350-018v4 CCIE Security Exam (4.0)

Page 1
Question 1

Refer to the exhibit.

Which three statements are true? (Choose three.)

  • A. Because of a "root delay" of 0ms, this router is probably receiving its time directly from a Stratum 0 or 1 GPS reference clock.
  • B. This router has correctly synchronized its clock to its NTP master.
  • C. The NTP server is running authentication and should be trusted as a valid time source.
  • D. Specific local time zones have not been configured on this router.
  • E. This router will not act as an NTP server for requests from other devices.

Answer : B,C,E

Question 2

Which two statements about an authoritative server in a DNS system are true? (Choose

  • A. It indicates that it is authoritative for a name by setting the AA bit in responses.
  • B. It has a direct connection to one of the root name servers.
  • C. It has a ratio of exactly one authoritative name server per domain.
  • D. It cannot cache or respond to queries from domains outside its authority.
  • E. It has a ratio of at least one authoritative name server per domain.

Answer : A,E

Question 3

Refer to the exhibit.

Which message of the ISAKMP exchange is failing?

  • A. main mode 1
  • B. main mode 3
  • C. aggressive mode 1
  • D. main mode 5
  • E. aggressive mode 2

Answer : B

Question 4

Regarding VSAs, which statement is true?

  • A. VSAs may be implemented on any RADIUS server.
  • B. VSAs are proprietary, and therefore may only be used on the RADIUS server of that vendor. For example, a Cisco VSA may only be used on a Cisco RADIUS server, such as ACS or ISE.
  • C. VSAs do not apply to RADIUS; they are a TACACS attribute.
  • D. Each VSA is defined in an RFC and is considered to be a standard.

Answer : A

Question 5

Which traffic class is defined for non-business-relevant applications and receives any
bandwidth that remains after QoS policies have been applied?

  • A. scavenger class
  • B. best effort
  • C. discard eligible
  • D. priority queued

Answer : A

Question 6

Refer to the exhibit.

When configuring a Cisco IPS custom signature, what type of signature engine must you
use to block podcast clients from accessing the network?

  • A. service HTTP
  • B. service TCP
  • C. string TCP
  • D. fixed TCP
  • E. service GENERIC

Answer : A

Question 7

Which protocol does 802.1X use between the supplicant and the authenticator to
authenticate users who wish to access the network?

  • A. SNMP
  • B. TACACS+
  • D. EAP over LAN
  • E. PPPoE

Answer : D

Question 8

Which three statements are true about the SSH protocol? (Choose three.)

  • A. SSH protocol runs over TCP port 23.
  • B. SSH protocol provides for secure remote login and other secure network services over an insecure network.
  • C. Telnet is more secure than SSH for remote terminal access.
  • D. SSH protocol runs over UDP port 22.
  • E. SSH transport protocol provides for authentication, key exchange, confidentiality, and integrity.
  • F. SSH authentication protocol supports public key, password, host based, or none as authentication methods.

Answer : B,E,F

Question 9

IPsec SAs can be applied as a security mechanism for which three options? (Choose

  • A. Send
  • B. Mobile IPv6
  • C. site-to-site virtual interfaces
  • D. OSPFv3
  • F. LWAPP

Answer : B,C,D

Question 10

Which option explains the passive scan technique that is used by wireless clients to
discover available wireless networks?

  • A. listening for access point beacons that contain available wireless networks
  • B. sending a null probe request
  • C. sending a null association request
  • D. listening for access point probe response frames that contain available wireless networks

Answer : A

Question 11

Refer to the exhibit.

Which statement about this Cisco Catalyst switch 802.1X configuration is true?

  • A. If an IP phone behind the switch port has an 802.1X supplicant, MAC address bypass will still be used to authenticate the IP Phone.
  • B. If an IP phone behind the switch port has an 802.1X supplicant, 802.1X authentication will be used to authenticate the IP phone.
  • C. The authentication host-mode multi-domain command enables the PC connected behind the IP phone to bypass 802.1X authentication.
  • D. Using the authentication host-mode multi-domain command will allow up to eight PCs connected behind the IP phone via a hub to be individually authenticated using 802.1X.

Answer : B

Question 12

Which statement is true about the Cisco NEAT 802.1X feature?

  • A. The multidomain authentication feature is not supported on the authenticator switch interface.
  • B. It allows a Cisco Catalyst switch to act as a supplicant to another Cisco Catalyst authenticator switch.
  • C. The supplicant switch uses CDP to send MAC address information of the connected host to the authenticator switch.
  • D. It supports redundant links between the supplicant switch and the authenticator switch.

Answer : B

Question 13

Which of the following provides the features of route summarization, assignment of
contiguous blocks of addresses, and combining routes for multiple classful networks into a
single route?

  • A. classless interdomain routing
  • B. route summarization
  • C. supernetting
  • D. private IP addressing

Answer : A

Question 14

Which statement best describes the concepts of rootkits and privilege escalation?

  • A. Rootkits propagate themselves.
  • B. Privilege escalation is the result of a rootkit.
  • C. Rootkits are a result of a privilege escalation.
  • D. Both of these require a TCP port to gain access.

Answer : B

Question 15

Which two statements are correct regarding the AES encryption algorithm? (Choose two.)

  • A. It is a FIPS-approved symmetric block cipher.
  • B. It supports a block size of 128, 192, or 256 bits.
  • C. It supports a variable length block size from 16 to 448 bits.
  • D. It supports a cipher key size of 128, 192, or 256 bits.
  • E. The AES encryption algorithm is based on the presumed difficulty of factoring large integers.

Answer : A,D
