[Free] Download New Updated (October 2016) Cisco 350-018 Real Exam 301-310

Ensurepass

QUESTION 301

Which configuration is the correct way to change a GET VPN Key Encryption Key lifetime to 10800 seconds on the key server?

A.
    crypto isakmp policy 1
     lifetime 10800

B.
    crypto ipsec security-association lifetime seconds 10800

C.
    crypto ipsec profile getvpn-profile
     set security-association lifetime seconds 10800
    !
    crypto gdoi group GET-Group
     identity number 1234
     server local
      sa ipsec 1
       profile getvpn-profile

D.
    crypto gdoi group GET-Group
     identity number 1234
     server local
      rekey lifetime seconds 10800

E.
    crypto gdoi group GET-Group
     identity number 1234
     server local
      set security-association lifetime seconds 10800

Correct Answer: D

QUESTION 302

Which three routing characteristics are relevant for DMVPN Phase 3? (Choose three.)

A. Hubs must not preserve the original IP next-hop.
B. Hubs must preserve the original IP next-hop.
C. Split-horizon must be turned off for RIP and EIGRP.
D. Spokes are only routing neighbors with hubs.
E. Spokes are routing neighbors with hubs and other spokes.
F. Hubs are routing neighbors with other hubs and must use the same routing protocol as that used on hub-spoke tunnels.

Correct Answer: ACD

QUESTION 303

Using Cisco IOS, which two object-group options will permit networks 10.1.1.0/24 and 10.1.2.0/24 to host 192.168.5.1 port 80 and 443? (Choose two.)

A.
    object-group network SOURCE
     range 10.1.1.0 10.1.2.255
    object-group network DESTINATION
     host 192.168.5.1
    object-group service HTTP
     tcp eq www
     tcp eq 443
     tcp source gt 1024
    !
    access-list 101 permit object-group HTTP object-group SOURCE object-group DESTINATION

B.
    object-group network SOURCE
     10.1.1.0 0.0.0.255
     10.1.2.0 0.0.0.255
    object-group network DESTINATION
     host 192.168.5.1
    object-group service HTTP
     tcp eq www
     tcp eq 443
    !
    ip access-list extended ACL-NEW
     permit object-group SOURCE object-group DESTINATION object-group HTTP

C.
    object-group network SOURCE
     10.1.1.0 255.255.255.0
     10.1.2.0 255.255.255.0
    object-group network DESTINATION
     host 192.168.5.1
    object-group service HTTP
     tcp eq www
     tcp eq 443
    !
    ip access-list extended ACL-NEW
     permit object-group SOURCE object-group DESTINATION object-group HTTP

D.
    object-group network SOURCE
     10.1.1.0 255.255.255.0
     10.1.2.0 255.255.255.0
    object-group network DESTINATION
     host 192.168.5.1
    object-group service HTTP
     tcp eq www
     tcp eq 443
     tcp source gt 1024
    !
    ip access-list extended ACL-NEW
     permit object-group HTTP object-group SOURCE object-group DESTINATION

Correct Answer: AD

QUESTION 304

Which two statements about the fragmentation of IPsec packets in routers are true? (Choose two.)

A. By default, the IP packets that need encryption are first encrypted with ESP. If the resulting encrypted packet exceeds the IP MTU on the egress physical interface, then the encrypted packet is fragmented and sent out.
B. By default, the router knows the IPsec overhead to add to the packet. The router performs a lookup if the packet will exceed the egress physical interface IP MTU after encryption, then fragments the packet and encrypts the resulting IP fragments separately.
C. increases CPU utilization on the decrypting device.
D. increases CPU utilization on the encrypting device.

Correct Answer: BC

QUESTION 305

Which statement about the following configuration is true?

    crypto gdoi group gdoi_group
     identity number 1234
     server local
      sa receive-only
      sa ipsec 1
       profile gdoi-p
       match address ipv4 120

A. The key server instructs the DMVPN spoke to install SAs outbound only.
B. The key server instructs the GDOI group to install SAs inbound only.
C. The key server instructs the DMVPN hub to install SAs outbound only.
D. The key server instructs the GDOI spoke to install SAs inbound only.

Correct Answer: B

QUESTION 306

The following NBAR configuration matches RTP traffic with which payload types?

    class-map nbar_rtp
     match protocol rtp payload-type "0, 1, 4 - 0x10, 10001b - 10010b, 64"

A. 0, 1, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 64
B. 0, 1, 4, 5, 6, 7, 8, 9, 10
C. 0, 1, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 64
D. 0, 1, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 64

Correct Answer: A

QUESTION 307

Which standard prescribes a risk assessment to identify whether each control is required to decrease risks and, if so, to what extent it should be applied?

A. ISO 27001
B. ISO 27002
C. ISO 17799
D. HIPAA
E. ISO 9000

Correct Answer: A

QUESTION 308

Which two are valid SMTP commands, according to RFC 821? (Choose two.)

A. EHLO
B. HELO
C. RCPT
D. AUTH

Correct Answer: BC

QUESTION 309

EAP-MD5 provides one-way client authentication. The server sends the client a random challenge. The client proves its identity by hashing the challenge and its password with MD5. What is the problem with EAP-MD5?

A. EAP-MD5 is vulnerable to dictionary attack over an open medium and to spoofing because there is no server authentication.
B. EAP-MD5 communication must happen over an encrypted medium, which makes it operationally expensive.
C. EAP-MD5 is CPU-intensive on the devices.
D. EAP-MD5 is not used by the RADIUS protocol.

Correct Answer: A

QUESTION 310

The following error is received when generating RSA keys for SSH access on a router using the crypto key generate rsa command. What are the reasons for this error? (Choose two.)

    error: % Invalid input detected at '^' marker.

A. The hostname must be configured before generating RSA keys.
B. The image that is used on the router does not support the crypto key generate rsa command.
C. The command has been used with incorrect syntax.
D. The crypto key generate rsa command is used to configure SSHv2, which is not supported on Cisco IOS devices.

Correct Answer: BC
