Cisco 350-018 Exam Practice PDF, Best Cisco 350-018 Brain Dump With The Knowledge And Skills

Good News!who Want to get Cisco 350-018 Certified? We know that the Cisco 350-018 certification exam is challenging, but with the new version Cisco 350-018 exam dumps, you will pass the exam easily and quickly.Free download the VCE and PDF files on Flydumps.com

QUESTION 1
Refer to the exhibit. It shows the format of an IPv6 Router Advertisement packet. If the Router Lifetime value is set to 0, what does that mean?

A. The router that is sending the RA is not the default router.
B. The router that is sending the RA is the default router.
C. The router that is sending the RA will never power down.
D. The router that is sending the RA is the NTP master.
E. The router that is sending the RA is a certificate authority.
F. The router that is sending the RA has its time synchronized to an NTP source.
Correct Answer: A
QUESTION 2
If a host receives a TCP packet with an SEQ number of 1234, an ACK number of 5678, and a length of 1000 bytes, what will it send in reply?
A. a TCP packet with SEQ number: 6678, and ACK number: 1234
B. a TCP packet with SEQ number: 2234, and ACK number: 5678
C. a TCP packet with SEQ number: 1234, and ACK number: 2234
D. a TCP packet with SEQ number: 5678, and ACK number 2234
Correct Answer: D
QUESTION 3
A network administrator uses a LAN analyzer to troubleshoot OSPF router exchange messages sent to all OSPF routers. To which one of these MAC addresses are these messages sent?
A. 00-00-1C-EF-00-00
B. 01-00-5E-00-00-05
C. 01-00-5E-EF-00-00
D. EF-FF-FF-00-00-05
E. EF-00-00-FF-FF-FF
F. FF-FF-FF-FF-FF-FF
Correct Answer: B

QUESTION 4
Comparing and contrasting IKEv1 and IKEv2, which three statements are true? (Choose three.)
A. IKEv2 adds EAP as a method of authentication for clients; IKEv1 does not use EAP.
B. IKEv1 and IKEv2 endpoints indicate support for NAT-T via the vendor_ID payload.
C. IKEv2 and IKEv1 always ensure protection of the identities of the peers during the negotiation process.
D. IKEv2 provides user authentication via the IKE_AUTH exchange; IKEv1 uses the XAUTH exchange.
E. IKEv1 and IKEv2 both use INITIAL_CONTACT to synchronize SAs.
F. IKEv1 supports config mode via the SET/ACK and REQUEST/RESPONSE methods; IKEv2 supports only REQUEST/RESPONSE.
Correct Answer: ADE
QUESTION 5
Which three statements about GDOI are true? (Choose three.)
A. GDOI uses TCP port 848.
B. The GROUPKEY_PULL exchange is protected by an IKE phase 1 exchange.
C. The KEK protects the GROUPKEY_PUSH message.
D. The TEK is used to encrypt and decrypt data traffic.
E. GDOI does not support PFS.
Correct Answer: BCD
QUESTION 6
Which three nonproprietary EAP methods do not require the use of a client-side certificate for mutual authentication? (Choose three.)
A. LEAP
B. EAP-TLS
C. PEAP
D. EAP-TTLS
E. EAP-FAST
Correct Answer: CDE
QUESTION 7
When you compare WEP to WPA (not WPA2), which three protections are gained? (Choose three.)
A. a message integrity check
B. AES-based encryption
C. avoidance of weak Initialization vectors
D. longer RC4 keys
E. a rekeying mechanism
Correct Answer: ACE
QUESTION 8
Which option shows the correct sequence of the DHCP packets that are involved in IP address assignment between the DHCP client and the server?
A. REQUEST, OFFER, ACK
B. DISCOVER, OFFER, REQUEST, ACK
C. REQUEST, ASSIGN, ACK
D. DISCOVER, ASSIGN, ACK
E. REQUEST, DISCOVER, OFFER, ACK
Correct Answer: B

QUESTION 9
Which common FTP client command transmits a direct, byte-for-byte copy of a file?
A. ascii
B. binary
C. hash
D. quote
E. glob
Correct Answer: B
QUESTION 10
Which option is a desktop sharing application, used across a variety of platforms, with default TCP ports 5800/5801 and 5900/5901?
A. X Windows
B. remote desktop protocol
C. VNC
D. desktop proxy
Correct Answer: C
QUESTION 11
Which two of the following provide protect against man-in-the-middle attacks? (Choose two.)
A. TCP initial sequence number randomization?
B. TCP sliding-window checking
C. Network Address Translation
D. IPsec VPNs
E. Secure Sockets Layer
Correct Answer: DE
QUESTION 12
Refer to the exhibit. Which statement is true?

