Cisco 350-018 Practice Exam, 100% Success Rate Cisco 350-018 Dumps With High Quality

Free sharing: Flydumps Cisco 350-018 exam questions and answers are constantly being revised and updated for relevance and accuracy. Many candidates have passed the Cisco 350-018 exam easily by training with the new version. 100% pass rate.

If you want to use RADIUS authentication, must you configure AAA?
B. No, AAA is not required to use RADIUS, just use the “ip auth radius” commands
C. Yes, you must configure AAA to use TACACS+, Kerberos, or RADIUS.
D. No, AAA is for authentication, authorization, and accounting. It is not required to configure
Correct Answer: C
SWA has a priority of 8192 while SWB has a priority of 32768. Which switch will be root, and why?
A. SWA, it has the lowest priority.
B. SWB, it has the highest priority.
C. Neither, it will be determined by the lowest MAC address.
D. Neither, it will be determined by the lowest cost to the root switch.
Correct Answer: A
What does a PIX do with tcp sequence number to minimize the risk of tcp sequence number attacks? (Select all that apply)
A. Randomize them.
B. Make sure they are within an acceptable range.
C. Doesn’t use them.
D. Uses the same numbers over and over again
Correct Answer: AB
Traffic is flowing from the inside to the outside. You are using an output access-list (outbound access-list) along with NAT. What IP addresses should be referenced in the access-list?
A. Outside (global) addresses
B. Inside (local) addresses
C. Encrypted addresses
D. Private addresses
Correct Answer: A

