular TCP application,
as opposed to one that applies to all TCP applications.
MPF supports these features:
The configuration of the MPF consists of four tasks:
References: http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-seriesnext-generation-firewalls/110572-asa-pix-mpf-00.html

QUESTION NO: 405


Which two options correctly describe Remote Triggered Black Hole Filtering (RFC 5635)? (Choose
two.)
A.
RTBH destination based filtering can drop traffic destined to a host based on triggered entries in
the FIB.
B.
RTBH source based filtering will drop traffic from a source destined to a host based on triggered
entries in the RIB
C.
Loose uRPF must be used in conjunction with RTBH destination based filtering
D.
Strict uRPF must be used in conjunction with RTBH source based filtering
E.
RTBH uses a discard route on the edge devices of the network and a route server to send
triggered route updates
F.
When setting the BGP community attribute in a route-map for RTBH use the no-export community
unless BGP confederations are used then use local-as to advertise to sub-as confederations

Answer: A,E
Explanation:

Destination-Based Remotely Triggered Black Hole Filtering
With a denial-of-service (DoS) attack, in addition to service degradation of the target, there is
possible collateral damage such as bandwidth consumption, processor utilization, and potential
service loss elsewhere in the network. One method to mitigate the damaging effects of such an
attack is to black hole (drop) traffic destined to the IP address or addresses being attacked and to
filter the infected host traffic at the edge of the network closest to the source of the attack. The
challenge is to find a way to quickly drop the offending traffic at the network edge, document and
track the black holed destination addresses, and promptly return these addresses to service once
the threat disappears.
Destination-based IP black hole filtering with remote triggering allows a network-wide
destination-based black hole to be propagated by adding a simple static route to the triggering
device (trigger). The trigger sends a routing update for the static route using iBGP to the other
edge routers configured for black hole filtering. This routing update sets the next hop IP address to
another preconfigured static route pointing to the null interface. This process is illustrated in
Figure 1.

Figure 1. Destination-Based Black Hole Filtering with Remote Triggering (figure not reproduced)

The three steps in destination-based black hole filtering are summarized below.
Step 1. The setup (preparation) A trigger is a special device that is installed at the NOC
exclusively for the purpose of triggering a black hole. The trigger must have an iBGP peering
relationship with all the edge routers, or, if using route reflectors, it must have an iBGP relationship
with the route reflectors in every cluster. The trigger is also configured to redistribute static routes
to its iBGP peers. It sends the static route by means of an iBGP routing update. The Provider
Edges (PEs) must have a static route for an unused IP address space. For example, 192.0.2.1/32
is set to Null0. The IP address 192.0.2.1 is reserved for use in test networks and is not used as a
deployed IP address.
Step 2. The trigger An administrator adds a static route to the trigger, which redistributes the route
by sending a BGP update to all its iBGP peers, setting the next hop to the target destination
address under attack as 192.0.2.1 in the current example. The PEs receive their iBGP update and
set their next hop to the target to the unused IP address space 192.0.2.1. The route to this
address is set to null0 in the PE, using a static routing entry in the router configuration. The next
hop entry in the forwarding information base (FIB) for the destination IP (target) is now updated to
null0. All traffic to the target will now be forwarded to Null0 at the edge and dropped.
Step 3. The withdrawal Once the trigger is in place, all traffic to the target destination is dropped at
the PEs. When the threat no longer exists, the administrator must manually remove the static
route from the trigger, which sends a BGP route withdrawal to its iBGP peers. This prompts the
edge routers to remove the existing route for the target that is pointed to 192.0.2.1 and to install a
new route based on the IGP routing information base (RIB).
References: http://www.cisco.com/web/about/security/intelligence/blackhole.pdf
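The three steps above carried through as an added IOS configuration example (not the referenced whitepaper's own configuration). AS 65000, the loopback peer addresses 10.0.0.1 and 10.0.0.2, the tag value 66 and the attacked host 203.0.113.10 are assumptions; 192.0.2.1 is the unused next hop used in the text.

```cisco
! ---- Trigger router (NOC) ----
! Step 1 (setup): the unused next hop itself points at Null0, and only
! static routes carrying tag 66 are redistributed into iBGP, with the
! next hop rewritten to 192.0.2.1 and no-export so nothing leaks to eBGP peers
ip route 192.0.2.1 255.255.255.255 Null0
!
router bgp 65000
 neighbor 10.0.0.2 remote-as 65000
 neighbor 10.0.0.2 update-source Loopback0
 redistribute static route-map rtbh-trigger
!
route-map rtbh-trigger permit 10
 match tag 66
 set ip next-hop 192.0.2.1
 set local-preference 200
 set community no-export
 set origin igp
route-map rtbh-trigger deny 20
!
! Step 2 (trigger): the administrator adds the target as a tagged static
! route; the PEs receive it via iBGP with next hop 192.0.2.1
ip route 203.0.113.10 255.255.255.255 Null0 tag 66
!
! Step 3 (withdrawal): removing the static route sends the BGP withdrawal
no ip route 203.0.113.10 255.255.255.255 Null0 tag 66

! ---- Provider edge (PE) routers ----
! The reserved next hop resolves to Null0, so the recursive lookup for the
! target lands on Null0 in the FIB; unreachables are suppressed so the
! router does not answer every dropped packet with ICMP
ip route 192.0.2.1 255.255.255.255 Null0
interface Null0
 no ip unreachables
!
router bgp 65000
 neighbor 10.0.0.1 remote-as 65000
 neighbor 10.0.0.1 update-source Loopback0
!
! Source-based variant (see question 387): if the trigger advertises the
! attacking source prefix with the same next hop, loose-mode uRPF on the
! external interface drops packets whose source route resolves to Null0
interface GigabitEthernet0/0
 ip verify unicast source reachable-via any
!
! Verification on a PE: the BGP path and the CEF entry for the target
show ip bgp 203.0.113.10
show ip cef 203.0.113.10
```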

QUESTION NO: 406


Which standard prescribes a risk assessment to identify whether each control is required to
decrease risks and if so, to which extent it should be applied?
A.
ISO 27001
B.
ISO 27002
C.
ISO 17799
D.
HIPAA
E.
ISO 9000

Answer: A
Explanation:

ISO 27001:2013 is an information security standard that was published on 25 September 2013. It
supersedes ISO/IEC 27001:2005, and is published by the International Organization for
Standardization (ISO) and the International Electrotechnical Commission (IEC) under the joint ISO
and IEC subcommittee, ISO/IEC JTC 1/SC 27. It is a specification for an information security
management system (ISMS). Organisations which meet the standard may gain an official
certification issued by an independent and accredited certification body on successful completion
of a formal audit process.

QUESTION NO: 407


EAP-MD5 provides one-way client authentication. The server sends the client a random challenge.
The client proves its identity by hashing the challenge and its password with MD5. What is the
problem with EAP-MD5?
A.
EAP-MD5 is vulnerable to dictionary attack over an open medium and to spoofing because there
is no server authentication.
B.
EAP-MD5 communication must happen over an encrypted medium, which makes it operationally
expensive.
C.
EAP-MD5 is CPU-intensive on the devices.
D.
EAP-MD5 is not used by the RADIUS protocol.

Answer: A
Explanation:

EAP-MD5-Challenge, which is described in RFC 2284, enables a RADIUS server to authenticate a
connection request by verifying an MD5 hash of a user's password. The server sends the client a
random challenge value, and the client proves its identity by hashing the challenge and its
password with MD5.
EAP-MD5-Challenge is typically used on trusted networks where the risk of packet sniffing or active
attack is fairly low. Because of significant security vulnerabilities, EAP-MD5-Challenge is not
usually used on public networks or wireless networks, because third parties can capture packets
and apply dictionary attacks against the captured hashes. Because EAP-MD5-Challenge does not
provide server authentication, it is vulnerable to spoofing (a third party advertising itself as an
access point).
By default, the EAP-MD5-Challenge password protocol is available for use by the Native and Unix
authentication methods.
References: https://www.juniper.net/techpubs/software/aaa_802/sbrc/sbrc70/sw-sbrcadmin/html/EAP-029.html

QUESTION NO: 408


With ASM, sources can launch attacks by sending traffic to any groups that are supported by an
active RP. Such traffic might not reach a receiver but will reach at least the first-hop router in the
path, as well as the RP, allowing limited attacks. However, if the attacking source knows a group
to which a target receiver is listening and there are no appropriate filters in place, then the
attacking source can send traffic to that group. This traffic is received as long as the attacking
source is listening to the group.
Based on the above description, which type of security threat is involved?
A.
DoS
B.
man-in-the-middle
C.
compromised key
D.
data modification

Answer: A
Explanation:

In computing, a denial-of-service (DoS) or distributed denial-of-service (DDoS) attack is an attempt
to make a machine or network resource unavailable to its intended users. A DoS attack generally
consists of efforts to temporarily or indefinitely interrupt or suspend services of a host connected to
the Internet.

QUESTION NO: 409


Refer to the exhibit.

Which two statements correctly describe the debug output that is shown in the exhibit? (Choose
two.)
A.
The request is from NHS to NHC.
B.
The request is from NHC to NHS.
C.
69.1.1.2 is the local non-routable address.
D.
192.168.10.2 is the remote NBMA address.
E.
192.168.10.1 is the local VPN address.
F.
This debug output represents a failed NHRP request.

Answer: B,E
Explanation:
Refer to the linked document for details on debugging DMVPN and interpreting NHRP debug output.
References: http://www.cisco.com/c/en/us/support/docs/security-vpn/dynamic-multipoint-vpn-dmvpn/116957-technote-dmvpn-00.html

QUESTION NO: 410


Which is an example of a network reconnaissance attack?
A.
botnets
B.
backdoor
C.
ICMP sweep
D.
firewalk
E.
inverse mapping

Answer: C
Explanation:
A ping sweep (also known as an ICMP sweep) is a basic network scanning technique used to
determine which of a range of IP addresses map to live hosts (computers). Whereas a single ping
will tell you whether one specified host computer exists on the network, a ping sweep consists of
ICMP (Internet Control Message Protocol) ECHO requests sent to multiple hosts. If a given
address is live, it will return an ICMP ECHO reply. Ping sweeps are among the older and slower
methods used to scan a network.

QUESTION NO: 411


Which ICMP message could be used with traceroute to map network topology?
A.
Echo Reply
B.
Redirect
C.
Time Exceeded
D.
Echo
E.
Router Selection
F.
Address Mask Request

Answer: C
Explanation:

The Internet Control Message Protocol (ICMP) is one of the main protocols of the Internet Protocol
Suite. It is used by network devices, like routers, to send error messages indicating, for example,
that a requested service is not available or that a host or router could not be reached. ICMP can
also be used to relay query messages. It is assigned IP protocol number 1. ICMP differs from
transport protocols such as TCP and UDP in that it is not typically used to exchange data between
systems, nor is it regularly employed by end-user network applications (with the exception of some
diagnostic tools like ping and traceroute).

QUESTION NO: 412


Which statement about the Firewalk attack is true?
A.
The Firewalk attack is used to discover hosts behind a firewall device.
B.
The Firewalk attack uses an ICMP sweep to find expected hosts behind the firewall.
C.
The Firewalk attack uses traceroute with a predetermined TTL value to discover hosts behind the
firewall.
D.
The Firewalk attack is used to find vulnerabilities in the Cisco IOS firewall code.
E.
The Firewalk attack uses an ICMP echo message to discover firewall misconfiguration.

Answer: C
Explanation:

Traceroute is a networking utility designed to list the routers involved in making a connection from
one host to another across a network. It lists the number of hops the packets take and the IP
addresses of each router along the way. In order to determine this information traceroute relies on
the IP time to live (TTL) feature [3]. The time to live feature was implemented in IP to prevent
packets from looping indefinitely in the network. As each device receives a packet it decrements
the time to live counter and if the counter is less than or equal to zero the packet is dropped and
an ICMP TTL Exceeded in Transit error message is generated and returned to the originator.
This error message will contain the IP address of the router dropping the packet as the originator.
Traceroute uses this behavior and manipulates the TTL counter so that each router on the way to
the target host will generate the error message and thus reveal its IP address. The Windows
version (tracert.exe) uses pings (ICMP Echo) as the packets being sent while Unix versions of
traceroute generally use UDP datagrams. The datagrams are sent to port 33434 by default and
the port number is incremented for each successive packet. It is common for traceroute to send 3
packets (to successive ports) with the same TTL value to guard against packet loss. Below is a
sample of the output from the Windows tracert.exe program:
C:\WINDOWS>tracert quote.yahoo.com
Tracing route to finance.yahoo.com [204.71.203.155] over a maximum of 30 hops:

Many firewalls are configured to block traceroute and ping traffic from the outside to prevent
attackers from learning the details of the internal networks and hosts. The following example
shows the tracert.exe output when a firewall or router access control list blocks the ping traffic:

As you can see we are unable to complete the trace and begin receiving timeout messages at the
host which drops the ping packets. We are unable to determine any information beyond this
system.

QUESTION NO: 413


Which pair of ICMP messages is used in an inverse mapping attack?
A.
Echo-Echo Request
B.
Route Solicitation- Time Exceeded
C.
Echo-Time Exceeded
D.
Echo Reply-Host Unreachable
E.
Echo-Host Unreachable

Answer: D
Explanation:
Inverse mapping makes it possible to map an internal network that is protected by a firewall using
this technique. An unsolicited ICMP_ECHOREPLY packet is a fake packet that will pass through
most firewalls. Most routers will send a HOST_UNREACHABLE packet back to the pinger if they
receive an unsolicited ICMP_ECHOREPLY packet sent to a nonexistent host system. If the host
exists, the router drops the packet and sends nothing back to the pinger. The hacker can use
these responses or lack of response to map active IP addresses on the inside by seeing which
HOST_UNREACHABLE packets are returned. That pattern might look like this:
00:58:16 prober> 172.20.179.41: icmp: echo reply
00:58:17 router> prober: icmp: host unreachable
03:11:50 prober> 172.20.54.94: icmp: echo reply
03:11:51 router> prober: icmp: host unreachable
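The pattern above is what the probe looks like on the wire; from the defender's side the same two-line signature (an unsolicited echo reply going out, a host unreachable coming back) is what a log analyzer should key on. The following Python script is an added example written for this page, not part of the original exam material: it parses constructed tcpdump-style lines in the shape shown above (the sample log and the threshold of two distinct targets are assumptions), treats an echo reply as unsolicited when no matching echo request preceded it in the log, and pairs each host unreachable with the target it answers.

```python
import re
from collections import defaultdict

# Constructed sample log (not a real capture) in the tcpdump-like shape of the pattern quoted
# above. The third and fourth lines are a normal echo request/reply pair and must not be flagged.
SAMPLE_LOG = """\
00:58:16 prober> 172.20.179.41: icmp: echo reply
00:58:17 router> prober: icmp: host unreachable
01:02:03 172.20.10.5 > 172.20.10.9: icmp: echo request
01:02:03 172.20.10.9 > 172.20.10.5: icmp: echo reply
03:11:50 prober> 172.20.54.94: icmp: echo reply
03:11:51 router> prober: icmp: host unreachable
03:12:02 prober> 172.20.54.95: icmp: echo reply
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[^\s>]+)\s*>\s*(?P<dst>[^:\s]+):\s*icmp:\s*(?P<kind>.+?)\s*$"
)


def parse_line(line):
    """Return (ts, src, dst, kind) for one ICMP log line, or None for anything else."""
    m = LINE_RE.match(line)
    return m.group("ts", "src", "dst", "kind") if m else None


def analyze(log_text, threshold=2):
    """Report sources that send unsolicited ICMP echo replies, the inverse-mapping signature.

    An echo reply from A to B is solicited only if B sent A an echo request earlier in the log.
    A 'host unreachable' returned to such a source is paired with the target of its most recent
    unsolicited reply, so the report shows which probed addresses drew an error from the router
    and which stayed silent. Only sources with at least `threshold` distinct targets are reported.
    """
    requests = set()                  # (requester, target) pairs seen as echo requests
    unsolicited = defaultdict(dict)   # source -> {target: "no response" | "host unreachable"}
    pending = {}                      # source -> target of its latest unanswered unsolicited reply
    unreachable = defaultdict(int)    # source -> number of host-unreachable errors it received

    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        _, src, dst, kind = parsed
        if kind == "echo request":
            requests.add((src, dst))
        elif kind == "echo reply":
            if (dst, src) in requests:
                continue              # legitimate reply to a request we saw
            unsolicited[src][dst] = "no response"
            pending[src] = dst
        elif kind == "host unreachable":
            # dst is the sender of the unsolicited reply; attribute the error to its last target
            unreachable[dst] += 1
            target = pending.pop(dst, None)
            if target is not None:
                unsolicited[dst][target] = "host unreachable"

    return {
        src: {
            "unsolicited_targets": len(targets),
            "unreachable_responses": unreachable[src],
            "targets": dict(targets),
        }
        for src, targets in unsolicited.items()
        if len(targets) >= threshold
    }
```

On the sample log the only flagged source is `prober`, with three distinct targets, two of which produced a host unreachable; the internal pair 172.20.10.5/172.20.10.9 is ignored because the reply matched a request. The threshold exists so that a single stray reply (a late answer to a request that scrolled out of the log) does not raise an alert.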

QUESTION NO: 414


Which statement about a botnet attack is true?
A.
The botnet attack is an attack on a firewall to disable its filtering ability.
B.
The botnet attack is a network sweeping attack to find hosts that are alive behind the filtering
device.
C.
The botnet attack is a collection of infected computers that launch automated attacks.
D.
The owner of the infected computer willingly participates in automated attacks.
E.
The botnet attack enhances the efficiency of the computer for effective automated attacks.

Answer: C
Explanation:

The word Botnet is formed from the words robot and network. Cybercriminals use special Trojan
viruses to breach the security of several users' computers, take control of each computer, and
organize all of the infected machines into a network of bots that the criminal can remotely
manage.

QUESTION NO: 415


Which statement about the SYN flood attack is true?
A.
The SYN flood attack is always directed from valid address.
B.
The SYN flood attack target is to deplete server memory so that legitimate request cannot be
served.
C.
The SYN flood attack is meant to completely deplete the TCB SYN-Received state backlog.
D.
The SYN flood attack can be launched for both UDP and TCP open ports on the server.
E.
SYN-Received state backlog for TCBs is meant to protect server CPU cycles.

Answer: C
Explanation:

Depleting the backlog is the goal of the TCP SYN flooding attack, which attempts to send enough
SYN segments to fill the entire backlog. The attacker uses source IP addresses in the SYNs that
are not likely to trigger any response that would free the TCBs from the SYN-RECEIVED state.
Because TCP attempts to be reliable, the target host keeps its TCBs stuck in SYN-RECEIVED for a
relatively long time before giving up on the half connection and reaping them. In the meantime,
service is denied to the application process on the listener for legitimate new TCP connection
initiation requests.

QUESTION NO: 416


The HTTP inspection engine has the ability to inspect traffic based on which three parameters?
(Choose three.)
A.
Transfer Encoding
B.
Request Method
C.
Header
D.
Application Type
E.
Header Size
F.
Source Address

Answer: A,B,D
Explanation:

Transfer encoding: Permits or denies HTTP traffic according to the specified transfer-encoding of
the message.
Request method: Permits or denies HTTP traffic according to either the request methods or the
extension methods.
Application type: Allows you to configure inspection parameters for a given protocol. Currently,
only HTTP traffic can be inspected.

QUESTION NO: 417


Which Cisco IOS IPS signature action denies an attacker session using the dynamic access list?
A.
produce-alert
B.
deny-attacker-inline
C.
deny-connection-inline
D.
reset-tcp-action
E.
deny-session-inline
F.
deny-packet-inline

Answer: C
Explanation:

Deny connection inline: This action prevents further communication for the specific TCP flow. This
action is appropriate when there is the potential for a false alarm or spoofing and when an
administrator wants to prevent the action but not deny further communication.

QUESTION NO: 418


Which IPS appliance signature engine inspects IPv6 Layer 3 traffic?
A.
Atomic IP
B.
Meta
C.
Atomic IP Advanced
D.
Fixed
E.
Service

Answer: C
Explanation:
The Atomic IP Advanced engine parses and interprets the IPv6 header and its extensions, the
IPv4 header and its options, ICMP, ICMPv6, TCP, and UDP, and seeks out anomalies that
indicate unusual activity.

QUESTION NO: 419


Which statement about the distributed SYN flood attack is true?
A.
A distributed SYN flood attack is carried out only by the valid address.
B.
A distributed SYN flood attack is carried out only by spoofed addresses.
C.
Botnet could be used to launch a distributed SYN flood attack.
D.
A distributed SYN flood attack does not completely deplete TCBs SYN-Received state backlog.
E.
A distributed SYN flood attack is the most effective SYN flood attack because it targets server
memory.

Answer: C
Explanation:

DDoS attacks can be broadly divided into three different types. The first, Application Layer DDoS
Attacks, include Slowloris, Zero-day DDoS attacks, DDoS attacks that target Apache, Windows or
OpenBSD vulnerabilities and more. Comprised of seemingly legitimate and innocent requests, the
goal of these attacks is to crash the web server, and the magnitude is measured in Requests per
second.
The second type of DDoS attack, Protocol DDoS Attacks, includes SYN floods, fragmented packet
attacks, Ping of Death, Smurf DDoS and more. This type of attack consumes actual server
resources, or those of intermediate communication equipment, such as firewalls and load
balancers, and is measured in Packets per second.
The third type of DDoS attack is generally considered the most dangerous. Volume-based DDoS
Attacks include UDP floods, ICMP floods, and other spoofed-packet floods. The volume-based
attack's goal is to saturate the bandwidth of the attacked site, and magnitude is measured in Bits
per second.

QUESTION NO: 420


Which statement about the prelogin assessment module in Cisco Secure Desktop is true?
A.
It assigns an IP address to the remote device after successful authentication.
B.
It checks for any viruses on the remote device and reports back to the security appliance.
C.
It checks the presence or absence of specified files on the remote device.
D.
It clears the browser cache on the remote device after successful authentication.
E.
It quarantines the remote device for further assessment if specific registry keys are found.

Answer: C
Explanation:

Prelogin assessment is the assessment done when the administrator creates a rule on the firewall
to allow only those users to connect who meet the predefined criteria. For example, if a user is
connecting and the administrator has configured a rule that allows only those who have a file named
test.txt with the value 123123123, then only those users who have this file at the specified
location, with the same value in it, will be able to connect.

QUESTION NO: 421


Which option is an example of network reconnaissance attack?
A.
botnets
B.
ping of death
C.
SYN flooding
D.
inverse mapping

Answer: D
Explanation:

Inverse Mapping is a technique used to map internal networks or hosts that are protected by a
filtering device. Usually some of those systems are not reachable from the Internet. This scanning
type uses routers, which give away internal architecture information of a network even when the
question they are asked does not make any sense.

QUESTION NO: 422


Which statement about Cisco IPS signatures is true?
A.
All of the built-in signatures are enabled by default.
B.
Tuned signatures are built-in signatures whose parameters cannot be adjusted.
C.
Once the signature is removed from the sensing engine it cannot be restored.
D.
It is recommended to retire a signature not being used to enhance the sensor performance.

Answer: D
Explanation:

QUESTION NO: 423


Which statement correctly describes a category for the ASA Botnet Traffic Filter feature?
A.
Unlisted addresses: The addresses are malware addresses that are not identified by the dynamic
database and are hence defined statically.
B.
Ambiguous addresses: In this case, the same domain name has multiple malware addresses.
These addresses are on the graylist.
C.
Known malware addresses: These addresses are identified as blacklist addresses in the dynamic
database and static list.
D.
Known allowed addresses: These addresses are identified as whitelist addresses that are bad
addresses but still allowed.

Answer: C
Explanation:

QUESTION NO: 424


Which is a core function of the risk assessment process?
A.
performing regular network upgrades
B.
performing network optimization
C.
performing network posture validation
D.
establishing network baselines
E.
prioritizing network roll-outs

Answer: C
Explanation:

The term posture is used to refer to the collection of attributes that play a role in the conduct and
"health" of the endpoint device that is seeking access to the network. Posture validation, or posture
assessment, refers to the act of applying a set of rules to the posture data to provide an
assessment (posture token) of the level of trust that you can place in that endpoint. The posture
token is one of the conditions in the authorization rules for network access. Posture validation,
together with the traditional user authentication, provides a complete security assessment of the
endpoint device and the user.

QUESTION NO: 425


Which three basic security measures are used to harden MSDP? (Choose three.)
A.
MSDP SA filters
B.
MSDP state limitation
C.
MSDP MD5 neighbor authentication
D.
MSDP neighbor limitation
E.
loopback interface as MSDP originator-ID

Answer: A,B,C
Explanation:

To secure the control plane, we harden MSDP via three basic security measures:
1) MSDP SA Filters
It is a best common practice to filter the content of MSDP messages via MSDP SA filters. The
main idea of this filter is to avoid propagating multicast state for applications and groups that are
not Internet-wide applications and do not need to be forwarded beyond the source domain. Ideally,
from a security point of view, the filters should only allow known groups (and potentially senders),
and deny any unknown senders and/or groups.
2) MSDP State Limitation
When MSDP is enabled between ASs it is recommended to limit the amount of state that will be
built in the router due to Source-Active (SA) messages received from neighbors.
3) MSDP MD5 Neighbor Authentication
We support and recommend the use of MD5 password authentication on MSDP peers. This uses
the TCP MD5 signature option, equivalent to the use described in RFC 2385 for securing BGP.
Reference: http://www.cisco.com/web/about/security/intelligence/multicast_toolkit.html

QUESTION NO: 426


In an operating system environment, which three attacks give a user elevated privileges to access
resources that are otherwise blocked? (Choose three.)
A.
backdoor
B.
rootkit
C.
privilege escalation
D.
DoS
E.
smurf

Answer: A,B,C
Explanation:

A backdoor in a computer system (or cryptosystem or algorithm) is a method of bypassing normal
authentication, securing unauthorized remote access to a computer, obtaining access to plaintext,
and so on, while attempting to remain undetected. The backdoor may take the form of a hidden
part of a program, or a separate program (e.g., Back Orifice) that may subvert the system through a
rootkit.
A rootkit is a stealthy type of software, typically malicious, designed to hide the existence of certain
processes or programs from normal methods of detection and enable continued privileged access
to a computer.
Privilege escalation is the act of exploiting a bug, design flaw or configuration oversight in an
operating system or software application to gain elevated access to resources that are normally
protected from an application or user.

QUESTION NO: 427


Which two statements about the Cisco AnyConnect client Trusted Network Detection feature are
true? (Choose two.)
A.
The feature relies only on the DNS server list to detect whether the client machine is in a trusted or
untrusted network.
B.
An attacker can theoretically host a malicious DHCP server and return data that triggers the client
to believe that it resides in a trusted network.
C.
If an attacker knows the DNS server value that is configured in the Cisco AnyConnect profile and
provisions the DHCP server to return both a real and spoofed value, then Cisco AnyConnect
considers the endpoint to be in an untrusted network.
D.
The feature does not provide AnyConnect ability to automatically establish VPN connection when
the user is outside the trusted network.

Answer: B,C
Explanation:

The Secure Trusted Network Detection feature detects when an endpoint is on the corporate LAN,
either physically or by means of a VPN connection. If the Secure Trusted Network Detection
feature is enabled, any network traffic originating from the corporate LAN bypasses Cisco Cloud
Web Security scanning proxies. The security of that traffic gets managed by other methods and
devices sitting on the corporate LAN rather than Cisco Cloud Web Security. TND is detected with
the domain name. If you are in your company's domain, you will be marked as being in a trusted
network; if someone intercepts your traffic, starts acting as your trusted DHCP server and hands
out the domain details, the client will keep treating the network as trusted and the attacker can use
that to learn about the internal network.

QUESTION NO: 428


Which two statements apply to the method that ASA uses for tunnel-group lookup for LAN-to-LAN
IPSec connections when using PSK-based authentication? (Choose two.)
A.
If the configuration does not contain the tunnel-group with the IKE ID or peer IP address
DefaultRAGroup, DefaultL2LGroup is used instead.
B.
DefaultL2LGroup is used only if the PSK check in DefaultRAGroup fails.
C.
DefaultRAGroup is used only if the PSK check in DefaultL2LGroup fails.
D.
You can delete and create new default tunnels groups as needed.

Answer: A,B
Explanation:
DefaultRAGroup and DefaultL2LGroup are the two groups that are created by default on the ASA.
If you do not specify a policy in a manually created group, it inherits all the policies from these
default groups, which can make it behave unexpectedly. Whenever something is not specified
properly or there is no match, the default groups are consulted: if no configuration is specified for a
specific peer, the lookup falls back to the default group.

QUESTION NO: 429


Which command can be used on a Cisco IOS device to prevent it from being used as an amplifier
in a fraggle attack?
A.
no service tcp-small-servers
B.
no service udp-small-servers
C.
no ip directed-broadcast
D.
no ip redirects

Answer: B

Explanation:
The TCP and UDP small servers are enabled by default on Cisco IOS Software Version 11.2 and
earlier. They may be disabled using the commands no service tcp-small-servers and no service
udp-small-servers. They are disabled by default on Cisco IOS Software Versions 11.3 and later.
It is recommended that you do not enable these services unless it is absolutely necessary. These
services could be exploited indirectly to gain information about the target system or directly as is
the case with the fraggle attack which uses UDP echo.

QUESTION NO: 430


Which option is used for anti-replay prevention in a Cisco IOS IPsec implementation using tunnel
protection?
A.
Session token
B.
One-time password
C.
Time stamps
D.
Sequence number
E.
Nonce

Answer: D
Explanation:

IPSec provides anti-replay protection against an attacker who duplicates encrypted packets with
the assignment of a monotonically increasing sequence number to each encrypted packet. The
receiving IPSec endpoint keeps track of which packets it has already processed on the basis of
these numbers with the use of a sliding window of all acceptable sequence numbers. Currently,
the default anti-replay window size in the Cisco IOS implementation is 64 packets.
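The following Python class is an added example (not Cisco's code and not from the original page) of the sliding-window check the explanation describes, using the 64-packet window size quoted above; the sequence numbers fed to it are constructed. It keeps the check separate from the update because an IPsec receiver only advances the window after the packet's integrity check value has verified, so a forged packet with a large sequence number cannot push legitimate traffic out of the window.

```python
WINDOW_SIZE = 64  # Cisco IOS default anti-replay window size, as stated above


class AntiReplayWindow:
    """Sliding-window anti-replay check in the style of RFC 4303 (ESP), Appendix A.

    `top` is the highest sequence number accepted so far and bit i of `bitmap` records
    whether sequence number (top - i) has already been received. A number above `top`
    slides the window forward; one inside the window is accepted once and rejected on a
    second arrival; one below the window is rejected as too old.
    """

    def __init__(self, size=WINDOW_SIZE):
        if size < 1:
            raise ValueError("window size must be at least 1")
        self.size = size
        self.top = 0      # 0 means nothing received yet; ESP sequence numbering starts at 1
        self.bitmap = 0

    def check(self, seq):
        """Decide whether `seq` is acceptable without changing state. Returns (ok, reason)."""
        if seq == 0:
            return False, "sequence number 0 is never valid"
        if seq > self.top:
            return True, "advances window"
        offset = self.top - seq
        if offset >= self.size:
            return False, "older than window"
        if self.bitmap & (1 << offset):
            return False, "replay"
        return True, "inside window, first arrival"

    def update(self, seq):
        """Record `seq` as received. An IPsec receiver calls this only after check() passed
        and the packet's integrity check value verified, so forgeries cannot move the window."""
        if seq > self.top:
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1                      # everything in the old window is now too old
            else:
                mask = (1 << self.size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)

    def process(self, seq):
        """check() followed by update() when accepted; returns the accept decision."""
        ok, _ = self.check(seq)
        if ok:
            self.update(seq)
        return ok


def run_sequence(seqs, size=WINDOW_SIZE):
    """Feed sequence numbers through a fresh window and return the accept/reject decisions."""
    window = AntiReplayWindow(size)
    return [window.process(s) for s in seqs]
```

Reordered packets inside the window (for example 10, 8, 9) are all accepted, a second copy of any of them is rejected as a replay, and a packet that arrives more than 64 numbers behind the newest one is dropped as too old; that last case is why links that reorder heavily (QoS queues ahead of the tunnel) can need a larger window.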

QUESTION NO: 431


Which three actions are advisable when implementing desktop security? (Choose three.)
A.
Installing and maintaining anti-virus/anti-malware software
B.
Educating users on the danger of opening files and attachments from un-trusted sources
C.
Statically defining user password based on information like employee ID number to reduce
incidence of forgotten passwords
D.
Configuring multiple local network DHCP servers
E.
Staying up to date with operating system patches and updates
F.
Configuring client firewalls to automatically disable during business hours as not to impact
production traffic and applications

Answer: A,B,E
Explanation:

The user community is the linchpin in any antivirus deployment. Never underestimate the value of
educating users about using email clients, using common sense in the Internet experience, and
noticing suspicious behavior. While many security programs emphasize that security is
everyone's responsibility, organizations are well advised to balance the burden placed on the
user community in the overall antivirus effort. The less manual effort involved, the less security
contributes to the general overhead of an organization. Some security management capabilities
that you need to think about at Layer 6 are:
The advantage of installing virus signature updates without user intervention
The advantage of automatically repairing viruses, if they are repairable
The advantage of automatically setting aside infected files that cannot be repaired so that skilled
practitioners can analyze them and users don't propagate the infected files
The level of effort, and the errors introduced, by users renaming documents affected by the
Sanitizer, noted in the Layer 2 Scanning Content section, to defang attachments
An effective and efficient method for users to notify the support staff that they suspect a virus
infection
Security education and training often proves to be the most valuable security prevention
investment in the antivirus arsenal. (Gullet) The best approach is to minimize user interaction with
antivirus processes except to stress the importance with users of the following:
Not opening email attachments unless the user is sure of the source and the attachment is
expected
Not downloading or copying files from unknown sources
Using caution with technologies like instant messaging, peer-to-peer file share, Windows file
sharing, ftp file transfers, and so on.
Using antivirus solutions on home computers, especially if remote access to Node 3.a is possible
Being careful about posting a valid email address in a newsgroup
Being cautious about registering their email address at web sites
Noting suspicious behavior like independent mouse movement or social engineering queries

QUESTION NO: 432


Why do you use a disk-image backup to perform forensic investigations?
A.
The backup timestamps the files with the date and time during copy operations.
B.
The backup creates a bit-level copy of the entire disk.
C.
The backup includes areas that are used for the data store.
D.
This is a secure way to perform a file copy.

Answer: B
Explanation:

A hard disk image is interpreted by a Virtual Machine Monitor as a system hard disk drive. IT
administrators and software developers administer them through offline operations using built-in or
third-party tools. In terms of naming, a hard disk image for a certain Virtual Machine monitor has a
specific file type extension, e.g., .vmdk for VMware VMDK, .vhd for Xen and Microsoft Hyper-V,
.vdi for Oracle VM VirtualBox, etc.
Hard drive imaging is used in several major application areas:

Topic 5, Cisco Security Products, Features, and Management

QUESTION NO: 433


Which three Cisco security product features assist in preventing TCP-based man-in-the-middle
attacks? (Choose three.)
A.
Cisco ASA TCP initial sequence number randomization
B.
Cisco ASA TCP sliding-window conformance validation
C.
Cisco IPS TCP stream reassembly
D.
Cisco IOS TCP maximum segment size adjustment

Answer: A,B,C
Explanation:

Each TCP connection has two ISNs: one generated by the client and one generated by the server.
The ASA randomizes the ISN of the TCP SYN passing in both the inbound and outbound
directions. Randomizing the ISN of the protected host prevents an attacker from predicting the next
ISN for a new connection and potentially hijacking the new session.

QUESTION NO: 434


Which would be the best method to deploy on a Cisco ASA to detect and prevent viruses and
worms?
A.
deep packet inspection
B.
content security via the Control Security Services Module
C.
Unicast Reverse Path Forwarding
D.
IP audit signatures

Answer: B
Explanation:
The Cisco ASA 5500 Series Content Security and Control Security Services Module (CSC-SSM)
delivers industry-leading threat protection and content control at the Internet edge providing
comprehensive antivirus, anti-spyware, file blocking, anti-spam, anti-phishing, URL blocking and
filtering, and content filtering-all available in a comprehensive easy-to-manage solution delivered
by industry leaders. The CSC-SSM bolsters the Cisco ASA 5500 Series' strong security
capabilities providing customers with additional protection and control over the content of their
business communications.

QUESTION NO: 435


Which three statements about NetFlow version 9 are correct? (Choose three.)
A.
It is backward-compatible with versions 8 and 5.
B.
Version 9 is dependent on the underlying transport; only UDP is supported.
C.
A version 9 export packet consists of a packet header and flow sets.
D.
Generating and maintaining valid template flow sets requires additional processing.
E.
NetFlow version 9 does not access the NetFlow cache entry directly.
Answer: C,D,E
Explanation:

Cisco IOS NetFlow efficiently provides a key set of services for IP applications, including network
traffic accounting, usage-based network billing, network planning, security, Denial of Service
monitoring capabilities, and network monitoring. NetFlow provides valuable information about
network users and applications, peak usage times, and traffic routing. Cisco invented NetFlow and
is the leader in IP traffic flow technology.
The basic output of NetFlow is a flow record. Several different formats for flow records have
evolved as NetFlow has matured. The most recent evolution of the NetFlow flow-record format is
known as NetFlow version 9. The distinguishing feature of the NetFlow Version 9 format, which is
the basis for an IETF standard, is that it is template-based. Templates provide an extensible
design to the record format, a feature that should allow future enhancements to NetFlow services
without requiring concurrent changes to the basic flow-record format. Using templates provides
several key benefits:
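Because the version 9 format is template-based, a collector cannot decode a Data FlowSet until it has received the template that describes it, which is the extra state that option D refers to. The following Python parser is an added example written for this page, not Cisco's code: it builds a constructed export packet (the addresses, counters and template ID 256 are assumed sample values), parses the 20-byte header and the Template and Data FlowSets, handles the padding that keeps a FlowSet on a 32-bit boundary, and shows that a data-only packet decodes to nothing until the template has been cached from an earlier packet.

```python
import struct
from ipaddress import IPv4Address

# Field type numbers from the NetFlow v9 specification (RFC 3954); only the ones used here.
FIELD_NAMES = {
    1: "IN_BYTES", 2: "IN_PKTS", 4: "PROTOCOL", 7: "L4_SRC_PORT",
    8: "IPV4_SRC_ADDR", 11: "L4_DST_PORT", 12: "IPV4_DST_ADDR",
}
IPV4_FIELDS = {8, 12}
HEADER = struct.Struct("!HHIIII")   # version, count, sysUptime, unix_secs, sequence, source_id
FLOWSET_HDR = struct.Struct("!HH")  # flowset_id, length (length includes these 4 bytes)


def parse_template_flowset(body, templates):
    """Add every template record in a Template FlowSet body to `templates`."""
    pos = 0
    while pos + 4 <= len(body):
        template_id, field_count = FLOWSET_HDR.unpack_from(body, pos)
        if field_count == 0:
            break                      # trailing zero padding
        pos += 4
        fields = [FLOWSET_HDR.unpack_from(body, pos + 4 * i) for i in range(field_count)]
        pos += 4 * field_count
        templates[template_id] = fields


def decode_records(body, fields):
    """Split a Data FlowSet body into records using the template's (type, length) list."""
    record_len = sum(length for _, length in fields)
    records, pos = [], 0
    while pos + record_len <= len(body):   # leftover bytes shorter than a record are padding
        record = {}
        for ftype, flen in fields:
            raw = body[pos:pos + flen]
            pos += flen
            name = FIELD_NAMES.get(ftype, f"FIELD_{ftype}")
            if ftype in IPV4_FIELDS and flen == 4:
                record[name] = str(IPv4Address(raw))
            else:
                record[name] = int.from_bytes(raw, "big")
        records.append(record)
    return records


def parse_packet(data, templates=None):
    """Parse one export packet. `templates` carries template definitions between packets,
    because a Data FlowSet is only decodable once the template it names has been seen.
    Returns (header, records, templates, unknown_template_ids)."""
    templates = {} if templates is None else templates
    version, count, uptime, secs, seq, source_id = HEADER.unpack_from(data, 0)
    if version != 9:
        raise ValueError(f"not a NetFlow v9 packet (version {version})")
    header = {"version": version, "count": count, "sys_uptime_ms": uptime,
              "unix_secs": secs, "sequence": seq, "source_id": source_id}
    records, unknown = [], []
    pos = HEADER.size
    while pos + FLOWSET_HDR.size <= len(data):
        flowset_id, length = FLOWSET_HDR.unpack_from(data, pos)
        if length < FLOWSET_HDR.size or pos + length > len(data):
            raise ValueError("malformed FlowSet length")
        body = data[pos + FLOWSET_HDR.size:pos + length]
        if flowset_id == 0:
            parse_template_flowset(body, templates)
        elif flowset_id >= 256:           # 1 = options template, 2-255 reserved: skipped here
            if flowset_id in templates:
                records.extend(decode_records(body, templates[flowset_id]))
            else:
                unknown.append(flowset_id)
        pos += length
    return header, records, templates, unknown


def build_sample_packet(include_template=True):
    """Constructed export packet (hypothetical values, not from a real exporter): template 256
    describing a 21-byte record, then a Data FlowSet with two records plus 2 bytes of padding
    so the FlowSet length is a multiple of 4."""
    fields = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4), (2, 4)]
    template = FLOWSET_HDR.pack(256, len(fields)) + b"".join(FLOWSET_HDR.pack(t, l) for t, l in fields)
    template_flowset = FLOWSET_HDR.pack(0, 4 + len(template)) + template

    def record(src, dst, sport, dport, proto, nbytes, npkts):
        return (IPv4Address(src).packed + IPv4Address(dst).packed
                + struct.pack("!HHBII", sport, dport, proto, nbytes, npkts))

    body = (record("10.1.1.5", "192.0.2.10", 51234, 443, 6, 48210, 61)
            + record("10.1.1.7", "192.0.2.53", 40001, 53, 17, 128, 2))
    padding = (-(4 + len(body))) % 4
    data_flowset = FLOWSET_HDR.pack(256, 4 + len(body) + padding) + body + b"\x00" * padding

    count = 2 + (1 if include_template else 0)   # header count = template + data records
    header = HEADER.pack(9, count, 123456, 1700000000, 42, 0)
    return header + (template_flowset if include_template else b"") + data_flowset
```

A collector keeps the returned `templates` dictionary per exporter (source address plus source_id), since template IDs are only unique within one exporter; the `unknown` list is what a monitoring dashboard should count as "records dropped waiting for template", the cost that option D describes.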

QUESTION NO: 436


Which multicast capability is not supported by the Cisco ASA appliance?
A.
ASA configured as a rendezvous point
B.
Sending multicast traffic across a VPN tunnel
C.
NAT of multicast traffic
D.
IGMP forwarding (stub) mode

Answer: B
Explanation:

ASA only allows unicast traffic across the VPN tunnel. You can send multicast traffic over GRE
tunnel but ASA does not support GRE VPN. GRE is supported on routers.

QUESTION NO: 437


Which method of output queuing is supported on the Cisco ASA appliance?
A.
CBWFQ
B.
priority queuing
C.
MDRR
D.
WFQ
E.
custom queuing

Answer: B
Explanation:

LLQ priority queuing lets you prioritize certain traffic flows (such as latency-sensitive traffic like
voice and video) ahead of other traffic. Priority queueing uses an LLQ priority queue on an
interface, while all other traffic goes into the "best effort" queue. Because queues are not of infinite
size, they can fill and overflow. When a queue is full, any additional packets cannot get into the
queue and are dropped. This is called tail drop. To avoid having the queue fill up, you can increase
the queue buffer size. You can also fine-tune the maximum number of packets allowed into the
transmit queue. These options let you control the latency and robustness of the priority queuing.
Packets in the LLQ queue are always transmitted before packets in the best effort queue.

QUESTION NO: 438


Which three authentication methods does the Cisco IBNS Flexible Authentication feature support?
(Choose three.)
A.
cut-through proxy
B.
dot1x
C.
MAB
D.
SSO
E.
web authentication

Answer: B,C,E
Explanation:

Flexible authentication (FlexAuth) is a set of features that allows IT administrators to configure the
sequence and priority of IEEE 802.1X, MAC authentication bypass (MAB), and switch-based web
authentication (local WebAuth).

QUESTION NO: 439


Which option on the Cisco ASA appliance must be enabled when implementing botnet traffic
filtering?
A.
HTTP inspection
B.
static entries in the botnet blacklist and whitelist
C.
global ACL
D.
NetFlow
E.
DNS inspection and DNS snooping

Answer: E
Explanation:
To filter on the domain names in the dynamic database, you need to enable DNS packet
inspection with Botnet Traffic Filter snooping; the ASA looks inside the DNS packets for the
domain name and associated IP address.

QUESTION NO: 440


Which three options can be configured within the definition of a network object, as introduced in
Cisco ASA version 8.3(1)? (Choose three.)
A.
range of IP addresses
B.
subnet of IP addresses
C.
destination IP NAT translation
D.
source IP NAT translation
E.
source and destination FQDNs
F.
port and protocol ranges

Answer: A,B,D
Explanation:

You can now create named network objects that you can use in place of a host, a subnet, or a
range of IP addresses in your configuration and named service objects that you can use in place
of a protocol and port in your configuration. You can then change the object definition in one place,
without having to change any other part of your configuration.
This release introduces support for network and service objects in the following features:

QUESTION NO: 441


Which three statements are true about the transparent firewall mode in Cisco ASA? (Choose
three.)
A.
The firewall is not a routed hop.
B.
The firewall can connect to the same Layer 3 network on its inside and outside interfaces.
C.
Static routes are supported.
D.
PAT and NAT are not supported.
E.
Only one global address per device is supported for management.
F.
SSL VPN is supported for management.

Answer: A,B,C
Explanation:

The adaptive security appliance connects the same network on its inside and outside interfaces.
Because the firewall is not a routed hop, you can easily introduce a transparent firewall into an
existing network.
IPv4 and IPv6 traffic is allowed through the transparent firewall automatically from a higher
security interface to a lower security interface, without an access list. ARPs are allowed through
the transparent firewall in both directions without an access list. You can add static routes on the
ASA when it is running on transparent mode.
Reference: http://www.cisco.com/c/en/us/td/docs/security/asa/asa83/asdm63/configuration_guide/config/fwmode.pdf

QUESTION NO: 442


Which three statements about Cisco IOS RRI are correct? (Choose three.)
A.
RRI is not supported with ipsec-profiles.
B.
Routes are created from ACL entries when they are applied to a static crypto map.
C.
Routes are created from source proxy IDs by the receiver with dynamic crypto maps.
D.
VRF-based routes are supported.
E.
RRI must be configured with DMVPN.

Answer: B,C,D
Explanation:

Each route is created on the basis of the remote proxy network and mask, with the next hop to this
network being the remote tunnel endpoint. By using the remote Virtual Private Network (VPN)
router as the next hop, the traffic is forced through the crypto process to be encrypted. After the
static route is created on the VPN router, this information is propagated to upstream devices,
allowing them to determine the appropriate VPN router to which to send returning traffic in order
to maintain IPsec state flows. Being able to determine the appropriate VPN router is particularly
useful if multiple VPN routers are used at a site to provide load balancing or failover or if the
remote VPN devices are not accessible via a default route. Routes are created in either the global
routing table or the appropriate virtual route forwarding (VRF) table.

QUESTION NO: 443


With the Cisco FlexVPN solution, which four VPN deployments are supported? (Choose four.)
A.
site-to-site IPsec tunnels
B.
dynamic spoke-to-spoke IPsec tunnels (partial mesh)
C.
remote access from software or hardware IPsec clients
D.
distributed full mesh IPsec tunnels
E.
IPsec group encryption using GDOI
F.
hub-and-spoke IPsec tunnels

Answer: A,B,C,F
Explanation:

FlexVPN combines multiple VPN frameworks (crypto maps, EzVPN, DMVPN) into a single,
comprehensible set of CLI commands and binds them together with a framework that offers more
flexibility and a means to extend functionality in the future.

QUESTION NO: 444


Which statement regarding the routing functions of the Cisco ASA is true?
A.
The translation table can override the routing table for new connections.
B.
The ASA supports policy-based routing with route maps.
C.
In a failover pair of ASAs, the standby firewall establishes a peer relationship with OSPF
neighbors.
D.
Routes to the Null0 interface can be configured to black-hole traffic.

Answer: A
Explanation:
When NAT translations are configured on the ASA, the translation table can override the routing
table for new connections.

QUESTION NO: 445


Which three statements are true about the Cisco ASA object configuration below? (Choose three.)

object network vpnclients
 range 10.1.100.4 10.1.100.10
object network vpnclients
 nat (outside,outside) dynamic interface

A.
The NAT configuration in the object specifies a PAT rule.
B.
This configuration requires the command same-security-traffic inter-interface for traffic that
matches this NAT rule to pass through the Cisco ASA appliance.
C.
The NAT rule of this object will be placed in Section 1 (Auto-NAT) of the Cisco ASA NAT table.
D.
This configuration is most likely used to provide Internet access to connected VPN clients.
E.
Addresses in the range will be assigned during config-mode.

Answer: A,C,D
Explanation:

This rule states that the addresses 10.1.100.4 to 10.1.100.10 are assigned to hosts reached through
the outside interface of the ASA (the VPN clients). The NAT rule is configured for hairpinning of the
VPN traffic so that the clients can reach the Internet; the hosts access the Internet using the
public IP address of the ASA's outside interface.

QUESTION NO: 446


Which three statements are true about the Cisco NAC Appliance solution? (Choose three.)
A.
In a Layer 3 OOB ACL deployment of the Cisco NAC Appliance, the discovery host must be
configured as the untrusted IP address of the Cisco NAC Appliance Server.
B.
In a Cisco NAC Appliance deployment, the discovery host must be configured on a Cisco router
using the "NAC discovery-host" global configuration command.
C.
In a VRF-style OOB deployment of the Cisco NAC Appliance, the discovery host may be the IP
address that is on the trusted side of the Cisco NAC Appliance Server.
D.
In a Layer 3 IB deployment of the Cisco NAC Appliance, the discovery host may be configured as
the IP address of the Cisco NAC Appliance Manager.

Answer: A,C,D
Explanation:

The Discovery Host is the fully qualified domain name (FQDN) or untrusted interface IP address
used by the Cisco NAC Agent to discover the Cisco NAC Server located multiple hops away on
the network. The Agent initiates the discovery process by sending UDP packets to the known
Discovery Host address. Discovery packets must reach the NAC Server untrusted interface to
receive a response.
In a Layer 3 OOB with VRF model, the Discovery Host is typically set to be the DNS name or IP
address of the Cisco NAC Manager. The Manager exists in the clean network. Because all traffic
from the dirty networks is routed by default through the Cisco NAC Server, the Discovery packets
automatically flow through the Server. The traffic flow described here is one of the benefits of the
VRF method, providing a consistent, predictable experience.

QUESTION NO: 447


Which three object tracking options are supported by Cisco IOS policy-based routing? (Choose
three.)
A.
absence of an entry in the routing table
B.
existence of a CDP neighbor relationship
C.
existence of an entry in the routing table
D.
results of an SAA operation
E.
state of the line protocol of an interface

Answer: C,D,E
Explanation:

Object tracking is an independent process that monitors objects such as the state of the line
protocol of an interface, the existence of an entry in the routing table, and the results of an SAA
operation.
Reference: http://www.cisco.com/c/en/us/td/docs/iosxml/ios/iproute_pi/configuration/15-s/iri-15-s-book/iri-pbr-mult-track.html

QUESTION NO: 448


Which four Cisco IOS features are used to implement First Hop Security in IPv6? (Choose four.)
A.
IPv6 First-Hop Security Binding Table
B.
IPv6 Device Tracking
C.
IPv6 RA Guard
D.
SeND
E.
IPv6 Selective Packet Discard
F.
IPv6 Source Guard

Answer: A,B,C,D
Explanation:

Cisco IOS supports the following features to implement First Hop Security in IPv6: the IPv6
First-Hop Security Binding Table, IPv6 Device Tracking, IPv6 RA Guard, and SeND.
Reference: http://www.cisco.com/c/en/us/td/docs/ios/ipv6/configuration/guide/12_4t/ipv6_12_4t_book/ip6-first_hop_security.html

QUESTION NO: 449


In ISO 27001 ISMS, which three of these certification process phases are required to collect
information for ISO 27001? (Choose three.)
A.
discover
B.
certification audit
C.
post-audit
D.
observation
E.
pre-audit
F.
major compliance

Answer: B,C,E
Explanation:

The ISO/IEC 27001 certification process is essentially the same as that for ISO 9000 and other
management systems. It is an external audit of the organization's ISMS (Information Security
Management System) in three main phases: pre-audit, certification audit, and post-audit.
Reference: http://www.iso27001security.com/html/audit___certification.html

QUESTION NO: 450


Which three statements regarding ISO 27002 and COBIT are correct? (Choose three.)
A.
COBIT and ISO 27002 both define a best practices framework for IT controls.
B.
COBIT focuses on information system processes, whereas ISO 27002 focuses on the security of
the information systems.
C.
ISO 27002 addresses control objectives, whereas COBIT addresses information security
management process requirements.
D.
Compared to COBIT, ISO 27002 covers a broader area in planning, operations, delivery, support,
maintenance, and IT governance.
E.
Unlike COBIT, ISO 27002 is used mainly by the IT audit community to demonstrate risk mitigation
and avoidance mechanisms.

Answer: A,B,C
Explanation:

Because, in general:
- They are internationally designed and tested tools that provide effective actions for IT assurance.
- As standards and practices, they enable organizations to adjust them to their own needs, based
on their particular circumstances.
- When facing regulatory and contractual entities, they enable effective action and response.
In particular, the COBIT framework is geared to general management: it gives sponsors and those
responsible for IT the elements to control and manage IT governance, which is the basis for
designing the information security plan. Since information and technology are the most important
assets, it is management that sets the strategic guidelines, approves the plan, and provides the
resources necessary for establishing it.
ISO 27002 is a best practice that gives those responsible for information security the elements
needed to manage security: guidelines for structuring the information security plan, and the
control objectives and controls necessary to implement security in the organization, which are the
key actions to minimize the risks that jeopardize information security.
In conclusion, ISO 27002 and COBIT provide the elements necessary to develop an information
security plan, not only because they are easily adjusted to business best practice, but also
because they frame information security from the organizational strategy: understanding the IT
and security requirements, designing the policies and procedures, implementing and operating
controls to manage risks, and adding value by protecting information as a core asset of the
organization.

QUESTION NO: 451


The IETF is a collaborative effort by the international community of Internet professionals to
improve the design, use, and management of the Internet. Which international organization
charters the activity of IETF?
A.
IANA
B.
ISO
C.
ISOC
D.
RIR
E.
IEC

Answer: C
Explanation:

ISOC is a non-profit organization founded in 1992 to provide leadership in Internet-related
standards, education, and policy. It is dedicated to ensuring the open development, evolution and
use of the Internet for the benefit of people throughout the world.

QUESTION NO: 452


Which statement is correct about the Cisco IOS Control Plane Protection feature?
A.
Control Plane Protection is restricted to the IPv4 or IPv6 input path.
B.
Traffic that is destined to the router with IP options will be redirected to the host control plane.
C.
Disabling CEF will remove all active control-plane protection policies. Aggregate control-plane
policies will continue to operate.
D.
The open-port option of a port-filtering policy allows access to all TCP/UDP based services that
are configured on the router.

Answer: C
Explanation:

Control Plane Protection depends on Cisco Express Forwarding (CEF) for IP packet redirection. If
you disable CEF globally, this will remove all active protect and policing policies configured on the
control-plane subinterfaces. Aggregate control-plane interface policies will continue to function as
normal.

QUESTION NO: 453


Which two statements about IPS signatures are true? (Choose two.)
A.
All of the built-in signatures are enabled by default.
B.
Tuned signatures are built-in signatures whose parameters are adjusted.
C.
Once the signature is removed from the sensing engine, it cannot be restored.
D.
It is recommended not to retire a signature that is not being used because then it cannot be
restored.
E.
It is possible to define custom signatures.

Answer: B,E
Explanation:

If you want to create a custom signature that is similar to an existing signature, you can create a
clone, or copy, of the signature. You can then edit the parameters to make the clone perform
according to your requirements. For example, you might want to create a clone of a Cisco-defined
signature to customize it to your needs. You might find this preferable to converting the Cisco
signature to a Local or shared policy signature and directly editing its parameters.
Reference: http://www.cisco.com/c/en/us/td/docs/security/security_management/cisco_security_manager/security_manager/4-1/user/guide/CSMUserGuide_wrapper/ipsvchap.pdf

QUESTION NO: 454 DRAG DROP


Match the IKE phase-1 components on the left with their values on the right.

Answer:

Explanation:

Security association > Lifetime in seconds
IPsec security associations use shared secret keys. These keys and their security associations
time out together. When the router requests new security associations during security
association negotiation, it will specify its global lifetime value in the request to the peer; it will use
this value as the lifetime of the new security associations.
Data confidentiality > DES
IPsec enables the ability to frequently regenerate keys during a communication. This prevents the
entire data set from being compromised if one DES key is broken. DES uses a 56-bit key, and
maps a 64-bit input block into a 64-bit output block. The key appears to be a 64-bit key, but one bit
in each of the 8 bytes is used for odd parity, resulting in 56 bits of usable key.
Data integrity > MD5
The MD5 message-digest algorithm is a widely used cryptographic hash function producing a
128-bit (16-byte) hash value, typically expressed in text format as a 32-digit hexadecimal number.
MD5 has been utilized in a wide variety of cryptographic applications, and is also commonly used
to verify data integrity.
Key sharing > pre-shared
In cryptography, a pre-shared key or PSK is a shared secret which was previously shared between
the two parties using some secure channel before it needs to be used. To build a key from the
shared secret, a key derivation function should be used. Such systems almost always use
symmetric key cryptographic algorithms. The term PSK is used in Wi-Fi encryption such as Wired
Equivalent Privacy (WEP) or Wi-Fi Protected Access (WPA), notably in Extensible Authentication
Protocol, where it is known as EAP-PSK, where both the wireless access points (AP) and all
clients share the same key.
The Diffie-Hellman key computation (also known as exponential key agreement) is based on the
Diffie-Hellman (DH) mathematical groups. A Security Gateway supports these DH groups during
the two phases of IKE.

QUESTION NO: 455 DRAG DROP


Match the IKE phase-2 components on the left with their values on the right.

Answer:

Explanation:

Security association > Lifetime in seconds
IPsec security associations use shared secret keys. These keys and their security associations
time out together. When the router requests new security associations during security
association negotiation, it will specify its global lifetime value in the request to the peer; it will use
this value as the lifetime of the new security associations.
Data confidentiality > ESP
ESP is used to provide confidentiality, data origin authentication, connectionless integrity, an
anti-replay service (a form of partial sequence integrity), and limited traffic flow confidentiality. Use
of confidentiality without integrity/authentication (either in ESP or separately in AH) may subject
traffic to certain forms of active attacks that could undermine the confidentiality service.
Data integrity > AH
Authentication Header (AH) is a member of the IPsec protocol suite. AH guarantees
connectionless integrity and data origin authentication of IP packets. Further, it can optionally
protect against replay attacks by using the sliding window technique and discarding old packets.

QUESTION NO: 456 DRAG DROP


Match the HTTP-HTTPS components on the left with their corresponding elements on the right.

Answer:

Explanation:

Request > URL
It assigns the Uri object of the current request to an object variable and displays the value of two
properties of the URL object to the HTTP output.
https > 443
HTTPS URLs begin with "https://" and use port 443 by default, whereas HTTP URLs begin with
"http://" and use port 80 by default.
A forward proxy is an Internet-facing proxy used to retrieve from a wide range of sources (in most
cases anywhere on the Internet).

QUESTION NO: 457 DRAG DROP


Match each SMTP component on the left with its roles on the right.

Answer:
Explanation:

The Internet Message Access Protocol (IMAP) allows users to keep messages on the server,
flagging them as appropriate. An MUA using IMAP displays messages directly from the server,
although a download option for archive purposes is usually also available. One advantage this
gives IMAP is that the same messages are visible from any computer accessing the email
account, since messages aren't routinely downloaded and deleted from the server. If set up
properly, sent mail can be saved to the server also, in contrast with POP mail, where sent
messages exist only in the local MUA and are not visible by other MUAs accessing the same
account.
A mail server (also known as a mail transfer agent or MTA, a mail transport agent, a mail router or
an Internet mailer) is an application that receives incoming e-mail from local users (people within
the same domain) and remote senders and forwards outgoing e-mail for delivery.
An email client, email reader or, more formally, mail user agent (MUA) is a computer program used
to access and manage a user's email.
Mail Submission Agent (MSA): a relatively new term in the e-mail field. This is the component of an
MTA which accepts new mail messages from an MUA, using SMTP. (Traditional Unix MUAs send
their mail using a pipe to one of the MTA's component programs on the same host. Most Windows
MUAs use SMTP to talk to an MSA because there is no MTA on the Windows host.) Most MTA
implementations use the same program as both their MSA and the part which accepts incoming
mail from other hosts. In other cases, these functions are implemented separately. The official
TCP port number for an MSA is 587 (although in many cases it's run on port 25).
Mail Delivery Agent (MDA): the component of an MTA which is responsible for the final delivery of
a message to a local mailbox on disk. Sometimes this is a separate program, and sometimes it's
built into the MTA.

QUESTION NO: 458 DRAG DROP


Match the DNS header Opcode value on the left with the corresponding query type on the right.

Answer:

Explanation:

New OpCode assignments require an IETF Standards Action.
Currently DNS OpCodes are assigned as follows:

OpCode   Name                       Reference
0        Query                      [RFC 1035]
1        IQuery (Inverse Query)     [RFC 1035]
2        Status                     [RFC 1035]
3        available for assignment
4        Notify                     [RFC 1996]
5        Update                     [RFC 2136]
6-15     available for assignment

QUESTION NO: 459 DRAG DROP


Match the DNS header Rcode value on the left with the corresponding response code on the right.

Answer:

Explanation:

Decimal      Hexadecimal     Name       Description                              Reference
0                            NoError    No Error                                 [RFC 1035]
1                            FormErr    Format Error                             [RFC 1035]
2                            ServFail   Server Failure                           [RFC 1035]
3                            NXDomain   Non-Existent Domain                      [RFC 1035]
4                            NotImp     Not Implemented                          [RFC 1035]
5                            Refused    Query Refused                            [RFC 1035]
6                            YXDomain   Name Exists when it should not           [RFC 2136]
7                            YXRRSet    RR Set Exists when it should not         [RFC 2136]
8                            NXRRSet    RR Set that should exist does not        [RFC 2136]
9                            NotAuth    Server Not Authoritative for zone        [RFC 2136]
10                           NotZone    Name not contained in zone               [RFC 2136]
11-15                        available for assignment
16                           BADVERS    Bad OPT Version                          [RFC 2671]
16                           BADSIG     TSIG Signature Failure                   [RFC 2845]
17                           BADKEY     Key not recognized                       [RFC 2845]
18                           BADTIME    Signature out of time window             [RFC 2845]
19                           BADMODE    Bad TKEY Mode                            [RFC 2930]
20                           BADNAME    Duplicate key name                       [RFC 2930]
21                           BADALG     Algorithm not supported                  [RFC 2930]
22-3840      0x0016-0x0F00   available for assignment
3841-4095    0x0F01-0x0FFF   Private Use
4096-65535   0x1000-0xFFFF   available for assignment

QUESTION NO: 460 DRAG DROP


Match the steps on the left with the corresponding description on the right of the URL filtering
process on Cisco ASA.

Answer:

Explanation:

QUESTION NO: 461 DRAG DROP


Match the ISE profiler component on the right with its corresponding functionality description on
the left.

Answer:

Explanation:

QUESTION NO: 462 DRAG DROP


Match the ISO/IEC 27001 domains on the left with their corresponding descriptions on the
right.

Answer:

Explanation:

A security policy is a living document that allows an organization and its management team to
draw very clear and understandable objectives, goals, rules and formal procedures that help to
define the overall security posture and architecture for the organization.

QUESTION NO: 463 DRAG DROP


Match each SNMP PDUs on the left with its corresponding functionality on the right.

Answer:

Explanation:

Each SNMP message contains a protocol data unit (PDU). These SNMP PDUs are used for
communication between SNMP managers and SNMP agents. The SNMP Version 1 architecture
defines the following types of PDUs that flow between SNMP managers and SNMP agents:
GETREQUEST PDU
Sent by the SNMP manager to retrieve one or more requested MIB variables specified in the PDU.
GETNEXTREQUEST PDU
Sent by the SNMP manager to retrieve the next MIB variable that is specified in the PDU. You can
have multiple requests in the PDU. This PDU is primarily used by the SNMP manager to walk
through the SNMP agent MIB.
SETREQUEST PDU
Sent by the SNMP manager to set one or more MIB variables specified in the PDU with the value
specified in the PDU.
GETRESPONSE PDU
Sent by the SNMP agent in response to a GETREQUEST, GETNEXTREQUEST, or
SETREQUEST PDU.
TRAP PDU
An unsolicited message sent by the SNMP agent to notify the SNMP manager about a significant
event that occurred in the agent.

Topic 6, Cisco Security Technologies and Solutions


QUESTION NO: 464
Which three statements about the Cisco IPS sensor are true? (Choose three.)
A.
You cannot pair a VLAN with itself.
B.
For a given sensing interface, an interface used in a VLAN pair can be a member of another inline
interface pair.
C.
For a given sensing interface, a VLAN can be a member of only one inline VLAN pair, however, a
given VLAN can be a member of an inline VLAN pair on more than one sensing interface.
D.
The order in which you specify the VLANs in an inline pair is significant.
E.
A sensing interface in inline VLAN pair mode can have from 1 to 255 inline VLAN pairs.

Answer: A,C,E
Explanation:
Inline VLAN Interface Pairs

QUESTION NO: 465


According to ISO 27001 ISMS, which of the following are mandatory documents? (Choose four.)
A.
ISMS Policy
B.
Corrective Action Procedure
C.
IS Procedures
D.
Risk Assessment Reports
E.
Complete Inventory of all information assets

Answer: A,B,C,D
Explanation:

Mandatory documents required in the main part of ISO 27001

QUESTION NO: 466


Which two statements describe the Cisco TrustSec system correctly? (Choose two.)
A.
The Cisco TrustSec system is a partner program, where Cisco certifies third-party security
products as extensions to the secure infrastructure.
B.
The Cisco TrustSec system is an approach to certifying multimedia and collaboration applications
as secure.
C.
The Cisco TrustSec system is an Advanced Network Access Control System that leverages
enforcement intelligence in the network infrastructure.
D.
The Cisco TrustSec system tests and certifies all products and product versions that make up the
system as working together in a validated manner.

Answer: C,D
Explanation:

The Cisco TrustSec System is an advanced Network Access Control and Identity Solution that is
integrated into the Network Infrastructure. It is a fully tested, validated solution where all the
components within the solution are thoroughly vetted and rigorously tested as an integrated
system.

QUESTION NO: 467
Which three attributes may be configured as part of the Common Tasks panel of an authorization
profile in the Cisco ISE solution? (Choose three.)
A.
VLAN
B.
voice VLAN
C.
dACL name
D.
voice domain permission
E.
SGT

Answer: A,C,D
Explanation:
Creating and Configuring Permissions for a New Standard Authorization Profile
Use this procedure to create a new standard authorization profile and configure its permissions.
To create a new standard authorization profile and permissions, complete the following steps:

Step 1
Choose Policy > Policy Elements > Results > Authorization > Authorization Profiles.
The Authorization Profiles window appears listing all existing configured authorization profiles.
Step 2
To create a new profile, choose one of the two following methods:

In the Authorization pane, click the action icon and click Create Standard Authorization Profile

or

In the Standard Authorization Profiles page, click Add

The Authorization Profiles > New Authorization Profile page appears.
Step 3
Enter values in the following panels and fields as needed to create a new authorization profile:

Authorization Profile

Name: Enter a name that identifies the new authorization profile.

Description: Enter a description of the authorization profile.

Access Type: Choose from the two drop-down list access type options
(ACCESS_ACCEPT or ACCESS_REJECT).

Note
The Name and Access Type fields are required and are marked with an asterisk (*).

Common Tasks

DACL Name: To choose, select the check box and choose existing downloadable ACL options
from the drop-down list (for example, Cisco ISE provides two default values in the drop-down
list: PERMIT_ALL_TRAFFIC or DENY_ALL_TRAFFIC). The drop-down list will include all current
DACLs in the local database.

VLAN: To choose, select the check box and enter an attribute value that identifies a virtual LAN
(VLAN) ID that you want associated with the new authorization profile you are creating (both
integer and string values are supported for the VLAN ID). The format for this entry would
be Tunnel-Private-Group-ID:VLANnumber.

Note
If you do not select a VLAN ID, Cisco ISE uses a default value of VLAN ID = 1. For example, if
you only entered 123 as your VLAN number, the Attributes Details pane would reflect the following
value: Tunnel-Private-Group-ID = 1:123.

Voice Domain Permission: To choose, select the check box to enable the vendor-specific
attribute (VSA) of "cisco-av-pair" to be associated with a value of "device-traffic-class=voice". In a
multi-domain authorization mode, if the network switch receives this VSA, the endpoint is placed
on to a voice domain after authorization.

Posture Discovery: To choose, select the check box to enable a redirection process used for
Posture discovery in Cisco ISE, and enter an ACL on the device that you want to associate with
this authorization profile. For example, if the value you entered is acl119, this is reflected in the
Attributes Details pane as: cisco-av-pair = url-redirect-acl = acl119. The Attributes Details pane
also displays: cisco-av-pair = url-redirect=https://ip:8443/guestportal/gateway?sessionid=SessionValueIdValue&action=cpp.

Centralized Web Authentication: To choose, select the check box to enable a redirection process
that is similar to Posture discovery, but it redirects guest user access requests to the Guest server
in Cisco ISE. Enter an ACL on the device that you want to associate with this authorization profile,
and select the Default or Manual option from the Redirect drop-down list. For example, if the value
you entered is acl-999, this is reflected in the Attributes Details pane as: cisco-av-pair =
url-redirect-acl = acl-999. The Attributes Details pane also displays: cisco-av-pair =
url-redirect=https://ip:8443/guestportal/gateway?sessionid=SessionValueIdValue&action=cwa.

Auto SmartPort: To choose, select the check box to enable Auto SmartPort functionality and
enter a corresponding event name value in the text box. This enables the VSA cisco-av-pair with a
value for this option as "auto-smart-port=event_name". Your choice is reflected in the Attributes
Details pane.

Filter-ID: To choose, select the check box to enable a RADIUS filter attribute that sends the ACL
name that you define in the text box (which is automatically appended with ".in"). Your choice is
reflected in the Attributes Details pane.

Reauthentication: To choose, select the check box and enter a value in seconds for maintaining
connectivity during reauthentication. You can also choose attribute values from the Timer
drop-down list. You choose to maintain connectivity during reauthentication by selecting to use
either the default (a value of 0) or RADIUS-Request (a value of 1) from the drop-down list. Setting
this to the RADIUS-Request value maintains connectivity during the reauthentication process.

MACSec Policy: To choose, select the check box to enable the MACSec encryption policy
whenever a MACSec-enabled client connects to Cisco ISE, and choose one of the following three
options in the corresponding drop-down list: must-secure, should-secure, or must-not-secure. For
example, your choice is reflected in the Attributes Details pane as: cisco-av-pair =
linksec-policy=must-secure.

NEAT: To choose, select the check box to enable Network Edge Access Topology (NEAT), a
feature that extends identity recognition between networks. Selecting this check box displays the
following value in the Attributes Details pane: cisco-av-pair = device-traffic-class=switch.

Web Authentication (Local Web Auth): To choose, select the check box to enable local web
authentication for this authorization profile. This value lets the switch recognize authorization for
web authentication by Cisco ISE sending a VSA along with a DACL. The VSA is cisco-av-pair =
priv-lvl=15 and this is reflected in the Attributes Details pane.

Wireless LAN Controller (WLC): To choose, select the check box and enter an ACL name in the
text field. This value is used in a required Airespace VSA to authorize the addition of a locally
defined ACL to a connection on the WLC. For example, if you entered rsa-1188, this would be
reflected in the Attributes Details pane as: Airespace-ACL-Name = rsa-1188.

ASA VPN: To choose, select the check box to enable an Adaptive Security Appliance (ASA)
VPN group policy. From a drop-down Attributes list, click a value to configure this setting. For
example, if you selected Cisco-BBSM, and then selected CBBSM-Bandwidth, this would be
reflected in the Attributes Details pane as: Class = Cisco-BBSM:CBBSM-Bandwidth.
Reference: http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_authz_polprfls.html#wp1082757

QUESTION NO: 468


Which three statements about Cisco Flexible NetFlow are true? (Choose three.)
A.
The packet information used to create flows is not configurable by the user.
B.
It supports IPv4 and IPv6 packet fields.
C.
It tracks all fields of an IPv4 header as well as sections of the data payload.
D.
It uses two types of flow cache, normal and permanent.
E.
It can be a useful tool in monitoring the network for attacks.

Answer: B,C,E
Explanation:

It supports IPv4 and IPv6 packet fields and tracks all fields of an IPv4 header as well as sections
of the data payload.
Flow monitors are the Flexible NetFlow component that is applied to interfaces to perform network
traffic monitoring. Flow data is collected from the network traffic and added to the flow monitor
cache during the monitoring process based on the key and nonkey fields in the flow record.
Flexible NetFlow can be used to perform different types of analysis on the same traffic.

QUESTION NO: 469


Which three statements are true regarding RFC 5176 (Change of Authorization)? (Choose three.)
A.
It defines a mechanism to allow a RADIUS server to initiate a communication inbound to a NAD.
B.
It defines a wide variety of authorization actions, including "reauthenticate."
C.
It defines the format for a Change of Authorization packet.
D.
It defines a DM.
E.
It specifies that TCP port 3799 be used for transport of Change of Authorization packets.

Answer: A,C,D
Explanation:

RFC 5176 defines Change of Authorization (CoA) and Disconnect Message (DM) behavior for
RADIUS.
Reference: https://tools.ietf.org/html/draft-dekok-radext-coa-proxy-00

QUESTION NO: 470


Which three statements are true regarding Security Group Tags? (Choose three.)
A.
When using the Cisco ISE solution, the Security Group Tag gets defined as a separate
authorization result.
B.
When using the Cisco ISE solution, the Security Group Tag gets defined as part of a standard
authorization profile.
C.
Security Group Tags are a supported network authorization result using Cisco ACS 5.x.
D.
Security Group Tags are a supported network authorization result for 802.1X, MAC Authentication
Bypass, and WebAuth methods of authentication.
E.
A Security Group Tag is a variable length string that is returned as an authorization result.

Answer: A,C,D
Explanation:

The Cisco Security Group Access (SGA) solution establishes clouds of trusted network devices to
build secure networks. Each device in the Cisco SGA cloud is authenticated by its neighbors
(peers). Communication between the devices in the SGA cloud is secured with a combination of
encryption, message integrity checks, and data-path replay protection mechanisms. The tag, also
called the security group tag (SGT), allows ISE to enforce access control policies by enabling the
endpoint device to act upon the SGT to filter traffic.
The key features of the SGA solution include:

Network Device Admission Control (NDAC): In a trusted network, during authentication, each
network device (for example, an Ethernet switch) in an SGA cloud is verified for its credential and
trustworthiness by its peer device. NDAC uses IEEE 802.1x port-based authentication and
uses Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling (EAP-FAST)
as its Extensible Authentication Protocol (EAP) method. Successful authentication and
authorization in the NDAC process results in Security Association Protocol negotiation for IEEE
802.1AE encryption.

Endpoint Admission Control (EAC): An authentication process for an endpoint user or a device
connecting to the SGA cloud. EAC typically happens at the access level switch. Successful
authentication and authorization in the EAC process results in SGT assignment to the user or device.
EAC access methods for authentication and authorization include:

802.1X port-based authentication

MAC authentication bypass (MAB)

Web authentication (WebAuth)

Security Group (SG): A grouping of users, endpoint devices, and resources that share access
control policies. SGs are defined by the administrator in Cisco ISE. As new users and devices are
added to the SGA domain, Cisco ISE assigns these new entities to the appropriate security
groups.

Security Group Tag (SGT): The SGA service assigns to each security group a unique 16-bit security
group number whose scope is global within an SGA domain. The number of security groups in the
switch is limited to the number of authenticated network entities. You do not have to manually
configure security group numbers. They are automatically generated, but you have the option to
reserve a range of SGTs for IP-to-SGT mapping.

Security Group Access Control List (SGACL): SGACLs allow you to control the access and
permissions based on the SGTs that are assigned. The grouping of permissions into a role
simplifies the management of security policy. As you add devices, you simply assign one or more
security groups, and they immediately receive the appropriate permissions. You can modify the
security groups to introduce new privileges or restrict current permissions.

Security Exchange Protocol (SXP): SGT Exchange Protocol (SXP) is a protocol developed for
the SGA service to propagate the IP-to-SGT binding table across network devices that do not have
SGT-capable hardware support to hardware that supports SGT/SGACL.

Environment Data Download: The SGA device obtains its environment data from Cisco ISE when
it first joins a trusted network. You can also manually configure some of the data on the device.
The device must refresh the environment data before it expires. The SGA device obtains the
following environment data from Cisco ISE:

Server lists: List of servers that the client can use for future RADIUS requests (for both
authentication and authorization)

Device SG: Security group to which the device itself belongs

Expiry timeout: Interval that controls how often the SGA device should download or refresh its
environment data

SGT Reservation: An enhancement in ISE to reserve a range of SGTs to enable IP-to-SGT
mapping.

IP-to-SGT Mapping: An enhancement in ISE to bind an endpoint IP to an SGT and provision it to
an SGA-capable device.

Identity-to-Port Mapping: A method for a switch to define the identity on a port to which an
endpoint is connected, and to use this identity to look up a particular SGT value in the Cisco ISE
server.

QUESTION NO: 471


Which two certificate enrollment methods can be completed without an RA and require no direct
connection to a CA by the end entity? (Choose two.)
A.
SCEP
B.
TFTP
C.
manual cut and paste
D.
enrollment profile with direct HTTP
E.
PKCS#12 import/export

Answer: C,E
Explanation:
Manual cut-and-paste -- The router displays the certificate request on the console terminal,
allowing the user to enter the issued certificate on the console terminal. A user may manually
cut-and-paste certificate requests and certificates when there is no network connection between the
router and CA.
PKCS12 -- The router imports certificates in PKCS12 format from an external server.

QUESTION NO: 472


Which two statements about the AES algorithm are true? (Choose two)
A.
The AES algorithm is an asymmetric block cipher.
B.
The AES algorithm operates on a 128-bits block.
C.
The AES algorithm uses a fixed length-key of 128 bits.
D.
The AES algorithm does not give any advantage over 3DES due to the same key length.
E.
The AES algorithm consists of four functions. Three functions provide confusion-diffusion and one
provides encryption.

Answer: B,E
Explanation:

QUESTION NO: 473


Which two statements about the RC4 algorithm are true? (Choose two.)
A.
The RC4 algorithm is an asymmetric key algorithm.
B.
The RC4 algorithm is a symmetric key algorithm.
C.
The RC4 algorithm is slower in computation than DES.
D.
The RC4 algorithm is used with wireless encryption protocols.
E.
The RC4 algorithm uses fixed-length keys.

Answer: B,D
Explanation:
The RC4 symmetric key algorithm is used identically for encryption and decryption: the data
stream is simply XORed with the generated key sequence. The algorithm is serial, as it requires
successive exchanges of state entries based on the key sequence; hence implementations can
be very computationally intensive. The RC4 encryption algorithm is used by standards such as
IEEE 802.11 within WEP (Wired Equivalent Privacy) using 40- and 128-bit keys. Published
procedures exist for cracking the security measures as implemented in WEP.

QUESTION NO: 474


Which three statements about the RSA algorithm are true? (Choose three.)
A.
The RSA algorithm provides encryption but not authentication.
B.
The RSA algorithm provides authentication but not encryption.
C.
The RSA algorithm creates a pair of public-private keys that are shared by entities that perform
encryption.
D.
The private key is never sent across after it is generated.
E.
The public key is used to decrypt the message that was encrypted by the private key.
F.
The private key is used to decrypt the message that was encrypted by the public key.

Answer: C,D,F
Explanation:
RSA is an algorithm used by modern computers to encrypt and decrypt messages. It is an
asymmetric cryptographic algorithm. Asymmetric means that there are two different keys. This is
also called public key cryptography, because one of them can be given to everyone. The other key
must be kept private. RSA stands for Ron Rivest, Adi Shamir and Leonard Adleman, who first
publicly described it in 1978. A user of RSA creates and then publishes the product of two large
prime numbers, along with an auxiliary value, as their public key. The prime factors must be kept
secret. Anyone can use the public key to encrypt a message, but with currently published
methods, if the public key is large enough, only someone with knowledge of the prime factors can
feasibly decode the message.

QUESTION NO: 475


Which two statements about the MD5 Hash are true? (Choose two.)
A.
Length of the hash value varies with the length of the message that is being hashed.
B.
Every unique message has a unique hash value.
C.
It is mathematically possible to find a pair of messages that yield the same hash value.
D.
MD5 always yields a different value for the same message if repeatedly hashed.
E.
The hash value cannot be used to discover the message.

Answer: B,E
Explanation:

The MD5 message-digest algorithm is a widely used cryptographic hash function producing a
128-bit (16-byte) hash value, typically expressed in text format as a 32-digit hexadecimal number. MD5
has been utilized in a wide variety of cryptographic applications, and is also commonly used to
verify data integrity.

QUESTION NO: 476


Which two statements about the SHA-1 algorithm are true? (Choose two)
A.
The SHA-1 algorithm is considered secure because it always produces a unique hash for the
same message.
B.
The SHA-1 algorithm takes input message of any length and produces 160-bit hash output.
C.
The SHA-1 algorithm is considered secure because it is possible to find a message from its hash.
D.
The purpose of the SHA-1 algorithm is to provide data confidentiality.
E.
The purpose of the SHA-1 algorithm is to provide data authenticity.

Answer: B,E
Explanation:

HMAC-SHA-1-96 produces a 160-bit authenticator value. This 160-bit value can be truncated as
described in RFC 2104. For use with either ESP or AH, a truncated value using the first 96 bits
MUST be supported. Upon sending, the truncated value is stored within the authenticator field. Upon
receipt, the entire 160-bit value is computed and the first 96 bits are compared to the value stored
in the authenticator field. No other authenticator value lengths are supported by HMAC-SHA-1-96.

QUESTION NO: 477


Which two statements about the DES algorithm are true? (Choose two)
A.
The DES algorithm is based on asymmetric cryptography.
B.
The DES algorithm is a stream cipher.
C.
The DES algorithm is based on symmetric cryptography.
D.
The DES algorithm encrypts a block of 128 bits.
E.
The DES algorithm uses a 56-bit key.

Answer: C,E
Explanation:

Data Encryption Standard (DES), developed in 1970, is a symmetric-key algorithm for the encryption
of electronic data. It was highly influential in the advancement of modern cryptography in the
academic world. DES is now considered to be insecure for many applications. This is chiefly due
to the 56-bit key size being too small; in January 1999, distributed.net and the Electronic Frontier
Foundation collaborated to publicly break a DES key in 22 hours and 15 minutes.

QUESTION NO: 478


Which statement about the 3DES algorithm is true?
A.
The 3DES algorithm uses the same key for encryption and decryption,
B.
The 3DES algorithm uses a public-private key pair with a public key for encryption and a private
key for decryption.
C.
The 3DES algorithm is a block cipher.
D.
The 3DES algorithm uses a key length of 112 bits.
E.
The 3DES algorithm is faster than DES due to the shorter key length.

Answer: C
Explanation:

Advanced Encryption Standard (AES) and Triple DES (TDES or 3DES) are commonly used block
ciphers.

QUESTION NO: 479


Which two statements about the DH group are true? (Choose two.)
A.
The DH group is used to provide data authentication.
B.
The DH group is negotiated in IPsec phase-1.
C.
The DH group is used to provide data confidentiality.
D.
The DH group is used to establish a shared key over an unsecured medium.
E.
The DH group is negotiated in IPsec phase-2.

Answer: B,D
Explanation:

Diffie-Hellman (DH) groups determine the strength of the key used in the key exchange process.
Higher group numbers are more secure, but require additional time to compute the key.
Fireware XTM supports these Diffie-Hellman groups:
Both peers in a VPN exchange must use the same DH group, which is negotiated during Phase 1
of the IPsec negotiation process.

QUESTION NO: 480


Which two statements about Infrastructure ACLs on Cisco IOS software are true? (Choose two.)
A.
Infrastructure ACLs are used to block-permit the traffic in the router forwarding path.
B.
Infrastructure ACLs are used to block-permit the traffic handled by the route processor.
C.
Infrastructure ACLs are used to block-permit the transit traffic.
D.
Infrastructure ACLs only protect device physical management interface.

Answer: B,D
Explanation:

Limit Network Access with Access Control Lists


Devised to prevent unauthorized direct communication to network devices, infrastructure ACLs are
one of the most critical security control mechanisms that can be implemented in the network. An
ACL is constructed and applied to specify necessary connections between hosts or networks and
network devices. Common examples of these types of connections are eBGP, SSH, and SNMP.
After the required connections have been permitted, all other traffic to the infrastructure is explicitly
denied. All transit traffic that crosses the network and is not destined to infrastructure devices is
explicitly permitted.

QUESTION NO: 481


For which two reasons is a BVI required in the Transparent Cisco IOS Firewall? (Choose two)
A.
BVI is required for the inspection of IP traffic.
B.
The firewall can perform routing on bridged interfaces.
C.
BVI is required if routing is disabled on the firewall.
D.
BVI is required if more than two interfaces are in a bridge group.
E.
BVI is required for the inspection of non-IP traffic.
F.
BVI can manage the device without having an interface that is configured for routing.

Answer: D,F
Explanation:
Prerequisites for BVI Configuration
If a BVI is not configured, you must disable IP routing (via the no ip routing command) for the
bridging operation to take effect.
If configured, a BVI must be configured with an IP address in the same subnet.
You must configure a BVI if more than two interfaces are placed in a bridge group.

QUESTION NO: 482


Event Store is a component of which IPS application?
A.
SensorApp
B.
InterfaceApp
C.
MainApp
D.
NotificationApp
E.
AuthenticationApp

Answer: C
Explanation:

MainApp includes all IPS components except SensorApp and the CLI. It is loaded by the operating
system at startup and loads SensorApp. MainApp then brings the following subsystem
components up:
Authentication, Logger, ARC, Web Server, Notification (SNMP), External Product Interface, Interface
Manager, Event Store, Health and Security Monitoring

QUESTION NO: 483


Which statement about the Cisco Secure ACS Solution Engine TACACS+ AV pair is true?
A.
AV pairs are only required to be enabled on Cisco Secure ACS for successful implementation.
B.
The Cisco Secure ACS Solution Engine does not support accounting AV pairs.
C.
AV pairs are only string values.
D.
AV pairs are of two types: string and integer.

Answer: C
Explanation:

All TACACS+ values are strings. The concept of value type does not exist in TACACS+ as it does
in Remote Access Dial-In User Service (RADIUS).

QUESTION NO: 484


Which three are RFC 5735 addresses? (Choose three.)
A.
171.10.0.0/24
B.
0.0.0.0/8
C.
203.0.113.0/24
D.
192.80.90.0/24
E.
172.16.0.0/12
F.
198.50.100.0/24

Answer: B,C,E
Explanation:

0.0.0.0/8-- Used for broadcast messages to the current ("this") network as specified by RFC 1700.
203.0.113.0/24-- Assigned as "TEST-NET-3" in RFC 5737 for use solely in documentation and
example source code and should not be used publicly.
172.16.0.0/12-- Used for local communications within a private network as specified by RFC 1918.

QUESTION NO: 485


Which statement about ISO/IEC 27001 is true?
A.
ISO/IEC 27001 is only intended to report security breaches to the management authority.
B.
ISO/IEC 27001 was reviewed by the International Organization for Standardization.
C.
ISO/IEC 27001 is intended to bring information security under management control.
D.
ISO/IEC 27001 was reviewed by the International Electrotechnical Commission.
E.
ISO/IEC 27001 was published by ISO/IEC.

Answer: C
Explanation:
ISO/IEC 27001 formally specifies a management system that is intended to bring information
security under explicit management control. Being a formal specification means that it mandates
specific requirements. Organizations that claim to have adopted ISO/IEC 27001 can therefore be
formally audited and certified compliant with the standard.

QUESTION NO: 486


Which two statements about the ISO are true? (Choose two.)
A.
The ISO is a government-based organization.
B.
The ISO has three membership categories: Member, Correspondent, and Subscribers.
C.
Subscriber members are individual organizations.
D.
Only member bodies have voting rights.
E.
Correspondent bodies are small countries with their own standards organization.

Answer: B,D
Explanation:

The International Organization for Standardization (ISO) is an international standard-setting body
composed of representatives from various national standards organizations.
ISO has three membership categories:
Member bodies are national bodies considered the most representative standards body in each
country. These are the only members of ISO that have voting rights.
Correspondent members are countries that do not have their own standards organization. These
members are informed about ISO's work, but do not participate in standards promulgation.
Subscriber members are countries with small economies. They pay reduced membership fees, but
can follow the development of standards.

QUESTION NO: 487
Which three addresses are special uses as defined in RFC 5735? (Choose three.)
A.
171.10.0.0/24
B.
0.0.0.0/8
C.
203.0.113.0/24
D.
192.80.90.0/24
E.
172.16.0.0/12
F.
198.50.100.0/24

Answer: B,C,E
Explanation:

0.0.0.0/8 -- Used for broadcast messages to the current ("this") network as specified by RFC 1700.
203.0.113.0/24 -- Assigned as "TEST-NET-3" in RFC 5737 for use solely in documentation and
example source code and should not be used publicly.
172.16.0.0/12 -- Used for local communications within a private network as specified by RFC 1918.

QUESTION NO: 488


Which statement about Sarbanes-Oxley (SOX) is true?
A.
SOX is an IETF compliance procedure for computer systems security.
B.
SOX is a US law.
C.
SOX is an IEEE compliance procedure for IT management to produce audit reports.
D.
SOX is a private organization that provides best practices for financial institution computer
systems.
E.
Section 404 of SOX is only related to IT compliance.

Answer: B
Explanation:

The Sarbanes-Oxley Act of 2002 (often shortened to SOX) is legislation passed by the U.S.
Congress to protect shareholders and the general public from accounting errors and fraudulent
practices in the enterprise, as well as improve the accuracy of corporate disclosures. The U.S.
Securities and Exchange Commission (SEC) administers the act, which sets deadlines for
compliance and publishes rules on requirements.

QUESTION NO: 489


Which of the following two statements apply to EAP-FAST? (Choose two.)
A.
EAP-FAST is useful when a strong password policy cannot be enforced and an 802.1X EAP type
that does not require digital certificates can be deployed.
B.
EAP-FAST was developed only for Cisco devices and is not compliant with 802.1X and 802.11i.
C.
EAP-FAST provides protection from authentication forging and packet forgery (replay attack).
D.
EAP-FAST is a client/client security architecture.

Answer: A,C
Explanation:

Authentication via Secure Tunneling (EAP-FAST), an EAP type from Cisco Systems. Extensible
Authentication Protocol-Flexible Authentication via Secure Tunneling (EAP-FAST) is a publicly
accessible IEEE 802.1X EAP type developed by Cisco Systems. EAP-FAST provides protection
from a variety of network attacks, including man-in-the-middle, authentication forging, weak IV
attack (AirSnort), packet forgery (replay attack), and dictionary attacks.

Topic 7, Security Policies and Procedures, Best Practices, and Standards

QUESTION NO: 490


According to OWASP guidelines, what is the recommended method to prevent cross-site request
forgery?
A.
Allow only POST requests.
B.
Mark all cookies as HTTP only.
C.
Use per-session challenge tokens in links within your web application.
D.
Always use the "secure" attribute for cookies.
E.
Require strong passwords.

Answer: C
Explanation:

Cross-Site Request Forgery (CSRF) is a type of attack that occurs when a malicious Web site,
email, blog, instant message, or program causes a user's Web browser to perform an unwanted
action on a trusted site for which the user is currently authenticated. The impact of a successful
cross-site request forgery attack is limited to the capabilities exposed by the vulnerable
application. For prevention, remember that all cookies, even the secret ones, will be submitted
with every request. All authentication tokens will be submitted regardless of whether or not the
end-user was tricked into submitting the request. Furthermore, session identifiers are simply used
by the application container to associate the request with a specific session object.

QUESTION NO: 491


Which three statements about the IANA are true? (Choose three.)
A.
IANA is a department that is operated by the IETF.
B.
IANA oversees global IP address allocation.
C.
IANA manages the root zone in the DNS.
D.
IANA is administered by the ICANN.
E.
IANA defines URI schemes for use on the Internet.

Answer: B,C,D
Explanation:

The Internet Assigned Numbers Authority (IANA) is a department of ICANN, a nonprofit private
American corporation, which oversees global IP address allocation, autonomous system number
allocation, root zone management in the Domain Name System (DNS), media types, and other
Internet Protocol-related symbols and numbers. IANA is responsible for the operation and
maintenance of a number of key aspects of the DNS, including the root zone, and the .int and
.arpa domains. IANA is the global coordinator of the DNS root.

QUESTION NO: 492


Which of the following best describes Chain of Evidence in the context of security forensics?
A.
Evidence is locked down, but not necessarily authenticated.
B.
Evidence is controlled and accounted for to maintain its authenticity and integrity.
C.
The general whereabouts of evidence is known.
D.
Someone knows where the evidence is and can say who had it if it is not logged.

Answer: B
Explanation:

QUESTION NO: 493


Which option is a benefit of implementing RFC 2827?
A.
prevents DoS from legitimate, non-hostile end systems
B.
prevents disruption of special services such as Mobile IP
C.
defeats DoS attacks which employ IP source address spoofing
D.
restricts directed broadcasts at the ingress router
E.
allows DHCP or BOOTP packets to reach the relay agents as appropriate

Answer: C
Explanation:

RFC 2827 - Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP
Source Address Spoofing

QUESTION NO: 494


Which current RFC made RFCs 2409, 2407, and 2408 obsolete?
A.
RFC 4306
B.
RFC 2401
C.
RFC 5996
D.
RFC 4301
E.
RFC 1825

Answer: A
Explanation:

This version of the IKE specification combines the contents of what were previously separate
documents, including Internet Security Association and Key Management Protocol (ISAKMP, RFC
2408), IKE (RFC 2409), the Internet Domain of Interpretation (DOI, RFC 2407), Network Address
Translation (NAT) Traversal, Legacy authentication, and remote address acquisition.

QUESTION NO: 495


Which two answers describe provisions of the SOX Act and its international counterpart Acts?
(Choose two.)
A.
confidentiality and integrity of customer records and credit card information
B.
accountability in the event of corporate fraud
C.
financial information handled by entities such as banks, and mortgage and insurance brokers
D.
assurance of the accuracy of financial records
E.
US Federal government information
F.
security standards that protect healthcare patient data

Answer: B,D
Explanation:

The Sarbanes-Oxley Act of 2002, also known as the "Public Company Accounting Reform and
Investor Protection Act" (in the Senate) and "Corporate and Auditing Accountability and
Responsibility Act" (in the House) and more commonly called Sarbanes-Oxley, Sarbox or SOX, is
a United States federal law that set new or enhanced standards for all U.S. public company
boards, management and public accounting firms. There are also a number of provisions of the
Act that also apply to privately held companies, for example the wilful destruction of evidence to
impede a Federal investigation.

QUESTION NO: 496


Which RFC outlines BCP 84?
A.
RFC 3704
B.
RFC 2827
C.
RFC 3030
D.
RFC 2267
E.
RFC 1918

Answer: A
Explanation:

BCP 38, RFC 2827, is designed to limit the impact of distributed denial of service attacks, by
denying traffic with spoofed addresses access to the network, and to help ensure that traffic is
traceable to its correct source network.

QUESTION NO: 497


Which two current RFCs discuss special use IP addresses that may be used as a checklist of
invalid routing prefixes for IPv4 and IPv6 addresses? (Choose two.)
A.
RFC 5156
B.
RFC 5735
C.
RFC 3330
D.
RFC 1918
E.
RFC 2827

Answer: A,B
Explanation:

RFC 5156 and RFC 5735 are the ones that can be used as a checklist of invalid routing prefixes
for IPv4 and IPv6 addresses.

QUESTION NO: 498


In RFC 4034, DNSSEC introduced which four new resource record types? (Choose four.)
A.
DNS Public Key (DNSKEY)
B.
Next Secure (NSEC)
C.
Resource Record Signature (RRSIG)
D.
Delegation Signer (DS)
E.
Top Level Domain (TLD)
F.
Zone Signing Key (ZSK)

Answer: A,B,C,D
Explanation:

The DNS Security Extensions (DNSSEC) introduce four new DNS resource record types: DNS
Public Key (DNSKEY), Resource Record Signature (RRSIG), Next Secure (NSEC), and
Delegation Signer (DS).
Reference: https://tools.ietf.org/html/rfc4034

QUESTION NO: 499


What functionality is provided by DNSSEC?
A.
origin authentication of DNS data
B.
data confidentiality of DNS queries and answers
C.
access restriction of DNS zone transfers
D.
storage of the certificate records in a DNS zone file

Answer: A
Explanation:
DNSSEC uses public key cryptography to sign and authenticate DNS resource record sets
(RRsets). The public keys are stored in DNSKEY resource records and are used in the DNSSEC
authentication process described in RFC 4035. A zone signs its authoritative RRsets by using a
private key and stores the corresponding public key in a DNSKEY RR. A resolver can then use the
public key to validate signatures covering the RRsets in the zone, and thus to authenticate them.

QUESTION NO: 500


Which three IP resources is the IANA responsible for? (Choose three.)
A.
IP address allocation
B.
detection of spoofed address
C.
criminal prosecution of hackers
D.
autonomous system number allocation
E.
root zone management in DNS
F.
BGP protocol vulnerabilities

Answer: A,D,E
Explanation:
IANA manages the DNS Root Zone (assignments of ccTLDs and gTLDs) along with other
functions such as the .int and .arpa zones. IANA coordinates allocations from the global IP and AS
number spaces, such as those made to Regional Internet Registries. IANA is the central repository
for protocol name and number registries used in many Internet protocols.

QUESTION NO: 501


Which two statements about RFC 2827 are true? (Choose two.)
A.
RFC 2827 defines egress packet filtering to safeguard against IP spoofing.
B.
A corresponding practice is documented by the IETF in BCP 38.
C.
RFC 2827 defines ingress packet filtering for the multihomed network.
D.
RFC 2827 defines ingress packet filtering to defeat DoS using IP spoofing.
E.
A corresponding practice is documented by the IETF in BCP 84.

Answer: B,D
Explanation:
RFC 2827 - Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP
Source Address Spoofing (BCP 38)

QUESTION NO: 502


Which two statements about SOX are true? (Choose two.)
A.
SOX is an IETF compliance procedure for computer systems security.
B.
SOX is a US law.
C.
SOX is an IEEE compliance procedure for IT management to produce audit reports.
D.
SOX is a private organization that provides best practices for financial institution computer
systems.
E.
Section 404 of SOX is related to IT compliance.

Answer: B,E
Explanation:

The Sarbanes-Oxley Act of 2002 (often shortened to SOX) is legislation passed by the U.S.
Congress to protect shareholders and the general public from accounting errors and fraudulent
practices in the enterprise, as well as improve the accuracy of corporate disclosures. The U.S.
Securities and Exchange Commission (SEC) administers the act, which sets deadlines for
compliance and publishes rules on requirements.
In Section 404, issuers are required to publish information in their annual reports concerning the
scope and adequacy of the internal control structure and procedures for financial reporting. This
statement shall also assess the effectiveness of such internal controls and procedures. The
registered accounting firm shall, in the same report, attest to and report on the assessment on the
effectiveness of the internal control structure and procedures for financial reporting.

QUESTION NO: 503


Which VPN technology is based on GDOI (RFC 3547)?
A.
MPLS Layer 3 VPN
B.
MPLS Layer 2 VPN
C.
GET VPN
D.
IPsec VPN

Answer: C
Explanation:

Cisco IOS GET VPN uses Group Domain of Interpretation (GDOI) as the keying protocol and
IPSec for encryption.

Topic 8, Mixed Questions

QUESTION NO: 504


"Pass Any Exam. Any Time." - www.actualtests.com

469

Cisco 350-018 Exam


Which statement is valid regarding SGACL?
A.
SGACL mapping and policies can only be manually configured.
B.
Dynamically downloaded SGACL does not override manually configured conflicting policies.
C.
SGACL is access-list bound with a range of SGTs and DGTs.
D.
SGACL is not a role-based access list.

Answer: C
Explanation:
A role-based access control list bound to a range of SGTs and DGTs forms an SGACL.
Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/trustsec/configuration/guide/trustsec/sgacl_config.html

QUESTION NO: 505


Of which IPS application is Event Store a component?
A.
InterfaceApp
B.
AuthenticationApp
C.
SensorApp
D.
NotificationApp
E.
MainApp

"Pass Any Exam. Any Time." - www.actualtests.com

470

Cisco 350-018 Exam


Answer: E
Explanation:
Cisco IPS software includes the following applications:

MainApp: initializes the system, starts and stops the other applications, configures the OS, and
performs upgrades. It contains the following components:

ctlTransSource (Control Transaction server): allows sensors to send control transactions. This is
used to enable the master blocking sensor capability of Attack Response Controller (formerly
known as Network Access Controller).

Event Store: an indexed store used to store IPS events (error, status, and alert system
messages) that is accessible through the CLI, IDM, IME, ASDM, or SDEE.
Reference: http://www.cisco.com/c/en/us/td/docs/security/ips/70/configuration/guide/cli/cliguide7/cli_system_architecture.html#wp1009053

QUESTION NO: 506


Refer to the exhibit.

Which two statements about this debug output are true? (Choose two.)
A.
The request is from NHC to NHS.
B.
The request is from NHS to NNC.
"Pass Any Exam. Any Time." - www.actualtests.com

471

Cisco 350-018 Exam


C.
192.168.10.2 is the remote NBMA address.
D.
192.168.10.1 is the local VPN address.
E.
69.1.1.2 is the local non-routable address.
F.
This debug output represents a failed NHRP request.

Answer: A,D
Explanation:

QUESTION NO: 507


Which statement describes RA?
A.
The RA is not responsible to verify users request for digital certificates.
B.
The RA is part of private key infrastructure.
C.
The RA has the power to accept registration requests and to issue certificates.
D.
The RA only forwards the requests to the CA to issue certificates.

Answer: D
Explanation:

QUESTION NO: 508


Refer to the exhibit.

"Pass Any Exam. Any Time." - www.actualtests.com

472

Cisco 350-018 Exam

Against which type of attack does the given configuration protect?


A.
pharming
B.
a botnet attack
C.
phishing
D.
DNS hijacking
E.
DNS cache poisoning

Answer: B
Explanation:
Reference: https://supportforums.cisco.com/document/33011/asa-botnet-configuration

QUESTION NO: 509 DRAG DROP


Drag and drop the description on the left onto the associated items on the right.

"Pass Any Exam. Any Time." - www.actualtests.com

473

Cisco 350-018 Exam

Answer:

Explanation:
Collection of similar programs that work together to execute specific tasks: botnet
Independent malicious program that copies itself from one host to another host over a network and
may carry other programs: worm
Programs that appear to have one function but actually perform a different function: Trojan horse
Programs that modify other programs and that attach themselves to other programs on execution: virus
Reference: http://www.cisco.com/web/about/security/intelligence/virus-worm-diffs.html

QUESTION NO: 510


Refer to the exhibit.

"Pass Any Exam. Any Time." - www.actualtests.com

474

Cisco 350-018 Exam

Which option describes the behavior of this configuration?


A.
The switch initiates the authentication.
B.
The client initiates the authentication.
C.
The device performs subsequent IEEE 802.1X authentication if it passed MAB authentication. If
the device fails IEEE 802.1X, it will start MAB again.
D.
Devices that perform IEEE 802.1X should be in the MAC address database for successful
authentication.
E.
IEEE 802.1x devices must first authenticate via MAB to perform subsequent IEEE 802.1X
authentication. If 802.1X fails, the device is assigned to the default guest VLAN.

Answer: C
Explanation:
Reference: http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/identity-based-networking-service/application_note_c27-573287.html

QUESTION NO: 511


Which two statements about the RC4 algorithm are true? (Choose two.)

"Pass Any Exam. Any Time." - www.actualtests.com

475

Cisco 350-018 Exam


A.
The RC4 algorithm is an asymmetric key algorithm.
B.
In the RC4 algorithm, the 40-bit key represents four characters of ASCII code.
C.
The RC4 algorithm is faster in computation than DES.
D.
The RC4 algorithm uses variable-length keys.
E.
The RC4 algorithm cannot be used with wireless encryption protocols.

Answer: C,D
Explanation:

QUESTION NO: 512


Refer to the exhibit.

After setting the replay window size on your Cisco router, you received the given system message.
What is the reason for the message?
A.
The replay window size is set too low for the number of packets received.
B.
The IPSec anti-replay feature is enabled, but the window size feature is disabled.
C.
The IPSec anti-replay feature is disabled.
D.
The replay window size is set too high for the number of packets received.

"Pass Any Exam. Any Time." - www.actualtests.com

476

Cisco 350-018 Exam


Answer: A
Explanation:
If your replay window size has not been set to a number that is high enough for the number of
packets received, you will receive a system message such as the following:
*Nov 17 19:27:32.279: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed connection
id=1
The above message is generated when a received packet is judged to be outside the anti-replay
window.
Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_dplane/configuration/12-4t/sec-ipsec-data-plane-12-4t-book/sec-ipsec-antireplay.html

QUESTION NO: 513


Which two statements about IPv6 path MTU discovery are true? (Choose two.)
A.
If the destination host receives an ICMPv6 Packet Too Big message from a router, it reduces its
path MTU.
B.
It can allow fragmentation when the minimum MTU is below a configured value.
C.
The discovery packets are dropped if there is congestion on the link.
D.
If the source host receives an ICMPv6 Packet Too Big message from a router, it reduces its path
MTU.
E.
During the discovery process, the DF bit is set to 1.
F.
The initial path MTU is the same as the MTU of the original nodes link layer interface.

Answer: D,F
Explanation:
"Pass Any Exam. Any Time." - www.actualtests.com

477

Cisco 350-018 Exam


IPv6 routers do not support fragmentation or the Don't Fragment option. For IPv6, Path MTU
Discovery works by initially assuming the path MTU is the same as the MTU on the link layer
interface where the traffic originates. Then, similar to IPv4, any device along the path whose MTU
is smaller than the packet will drop the packet and send back an ICMPv6 Packet Too Big (Type 2)
message containing its MTU, allowing the source host to reduce its Path MTU appropriately. The
process is repeated until the MTU is small enough to traverse the entire path without
fragmentation.
Reference: https://en.wikipedia.org/wiki/Path_MTU_Discovery

QUESTION NO: 514


An RSA key pair consists of a public key and a private key and is used to set up PKI. Which
statement applies to RSA and PKI?
A.
The public key must be included in the certificate enrollment request.
B.
The RSA key-pair is a symmetric cryptography.
C.
It is possible to determine the RSA key-pair private key from its corresponding public key.
D.
When a router that does not have an RSA key pair requests a certificate, the certificate request is
sent, but a warning is shown to generate the RSA key pair before a CA signed certificate is
received.

Answer: A
Explanation:
An RSA key pair consists of a public key and a private key. When setting up your PKI, you must
include the public key in the certificate enrollment request. After the certificate has been granted,
the public key will be included in the certificate so that peers can use it to encrypt data that is sent
to the router. The private key is kept on the router and used both to decrypt the data sent by peers
and to digitally sign transactions when negotiating with peers.
Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_pki/configuration/xe-3s/sec-pki-xe-3s-book/sec-pki-overview.html

"Pass Any Exam. Any Time." - www.actualtests.com

478

Cisco 350-018 Exam

QUESTION NO: 515


For what reason has the IPv6 Type 0 Routing Header been recommended for deprecation?
A.
When Type 0 traffic is blocked by a firewall policy, all other traffic with routing headers is dropped
automatically.
B.
It can conflict with ingress filtering.
C.
It can create a black hole when used in combination with other routing headers.
D.
Attackers can exploit its functionality to generate DoS attacks.

Answer: D
Explanation:
The functionality provided by IPv6's Type 0 Routing Header can be exploited in order to achieve
traffic amplification over a remote path for the purposes of generating denial-of-service traffic. This
document updates the IPv6 specification to deprecate the use of IPv6 Type 0 Routing Headers, in
light of this security concern.
Reference: https://tools.ietf.org/html/rfc5095

QUESTION NO: 516


Refer to the exhibit.

"Pass Any Exam. Any Time." - www.actualtests.com

479

Cisco 350-018 Exam

Which option is the reason for the failure of the DMVPN session between R1 and R2?
A.
incorrect tunnel source interface on R1
B.
IPsec phase-1 policy mismatch
C.
tunnel mode mismatch
D.
IPsec phase-2 policy mismatch
E.
IPsec phase-1 configuration missing peer address on R2

Answer: B
Explanation:

QUESTION NO: 517


For which reason would an RSA key pair need to be removed?
A.
The CA is under DoS attack
"Pass Any Exam. Any Time." - www.actualtests.com

480

Cisco 350-018 Exam


B.
The CA has suffered a power outage
C.
The existing CA is replaced, and the new CA requires newly generated keys
D.
PKI architecture would never allow the RSA key pair removal

Answer: C
Explanation:
An RSA key pair may need to be removed during PKI maintenance, for example when the existing CA is
replaced and the new CA requires newly generated keys.
Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_pki/configuration/xe-3s/sec-pki-xe-3s-book/sec-deploy-rsa-pki.html

QUESTION NO: 518


Which encapsulation technique does VXLAN use?
A.
MAC in TCP
B.
MAC in MAC
C.
MAC in UDP
D.
MAC in GRE

Answer: C
Explanation:
VXLAN is a MAC-in-IP/UDP (MAC-in-UDP) encapsulation technique with a 24-bit segment
identifier in the form of a VXLAN ID.
Reference: http://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/nx-os/vxlan/configuration/guide/b_NX-OS_VXLAN_Configuration_Guide/overview.pdf
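The encapsulation described above, as an added example that is not code from the original page or from Cisco: a Python builder and parser for the VXLAN header and its UDP wrapper (RFC 7348, UDP destination port 4789), showing where the 24-bit VNI sits and that the inner Layer 2 frame is carried whole. The outer IP header a VTEP adds is left out, and the sample inner frame is constructed, not captured.

```python
import struct
import zlib

VXLAN_UDP_PORT = 4789      # IANA-assigned VXLAN port (RFC 7348)
VXLAN_FLAG_I = 0x08        # "I" bit: the VNI field is valid
VNI_MAX = (1 << 24) - 1    # the segment identifier is 24 bits wide


def build_vxlan_header(vni):
    """8-byte VXLAN header: flags(8) reserved(24) | VNI(24) reserved(8)."""
    if not 0 <= vni <= VNI_MAX:
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!B3xI", VXLAN_FLAG_I, vni << 8)


def build_ethernet_frame(dst_mac, src_mac, ethertype, payload):
    """Minimal inner Layer 2 frame (no FCS); MACs are 6 raw bytes each."""
    return dst_mac + src_mac + struct.pack("!H", ethertype) + payload


def encapsulate(vni, inner_frame):
    """Wrap a Layer 2 frame in VXLAN and UDP (the MAC-in-UDP step).

    Returns the UDP datagram only; the outer IP header is omitted. The UDP
    source port is derived from a hash of the inner frame so that ECMP in the
    transport network can spread flows, as RFC 7348 suggests.
    """
    vxlan_pdu = build_vxlan_header(vni) + inner_frame
    src_port = 49152 + (zlib.crc32(inner_frame) % 16384)   # ephemeral range
    udp_header = struct.pack("!HHHH", src_port, VXLAN_UDP_PORT,
                             8 + len(vxlan_pdu), 0)        # checksum 0 = none
    return udp_header + vxlan_pdu


def decapsulate(datagram):
    """Reverse of encapsulate(): validate the UDP/VXLAN headers, return fields."""
    if len(datagram) < 8 + 8 + 14:
        raise ValueError("too short for UDP + VXLAN + Ethernet")
    src_port, dst_port, length, _ = struct.unpack("!HHHH", datagram[:8])
    if dst_port != VXLAN_UDP_PORT or length != len(datagram):
        raise ValueError("not a well-formed VXLAN datagram")
    flags, vni_word = struct.unpack("!B3xI", datagram[8:16])
    if not flags & VXLAN_FLAG_I:
        raise ValueError("VNI flag not set")
    inner = datagram[16:]
    return {
        "udp_src_port": src_port,
        "vni": vni_word >> 8,
        "dst_mac": inner[:6],
        "src_mac": inner[6:12],
        "ethertype": struct.unpack("!H", inner[12:14])[0],
        "payload": inner[14:],
    }


# Constructed sample frame (not a capture): an IPv4 packet between two VMs.
SAMPLE_FRAME = build_ethernet_frame(bytes.fromhex("001122334455"),
                                    bytes.fromhex("00aabbccddee"),
                                    0x0800, bytes(20))

if __name__ == "__main__":
    dg = encapsulate(5000, SAMPLE_FRAME)
    print(dg[8:16].hex())        # VXLAN header: flags 08, VNI 0x001388
    print(decapsulate(dg)["vni"])
```

Because the whole inner frame rides inside UDP, a firewall between VTEPs has to permit UDP/4789, and it cannot see the inner addresses unless it parses this header itself.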
"Pass Any Exam. Any Time." - www.actualtests.com

481

Cisco 350-018 Exam

QUESTION NO: 519


What are two limitations of the Atomic IP Advanced Engine? (Choose two.)
A.
It has limited ability to check the fragmentation header.
B.
It is unable to fire high-severity alerts for known vulnerabilities.
C.
It is unable to detect IP address anomalies, including IP spoofing
D.
It is unable to inspect a packets length fields for bad information.
E.
It is unable to detect Layer 4 attacks if the packets were fragmented by IPv6.

Answer: A,E
Explanation:
The Atomic IP Advanced engine contains the following restrictions:
Cannot detect the Layer 4 field of the packets if the packets are fragmented so that the Layer 4
identifier does not appear in the first packet.
Cannot detect Layer 4 attacks in flows with packets that are fragmented by IPv6 because there is
no fragment reassembly.
Cannot detect attacks with tunneled flows.
Limited checks are provided for the fragmentation header.
There is no support for IPv6 on the management (command and control) interface. With
ASA 8.2(1), the ASA 5500 AIP SSM support IPv6 features.
If there are illegal duplicate headers, a signature fires, but the individual headers cannot be
separately inspected.
Anomaly detection does not support IPv6 traffic; only IPv4 traffic is directed to the anomaly
detection processor.
Rate limiting and blocking are not supported for IPv6 traffic. If a signature is configured with a
block or rate limit event action and is triggered by IPv6 traffic, an alert is generated but the action
is not carried out.
"Pass Any Exam. Any Time." - www.actualtests.com

482

Cisco 350-018 Exam


Reference: http://www.cisco.com/c/en/us/td/docs/security/ips/71/configuration/guide/ime/imeguide71/ime_signature_engines.pdf

QUESTION NO: 520


What are two advantages of SNMPv3 over SNMPv2c? (Choose two.)
A.
integrity, to ensure that data has not been tampered with in transit
B.
no source authentication mechanism for faster response time
C.
Packet replay protection mechanism removed for efficiency
D.
GetBulkRequest capability, to retrieve large amounts of data in a single request
E.
confidentiality via encryption of packets, to prevent man-in-the-middle attacks

Answer: A,E
Explanation:
SNMPv3 contains all the functionality of SNMPv1 and SNMPv2, but SNMPv3 has significant
enhancements to administration and security. SNMPv3 is an interoperable standards-based
protocol. SNMPv3 provides secure access to devices by authenticating and encrypting packets
over the network.
The security features provided in SNMPv3 are as follows:
Message integrity: ensuring that a packet has not been tampered with in transit
Authentication: determining that the message is from a valid source
Encryption: scrambling the contents of a packet to prevent it from being seen by an unauthorized
source
Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4000/8-2glx/configuration/guide/snmp.pdf

"Pass Any Exam. Any Time." - www.actualtests.com

483

Cisco 350-018 Exam

QUESTION NO: 521


Refer to the exhibit.

Which two statements correctly describe the debug output?


A.
The remote VPN address is 180.10.10.1
B.
The message is observed on the NHS
C.
The message is observed on the NHC.
D.
The remote routable address 91.91.91.1.
E.
The local non-routable address is 20.10.10.3.
F.
The NHRP hold time is 3 hours.

Answer: A,C
Explanation:

"Pass Any Exam. Any Time." - www.actualtests.com

484

Cisco 350-018 Exam


QUESTION NO: 522
Which two statements about NEAT are true? (Choose two.)
A.
NEAT supports standard ACLs on the switch port.
B.
NEAT is not supported on an EtherChannel port.
C.
NEAT should be deployed only with autoconfiguration.
D.
NEAT uses CISP (Client Information Signaling Protocol) to propagate client IP address.
E.
NEAT is supported on an EtherChannel port.

Answer: B,C
Explanation:
Both statements are listed under Restrictions for Network Edge Authentication Topology in the
Cisco IOS configuration guide.
Reference: http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_8021x/configuration/15-2mt/sec-ieee-neat.html

QUESTION NO: 523


Refer to the exhibit.

"Pass Any Exam. Any Time." - www.actualtests.com

485

Cisco 350-018 Exam

Which three descriptions of the configuration are true? (Choose three.)


A.
The configuration is on the NHS.
B.
The tunnel IP address represents the NBMA address.
C.
This tunnel is a point-to-point GRE tunnel.
D.
The tunnel is not providing peer authentication.
E.
The configuration is on the NHC.
F.
The tunnel encapsulates multicast traffic.
G.
The tunnel provides data confidentiality.

Answer: A,F,G
Explanation:

"Pass Any Exam. Any Time." - www.actualtests.com

486

Cisco 350-018 Exam


QUESTION NO: 524 DRAG DROP
Drag and drop the SMTP components on the left onto their corresponding roles on the right.

Answer:

Explanation:
The following terminology is important in understanding the operation of a mail server:
MTA: the component that moves email from the sending mail server to the recipient mail server.
MUA: the component that interacts with the end user.
POP/IMAP: the component that fetches email from the recipient mail server mailbox to the
recipient's MUA.
MDA: the component that moves the email from the MTA to the user mailbox on the recipient mail
server.
Reference: http://xmodulo.com/how-mail-server-works.html

"Pass Any Exam. Any Time." - www.actualtests.com

487

Cisco 350-018 Exam


QUESTION NO: 525
When attempting to use basic HTTP authentication to authenticate a client, which type of HTTP
message should the server use?
A.
HTTP 302 with an Authenticate header
B.
HTTP 401 with a WWW-Authenticate header
C.
HTTP 407
D.
HTTP 200 with a WWW-Authenticate header

Answer: B
Explanation:
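The exchange behind the correct answer, as an added example that is not part of the original page: the server answers an unauthenticated request with 401 and a WWW-Authenticate header naming the Basic scheme and a realm (407 with Proxy-Authenticate is the proxy equivalent), the client retries with Authorization: Basic base64(user:password), and the server decodes and checks it. The realm name and the credential store are assumptions for the example; a real server would hold a salted password hash rather than the plaintext used here.

```python
import base64
import binascii
import hmac

REALM = "example"   # assumed realm name; any opaque string works

# Constructed credential store (not from the page). A real server keeps a
# salted password hash here and compares hashes, never the plaintext.
USERS = {"alice": "correct horse battery staple"}


def challenge():
    """The 401 the server sends to start Basic authentication.

    WWW-Authenticate names the scheme and the realm. A 407 with
    Proxy-Authenticate is the equivalent for a proxy, not an origin server.
    """
    return 401, {"WWW-Authenticate": f'Basic realm="{REALM}", charset="UTF-8"'}


def basic_header(user, password):
    """Client side: the Authorization header value for user:password."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def parse_basic_credentials(authorization):
    """Return (user, password) from an Authorization value, or None if unusable."""
    if not authorization:
        return None
    scheme, _, token = authorization.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # the user name cannot contain ':' but the password can, so split once
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


def authenticate(authorization):
    """Server side: (status, headers) for a request carrying this header value."""
    creds = parse_basic_credentials(authorization)
    if creds is None:
        return challenge()
    user, password = creds
    expected = USERS.get(user, "")
    # constant-time comparison; an unknown user is compared against an empty
    # string so a mismatch takes the same path as a wrong password
    if not expected or not hmac.compare_digest(password.encode("utf-8"),
                                               expected.encode("utf-8")):
        return challenge()
    return 200, {}


if __name__ == "__main__":
    print(authenticate(None))
    print(authenticate(basic_header("alice", "correct horse battery staple")))
```

Base64 is an encoding, not encryption, so the credentials are readable by anyone on the path; Basic authentication is only acceptable over TLS.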

QUESTION NO: 526


Your coworker is working on a project to prevent DDoS and ingress filtering and needs advice on
the standard and associated process for a single-homed network. Which two options do you
suggest? (Choose two.)
A.
RFC 5735
B.
RFC 3704
C.
BCP 84
D.
BCP 38
E.
RFC 2827

Answer: D,E
"Pass Any Exam. Any Time." - www.actualtests.com

488

Cisco 350-018 Exam


Explanation:

QUESTION NO: 527


What is the range of valid stratum numbers for NTP when configuring a Cisco IOS device as an
authoritative NTP server?
A.
0 to 16
B.
1 to 15
C.
0 to 4
D.
1 to 16

Answer: B
Explanation:
When a Cisco IOS device is configured as NTP master, its clock becomes a reference clock for time
synchronization of other devices. The stratum of the NTP master can be configured in the range 1 to 15
(the command defaults to stratum 8 when no value is given) and is often set to stratum 1 in practice.
Reference: https://seriousnetworks.wordpress.com/2013/08/08/configuring-ntp-on-cisco-ios-devices/

QUESTION NO: 528


Which statement about the DH group is true?
A.
It provides data confidentiality.
B.
"Pass Any Exam. Any Time." - www.actualtests.com

489

Cisco 350-018 Exam


It does not provide data authentication.
C.
It is negotiated in IPsec phase 2.
D.
It establishes a shared key over a secured medium.

Answer: B
Explanation:
Reference: https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange

QUESTION NO: 529


Which three fields are part of the AH header? (Choose three.)
A.
Destination Address
B.
Source Address
C.
Protocol ID
D.
Next Header
E.
Packet ICV
F.
SPI identifying SA
G.
Application Port

Answer: D,E,F
Explanation:
The AH packet is constructed and interpreted as follows (offsets in bytes, widths in bits):

Authentication Header format
Offset 0  (bits 0-31):   Next Header (8) | Payload Len (8) | Reserved (16)
Offset 4  (bits 32-63):  Security Parameters Index (SPI)
Offset 8  (bits 64-95):  Sequence Number
Offset 12 (bits 96-...): Integrity Check Value (ICV), variable length, padded to a multiple of 32 bits

Reference: https://en.wikipedia.org/wiki/IPsec
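The header layout above, as an added example that is not code from the original page: a Python serializer and parser for the AH header, plus an HMAC-SHA1-96 ICV computed over the header with the ICV field zeroed. The ICV calculation is simplified (real AH also covers the immutable fields of the outer IP header, which is omitted here), and the key and payload are constructed for the example rather than taken from a real security association.

```python
import hashlib
import hmac
import struct

AH_FIXED_LEN = 12  # Next Header(1) Payload Len(1) Reserved(2) SPI(4) Sequence(4)
ICV_LEN = 12       # HMAC-SHA1-96 truncates the 20-byte HMAC to 96 bits


def build_ah(next_header, spi, seq, icv):
    """Serialize an AH header. Payload Len is in 32-bit words minus 2, so a
    12-byte ICV gives (12 + 12) / 4 - 2 = 4, the value RFC 4302 quotes for
    IPv4 with a 96-bit ICV."""
    if len(icv) % 4:
        raise ValueError("ICV must be padded to a 32-bit boundary")
    payload_len = (AH_FIXED_LEN + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + icv


def parse_ah(data):
    """Parse an AH header from the start of `data`; return the fields, the ICV
    and the protected payload that follows the header."""
    if len(data) < AH_FIXED_LEN:
        raise ValueError("truncated AH header")
    next_header, payload_len, reserved, spi, seq = struct.unpack(
        "!BBHII", data[:AH_FIXED_LEN])
    total_len = (payload_len + 2) * 4
    if len(data) < total_len:
        raise ValueError("truncated AH ICV")
    return {
        "next_header": next_header, "payload_len": payload_len,
        "reserved": reserved, "spi": spi, "sequence": seq,
        "icv": data[AH_FIXED_LEN:total_len], "payload": data[total_len:],
    }


def compute_icv(header_with_zero_icv, payload, key):
    """HMAC-SHA1-96 (RFC 2404) over the AH header (ICV zeroed) and payload.
    Simplification: the immutable outer IP header fields AH also covers are
    left out of this example."""
    mac = hmac.new(key, header_with_zero_icv + payload, hashlib.sha1).digest()
    return mac[:ICV_LEN]


def build_ah_packet(next_header, spi, seq, payload, key):
    """Sender side: AH header with a valid ICV, followed by the payload."""
    zeroed = build_ah(next_header, spi, seq, bytes(ICV_LEN))
    icv = compute_icv(zeroed, payload, key)
    return build_ah(next_header, spi, seq, icv) + payload


def verify_ah_packet(packet, key):
    """Receiver side: recompute the ICV with the ICV field zeroed and compare
    it in constant time."""
    p = parse_ah(packet)
    zeroed = build_ah(p["next_header"], p["spi"], p["sequence"], bytes(len(p["icv"])))
    return hmac.compare_digest(compute_icv(zeroed, p["payload"], key), p["icv"])


# Constructed key and payload (not from a real SA).
SAMPLE_KEY = bytes(range(20))
SAMPLE_PAYLOAD = b"TCP segment goes here"

if __name__ == "__main__":
    pkt = build_ah_packet(6, 0x00001000, 1, SAMPLE_PAYLOAD, SAMPLE_KEY)
    print(parse_ah(pkt)["payload_len"], verify_ah_packet(pkt, SAMPLE_KEY))
```

The SPI and sequence number are authenticated along with the payload, so an attacker who replays or alters either field fails the ICV check; the sequence number is what the anti-replay window then consumes.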

QUESTION NO: 530 DRAG DROP


Drag the elements on the left to their corresponding functionality on the right.

Answer:

Explanation:
Cisco TrustSec SGT Exchange Protocol: control protocol for propagating IP-to-SGT binding
information across network devices
SGACL: associates an SGT with a policy
Cisco TrustSec: builds secure networks by establishing domains of trusted network devices
Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/trustsec/configuration/guide/trustsec/arch_over.html
"Pass Any Exam. Any Time." - www.actualtests.com

493

Cisco 350-018 Exam

QUESTION NO: 531


In the IPv6 address 2001:DB8:130F::870:0:140B/64, which portion is the IPv6 interface identifier?
A.
2001:DB8:130F:0
B.
870:0:140B
C.
2001:DB8:130F
D.
0:870:0:140B

Answer: D
Explanation:
The CIDR prefix representation is used to represent the IPv6 address. An example of this notation
is: 2001:DB8:130F::870:0:140B/64
The /64 indicates that the first 64 bits are being used to represent the network and the last 64 bits
are being used to represent the interface identifier.
Reference: https://www.cisco.com/web/strategy/docs/gov/IPv6_WP.pdf
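The split described above, as an added example that is not code from the original page: a Python function using the standard library's ipaddress module that expands the address (the "::" hides two zero groups, which is what makes 0:870:0:140B rather than 870:0:140B the interface identifier) and divides it at any prefix length. It also flags identifiers in modified EUI-64 form, which embed a MAC address and so reveal the hardware; that check is an addition of this example, not something the question asks about.

```python
import ipaddress


def split_ipv6(address_with_prefix):
    """Split an IPv6 address with prefix length into the network prefix and
    the interface identifier.

    The address is expanded first so that '::' cannot be misread. Integer
    values are always returned; the hex group strings (without leading zeros,
    as Cisco prints them) are only included when the prefix boundary falls
    on a 16-bit group boundary.
    """
    iface = ipaddress.IPv6Interface(address_with_prefix)
    prefix_len = iface.network.prefixlen
    host_bits = 128 - prefix_len
    addr_int = int(iface.ip)
    iid_int = addr_int & ((1 << host_bits) - 1)
    prefix_int = addr_int >> host_bits
    groups = [int(g, 16) for g in iface.ip.exploded.split(":")]
    result = {
        "expanded": iface.ip.exploded,
        "prefix_len": prefix_len,
        "prefix_int": prefix_int,
        "interface_id_int": iid_int,
        # modified EUI-64 identifiers carry 0xFFFE in bytes 3-4 of the 64-bit
        # identifier, with the MAC address around it
        "looks_like_eui64": host_bits == 64 and ((iid_int >> 24) & 0xFFFF) == 0xFFFE,
    }
    if prefix_len % 16 == 0:
        n = prefix_len // 16
        result["prefix"] = ":".join(f"{g:x}" for g in groups[:n])
        result["interface_id"] = ":".join(f"{g:x}" for g in groups[n:])
    return result


if __name__ == "__main__":
    print(split_ipv6("2001:DB8:130F::870:0:140B/64"))
```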

QUESTION NO: 532


Which statement is true about the Cisco ASA interface monitoring?
A.
ASA does not clear the received packets count on the monitored interface before running the
tests.
B.
Interfaces of the same context cannot be monitored.
C.
It is possible to configure a context to monitor a shared interface.
"Pass Any Exam. Any Time." - www.actualtests.com

494

Cisco 350-018 Exam


D.
If the monitored interface has both IPv4 and IPv6 addresses then it cannot be monitored.

Answer: C
Explanation:
You can monitor up to 250 interfaces (in multiple mode, divided between all contexts). You should
monitor important interfaces. For example in multiple mode, you might configure one context to
monitor a shared interface. (Because the interface is shared, all contexts benefit from the
monitoring.)
Reference: http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/general/asa_91_general_config/ha_failover.html

QUESTION NO: 533


Which two ESMTP commands are supported by the ASA inspection engine? (Choose two.)
A.
SOML
B.
LINK
C.
VERB
D.
ONEX
E.
ETRN
F.
ATRN

Answer: A,E
Explanation:
ESMTP is an enhancement to the SMTP protocol and is similar in most respects to SMTP. For
"Pass Any Exam. Any Time." - www.actualtests.com

495

Cisco 350-018 Exam


convenience, the term SMTP is used in this document to refer to both SMTP and ESMTP. The
application inspection process for extended SMTP is similar to SMTP application inspection and
includes support for SMTP sessions. Most commands used in an extended SMTP session are the
same as those used in an SMTP session but an ESMTP session is considerably faster and offers
more options related to reliability and security, such as delivery status notification.
Extended SMTP application inspection adds support for these extended SMTP commands,
including AUTH, EHLO, ETRN, HELP, SAML, SEND, SOML, STARTTLS, and VRFY. Along with
the support for seven RFC 821 commands (DATA, HELO, MAIL, NOOP, QUIT, RCPT, RSET), the
ASA supports a total of fifteen SMTP commands.
Reference: http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/I-R/cmdref2/i2.html#pgfId-1765148

QUESTION NO: 534


Refer to the exhibit.

"Pass Any Exam. Any Time." - www.actualtests.com

496

Cisco 350-018 Exam


Why does the EasyVPN session fail to establish between the client and server?
A.
incomplete ISAKMP profile configuration on the server
B.
incorrect ACL in the ISAKMP client group configuration
C.
incorrect IPsec phase 2 configuration on the server
D.
incorrect group configuration on the client
E.
ISAKMP key mismatch

Answer: A
Explanation:

QUESTION NO: 535


Refer to the exhibit.

"Pass Any Exam. Any Time." - www.actualtests.com

497

Cisco 350-018 Exam

With the client attempting an implicit SFTP connection to the SFTP server, which mode works by
default?
A.
passive
B.
neither passive nor active
C.
active
D.
both passive and active

Answer: B
Explanation:
The ASA cannot track these connections the way it tracks cleartext FTP. With regular FTP the ASA
reads the payload of the FTP control channel: in passive mode it performs the required NAT
translations, and in active mode it sees the addresses and ports and permits the data connection
to be established. With the secured variants (FTPS and SFTP) the control channel is encrypted, so
the ASA has no way to determine the ports being used. SFTP in particular runs over a single SSH
connection and has no active or passive mode at all.

QUESTION NO: 536


Depending on configuration, which two behaviors can the ASA classifier exhibit when it receives
unicast traffic on an interface that is shared by multiple contexts? (Choose two.)
A.
It is classified using the destination address of the packet using the NAT table.
B.
It is classified using the destination address of the packet using the connection table.
C.
It is classified by copying and sending the packet to all the contexts.
D.
it is classified using the destination address of the packet using the routing table.
E.
It is classified using the destination MAC address of the packet.

Answer: A,E
Explanation:

QUESTION NO: 537


Which two statements about SSL VPN smart tunnels on a Cisco IOS device are true? (Choose
two.)
A.
They are incompatible with split tunneling.
B.
They do not support FTP.
C.
They are incompatible with MAPI proxy.
"Pass Any Exam. Any Time." - www.actualtests.com

499

Cisco 350-018 Exam


D.
They support private socket libraries.
E.
They can be started in more than one Web browser at the same time.

Answer: A,C
Explanation:
Both statements are listed under Restrictions for Cisco IOS SSL VPN Smart Tunnels Support in the
Cisco IOS configuration guide.
Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_sslvpn/configuration/15-mt/sec-conn-sslvpn-15-mt-book/sec-conn-sslvpn-smart-tunnels-support.html

QUESTION NO: 538


Which two statements about ISO 27001 are true? (Choose two.)
A.
It is closely aligned to ISO 22000 standards.
B.
It is an ISO 17799 code of practice.
C.
It is an Information Security Management Systems specification.
D.
It is a code of practice for Informational Social Management.
E.
It was formerly known as BS7799-2.

Answer: C,E
Explanation:

"Pass Any Exam. Any Time." - www.actualtests.com

500

Cisco 350-018 Exam


QUESTION NO: 539
Refer to the exhibit.

What is the purpose of the command in the NAT-PT for IPv6 implementation on a Cisco IOS
device?
A.
It defines address pool used by the IPv6 access-list.
B.
It defines the IPv4 address pool used by the NAT-PT for dynamic address mapping.
C.
It defines address pool used by the IPv4 access-list.
D.
It defines the IPv6 address pool used by the NAT-PT for dynamic address mapping.
E.
It defines the IPv4 address pool used by the NAT-PT for static address mapping

Answer: B
Explanation:
ipv6 nat v6v4 pool name start-ipv4 end-ipv4 prefix-length prefix-length Example:
Device(config)# ipv6 nat v6v4 pool v4pool 10.21.8.1 10.21.8.10 prefix-length 24

Specifies a pool of IPv4 addresses to be used by NAT-PT for dynamic address mapping.

Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_nat/configuration/15-mt/nat-15-mt-book/ip6-natpt.html

"Pass Any Exam. Any Time." - www.actualtests.com

501

Cisco 350-018 Exam


QUESTION NO: 540
Which statement about the Cisco ASA operation running versions 8.3 is true?
A.
The interface and global access lists both can be applied in the input or output direction.
B.
NAT control is enabled by default.
C.
The interface access list is matched first before the global access lists.
D.
The static CLI command is used to configure static NAT translation rules.

Answer: C
Explanation:

QUESTION NO: 541


For which router configuration is the attack-drop.sdf file recommended?
A.
Routers with less than 128 MB of memory.
B.
Routers with less than 64 MB of memory.
C.
Routers with at least 128 MB of memory.
D.
Routers with at least 192 MB of memory.
E.
Routers with at least 256 MB of memory.

Answer: A
Explanation:
An SDF has definitions for each signature it contains. After signatures are loaded and compiled
"Pass Any Exam. Any Time." - www.actualtests.com

502

Cisco 350-018 Exam


onto a router running Cisco IOS IPS, IPS can begin detecting the new signatures immediately. If the
default, built-in signatures that are shipped with the routers are not used, one of three different
SDFs can be downloaded, each pre-configured for a router memory size; attack-drop.sdf is the one
intended for routers with less than 128 MB of memory.
Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_ios_ips/configuration/12-4t/sec-data-ios-ips-12-4t-book/sec-cfg-ips.html#GUID-09308574-4A31-4DBF-820E-A3F03BC47512

QUESTION NO: 542


Refer to the exhibit.

Which configuration prevents R2 from becoming a PIM neighbor with R1?


A.
access-list 10 permit 192.168.1.2 0.0.0.0
!
interface gi0/0
 ip pim neighbor-filter 10
B.
access-list 10 deny 192.168.1.2 0.0.0.0
!
interface gi0/0
 ip pim neighbor-filter 1
C.
access-list 10 deny 192.168.1.2 0.0.0.0
!
interface gi0/0
 ip pim neighbor-filter 10
D.
access-list 10 deny 192.168.1.2 0.0.0.0
!
interface gi0/0
 ip igmp access-group 10

Answer: C
Explanation:

"Pass Any Exam. Any Time." - www.actualtests.com

503

Cisco 350-018 Exam

QUESTION NO: 543


Which statement is true regarding the packet flow on Cisco ASA firewall running version 8.2?
A.
For the packet that has been received on the ingress interface, ACL is only checked if the
connection entry exists for the packet flow.
B.
For the packet that has been received on the ingress interface, transaction rule is checked before
the ACL if the connection entry for the packet flow does not exist.
C.
For the packet that has been received on the egress interface, transaction rule is checked before
the ACL if the connection entry does not exist for the packet flow.
D.
For the packet that has been received on the ingress interface, ACL is only checked if the
connection entry does not exist for the packet flow.

Answer: D
Explanation:
The referenced document walks through the order in which the ASA processes a received packet; the
step relevant here is:

If the packet flow does not match a current connection, the TCP state is verified. If it is a SYN
packet or a UDP (User Datagram Protocol) packet, the connection counter is incremented by one and
the packet is sent for an ACL check. If it is not a SYN packet, the packet is dropped and the event
is logged.
Additional security checks are applied if a Content Security (CSC) module is involved.
Reference: ASA 8.2: Packet Flow through an ASA Firewall,
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113396-asa-packet-flow-00.html

"Pass Any Exam. Any Time." - www.actualtests.com

504

Cisco 350-018 Exam

QUESTION NO: 544


Which statement about the fragmentation of IPsec packets in routers is true?
A.
By default if the packet size exceeds MTU of ingress physical interface, it will be fragmented and
sent without encryption.
B.
By default if the packet size exceeds MTU of the egress physical interface, it will be dropped.
C.
By default, the router knows the IPsec overhead to add to the packet, performs a lookup if the
packet will exceed egress physical interface IP MTU after encryption, then fragments the packet
before encrypting and separately encrypts the resulting IP fragments.
D.
By default, the IP packets that need encryption are first encrypted with ESP, if the resulting
encrypted packet exceeds the IP MTU on the egress physical interface, then the encrypted packet
is fragmented before being sent.

Answer: C
Explanation:

QUESTION NO: 545


Which three statements about SSHv1 and SSHv2 are true? (Choose three.)
A.
Both SSHv1 and SSHv2 support multiple session channels on a single connection.
B.
Both SSHv1 and SSHv2 require a server key to protect the session key.
C.
SSHv2 supports a wider variety of user-authentication methods than SSHv1.
D.
Unlike SSHv1, SSHv2 uses separate protocols for authentication, connection, and transport.
E.
"Pass Any Exam. Any Time." - www.actualtests.com

505

Cisco 350-018 Exam


Unlike SSHv1, SSHv2 supports multiple forms of user authentication in a single session.
F.
Both SSHv1 and SSHv2 negotiate the bulk cipher.

Answer: D,E,F
Explanation:
SSH-1 and SSH-2 differences (SSH-2 first, then SSH-1, for each point):

Protocol structure: SSH-2 uses separate transport, authentication, and connection protocols;
SSH-1 is one monolithic protocol.
Integrity: SSH-2 uses a strong cryptographic integrity check; SSH-1 uses a weak CRC-32 check.
Password changing: supported in SSH-2; not available in SSH-1.
Session channels: SSH-2 allows any number of session channels per connection (including none);
SSH-1 allows exactly one session channel per connection (which requires issuing a remote command
even when you don't want one).
Algorithm negotiation: SSH-2 fully negotiates modular cryptographic and compression algorithms,
including bulk encryption, MAC, and public-key; SSH-1 negotiates only the bulk cipher, all others
are fixed.
Per-direction keys: SSH-2 negotiates encryption, MAC, and compression separately for each
direction, with independent keys; SSH-1 uses the same algorithms and keys in both directions
(although RC4 uses separate keys, since the algorithm's design demands that keys not be reused).
Extensibility: the SSH-2 algorithm/protocol naming scheme allows local extensions while preserving
interoperability; the fixed SSH-1 encoding precludes interoperable additions.
User authentication methods: SSH-2 supports a wider variety than SSH-1.
Server key: the SSH-2 use of Diffie-Hellman key agreement removes the need for a server key;
SSH-1 uses a server key for forward secrecy on the session key.
Public-key certificates: supported in SSH-2; not available in SSH-1.
Authentication exchange: the SSH-2 exchange is more flexible and allows requiring multiple forms
of authentication for access; SSH-1 allows exactly one form of authentication per session.
Host-based authentication: in SSH-2 it is in principle independent of the client network address,
and so can work with proxying, mobile clients, etc.; SSH-1 RhostsRSA authentication is effectively
tied to the client host address, limiting its usefulness.
Session key replacement: SSH-2 periodically replaces session keys; SSH-1 does not.
Reference: http://docstore.mik.ua/orelly/networking_2ndEd/ssh/ch03_05.htm

QUESTION NO: 546


Refer to the exhibit.

Which statement about the configuration commands is true?


A.
These are valid configuration commands and the switch accepts them.
B.
These commands return an error because of a mismatch between the Dot1x order and priority.
C.
Changing the default order of authentication does not introduce additional authentication traffic in
the network.
D.
By default, the switch attempts MAB and then Dot1x.

Answer: A
Explanation:
Reference: http://www.cisco.com/c/en/us/products/collateral/ios-nx-ossoftware/identity-based-networking-service/application_note_c27-573287.html

QUESTION NO: 547


Which MAC address control command enables usage monitoring for a CAM table on a switch?
A.
mac-address-table synchronize
B.
mac-address-table limit
C.
mac-address-table secure
D.
mac-address-table notification threshold
E.
mac-address-table learning

Answer: D
Explanation:
mac-address-table notification threshold
To enable content-addressable memory (CAM) table usage monitoring notification, use the mac-address-table notification threshold command in global configuration mode. To disable CAM table
usage monitoring notification, use the no form of this command.
Reference: http://www.cisco.com/c/en/us/td/docs/ios/lanswitch/command/reference/lsw_book/lsw_m1.html

QUESTION NO: 548


Attacks can originate from multicast receivers. Any receiver that sends an IGMP or MLD report
typically creates state on which router?
A.
customer
B.
first-hop
C.
source
D.
RP

Answer: B
Explanation:
Attacks can originate from multicast receivers. Any receiver sending an IGMP/MLD report will
typically create state on the first-hop router. There is no equivalent mechanism in unicast.
Reference: http://www.cisco.com/web/about/security/intelligence/multicast_toolkit.html

QUESTION NO: 549


What technology can secure DNS information in IP networks?
A.
a combination of DNS and SSL/TLS
B.
a combination of DNS and IPSec
C.
DNS encryption
D.
DNSSEC

Answer: D
Explanation:
DNSSEC supplements the hierarchical nature of the DNS with cryptographic characteristics that
make it possible to verify the authenticity of information stored in the DNS. This validation makes it
possible for resolvers to be assured that when they request a particular piece of information from
the DNS, that they do in fact receive the correct information as published by the authoritative
source.
This assurance is made possible using cryptographic signatures included in the DNS by a source
organization. These signatures are calculated on a complete Resource Record set, not individual
Resource Records. The signatures are published in a DNSSEC-specific resource record type
called RRSIG. For example, setting aside the requisite infrastructure, by publishing the signature
for an A record, the source organization makes it possible for resolvers on the Internet to verify
that the A record contains authentic data and is correct as published. A DNS server is only signing
data for which it is authoritative, for example, the DNS server does not sign NS records that
delegate subdomains from its zone.
Reference: http://www.cisco.com/web/about/security/intelligence/dnssec.html#5

QUESTION NO: 550


Which set of encryption algorithms is used by WPA and WPA2?
A.
Blowfish and AES
B.
CAST and RC6
C.
TKIP and RC6
D.
TKIP and AES

Answer: D
Explanation:

QUESTION NO: 551


Which of the following statements is true about the ARP spoofing attack?
A.
Attacker sends the ARP request with the MAC address and IP address of a legitimate resource in
the network.
B.
ARP spoofing does not facilitate man-in the middle attack for the attacker.
C.
Attacker sends the ARP request with its own MAC address and IP address of a legitimate
resource in the network.
D.
Attacker sends the ARP request with the MAC address and IP address of its own.

Answer: C
Explanation:
ARP spoofing, ARP cache poisoning, or ARP poison routing, is a technique by which an attacker
sends (spoofed) Address Resolution Protocol (ARP) messages onto a local area network.
Generally, the aim is to associate the attacker's MAC address with the IP address of another host,
such as the default gateway, causing any traffic meant for that IP address to be sent to the
attacker instead.
Reference: https://en.wikipedia.org/wiki/ARP_spoofing

QUESTION NO: 552


Which two values must you configure on the Cisco ASA firewall to support FQDN ACLs? (Choose
two.)
A.
a DNS server
B.
an FQDN object
C.
a policy map
D.
a class map
E.
a service object
F.
a service policy

Answer: A,B
Explanation:
Reference: https://supportforums.cisco.com/document/66011/using-hostnames-dnsaccess-lists-configuration-steps-caveats-and-troubleshooting

QUESTION NO: 553


Which of these is an invalid syslog facility?
A.
0
B.
1
C.
31
D.
12

Answer: C
Explanation:
Reference: https://en.wikipedia.org/wiki/Syslog

QUESTION NO: 554
Which statement about SOX is true?
A.
Section 404 of SOX is related to non IT compliance.
B.
It is a US law.
C.
It is an IETF compliance procedure for computer systems security.
D.
It is an IEEE compliance procedure for IT management to produce audit reports.
E.
It is a private organization that provides best practices for financial institution computer systems.

Answer: B
Explanation:
The Sarbanes-Oxley Act of 2002 (Pub.L. 107-204, 116 Stat. 745, enacted July 30, 2002), also
known as the "Public Company Accounting Reform and Investor Protection Act" (in the Senate)
and "Corporate and Auditing Accountability and Responsibility Act" (in the House) and more
commonly called Sarbanes-Oxley, Sarbox or SOX, is a United States federal law that set new or
expanded requirements for all U.S. public company boards, management and public accounting
firms. A number of provisions of the Act also apply to privately held companies,
for example the willful destruction of evidence to impede a Federal investigation.
Reference: https://en.wikipedia.org/wiki/Sarbanes%E2%80%93Oxley_Act

QUESTION NO: 555


What are two authentication algorithms supported with SNMPv3 on an ASA? (Choose two.)
A.
3DES
B.
DES
C.
SHA
D.
RC4
E.
MD5
F.
RC5

Answer: C,E
Explanation:
Reference: http://www.lightchange.com/configuring-snmp-v3-on-cisco-asa-and-ios/

QUESTION NO: 556


Which statement is true about the PKI deployment using Cisco IOS devices?
A.
During the enrollment, CA or RA signs the client certificate request with its public key.
B.
The RA is capable of publishing CRLs.
C.
Peers use the private keys in their certificates to negotiate IPsec SAs to establish the secure channel.
D.
RA is used for accepting the enrollment requests.
E.
Certificate Revocation is not supported by SCEP protocol.

Answer: D
Explanation:
The RA only has the power to accept registration requests and forward them to the CA. It is not
allowed to issue certificates or publish CRLs. The CA is responsible for these functions.
Reference: http://www.cisco.com/en/US/tech/tk1132/technologies_white_paper09186a00800e79cb.shtml

QUESTION NO: 557


Which ICMP message type code indicates that fragment reassembly time has been exceeded?
A.
Type 11, code 0
B.
Type 11, Code 1
C.
Type 12, Code 2
D.
Type 4, Code 0

Answer: B
Explanation:
ICMP types (with literal names) and their codes:
Type 0: echo-reply
Type 3: destination unreachable; code 0 = net unreachable, 1 = host unreachable, 2 = protocol unreachable, 3 = port unreachable, 4 = fragmentation needed and DF set, 5 = source route failed
Type 4: source-quench
Type 5: redirect; code 0 = redirect datagrams for the network, 1 = redirect datagrams for the host, 2 = redirect datagrams for the type of service and network, 3 = redirect datagrams for the type of service and host
Type 6: alternate-address
Type 8: echo
Type 9: router-advertisement
Type 10: router-solicitation
Type 11: time-exceeded; code 0 = time to live exceeded in transit, 1 = fragment reassembly time exceeded
Reference: http://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/iossoftware-releases-121-mainline/12778-ping-traceroute.html

QUESTION NO: 558


Which two statements about the BGP backdoor feature are true? (Choose two.)
A.
It makes IGP learned routes preferred over eBGP learned routes.
B.
It makes iBGP learned routes preferred over IGP learned routes.
C.
It changes the eBGP administrative distance from 20 to 200.
D.
It makes eBGP learned routes preferred over IGP learned routes.
E.
It changes the eBGP administrative distance from 200 to 20.
F.
It changes the iBGP administrative distance from 200 to 20.

Answer: A,C
Explanation:
The Backdoor Feature is often used to increase the administrative distance of eBGP to 200 with
the goal of making the IGP learned routes to be preferred.
Reference: https://supportforums.cisco.com/document/148471/what-bgp-backdoorfeature

QUESTION NO: 559


What is Cisco CKM (Centralized Key Management) used for?
A.
to allow an access point to act as a TACACS server to authenticate the client
B.
to avoid configuring PSKs (Pre-Shared Key) locally on network access devices and to configure a
PSK once on a RADIUS server
C.
to provide switch port security
D.
to allow authenticated client devices to roam from one access point to another without any
perceptible delay during re-association

Answer: D
Explanation:
Using Cisco Centralized Key Management (CCKM), an access point configured to provide
Wireless Domain Services (WDS) takes the place of the RADIUS server and authenticates the
client so quickly that there is no perceptible delay in voice or other time-sensitive applications
Reference: http://www.cisco.com/c/en/us/td/docs/wireless/access_point/122_13_JA/configuration/guide/s12213sc/s13roamg.html

QUESTION NO: 560
Which two statements about ASA transparent mode are true? (Choose two.)
A.
It drops ARP traffic unless it is permitted.
B.
It does not support NAT.
C.
It requires the inside and outside interface to be in different subnets.
D.
It can pass IPv6 traffic.
E.
It cannot pass multicast traffic.
F.
It supports ARP inspection.

Answer: B,F
Explanation:
Even though the transparent mode acts as a bridge, Layer 3 traffic, such as IP traffic, cannot pass
through the security appliance unless you explicitly permit it with an extended access list. The only
traffic allowed through the transparent firewall without an access list is ARP traffic. ARP traffic can
be controlled by ARP inspection.
These features are not supported in transparent mode:
NAT: NAT is performed on the upstream router.
Dynamic routing protocols: You can add static routes for traffic that originates on the security appliance. You can also allow
dynamic routing protocols through the security appliance with an extended access list.
Note: IS-IS is IP protocol 124 (IS-IS over IPv4). IS-IS transit packets can be allowed through
transparent mode with an ACL that permits protocol 124. Transparent mode supports all 255 IP protocols.
DHCP relay: The transparent firewall can act as a DHCP server, but it does not support the DHCP relay
commands. DHCP relay is not required because you can allow DHCP traffic to pass through with
an extended access list.
Multicast: You can allow multicast traffic through the security appliance if you allow it in an extended access
list. In a transparent firewall, access lists are required to pass multicast traffic from higher to
lower, as well as from lower to higher, security zones. In a routed-mode firewall, higher-to-lower
traffic does not require one.
VPN termination for through traffic: The transparent firewall supports site-to-site VPN tunnels for management connections only. It
does not terminate VPN connections for traffic through the security appliance. You can pass VPN
traffic through the security appliance with an extended access list, but it does not terminate non-management connections.
Reference: http://www.cisco.com/c/en/us/support/docs/security/pix-500-seriessecurity-appliances/97853-Transparent-firewall.html

QUESTION NO: 561


Which statement describes the computed authentication data in the AH protocol?
A.
It is part of the original IP header.
B.
It is sent to the peer.
C.
It is part of a new IP header.
D.
It provides integrity only for the new IP header.

Answer: B
Explanation:

QUESTION NO: 562


To transport VXLAN traffic, which minimum MTU change, from a default MTU of 1500 bytes on the
port, is required to avoid fragmentation and performance degradation?
A.
9100 bytes
B.
9114 bytes
C.
1650 bytes
D.
1550 bytes

Answer: D
Explanation:
VXLAN traffic is encapsulated in a UDP packet when sent out to the physical network. This
encapsulation imposes the following overhead on each packet:
Outer Ethernet Header (14) + UDP header (8) + IP header (20) + VXLAN header (8) = 50 bytes
To avoid fragmentation and possible performance degradation, all the physical network devices
transporting the VXLAN traffic need to handle 50 bytes greater than the maximum transmission
unit (MTU) size expected for the frame. Therefore, adjust the MTU settings for all these devices,
which will transport the VXLAN traffic.
Reference: http://www.cisco.com/c/en/us/products/collateral/switches/nexus-1000vswitch-vmware-vsphere/guide_c07-702975.html

QUESTION NO: 563


What is the unit of measurement of the average rate of a token bucket?
A.
kilobytes per second
B.
bytes per second
C.
kilobits per second
D.
bits per second

Answer: D

Explanation:
A token bucket is a formal definition of a rate of transfer. It has three components: a burst size, a
mean rate, and a time interval (Tc). Although the mean rate is generally represented as bits per
second, any two values may be derived from the third by the relation shown as follows:
mean rate = burst size / time interval
Reference: http://www.cisco.com/c/en/us/td/docs/ios/ios_xe/qos/configuration/guide/2_xe/qos_xe_book/polcing_shping_oview_xe.html

QUESTION NO: 564


Refer to the exhibit.

In which two parts should the multicast boundary command be applied? (Choose two.)
A.
A
B.
B
C.
C
D.
D
E.
E
F.
F

Answer: A,F
Explanation:
You define a multicast boundary to prevent Auto-RP messages from entering the PIM domain.
You create an access list to deny packets destined for 224.0.1.39 and 224.0.1.40, which carry
Auto-RP information.
Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/152_2_e/multicast/configuration_guide/b_mc_1522e_3750x_3560x_cg/b_mc_3750x_3560x_chapter_010.html#task_33BF7D47C052413ABF8ACFCE9C871DD2

QUESTION NO: 565


What are two enhancements in WCCP V2.0 over WCCP V1.0? (Choose two.)
A.
support for HTTP redirection
B.
multicast support
C.
authentication support
D.
IPv6 support
E.
encryption support

Answer: B,C
Explanation:
WCCP V2.0 supports the following enhancements to the WCCP V1.0 Protocol:
* Multi-Router Support.
WCCP V2.0 allows a farm of web-caches to be attached to more than one router.
* Multicast Support.
WCCP V2.0 supports multicasting of protocol messages between web-caches and routers.
* Improved Security.
WCCP V2.0 provides optional authentication of protocol packets received by web-caches and
routers.
* Support for redirection of non-HTTP traffic.
WCCP V2.0 supports the redirection of traffic other than HTTP traffic through the concept of
Service Groups.
* Packet return.
WCCP V2.0 allows a web-cache to decline to service a redirected packet and to return it to a
router to be forwarded. The method by which packets are returned to a router is negotiable.
Reference: https://tools.ietf.org/id/draft-wilson-wrec-wccp-v2-01.txt

QUESTION NO: 566


What is the default duration of the IPS anomaly detection learning accept mode?
A.
12 hours
B.
48 hours
C.
24 hours
D.
8 hours
Answer: C
Explanation:
Although anomaly detection is in detect mode by default, it conducts an initial learning accept
mode for the default period of 24 hours.
Reference: http://www.cisco.com/c/en/us/td/docs/security/security_management/cisco_security_manager/security_manager/4-1/user/guide/CSMUserGuide_wrapper/ipsanom.html

QUESTION NO: 567


Which three items does TLS rely on to prove identity? (Choose three.)
A.
certificates
B.
password
C.
username
D.
Trustpoint
E.
private keys
F.
public keys

Answer: A,E,F
Explanation:
The Secure Socket Layer (SSL) protocol and Transport Layer Security (TLS) are application-level
protocols that provide for secure communication between a client and server by allowing mutual
authentication, the use of hash for integrity, and encryption for privacy. SSL and TLS rely on
certificates, public keys, and private keys.
Reference: http://www.cisco.com/c/en/us/td/docs/routers/crs/software/crs_r42/security/configuration/guide/b_syssec_cg42crs/b_syssec_cg42crs_chapter_01010.html

QUESTION NO: 568


Which two are characteristics of WPA? (Choose two.)
A.
implements a key mixing function before passing the initialization vector to the RC4 algorithm
B.
uses a 40-bit key with 24-bit initialization vector
C.
introduces a 64-bit MIC mechanism
D.
WPA does not allow Pre-Shared key mode
E.
makes the use of AES mandatory

Answer: A,C
Explanation:
On October 31, 2002, the Wi-Fi Alliance endorsed TKIP under the name Wi-Fi Protected Access
(WPA).
TKIP and the related WPA standard implement three new security features to address security
problems encountered in WEP protected networks. First, TKIP implements a key mixing function
that combines the secret root key with the initialization vector before passing it to the RC4
initialization. WEP, in comparison, merely concatenated the initialization vector to the root key, and
passed this value to the RC4 routine. This permitted the vast majority of the RC4 based WEP
related key attacks. Second, WPA implements a sequence counter to protect against replay
attacks. Packets received out of order will be rejected by the access point. Finally, TKIP
implements a 64-bit Message Integrity Check (MIC).
Reference: https://en.wikipedia.org/wiki/Temporal_Key_Integrity_Protocol

QUESTION NO: 569


Which three parameters does the HTTP inspection engine use to inspect the traffic on Cisco IOS
firewall? (Choose three.)
A.
source address
B.
application
C.
transfer encoding type
D.
minimum header length
E.
request method
F.
destination address

Answer: B,C,E
Explanation:
Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/https/configuration/15mt/https-15-mt-book/nm-https-inspection-engine.html

QUESTION NO: 570


Which two of the following pieces of information are communicated by the ASA in version 8.4 or
later when the Stateful Failover is enabled? (Choose two.)
A.
DHCP server address leases.
B.
dynamic routing tables
C.
power status
D.
NAT translation table
E.
user authentication

Answer: B,D
Explanation:
Reference: http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/ha_overview.html#wp1078922

QUESTION NO: 571


Which command sets the key-length for the IPv6 SeND protocol?
A.
ipv6 nd inspection
B.
ipv6 nd ra-interval
C.
ipv6 nd prefix
D.
ipv6 nd secured
E.
ipv6 nd ns-interval

Answer: D
Explanation:
Syntax: ipv6 nd secured key-length [[minimum | maximum] value]
Example:
Router(config)# ipv6 nd secured key-length minimum 512
Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6/configuration/152mt/ipv6-15-2mt-book/ip6-first-hop-security.html

QUESTION NO: 572


Which signature engine would you choose to filter for the regex [aA][tT][tT][aA][cC][kK] in the URI
field of the HTTP header?
A.
ATOMIC IP
B.
service HTTP
C.
AIC HTTP
D.
string TCP

Answer: B
Explanation:
Reference: https://supportforums.cisco.com/blog/149481/introduction-regularexpressions-ips

QUESTION NO: 573


Of which IPS application is Event Action Rule a component?
A.
NotificationApp
B.
InterfaceApp
C.
SensorApp
D.
SensorDefinition
E.
MainApp
F.
AuthenticationApp

Answer: C
Explanation:
Reference: http://manualmachine.com/cisco-systems/ips4510k9/1024953-usermanual/page:67/

QUESTION NO: 574


When a client attempts to authenticate to an access point with the RADIUS server, the server
returns the error message Invalid message authenticator in EAP request. Which action can you
take to correct the problem?
A.
Add the user profile to ACS.
B.
Synchronize the shared password between AP and ACS.
C.
Configure the required privileges for the authentication service.
D.
Enable the external database account.

Answer: B
Explanation:
Verify that shared secret passwords are synchronized between the access point and the
authentication server. Otherwise, you can receive this error message:
Invalid message authenticator in EAP request
The shared secret entry for the access point on the RADIUS server must contain the same shared
secret password as those previously mentioned.
Reference: http://www.cisco.com/c/en/us/support/docs/wireless/aironet-1100series/44844-leapserver.html

QUESTION NO: 575
Which statement is true regarding Transparent mode configuration on Cisco ASA firewall running
version 9.x?
A.
Networks connected with the ASA data interfaces must be in different subnets for the traffic to
flow.
B.
Bridge Groups are not supported in Transparent mode.
C.
Default route defined on the ASA is only for the management traffic return path.
D.
You need to make management interface of the ASA as the next-hop for the connected devices to
establish reachability across the ASA.
E.
Management interface does not update the MAC address table.

Answer: C
Explanation:
Transparent Firewall Guidelines
Reference: http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/general/asa_91_general_config/intro_fw.html