A. This packet decoder is using relative TCP sequence numbering?.
B. This TCP client is proposing the use of TCP window scaling?.
C. This packet represents an active FTP data session?.
D. This packet contains no TCP payload.
Correct Answer: D
QUESTION 13
An exploit that involves connecting to a specific TCP port and gaining access to an administrative command prompt is an example of which type of attack?
A. botnet
B. Trojan horse
C. privilege escalation
D. DoS
Correct Answer: C
QUESTION 14
When configuring an Infrastructure ACL (iACL) to protect the IPv6 infrastructure of an enterprise network, where should the iACL be applied??
A. all infrastructure devices in both the inbound and outbound direction
B. all infrastructure devices in the inbound direction
C. all infrastructure devices in the outbound direction
D. all parameter devices in both the inbound and outbound direction
E. all parameter devices in the inbound direction
F. all parameter devices in the outbound direction
Correct Answer: E
QUESTION 15
What feature on the Cisco ASA is used to check for the presence of an up-to-date antivirus vendor on an AnyConnect client?
A. Dynamic Access Policies with no additional options
B. Dynamic Access Policies with Host Scan enabled
C. advanced endpoint assessment
D. LDAP attribute maps obtained from Antivirus vendor
Correct Answer: B
QUESTION 16
What type of attack consists of injecting traffic that is marked with the DSCP value of EF into the network?
A. brute-force attack
B. QoS marking attack
C. DHCP starvation attack
D. SYN flood attack
Correct Answer: B
QUESTION 17
Which statement is true regarding Cisco ASA operations using software versions 8.3 and later?
A. The global access list is matched first before the interface access lists.
B. Both the interface and global access lists can be applied in the input or output direction.
C. When creating an access list entry using the Cisco ASDM Add Access Rule window, choosing “global” as the interface will apply the access list entry globally.
D. NAT control is enabled by default.
E. The static CLI command is used to configure static NAT translation rules.
Correct Answer: A

QUESTION 18
Which three multicast features are supported on the Cisco ASA? (Choose three.)
A. PIM sparse mode?
B. IGMP forwarding?
C. Auto-RP
D. NAT of multicast traffic?
Correct Answer: ABD
QUESTION 19
Which three configuration tasks are required for VPN clustering of AnyConnect clients that are connecting to an FQDN on the Cisco ASA?? (Choose three.)
A. The redirect-fqdn command must be entered under the vpn load-balancing sub-configuration.
B. Each ASA in the VPN cluster must be able to resolve the IP of all DNS hostnames that are used in the cluster?.
C. The identification and CA certificates for the master FQDN hostname must be imported into each VPN cluster-member device?.
D. The remote-access IP pools must be configured the same on each VPN cluster-member interface.
Correct Answer: ABC
QUESTION 20
Which three statements are true about objects and object groups on a Cisco ASA appliance that is running Software Version 8.4 or later? (Choose three.)
A. TCP, UDP, ICMP, and ICMPv6 are supported service object protocol types.
B. IPv6 object nesting is supported.
C. Network objects support IPv4 and IPv6 addresses.
D. Objects are not supported in transparent mode.
E. Objects are supported in single- and multiple-context firewall modes.
Correct Answer: ACE
QUESTION 21
Which command is used to replicate HTTP connections from the Active to the Standby Cisco ASA appliance in failover?
A. monitor-interface http
B. failover link fover replicate http
C. failover replication http
D. interface fover replicate http standby
E. No command is needed, as this is the default behavior.
Correct Answer: C
QUESTION 22
policy-map type inspect ipv6 IPv6-map match header routing-type range 0 255 drop class-map outside-class match any policy-map outside-policy class outside-class inspect ipv6 IPv6-map service-policy outside-policy interface outside
Refer to the exhibit.