Which of the following are valid av-pairs on a RADIUS server?
A. rte-fltr-out#0=”router igrp 60″
B. user = georgia { login = cleartext lab service = ppp protocol = ip { addr-pool=bbb } }
C. cisco-avpair = “ip:addr-pool=bbb”
D. route#1 = “”
Correct Answer: C
What is RADIUS? (Select all that apply)
A. Remote Authentication Dial-In User Services
B. “A distributed client/server system that secures networks against unauthorized access”
C. A secret-key network authentication protocol.
D. A modular security application that provides centralized validation of users attempting to gain access to a router or network access server
Correct Answer: AB
In RFC 2138 (RADIUS), vendor specific attributes (VSA) are specified. Specifically, this is called VSA 26 (attribute 26). These allow vendors to support their own extended options. Cisco’s vendor ID is 9. Which of the following commands tell the Cisco IOS to use and understand VSA’s? (Select all that apply)
A. radius-server vsa send
B. radius-server vsa send authentication
C. radius-server vsa send accounting
D. ip radius-server vsa send
Correct Answer: ABC
In your company’s network, a Cisco adaptive security appliance is running in multiple context mode. Multiple contexts are associated with the ingress interface. As a network technician of your company, can you tell me which three actions will be taken by the security appliance to classify packets into a context? (Choose three.)
A. looking at the destination interface IP address for traffic destined to an interface
B. looking at the source interface IP address for traffic sourced from an interface
C. looking at static commands where the global interface matches the ingress interface of the packet
D. looking at IP addresses identified by a global pool for the ingress interface by use of the global command
Correct Answer: ACD
Your RADIUS server is at IP address and the authentication key is “Cisco”. AAA has not yet been configured on your router. What is the minimum number of commands you can type to tell your router about your RADIUS server? (Select all that apply)
A. aaa new-model radius-server host auth-port 1545 acct-port 1546 key Cisco
B. radius-server host key cisco
C. aaa new-model
D. radius-server host auth-port 1545 acct-port 1546 key cisco
Correct Answer: BC
When a Cisco Secure Intrusion Detection System Sensor communicates with a Cisco Secure Intrusion Detection System Director, what statement is FALSE?
A. If the preferred route is down, up to 255 alternate listed routes can be attempted
B. When the sensor to director is detected as “down”, packets lost during this time are buffered and retransmitted. The packets are dropped only when the buffer is full.
C. The communication occurs via the postofficed system
D. When no keepalives are detected, eventd on the sensor e-mails the administrator.
Correct Answer: D
The main reason the NFS protocol is not recommended for use across a firewall or a security domain is that:
A. it is UDP based. As a result, its state is difficult to track.
B. This protocol uses a range of ports, and firewalls have difficulty opening the proper entry points to allow traffic.
C. File permissions are easily modified in the requests, and the security of the protocol is not stringent.
D. Industry technicians do not understand NFS well, but it is actually appropriate to run across various security domains.
Correct Answer: C
Why is it important to delete IPSec Security Associations (SAs) frequently and then re-key and reestablish the SAs?
A. To reduce the chance that another IPSec machine on the network will generate the same random SPI, which will cause confusion as to which machine is the endpoint of a tunnel.
B. To reduce the risk of a brute force attack where your key can be compromised if it stays the same for too long a period of time.
C. Each time a SA is regenerated, the integrity of the link is checked. This is the only way to establish if the tunnel is still active.
D. To reduce the potential problems of counters exceeding their allocated size, which will cause them to wrap back to zero and display invalid results.
Correct Answer: B
What command sequence should be used to turn on RADIUS in a router?
A. aaa new-model aaa authen login default radius radius-server host #.#.#.# radius-server key <key>
B. aaa new-model aaa authen login default radius radius-server host #.#.#.#
C. radius-server host #.#.#.# radius-server key <key> aaa authen login default radius aaa new-model
D. radius-server host #.#.#.# radius-server use-extended login radius
Correct Answer: A
Routers running OSPF and sharing a common segment become neighbors on that segment. What statement regarding OSPF neighbors is FALSE?
A. The Primary and Secondary addresses on an interface allow the router to belong to different areas at the same time.
B. All routers must agree on the stub area flag in the OSPF Hello Packets.
C. Neighbors will fail to form an adjacency if their Hello and Dead intervals differ.
D. Two routers will not become neighbors if the Area-ID and Authentication password do not match.
Correct Answer: A
If the read community is known and there is SNMP connectivity to a device (without an access-list limiting this):
A. The System Description (sysDescr), which includes the full name and version identification of the system’s hardware type, software operating-system, and networking software, can be ascertained through an SNMP query.
B. The entire configuration of the router can be read but not modified.
C. The passwords on the router can be modified.
D. The passwords on the router can be read, not modified. This enables the attacker to access the router as a base of operations for other attacks.
Correct Answer: A
Simply put, an IPS signature is any distinctive characteristic that identifies something. Using this definition, all IPS products use signatures of some kind, regardless of what the product descriptions claim. In which format are IPS signatures stored?
A. Post Office
Correct Answer: C
Which of the following aptly describes the Unix file /etc/shadow?
A. The Unix file /etc/shadow is referenced by login when the /etc/passwd file contains an asterisk in the third field.
B. The Unix file /etc/shadow is referenced by NIS when the /etc/passwd file contains a line with the first character of ‘+’.
C. The Unix file /etc/shadow is a place to store encrypted passwords without referencing the /etc/passwd file.
D. The Unix file /etc/shadow is a read-protected file referenced by login when the /etc/passwd file contains a special character in the second field.
Correct Answer: D

