Test Information:
Total Questions: 490
Test Number: 350-018v4
Vendor Name: Cisco
Cert Name: CCIE
Test Name: CCIE Security Exam (4.0)
Official Site: http://www.certsgrade.com
Version: 26.0
Question: 1
In order to reassemble IP fragments into a complete IP
datagram, which three IP header fields are referenced by the receiver? (Choose
three.)
A. don't fragment flag
B. packet is fragmented flag
C. IP identification field
D. more fragment flag
E. number of fragments field
F. fragment offset field
Answer: C, D, F
Question: 2
Which VTP mode allows the Cisco Catalyst switch
administrator to make changes to the VLAN configuration that only affect the
local switch and are not propagated to other switches in the VTP domain?
A. transparent
B. server
C. client
D. local
E. pass-through
Answer: A
Question: 3
Which type of VPN is based on the concept of trusted group
members using the GDOI key management protocol?
A. DMVPN
B. SSLVPN
C. GETVPN
D. EzVPN
E. MPLS VPN
F. FlexVPN
Answer: C
Question: 4
Based on RFC 4890, what is the ICMP type and code that
should never be dropped by the firewall to allow PMTUD?
A. ICMPv6 Type 1 – Code 0 – no route to host
B. ICMPv6 Type 1 – Code 1 – communication with destination
administratively prohibited
C. ICMPv6 Type 2 – Code 0 – packet too big
D. ICMPv6 Type 3 – Code 1 – fragment reassembly time
exceeded
E. ICMPv6 Type 128 – Code 0 – echo request
F. ICMPv6 Type 129 – Code 0 – echo reply
Answer: C
Question: 5
A firewall rule that filters on the protocol field of an IP
packet is acting on which layer of the OSI reference model?
A. network layer
B. application layer
C. transport layer
D. session layer
Answer: A
Question: 6
Which layer of the OSI model is referenced when utilizing
http inspection on the Cisco ASA to filter Instant Messaging or Peer to Peer
networks with the Modular Policy Framework?
A. application layer
B. presentation layer
C. network layer
D. transport layer
Answer: A
Question: 7
When a Cisco IOS Router receives a TCP packet with a TTL
value less than or equal to 1, what will it do?
A. Route the packet normally
B. Drop the packet and reply with an ICMP Type 3, Code 1
(Destination Unreachable, Host Unreachable)
C. Drop the packet and reply with an ICMP Type 11, Code 0
(Time Exceeded, Hop Count Exceeded)
D. Drop the packet and reply with an ICMP Type 14, Code 0
(Timestamp Reply)
Answer: C
Question: 8
In an 802.11 WLAN, which option is the Layer 2 identifier of
a basic service set, and also is typically the MAC address of the radio of the
access point?
A. BSSID
B. SSID
C. VBSSID
D. MBSSID
Answer: A
Question: 9
What term describes an access point which is detected by
your wireless network, but is not a trusted or managed access point?
A. rogue
B. unclassified
C. interferer
D. malicious
Answer: A
Question: 10
A router has four interfaces addressed as 10.1.1.1/24,
10.1.2.1/24, 10.1.3.1/24, and 10.1.4.1/24. What is the smallest summary route
that can be advertised covering these four subnets?
A. 10.1.2.0/22
B. 10.1.0.0/22
C. 10.1.0.0/21
D. 10.1.0.0/16
Answer: C
Question: 11
Which two address translation types can map a group of
private addresses to a smaller group of public addresses? (Choose two.)
A. static NAT
B. dynamic NAT
C. dynamic NAT with overloading
D. PAT
E. VAT
Answer: C, D
Question: 12
Which authentication mechanism is available to OSPFv3?
A. simple passwords
B. MD5
C. null
D. IKEv2
E. IPsec AH/ESP
Answer: E
Question: 13
Which two IPv6 tunnel types support only point-to-point
communication? (Choose two.)
A. manually configured
B. automatic 6to4
C. ISATAP
D. GRE
Answer: A, D
Question: 14
Which two EIGRP packet types are considered to be unreliable
packets? (Choose two.)
A. update
B. query
C. reply
D. hello
E. acknowledgement
Answer: D, E
Question: 15
Before BGP update messages may be sent, a neighbor must
stabilize into which neighbor state?
A. Active
B. Idle
C. Connected
D. Established
Answer: D
Question: 16
Which three statements are correct when comparing Mobile
IPv6 and Mobile IPv4 support? (Choose three.)
A. Mobile IPv6 does not require a foreign agent, but Mobile
IPv4 does.
B. Mobile IPv6 supports route optimization as a fundamental
part of the protocol; IPv4 requires extensions.
C. Mobile IPv6 and Mobile IPv4 use a directed broadcast
approach for home agent address discovery.
D. Mobile IPv6 makes use of its own routing header; Mobile
IPv4 uses only IP encapsulation.
E. Mobile IPv6 and Mobile IPv4 use ARP for neighbor
discovery.
F. Mobile IPv4 has adopted the use of IPv6 ND.
Answer: A, B, D
Question: 17
Refer to the exhibit.
Which message could contain an authenticated initial_contact
notify during IKE main mode negotiation?