Given the Cisco ASA configuration above, which commands need to be added in order for the Cisco ASA appliance to deny all IPv6 packets with more than three extension headers?
A. policy-map type inspect ipv6 IPv6-map match ipv6 header count > 3
B. policy-map outside-policy class outside-class inspect ipv6 header count gt 3
C. class-map outside-class match ipv6 header count greater 3
D. policy-map type inspect ipv6 IPv6-map match header count gt 3 drop
Correct Answer: D
QUESTION 23
Which C3PL configuration component is used to tune the inspection timers such as setting the tcp idle-time and tcp synwait-time on the Cisco ZBFW?
A. class-map type inspect
B. parameter-map type inspect
C. service-policy type inspect
D. policy-map type inspect tcp
E. inspect-map type tcp
Correct Answer: B

QUESTION 24
Which three NAT types support bidirectional traffic initiation? (Choose three.)
A. static NAT
B. NAT exemption
C. policy NAT with nat/global
D. static PAT
E. identity NAT
Correct Answer: ABD
QUESTION 25
Which IPS module can be installed on the Cisco ASA 5520 appliance?
A. IPS-AIM
B. AIP-SSM
C. AIP-SSC
D. NME-IPS-K9
E. IDSM-2
Correct Answer: B
QUESTION 26
Which two options best describe the authorization process as it relates to network access? (Choose two.)
A. the process of identifying the validity of a certificate, and validating specific fields in the certificate against an identity store
B. the process of providing network access to the end user
C. applying enforcement controls, such as downloadable ACLs and VLAN assignment, to the network access session of a user
D. the process of validating the provided credentials
Correct Answer: BC
QUESTION 27
If ISE is not Layer 2 adjacent to the Wireless LAN Controller, which two options should be configured on the Wireless LAN Controller to profile wireless endpoints accurately? (Choose two.)
A. Configure the Call Station ID Type to be: “IP Address”.
B. Configure the Call Station ID Type to be: “System MAC Address”.
C. Configure the Call Station ID Type to be: “MAC and IP Address”.
D. Enable DHCP Proxy.
E. Disable DHCP Proxy.
Correct Answer: BE
QUESTION 28
Refer to the exhibit. To configure the Cisco ASA, what should you enter in the Name field, under the Group Authentication option for the IPSec VPN client?

A. group policy name
B. crypto map name
C. isakmp policy name
D. crypto ipsec transform-set name
E. tunnel group name
Correct Answer: E
QUESTION 29
Refer to the exhibit. On R1, encrypt counters are incrementing. On R2, packets are decrypted, but the encrypt counter is not being incremented. What is the most likely cause of this issue?

A. a routing problem on R1
B. a routing problem on R2
C. incomplete IPsec SA establishment
D. crypto engine failure on R2
E. IPsec rekeying is occurring
Correct Answer: B QUESTION 30
Which two methods are used for forwarding traffic to the Cisco ScanSafe Web Security service? (Choose two.)
A. Cisco AnyConnect VPN Client with Web Security and ScanSafe subscription
B. Cisco ISR G2 Router with SECK9 and ScanSafe subscription
C. Cisco ASA adaptive security appliance using DNAT policies to forward traffic to ScanSafe subscription servers
D. Cisco Web Security Appliance with ScanSafe subscription
Correct Answer: BC
QUESTION 31
Which four statements about SeND for IPv6 are correct? (Choose four.)
A. It protects against rogue RAs.
B. NDP exchanges are protected by IPsec SAs and provide for anti-replay.
C. It defines secure extensions for NDP.
D. It authorizes routers to advertise certain prefixes.
E. It provides a method for secure default router election on hosts.
F. Neighbor identity protection is provided by Cryptographically Generated Addresses that are derived from a Diffie-Hellman key exchange.
G. It is facilitated by the Certification Path Request and Certification Path Response ND messages.
Correct Answer: ACDE
QUESTION 32
What is the recommended network MACSec policy mode for high security deployments?
A. should-secure
B. must-not-secure
C. must-secure
D. monitor-only
E. high-impact
Correct Answer: A