What statement about AH and ESP is FALSE?
A. ESP encapsulates the IP header, while AH does not.
B. ESP uses protocol 50.
C. AH uses protocol 51.
D. AH does not lend itself to a NAT environment because of IP header encapsulation.
Correct Answer: A
A switch has been configured to support MultiLayer Switching (MLS). In addition, Access Control Lists on the MLS-Route Processor have been configured to block all FTP traffic destined to the Internet. What flow mask will be used to create each shortcut?
A. Application flow mask
B. Full flow mask
C. Destination-Source flow mask
D. Destination flow mask
Correct Answer: B
What is the term used to describe an attack that falsifies a broadcast ICMP echo request and includes a primary and secondary victim?
A. Fraggle Attack
B. Man in the Middle Attack
C. Trojan Horse Attack
D. Smurf Attack
Correct Answer: D
When configuring IPSec with IKE, if the transform set includes an ESP cipher algorithm, specify the cipher keys. In a Cisco IOS IPsec transform set, which two of the following items are valid for ESP cipher algorithms? (Choose two)
A. esp-null, esp-seal
B. esp-aes 256, esp-aes null
C. esp-null, esp-aes 512
D. esp-aes 192, esp-des, esp-3des
Correct Answer: AD
If the result of an attack left an ARP table in the state below, what address would you suspect of launching the attack?
Internet – 000c.5a35.3c77 ARPA FastEthernet0/0
Internet 0 00bc.d1f5.f769 ARPA FastEthernet0/0
Internet 0 00bc.d1f5.f769 ARPA FastEthernet0/0
Internet 3 00bc.d1f5.f769 ARPA FastEthernet0/0
Internet 0 00bc.d1f5.f769 ARPA FastEthernet0/0
C.
Correct Answer: D
What would be a reason to decrease the security association lifetime on a router?
A. To ease the workload on the router CPU and RAM
B. To give a potential hacker less time to decipher the keying
C. To improve Perfect Forward Secrecy (PFS)
D. If the lifetime of the peer router on the other end of the tunnel is shorter, the lifetime on the local router must be decreased so that the SA lifetime of both routers is the same.
Correct Answer: B
The no ip directed-broadcast command is useful in preventing SMURF style attacks for the following reason:
A. It prevents your network device from being a target
B. It prevents your network device from launching an attack.
C. It prevents your network device from being a reflector in an attack
D. It prevents your network device from being traced as the source of an attack.
Correct Answer: C
IDS tuning requires a step-by-step methodology in order to tune IDS signatures effectively. Put the following tuning steps for a new sensor into their proper order.
A. Identify critical assets that require monitoring and protection.
B. Update sensors with new signatures.
C. Let sensors operate for a period of time generating alarms using the default configuration.
D. Apply initial configuration.
E. Selectively implement response actions.
F. Connect sensors to network.
G. Analyze alarms and tune out false positives.

A. A, F, D, C, G, E, B
B. A, C, F, D, G, E, B
C. A, B, C, D, E, G, F
D. F, E, G, A, B, C, D
Correct Answer: A

The newly appointed trainee technician wants to know what the purpose of Lock & Key is. What will your reply be?
A. Lock & Key secures the console port of the router so that even users with physical access to the router cannot gain access without entering the proper sequence.
B. Lock & Key permits Telnet to the router and have temporary access lists applied after issuance of the access-enable command.
C. Lock & Key requires additional authentication for traffic traveling through the PIX for TTAP compliance.
D. Lock & Key is to prevent users from getting into enable mode.
Correct Answer: B
The company network administrator has forgotten the enable password of the router. There are no users logged into the router, but all passwords on the router are encrypted.
What can the administrator do to recover the enable secret password?
A. The administrator can reboot the router, press the BREAK key during boot up, and boot the router into ROM Monitor mode to erase the configuration, and re-install the entire configuration as it was saved on a TFTP server.
B. The administrator can call the Cisco Technical Assistance Center (TAC) for a specific code that will erase the existing password.
C. The administrator can reboot the router, press the BREAK key during boot up, boot the router into ROM Monitor mode to either erase or replace the existing password, and reboot the router as usual.
D. The administrator should erase the configuration, boot the router into ROM Monitor mode, press the BREAK key, and overwrite the previous enable password with a new one.
Correct Answer: A
The newly appointed trainee technician wants to know what the definition of exploit signatures is in the context of Intrusion detection. What will your reply be?
A. Exploit Signatures are policies that prevent hackers from your network.
B. Exploit Signatures are security weak points in your network that are open to exploitation by intruders.
C. Exploit Signatures are identifiable patterns of attacks detected on your network.
D. Exploit Signatures are digital graffiti from malicious users.
Correct Answer: C
Which of the following services would you advise the new trainee technician to enable on IOS firewall devices?
A. SNMP with community string public.
B. TCP small services.
C. UDP small services
D. Password-encryption.
Correct Answer: D
The newly appointed trainee technician wants to know what PFS (Perfect Forward Secrecy) requires. What will your reply be?
C. Another Diffie-Hellman exchange when an SA has expired
D. Triple DES
Correct Answer: C
Using Cisco’s Security Device Manager on an IOS router, what functions could you expect the security audit option to do for you?
A. Scan for and report open ports.
B. Report IOS vulnerabilities.
C. List identifiable configuration problems and suggest recommendations for fixing them.
D. Configure LAN and WAN interfaces with IP addresses and security related commands
Correct Answer: C

