351-018 CCIE Security Exam (4.0)

Page 1   
Question 1

Which option on the Cisco ASA appliance must be enabled when implementing botnet
traffic filtering?

  • A. HTTP inspection
  • B. static entries in the botnet blacklist and whitelist
  • C. global ACL
  • D. NetFlow
  • E. DNS inspection and DNS snooping


Answer : E

Question 2

Which query type is required for an nslookup on an IPv6 addressed host?

  • A. type=AAAA
  • B. type=ANY
  • C. type=PTR
  • D. type=NAME-IPV6


Answer : A

Question 3

Which statement is true about the Cisco NEAT 802.1X feature?

  • A. The multidomain authentication feature is not supported on the authenticator switch interface.
  • B. It allows a Cisco Catalyst switch to act as a supplicant to another Cisco Catalyst authenticator switch.
  • C. The supplicant switch uses CDP to send MAC address information of the connected host to the authenticator switch.
  • D. It supports redundant links between the supplicant switch and the authenticator switch.


Answer : B

Question 4

A router has four interfaces addressed as 10.1.1.1/24, 10.1.2.1/24, 10.1.3.1/24, and
10.1.4.1/24. What is the smallest summary route that can be advertised covering these four
subnets?

  • A. 10.1.2.0/22
  • B. 10.1.0.0/22
  • C. 10.1.0.0/21
  • D. 10.1.0.0/16


Answer : C

Question 5

Which Cisco technology protects against Spanning Tree Protocol manipulation?

  • A. spanning-tree protection
  • B. root guard and BPDU guard
  • C. Unicast Reverse Path Forwarding
  • D. MAC spoof guard
  • E. port security


Answer : B

Question 6

Which three statements are true about MACsec? (Choose three.)

  • A. It supports GCM modes of AES and 3DES.
  • B. It is defined under IEEE 802.1AE.
  • C. It provides hop-by-hop encryption at Layer 2.
  • D. MACsec expects a strict order of frames to prevent anti-replay.
  • E. MKA is used for session and encryption key management.
  • F. It uses EAP PACs to distribute encryption keys.


Answer : B,C,E

Question 7

Which common Microsoft protocol allows Microsoft machine administration and operates
over TCP port 3389?

  • A. remote desktop protocol
  • B. desktop mirroring
  • C. desktop shadowing
  • D. Tarantella remote desktop


Answer : A

Question 8

Which three statements are true about the SSH protocol? (Choose three.)

  • A. SSH protocol runs over TCP port 23.
  • B. SSH protocol provides for secure remote login and other secure network services over an insecure network.
  • C. Telnet is more secure than SSH for remote terminal access.
  • D. SSH protocol runs over UDP port 22.
  • E. SSH transport protocol provides for authentication, key exchange, confidentiality, and integrity.
  • F. SSH authentication protocol supports public key, password, host based, or none as authentication methods.


Answer : B,E,F

Question 9

Which three authentication methods does the Cisco IBNS Flexible Authentication feature
support? (Choose three.)

  • A. cut-through proxy
  • B. dot1x
  • C. MAB
  • D. SSO
  • E. web authentication


Answer : B,C,E

Question 10

Which signature engine is used to create a custom IPS signature on a Cisco IPS appliance
that triggers when a vulnerable web application identified by the "/runscript.php" URI is
run?

  • A. AIC HTTP
  • B. Service HTTP
  • C. String TCP
  • D. Atomic IP
  • E. META
  • F. Multi-String


Answer : B

Question 11

Refer to the exhibit.


What type of attack is being mitigated on the Cisco ASA appliance?

  • A. HTTPS certificate man-in-the-middle attack
  • B. HTTP distributed denial of service attack
  • C. HTTP Shockwave Flash exploit
  • D. HTTP SQL injection attack


Answer : D

Question 12

What term describes an access point which is detected by your wireless network, but is not
a trusted or managed access point?

  • A. rogue
  • B. unclassified
  • C. interferer
  • D. malicious


Answer : A

Question 13

Which authentication mechanism is available to OSPFv3?

  • A. simple passwords
  • B. MD5
  • C. null
  • D. IKEv2
  • E. IPsec AH/ESP


Answer : E

Question 14

IPsec SAs can be applied as a security mechanism for which three options? (Choose
three.)

  • A. Send
  • B. Mobile IPv6
  • C. site-to-site virtual interfaces
  • D. OSPFv3
  • E. CAPWAP
  • F. LWAPP


Answer : B,C,D

Question 15

Refer to the exhibit.


Which statement best describes the problem?

  • A. Context vpn1 is not inservice.
  • B. There is no gateway that is configured under context vpn1.
  • C. The config has not been properly updated for context vpn1.
  • D. The gateway that is configured under context vpn1 is not inservice.


Answer : A

Page 1