QUESTION 33
Which three statements about NetFlow version 9 are correct? (Choose three.)
A. It is backward-compatible with versions 8 and 5.
B. Version 9 is dependent on the underlying transport; only UDP is supported.
C. A version 9 export packet consists of a packet header and flow sets.
D. Generating and maintaining valid template flow sets requires additional processing.
E. NetFlow version 9 does not access the NetFlow cache entry directly.
Correct Answer: CDE

QUESTION 34
Which three statements about VXLANs are true? (Choose three.)
A. It requires that IP protocol 8472 be opened to allow traffic through a firewall.
B. Layer 2 frames are encapsulated in IP, using a VXLAN ID to identify the source VM.
C. A VXLAN gateway maps VXLAN IDs to VLAN IDs.
D. IGMP join messages are sent by new VMs to determine the VXLAN multicast IP.
E. A VXLAN ID is a 32-bit value.
Correct Answer: BCD
QUESTION 35
Which two identifiers are used by a Cisco Easy VPN Server to reference the correct group policy information for connecting a Cisco Easy VPN Client? (Choose two.)
A. IKE ID_KEY_ID
B. OU field in a certificate that is presented by a client
C. XAUTH username
D. hash of the OTP that is sent during XAUTH challenge/response
E. IKE ID_IPV4_ADDR
Correct Answer: AB
QUESTION 36
Which multicast routing mechanism is optimal to support many-to-many multicast applications?
A. PIM-SM
B. MOSPF
C. DVMRP
D. BIDIR-PIM
E. MSDP
Correct Answer: D
QUESTION 37
Which three statements regarding VLANs are true? (Choose three.)
A. To create a new VLAN on a Cisco Catalyst switch, the VLAN name, VLAN ID and VLAN type must all be specifically configured by the administrator.
B. A VLAN is a broadcast domain.
C. Each VLAN must have an SVI configured on the Cisco Catalyst switch for it to be operational.
D. The native VLAN is used for untagged traffic on an 802.1Q trunk.
E. VLANs can be connected across wide-area networks.
Correct Answer: BDE
QUESTION 38
Which technology, configured on the Cisco ASA, allows Active Directory authentication credentials to be applied automatically to web forms that require authentication for clientless SSL connections?
A. one-time passwords
B. certificate authentication
C. user credentials obtained during authentication
D. Kerberos authentication
Correct Answer: C

QUESTION 39
In what subnet does address 192.168.23.197/27 reside?
A. 192.168.23.0
B. 192.168.23.128
C. 192.168.23.160
D. 192.168.23.192
E. 192.168.23.196
Correct Answer: D QUESTION 40
Given the IPv4 address 10.10.100.16, which two addresses are valid IPv4-compatible IPv6 addresses? (Choose two.)
A. :::A:A:64:10
B. ::10:10:100:16
C. 0:0:0:0:0:10:10:100:16
D. 0:0:10:10:100:16:0:0:0
Correct Answer: BC QUESTION 41
Refer to the exhibit. Which three fields of the IP header labeled can be used in a spoofing attack? (Choose one.)

A. 6, 7, 11
B. 6, 11, 12
C. 3, 11, 12
D. 4, 7, 11
Correct Answer: A
QUESTION 42
What is the size of a point-to-point GRE header, and what is the protocol number at the IP layer?
A. 8 bytes, and protocol number 74
B. 4 bytes, and protocol number 47
C. 2 bytes, and protocol number 71
D. 24 bytes, and protocol number 1
E. 8 bytes, and protocol number 47
Correct Answer: B
QUESTION 43
When implementing WLAN security, what are three benefits of using the TKIP instead of WEP? (Choose three.)
A. TKIP uses an advanced encryption scheme based on AES.
B. TKIP provides authentication and integrity checking using CBC-MAC.
C. TKIP provides per-packet keying and a rekeying mechanism.
D. TKIP provides message integrity check.
E. TKIP reduces WEP vulnerabilities by using a different hardware encryption chipset.
F. TKIP uses a 48-bit initialization vector.
Correct Answer: CDF
QUESTION 44
Which two statements about SHA are correct? (Choose two.)
A. Five 32-bit variables are applied to the message to produce the 160-bit hash.
B. The message is split into 64-bit blocks for processing.
C. The message is split into 512-bit blocks for processing.
D. SHA-2 and MD5 both consist of four rounds of processing.
Correct Answer: AC
QUESTION 45
Which three statements about IKEv2 are correct? (Choose three.)
A. INITIAL_CONTACT is used to synchronize state between peers.
B. The IKEv2 standard defines a method for fragmenting large messages.
C. The initial exchanges of IKEv2 consist of IKE_SA_INIT and IKE_AUTH.
D. Rekeying IKE and child SAs is facilitated by the IKEv2 CREATE_CHILD_SA exchange.
E. NAT-T is not supported.
F. Attribute policy push (via the configuration payload) is only supported in REQUEST/REPLY mode.
Correct Answer: ACD