The company network is using Cisco Secure Intrusion Detection System and the network traffic pattern appears ordinary. However, numerous false positives for a particular alarm are received. What can you do to avoid the quantity of “noise” in the future?
A. Click the unmanage for the alarm in question in the HP OpenView/NR GUI interface.
B. Click the acknowledge for the alarm in question in the HPOV/NR GUI interface.
C. You can use eventd to decrease the alarm level severity
D. You could configure a decreased alarm level severity through nrconfigure.
Correct Answer: D
What does “counting to infinity” mean in a Distance Vector protocol environment?
A. “counting to infinity” means calculating the time taken for a protocol to converge.
B. “counting to infinity” means checking that the number of route entries does not exceed a set upper limit.
C. “counting to infinity” can occur when Split Horizon is not enabled.
D. “counting to infinity” means setting an upper limit for hop count, to break down routing loops if this limit is reached.

Correct Answer: D
Which network management software installation is a prerequisite for the Cisco Secure Intrusion Detection System Director software?
A. CiscoWorks 2000 on Unix
B. SunNetManager on Solaris
C. Microsoft Internet Information Server on Windows NT
D. NetSonar on Linux

Correct Answer: D
The newly appointed trainee technician wants to know if one can change the situation where every time a typing mistake is made at the exec prompt of a router, the message from the router indicates a lookup is being performed. Also, there is a waiting period of several seconds before the next command can be typed. What will your reply be?
A. No, this is a default feature of Cisco IOS software.
B. Yes, by using the no ip domain-lookup command
C. Yes, by using the no ip helper-address command.
D. Yes, by using the no ip multicast helper-map command

Correct Answer: B
How does Cisco Secure Intrusion Detection System sensor behave when it detects unauthorized activity?
A. Cisco Secure Intrusion System sensor will send an e-mail to the network administrator.
B. Cisco Secure Intrusion System sensor will send an alarm to Cisco Secure Intrusion Detection System Director.
C. Cisco Secure Intrusion System sensor will shut down the interface where the traffic arrived, if device management is configured.
D. Cisco Secure Intrusion System sensor will perform a traceroute to the attacking device.

Correct Answer: B
Why may scanning tools report a root Trojan Horse compromise when run against an IOS component?
A. IOS is based on BSD UNIX and is thus subject to a Root Trojan Horse compromise.
B. The scanning software is detecting the hard-coded backdoor password in IOS.
C. Some IOS versions are crashable with the telnet option vulnerability.
D. The port scanning package mis-parses the IOS error messages.

Correct Answer: D
The PIX firewall allows users to block Java when using what combination of keywords and implementation?
A. “no cafebabe” in a static
B. “no Java” in a static
C. “no cafebabe” in an outbound list
D. “filter Java” in an outbound list

Correct Answer: D
What can be used to solve a problem situation where a user’s PC is unable to ping a server located on a different LAN connected to the same router?
A. Ensure routing is enabled.
B. A default gateway from the router to the server must be defined
C. Check to see if both the PC and the server have properly defined default gateways
D. Both the server and the PC must have defined static ARP entries.

Correct Answer: C
What happens when one experiences a ping of death?
A. This is when an IP datagram is received with the “protocol” field in the IP header set to 1 (ICMP) and the “type” field in the ICMP header is set to 18 (Address Mask Reply).
B. This is when an IP datagram is received with the “protocol” field in the IP header set to 1 (ICMP), the Last Fragment bit is set, and (IP offset * 8) + (IP data length) > 65535. In other words, the IP offset (which represents the starting position of this fragment in the original packet, and which is in 8-byte units) plus the rest of the packet is greater than the maximum size for an IP packet.
C. This is when an IP datagram is received with the “protocol” field in the IP header set to 1 (ICMP) and the source equal to destination address.
D. This is when the IP header is set to 1 (ICMP) and the “type” field in the ICMP header is set to 5 (Redirect).