A. message 3
B. message 5
C. message 1
D. none, initial_contact is sent only during quick mode
E. none, notify messages are sent only as independent
message types
Answer: B
Question: 18
Which protocol does 802.1X use between the supplicant and
the authenticator to authenticate users who wish to access the network?
A. SNMP
B. TACACS+
C. RADIUS
D. EAP over LAN
E. PPPoE
Answer: D
Question: 19
Which two statements are correct regarding the AES
encryption algorithm? (Choose two.)
A. It is a FIPS-approved symmetric block cipher.
B. It supports a block size of 128, 192, or 256 bits.
C. It supports a variable length block size from 16 to 448
bits.
D. It supports a cipher key size of 128, 192, or 256 bits.
E. The AES encryption algorithm is based on the presumed
difficulty of factoring large integers.
Answer: A, D
Question: 20
What are two benefits of using IKEv2 instead of IKEv1 when
deploying remote-access IPsec VPNs? (Choose two.)
A. IKEv2 supports EAP authentication methods as part of the
protocol.
B. IKEv2 inherently supports NAT traversal.
C. IKEv2 messages use random message IDs.
D. The IKEv2 SA plus the IPsec SA can be established in six
messages instead of nine messages.
E. All IKEv2 messages are encryption-protected.
Answer: A, B
Question: 21
DNSSEC was designed to overcome which security limitation of
DNS?
A. DNS man-in-the-middle attacks
B. DNS flood attacks
C. DNS fragmentation attacks
D. DNS hash attacks
E. DNS replay attacks
F. DNS violation attacks
Answer: A
Question: 22
Which three statements are true about MACsec? (Choose
three.)
A. It supports GCM modes of AES and 3DES.
B. It is defined under IEEE 802.1AE.
C. It provides hop-by-hop encryption at Layer 2.
D. MACsec expects a strict order of frames to prevent
anti-replay.
E. MKA is used for session and encryption key management.
F. It uses EAP PACs to distribute encryption keys.
Answer: B, C, E
Question: 23
Which SSL protocol takes an application message to be
transmitted, fragments the data into manageable blocks, optionally compresses
the data, applies a MAC, encrypts, adds a header, and transmits the resulting
unit in a TCP segment?
A. SSL Handshake Protocol
B. SSL Alert Protocol
C. SSL Record Protocol
D. SSL Change CipherSpec Protocol
Answer: C
Question: 24
IPsec SAs can be applied as a security mechanism for which
three options? (Choose three.)
A. Send
B. Mobile IPv6
C. site-to-site virtual interfaces
D. OSPFv3
E. CAPWAP
F. LWAPP
Answer: B, C, D
Question: 25
Which four options are valid EAP mechanisms to be used with
WPA2? (Choose four.)
A. PEAP
B. EAP-TLS
C. EAP-FAST
D. EAP-TTLS
E. EAPOL
F. EAP-RADIUS
G. EAP-MD5
Answer: A, B, C, D
Question: 26
Which three statements are true about the SSH protocol?
(Choose three.)
A. SSH protocol runs over TCP port 23.
B. SSH protocol provides for secure remote login and other
secure network services over an insecure network.
C. Telnet is more secure than SSH for remote terminal
access.
D. SSH protocol runs over UDP port 22.
E. SSH transport protocol provides for authentication, key
exchange, confidentiality, and integrity.
F. SSH authentication protocol supports public key,
password, host based, or none as authentication methods.
Answer: B, E, F
Question: 27
Which two statements are true when comparing ESMTP and SMTP?
(Choose two.)
A. Only SMTP inspection is provided on the Cisco ASA
firewall.
B. A mail sender identifies itself as only able to support
SMTP by issuing an EHLO command to the mail server.
C. ESMTP mail servers will respond to an EHLO with a list of
the additional extensions they support.
D. SMTP commands must be in upper case, whereas ESMTP can be
either lower or upper case.
E. ESMTP servers can identify the maximum email size they
can receive by using the SIZE command.
Answer: C, E
Question: 28
How does a DHCP client request its previously used IP
address in a DHCP DISCOVER packet?
A. It is included in the CIADDR field.
B. It is included as DHCP Option 50 in the OPTIONS field.
C. It is included in the YIADDR field.
D. It is the source IP address of the UDP/53 wrapper packet.
E. The client cannot request its last IP address; it is
assigned automatically by the server.
Answer: B
Question: 29
Which two statements about an authoritative server in a DNS
system are true? (Choose two.)
A. It indicates that it is authoritative for a name by
setting the AA bit in responses.
B. It has a direct connection to one of the root name
servers.
C. It has a ratio of exactly one authoritative name server
per domain.
D. It cannot cache or respond to queries from domains
outside its authority.
E. It has a ratio of at least one authoritative name server
per domain.
Answer: A, E
Question: 30
Refer to the exhibit.
Which three statements are true? (Choose three.)
A. Because of a "root delay" of 0ms, this router
is probably receiving its time directly from a Stratum 0 or 1 GPS reference
clock.
B. This router has correctly synchronized its clock to its
NTP master.
C. The NTP server is running authentication and should be
trusted as a valid time source.
D. Specific local time zones have not been configured on
this router.
E. This router will not act as an NTP server for requests
from other devices.
Answer: B, C, E