QUESTION 46
Which three statements about LDAP are true? (Choose three.)
A. LDAP uses UDP port 389 by default.
B. LDAP is defined in terms of ASN.1 and transmitted using BER.
C. LDAP is used for accessing X.500 directory services.
D. An LDAP directory entry is uniquely identified by its DN.
E. A secure connection via TLS is established via the UseTLS operation.
Correct Answer: BCD Exam D

QUESTION 1
Which two EIGRP packet types are considered to be unreliable packets? (Choose two.)
A. update
B. query
C. reply
D. hello
E. acknowledgement
Correct Answer: DE
QUESTION 2
Before BGP update messages may be sent, a neighbor must stabilize into which neighbor state?
A. Active
B. Idle
C. Connected
D. Established
Correct Answer: D
QUESTION 3
Which three statements are correct when comparing Mobile IPv6 and Mobile IPv4 support? (Choose three.)
A. Mobile IPv6 does not require a foreign agent, but Mobile IPv4 does.
B. Mobile IPv6 supports route optimization as a fundamental part of the protocol; IPv4 requires extensions.
C. Mobile IPv6 and Mobile IPv4 use a directed broadcast approach for home agent address discovery.
D. Mobile IPv6 makes use of its own routing header; Mobile IPv4 uses only IP encapsulation.
E. Mobile IPv6 and Mobile IPv4 use ARP for neighbor discovery.
F. Mobile IPv4 has adopted the use of IPv6 ND.
Correct Answer: ABD
QUESTION 4
Which protocol does 802.1X use between the supplicant and the authenticator to authenticate users who wish to access the network?
A. SNMP
B. TACACS+
C. RADIUS
D. EAP over LAN
E. PPPoE
Correct Answer: D
QUESTION 5
Refer to the exhibit. Which message could contain an authenticated initial_contact notify during IKE main mode negotiation?

A. message 3
B. message 5
C. message 1
D. none, initial_contact is sent only during quick mode
E. none, notify messages are sent only as independent message types
Correct Answer: B
QUESTION 6
Which two statements are correct regarding the AES encryption algorithm? (Choose two.)
A. It is a FIPS-approved symmetric block cipher.
B. It supports a block size of 128, 192, or 256 bits.
C. It supports a variable length block size from 16 to 448 bits.
D. It supports a cipher key size of 128, 192, or 256 bits.
E. The AES encryption algorithm is based on the presumed difficulty of factoring large integers.
Correct Answer: AD
QUESTION 7
What are two benefits of using IKEv2 instead of IKEv1 when deploying remote-access IPsec VPNs? (Choose two.)
A. IKEv2 supports EAP authentication methods as part of the protocol.
B. IKEv2 inherently supports NAT traversal.
C. IKEv2 messages use random message IDs.
D. The IKEv2 SA plus the IPsec SA can be established in six messages instead of nine messages.
E. All IKEv2 messages are encryption-protected.
Correct Answer: AB