Correct Answer: B
What response will a RADIUS server send to a client to indicate the client’s user name or password is invalid?
A. Authentication Denied
B. Access-Reject
C. Access-Deny
D. Access-Fail

Correct Answer: B
Mail Server A is trying to contact Mail Server B behind a firewall. Mail Server A makes the initial connection, but there is a consistent long delay (1 minute) before the queued mail is actually sent. A reason for this might be:
A. Mail Server A does not have a default route.
B. Mail Server B does not have a default route
C. The firewall is blocking TCP port 113.
D. A third Mail Server is delaying the traffic.
Correct Answer: C
What would be the biggest challenge to a hacker writing a man-in-the-middle attack aimed at VPN tunnels using digital certificates for authentication?
A. Programmatically determining the private key so they can proxy the connection between the two VPN endpoints.
B. Determining the ISAKMP credentials when passed to establish the key exchange.
C. Determining the phase two credentials used to establish the tunnel attributes.
D. Decrypting and encrypting 3DES once keys are known.
Correct Answer: A
Which best describes a common method used for VLAN hopping?
A. Using VTP to configure a switchport to sniff all VLAN traffic
B. Appending an additional tag to an 802.1Q frame such that the switch forwards the packet to the embedded VLAN ID
C. Flooding the VLAN with traffic containing spoofed MAC addresses in an attempt to cause the CAM table to overflow
D. Spoofing the IP address of the host to that of a host in the target VLAN
Correct Answer: B
The newly appointed trainee technician wants to know where Kerberos is mainly used. What will your reply be?
A. Session-layer protocols, for data integrity and checksum verification.
B. Application-layer protocols, like Telnet and FTP.
C. Presentation-layer protocols, as the implicit authentication system for data stream or RPC.
D. Transport and Network-layer protocols, for host to host security in IP, UDP, or TCP.
Correct Answer: B
Which of the following statements regarding Certificate Revocation List (CRL) is valid when using PKI?
A. The CRL resides on the CA server and is built by querying the router or PIX to determine which clients’ certificate status in the past.
B. The CRL is used to check presented certificates to determine if they are revoked.
C. A router or PIX will not require that the other end of the IPSec tunnel have a certificate if the crl optional command is in place.
D. The router’s CRL includes a list of clients that have presented invalid certificates to the router in the past.
Correct Answer: B
What is the rationale behind a Network Administrator wanting to use Certificate Revocation Lists (CRLs) in their IPSec implementations?
A. CRLs allow network administrators the ability to do “on the fly” authentication of revoked certificates.
B. They help to keep a record of valid certificates that have been issued in their network
C. CRLs allow network administrators to deny devices with certain certificates from being authenticated to their network.
D. Wildcard keys are much more efficient and secure. CRLs should only be used as a last resort.
Correct Answer: C
What sets the FECN bit in Frame Relay?
A. The Frame Relay network, to inform the DTE receiving the frame that congestion was experienced in the path from source to destination.
B. The Frame Relay network, in frames traveling in the opposite direction from those frames that encountered congestion.
C. The receiving DTE, to inform the Frame Relay network that it is overloaded and that the switch should throttle back.
D. The sending DTE, to inform the Frame Relay network that it is overloaded and that the switch should throttle back
Correct Answer: A

Under which of the following circumstances will Network Address Translation (NAT) not work well?
A. With outbound HTTP when AAA authentication is involved.
B. With traffic that carries source and/or destination IP addresses in the application data stream.
C. With ESP Tunnel mode IPSec traffic.
D. When PAT (Port Address Translation) is used on the same firewall.
Correct Answer: B