QUESTION 8
DNSSEC was designed to overcome which security limitation of DNS?
A. DNS man-in-the-middle attacks
B. DNS flood attacks
C. DNS fragmentation attacks
D. DNS hash attacks
E. DNS replay attacks
F. DNS violation attacks
Correct Answer: A
QUESTION 9
Which three statements are true about MACsec? (Choose three.)
A. It supports GCM modes of AES and 3DES.
B. It is defined under IEEE 802.1AE.
C. It provides hop-by-hop encryption at Layer 2.
D. MACsec expects a strict order of frames to prevent anti-replay.
E. MKA is used for session and encryption key management.
F. It uses EAP PACs to distribute encryption keys.
Correct Answer: BCE
QUESTION 10
Which SSL protocol takes an application message to be transmitted, fragments the data into manageable blocks, optionally compresses the data, applies a MAC, encrypts, adds a header, and transmits the resulting unit in a TCP segment?
A. SSL Handshake Protocol
B. SSL Alert Protocol
C. SSL Record Protocol
D. SSL Change CipherSpec Protocol
Correct Answer: C
QUESTION 11
IPsec SAs can be applied as a security mechanism for which three options? (Choose three.)
A. Send
B. Mobile IPv6
C. site-to-site virtual interfaces
D. OSPFv3
E. CAPWAP
F. LWAPP
Correct Answer: BCD
QUESTION 12
Which four options are valid EAP mechanisms to be used with WPA2? (Choose four.)
A. PEAP
B. EAP-TLS
C. EAP-FAST
D. EAP-TTLS
E. EAPOL
F. EAP-RADIUS
G. EAP-MD5
Correct Answer: ABCD

QUESTION 13
According to OWASP guidelines, what is the recommended method to prevent cross-site request forgery?
A. Allow only POST requests.
B. Mark all cookies as HTTP only.
C. Use per-session challenge tokens in links within your web application.
D. Always use the “secure” attribute for cookies.
E. Require strong passwords.
Correct Answer: C
QUESTION 14
Which option is used to collect wireless traffic passively, for the purposes of eavesdropping or information gathering?
A. network taps
B. repeater Access Points
C. wireless sniffers
D. intrusion prevention systems
Correct Answer: C
QUESTION 15
Which traffic class is defined for non-business-relevant applications and receives any bandwidth that remains after QoS policies have been applied?
A. scavenger class
B. best effort
C. discard eligible
D. priority queued
Correct Answer: A
QUESTION 16
In the context of a botnet, what is true regarding a command and control server?
A. It can launch an attack using IRC or Twitter.
B. It is another name for a zombie.
C. It is used to generate a worm.
D. It sends the command to the botnets via adware.
Correct Answer: A

QUESTION 17
Which option is used for anti-replay prevention in a Cisco IOS IPsec implementation?
A. session token
B. one-time password
C. time stamps
D. sequence number
E. nonce
Correct Answer: D
QUESTION 18
Refer to the exhibit. What will be the default action?

A. HTTP traffic to the Facebook, Youtube, and Twitter websites will be dropped.
B. HTTP traffic to the Facebook and Youtube websites will be dropped.
C. HTTP traffic to the Youtube and Twitter websites will be dropped.
D. HTTP traffic to the Facebook and Twitter websites will be dropped.
Correct Answer: D
QUESTION 19
Which Cisco ASA feature can be used to update non-compliant antivirus/antispyware definition files on an AnyConnect client?
A. dynamic access policies
B. dynamic access policies with Host Scan and advanced endpoint assessment
C. Cisco Secure Desktop
D. advanced endpoint assessment
Correct Answer: B
QUESTION 20
Refer to the exhibit. When configuring a Cisco IPS custom signature, what type of signature engine must you use to block podcast clients from accessing the network?

A. service HTTP
B. service TCP
C. string TCP
D. fixed TCP
E. service GENERIC
Correct Answer: A
QUESTION 21
An attacker configures an access point to broadcast the same SSID that is used at a public hot- spot, and launches a deauthentication attack against the clients that are connected to the hot-spot, with the hope that the clients will then associate to the AP of the attacker. In addition to the deauthentication attack, what attack has been launched?
A. man-in-the-middle
B. MAC spoofing
C. Layer 1 DoS
D. disassociation attack
Correct Answer: A
QUESTION 22
Which statement best describes the concepts of rootkits and privilege escalation?
A. Rootkits propagate themselves.
B. Privilege escalation is the result of a rootkit.
C. Rootkits are a result of a privilege escalation.
D. Both of these require a TCP port to gain access.
Correct Answer: B
QUESTION 23
Refer to the exhibit. Which message of the ISAKMP exchange is failing?

A. main mode 1
B. main mode 3
C. aggressive mode 1
D. main mode 5
E. aggressive mode 2
Correct Answer: B
QUESTION 24
Which multicast capability is not supported by the Cisco ASA appliance?
A. ASA configured as a rendezvous point
B. sending multicast traffic across a VPN tunnel
C. NAT of multicast traffic
D. IGMP forwarding (stub) mode
Correct Answer: B
QUESTION 25
Refer to the exhibit. What type of attack is being mitigated on the Cisco ASA appliance?

A. HTTPS certificate man-in-the-middle attack
B. HTTP distributed denial of service attack
C. HTTP Shockwave Flash exploit
D. HTTP SQL injection attack
Correct Answer: D
QUESTION 26
Which method of output queuing is supported on the Cisco ASA appliance?
A. CBWFQ
B. priority queuing
C. MDRR
D. WFQ
E. custom queuing
Correct Answer: B

QUESTION 27
Which four values can be used by the Cisco IPS appliance in the risk rating calculation? (Choose four.)
A. attack severity rating
B. target value rating
C. signature fidelity rating
D. promiscuous delta E. threat rating
F. alert rating
Correct Answer: ABCD
QUESTION 28
Which three authentication methods does the Cisco IBNS Flexible Authentication feature support? (Choose three.)
A. cut-through proxy
B. dot1x
C. MAB
D. SSO
E. web authentication
Correct Answer: BCE
QUESTION 29
Troubleshooting the web authentication fallback feature on a Cisco Catalyst switch shows that clients with the 802.1X supplicant are able to authenticate, but clients without the supplicant are not able to use web authentication. Which configuration option will correct this issue?
A. switch(config)# aaa accounting auth-proxy default start-stop group radius
B. switch(config-if)# authentication host-mode multi-auth
C. switch(config-if)# webauth
D. switch(config)# ip http server
E. switch(config-if)# authentication priority webauth dot1x
Correct Answer: D

QUESTION 30
Which option on the Cisco ASA appliance must be enabled when implementing botnet traffic filtering?
A. HTTP inspection
B. static entries in the botnet blacklist and whitelist
C. global ACL
D. NetFlow
E. DNS inspection and DNS snooping
Correct Answer: E
QUESTION 31
Refer to the exhibit. Which statement about this Cisco Catalyst switch 802.1X configuration is true?

A. If an IP phone behind the switch port has an 802.1X supplicant, MAC address bypass will still be used to authenticate the IP Phone.
B. If an IP phone behind the switch port has an 802.1X supplicant, 802.1X authentication will be used to authenticate the IP phone.
C. The authentication host-mode multi-domain command enables the PC connected behind the IP phone to bypass 802.1X authentication.
D. Using the authentication host-mode multi-domain command will allow up to eight PCs connected behind the IP phone via a hub to be individually authentication using 802.1X.
Correct Answer: B
QUESTION 32
Which signature engine is used to create a custom IPS signature on a Cisco IPS appliance that triggers when a vulnerable web application identified by the “/runscript.php” URI is run?
A. AIC HTTP
B. Service HTTP
C. String TCP
D. Atomic IP
E. META
F. Multi-String
Correct Answer: B
QUESTION 33
With the Cisco FlexVPN solution, which four VPN deployments are supported? (Choose four.)
A. site-to-site IPsec tunnels?
B. dynamic spoke-to-spoke IPSec tunnels? (partial mesh)
C. remote access from software or hardware IPsec clients?
D. distributed full mesh IPsec tunnels?
E. IPsec group encryption using GDOI?
F. hub-and-spoke IPsec tunnels?
Correct Answer: ABCF

QUESTION 34
Which four techniques can you use for IP management plane security? (Choose four.)
A. Management Plane Protection
B. uRPF
C. strong passwords
D. RBAC
E. SNMP security measures
F. MD5 authentication
Correct Answer: ACDE
QUESTION 35
Which three statements about remotely triggered black hole filtering are true? (Choose three.)
A. It filters undesirable traffic.
B. It uses BGP or OSPF to trigger a network-wide remotely controlled response to attacks.
C. It provides a rapid-response technique that can be used in handling security-related events and incidents.
D. It requires uRPF.
Correct Answer: ACD
QUESTION 36
Which three statements about Cisco Flexible NetFlow are true? (Choose three.)
A. The packet information used to create flows is not configurable by the user.
B. It supports IPv4 and IPv6 packet fields.
C. It tracks all fields of an IPv4 header as well as sections of the data payload.
D. It uses two types of flow cache, normal and permanent.
E. It can be a useful tool in monitoring the network for attacks.
Correct Answer: BCE
QUESTION 37
During a computer security forensic investigation, a laptop computer is retrieved that requires content analysis and information retrieval. Which file system is on it, assuming it has the default installation of Microsoft Windows Vista operating system?
A. HSFS
B. WinFS
C. NTFS
D. FAT
E. FAT32
Correct Answer: C