Generally speaking which of the following could be done to mitigate a Day Zero host or server attack?
A. Install software that prevents actions such as buffer overflows and writes to the system directory.
B. Deploy Intrusion Detection on all switches that directly connect to hosts or servers.
C. Install Virus scanning software.
D. Ensure that your hosts and servers all have the latest security patches.
Correct Answer: A
The newly appointed company trainee technician wants to know how a router running Certificate Enrollment Protocol (CEP) obtains a certificate. What will your reply be?
A. The router administrator should send an e-mail message to ‘[email protected]’. This message should request a certificate and include the FQDN of the device.
B. If using Cisco IDS version 11.3 or 12.0, the router administrator should enter the following configuration: crypto ca identity <registered_ca_name> enrollment ftp:// <certificate_authority>
C. The router administrator has to copy the certificate from the peer router at the other end of the tunnel and then paste it onto the local router.
D. If using Cisco IOS version 11.3 or 12.0, the router administrator should enter the following configuration: crypto ca identity <registered_ca_name> enrollment http:// <certificate authority>
Correct Answer: D
The addresses on the inside of a packet-filtering router are configured from the network Which of the following access-list entries on the outside gateway router would prevent spoof attacks to this network?
A. access-list 101 deny ip
B. access-list 101 deny ip
C. access-list 101 deny ip any 255.255.255
D. access-list 101 deny ip any
Correct Answer: D
Below are four “out” access-lists, configured on an interface.
What list will block an IP packet with source address, destination address, destination TCP port 23 from leaving the router?
A. access-list 100 deny ip tcp eq telnet eq telnet access-list 100 permit ip any any
B. access-list 100 deny tcp any eq telnet access-list 100 permit ip eq telnet any
C. access-list 100 deny tcp eq telnet access-list 100 permit ip any any
D. access-list 100 deny ip host access-list 100 permit ip any any
Correct Answer: B
A router is connected to a serial link with a protocol MTU of 512 bytes. If the router receives an IP packet containing 1024 bytes, it will: (Select two)
A. Always drop the packet.
B. Fragment the packet, also, the router at the other side of the serial link will reassemble the packet.
C. Drop the packet if the DF bit is set.
D. Fragment the packet and send it, also, the destination will reassemble the packet when it arrives.
Correct Answer: CD
The primary benefit of RSA encrypted nonces over RSA signatures is:
A. They do not require a certificate authority.
B. They offer repudiation.
C. They are not subject to export control
D. There is better scalability for multiple peers.

Correct Answer: A
The CEO of a tech company wants to know which security programs can effectively protect your network against password sniffer programs? (Choose three.)
A. IPSec, due to it encrypting data.
B. RLOGIN, because it does not send passwords.
C. Kerberos, due to its ability to encrypt passwords.
D. One time passwords, because the passwords always change.

Correct Answer: ACD
Which of the following is a description of the principle on which a Denial of Service (DoS) attack works?
A. MS-DOS and PC-DOS operating systems using a weak security protocol.
B. Overloaded buffer systems can easily address error conditions and respond appropriately.
C. Host systems are incapable of responding to real traffic, if they have an overwhelming number of incomplete connections (SYN/RCVD State).
D. All CLIENT systems have TCP/IP stack compromisable implementation weaknesses and permit them to launch an attack easily.

Correct Answer: C
When using a sniffer directly connected to an access switch, the sniffer sees an excessive amount of BPDUs with the TCA bit set. Which are the most likely explanations?
A. There are no problems in the network.
B. Ports connecting to workstations do not have spanning tree portfast configured.
C. Bad cabling is being used in the network.
D. The CPU utilization on the root switch is getting up to 99% and thus not sending out any BPDUs.

Correct Answer: B
Which three methods best describe a secure wireless LAN implementation? (choose three)
A. Deploy WEP using a static 128 bit key.
B. Deploy dynamic key management.
C. Deploy mutual authentication between access point and client.
D. Deploy mutual authentication between authentication server and client.

Correct Answer: ABD
You are performing device management with a Cisco router. Which of the following is true?
A. The Cisco Secure Intrusion Detection System sensor can apply access-list definition 198 and 199 (default) to the router in response to an attack signature.
B. The Cisco Secure Intrusion Detection System sensor can shut down the router interface in response to an attack signature.
C. The Cisco Secure Intrusion Detection System sensor can emit an audible alarm when the Cisco router is attached.
D. The Cisco Secure Intrusion Detection System sensor can modify the routing table to divert the attacking traffic.

Correct Answer: A
The network administrator was requested to make a script with the following criteria:
Must be owned by the root and executable by a group of users other than the root.
Must not give other users root privileges other than execution of the script.
Must not allow the users to modify the script.
Which of the following would be the best way to accomplish this task?
A. Having the root use ‘chmod 4755 <name_of_script>’ to make it readable and executable by non-root users or the use ‘chmod u-s <name_of_script>’.
B. By having the users logged in under their own ID’s, typing ‘su’ and inputting the root password after they have been given the root password, then executing the script.
C. Changing permissions to read-write and changing ownership of the script to the group.
D. By having root use ‘chmod u-s <name_of_script>’.

Correct Answer: A
Multicast addresses in the range of through are reserved for:
A. Administratively Scoped multicast traffic that is intended to remain inside of a private network and is never intended to be transmitted into the Internet.
B. Global Internet multicast traffic intended to travel throughout the Internet.
C. Link-local multicast traffic consisting of network control messages that never leave the local subnet.
D. Any valid multicast data stream.

Correct Answer: C
You are the network administrator of the company. Can you tell me, which is the first step to establish PPP communications over a link?
A. The switch sends NCP frames to negotiate parameters such as data compression and address assignment.
B. The originating node sends configuration request packets to negotiate the LCP layer.
C. One or more Layer 3 protocols are configured.
D. The originating node sends Layer 3 data packet to inform the receiving node’s Layer 3 process.
Correct Answer: B
Which of the following commands must be present on the router (exact syntax would depend on the version) for the user with privilege level 15 (as defined in their TACACS+ profile) to be dropped into enabled mode immediately when that user telnets into a Cisco router?
A. The global command: aaa authorization exec [default] [group] tacacs-
B. The line command: logon authorization tacacs+
C. The global command: privilege 15 enable
D. The global command: aaa authentication enable default tacacs+
Correct Answer: D
Under which circumstances will the Diffie-Hellman key exchange allow two parties to establish a shared secret key? (Choose all that apply.)
A. Over an insecure medium.
B. After the termination of a secure session.
C. Prior to the initiation of a secure session.
D. After a session has been fully secured.

Correct Answer: ABC
Based on the displayed network diagram and configuration. You are hosting a web server at, which is under a denial of service attack. Use NBAR to limit web traffic to that server at 200 kb/
Which configuration is true to complete the NBAR configuration?

A. policy-map DoS-Attack class DoS police cir 200 bc 200 be 200 conform-action transmit exceed-action drop violate-action drop ! access-list 188 permit tcp any host eq www
B. policy-map drop class DoS police conform-action transmit exceed-action drop
C. policy-map drop class DoS police cir 200000 bc 37500 be 75000 conform-action transmit exceed-action drop violate-action drop ! access-list 188 permit tcp any host eq www
D. policy-map DoS-Attack class DoS police cir 200000 bc 37500 be 75000 conform-action transmit exceed-action drop violate-action drop ! access-list 188 permit tcp any host eq www

Correct Answer: D
When a user initiates a dialup PPP logon to a Cisco router running RADIUS, what attributes are sent to the RADIUS server for authentication? (assume a PAP password)
A. Username (1), user service (7), PAP Password (8)
B. Username (1), user service (7), Filter ID (11), Login port(16), reply message (18), Vendor Specific Attribute (26)
C. Username (1), CHAP password (3)
D. Username (1), PAP Password (2), NAS-ip (4), NAS-port (5), NAS port type (61), user service (7), framed protocol (6)
Correct Answer: D
You are the network administrator. Two remote LANs connected via a serial connection are exchanging routing updates via RIP. An alternate path exists with a higher hop count. When the serial link fails, you receive complaints from users regarding the time it takes to transfer to the alternate path. How will you ameliorate this situation?
A. You could change the hop count on an alternate path to be the same cost.
B. You could reduce or disable the holddown timer by making use of the timers basic command.
C. You could increase the bandwidth of the alternate serial connection.
D. You could configure a static route with the appropriate administrative cost via the alternate route.
Correct Answer: B