QUESTION 38
Which three statements about the IANA are true? (Choose three.)
A. IANA is a department that is operated by the IETF.
B. IANA oversees global IP address allocation.
C. IANA managed the root zone in the DNS.
D. IANA is administered by the ICANN.
E. IANA defines URI schemes for use on the Internet.
Correct Answer: BCD
QUESTION 39
What does the Common Criteria (CC) standard define?
A. The current list of Common Vulnerabilities and Exposures (CVEs)
B. The U.S standards for encryption export regulations
C. Tools to support the development of pivotal, forward-looking information system technologies
D. The international standards for evaluating trust in information systems and products
E. The international standards for privacy laws
F. The standards for establishing a security incident response system
Correct Answer: D
QUESTION 40
Which three types of information could be used during the incident response investigation phase? (Choose three.)
A. netflow data
B. SNMP alerts
C. encryption policy
D. syslog output
E. IT compliance reports
Correct Answer: ABD
QUESTION 41
Which of the following best describes Chain of Evidence in the context of security forensics?
A. Evidence is locked down, but not necessarily authenticated.
B. Evidence is controlled and accounted for to maintain its authenticity and integrity.
C. The general whereabouts of evidence is known.
D. Someone knows where the evidence is and can say who had it if it is not logged.
Correct Answer: B
QUESTION 42
Which option is a benefit of implementing RFC 2827?
A. prevents DoS from legitimate, non-hostile end systems
B. prevents disruption of special services such as Mobile IP
C. defeats DoS attacks which employ IP source address spoofing
D. restricts directed broadcasts at the ingress router
E. allows DHCP or BOOTP packets to reach the relay agents as appropriate
Correct Answer: C
QUESTION 43
Which of the following provides the features of route summarization, assignment of contiguous blocks of addresses, and combining routes for multiple classful networks into a single route?
A. classless interdomain routing
B. route summarization
C. supernetting
D. private IP addressing
Correct Answer: A

QUESTION 44
Aggregate global IPv6 addresses begin with which bit pattern in the first 16-bit group?
A. 000/3
B. 001/3
C. 010/2
D. 011/2
Correct Answer: B
QUESTION 45
Which layer of the OSI reference model typically deals with the physical addressing of interface cards?
A. physical layer
B. data-link layer
C. network layer
D. host layer
Correct Answer: B
QUESTION 46
Which statement best describes a key difference in IPv6 fragmentation support compared to IPv4?
A. In IPv6, IP fragmentation is no longer needed because all Internet links must have an IP MTU of 1280 bytes or greater.
B. In IPv6, PMTUD is no longer performed by the source node of an IP packet.
C. In IPv6, IP fragmentation is no longer needed since all nodes must perform PMTUD and send packets equal to or smaller than the minimum discovered path MTU.
D. In IPv6, PMTUD is no longer performed by any node since the don’t fragment flag is removed from the IPv6 header.
E. In IPv6, IP fragmentation is performed only by the source node of a large packet, and not by any other devices in the data path.
Correct Answer: E
If you fail in Cisco 350-018 exam test with Cisco 350-018 exam dumps, we promise to give you full refund! You only need to scan your Cisco 350-018 test score report to us together with your receipt ID. After our confirmation, we will give you full refund in time.Or you can choose to charge another IT exam Q&As instead of Cisco 350-018 exam dumps.Useful Cisco certifications exam dumps are assured with us.If our Cisco 350-018 exam dumps can’t help you pass Cisco 350-018 exam,details will be sent before we send the exam to you.We don’t waste our customers’ time and money! Trusting Passtcert is your best choice!