When using MD5 authentication in BGP where is the hash passed in the IP packet?
A. The payload packet of a BGP request and response.
B. In a TCP header flagged with an option 19.
C. A specially defined BGP authentication packet.
D. In a UDP header flagged with an option 16.
Correct Answer: B
QUESTION 70
Which of the following statements is NOT accurate regarding Frame Relay?
A. Frame Relay does not provide error recovery.
B. Frame Relay provides error detection.
C. Frame Relay is high-speed, shared bandwidth protocol.
D. Frame Relay is based on a “packet-over-circuit” architecture.
Correct Answer: C
QUESTION 71
Which of the following represents the correct ways of releasing IBGP from the condition that all IBGP neighbors need to be fully meshed? (Choose all that apply.)
A. Configure route reflectors
B. Configure IBGP neighbors several hops away
C. Configure confederations
D. Configure local preference

Correct Answer: AC
QUESTION 72
A security System Administrator is reviewing the network system log files. He notes the following:
- Network log files are at 5 MB at 12:00 noon.
- At 14:00 hours, the log files are at 3 MB.
What should he assume has happened and what should he do about the situation?
A. He should contact the attacker’s ISP as soon as possible and have the connection disconnected.
B. He should log the event as suspicious activity, continue to investigate, and take further steps according to site security policy.
C. He should log the file size, and archive the information, because the router crashed.
D. He should run a file system check, because the Syslog server has a self correcting file system problem.

Correct Answer: B
QUESTION 73
What reaction can be expected from the host when a router sends an ICMP packet, with the Type 3 (host unreachable) and Code 4 (DF bit set) flags set, back to the originating host?
A. The host should reduce the size of future packets it may send to the router.
B. This scenario is not possible because the packet will be fragmented and sent to the original destination.
C. The sending station will stop sending packets, due to the router not expecting to see the DF bit in the incoming packet.
D. The sending station will clear the DF bit and resend the packet.

Correct Answer: D
QUESTION 74
Suppose a client calls and advises you that an FTP data transaction is not allowing him to view the host’s directory structure. What are the most likely causes of the problem? (Choose all that apply.)
A. The client’s username/password is wrong.
B. The client’s FTP data port is not connected.
C. The host machine has denied him access because the password is wrong.
D. An access list is stopping port 20 from detailing the directory list.

Correct Answer: BD
QUESTION 75
Which of the following statements is true regarding SSL?
A. Every packet sent between host and client is authenticated.
B. Encryption is used after a simple handshake is completed.
C. SSL uses port 2246.
D. SSL is not a predefined standard.

Correct Answer: B
QUESTION 76
In IPSec, what encapsulation protocol only encrypts the data and not the IP header?
C. MD5

Correct Answer: A
QUESTION 77
What can be drawn from the following syslog message received by an administrator from his adaptive security appliance?
%ASA-6-201010 Embryonic connection limit exceeded 200/200 for inbound packet from 209.165.201. 10/1026 to 10. 1. 1. 1.20/80 on interface outside
A. The client at has been infected with a virus.
B. The server at is under a SYN attack.
C. The server at is under a smurf attack.
D. The server at is under a smurf attack.

Correct Answer: B
QUESTION 78
Birthday attacks can be used against which of the following?
A. symmetric ciphering
B. asymmetric ciphering
C. hash algorithms
D. digital signatures

Correct Answer: C
QUESTION 79
Which of the following is AH’s destination IP port?
A. 23
B. 21
C. 50
D. 51

Correct Answer: D
You work as a network engineer, study the exhibit carefully. Your company has just configured Cisco security appliance between R1 and R2 to enhance security and apply advanced protocol inspection. Unluckily, BGP stopped working after inserting the appliance in the network. How to restore BGP connectivity? (Choose three.)

A. Configure BGP on the security appliance as an IBGP peer to R1 and R2 in AS 65500.
B. Configure a static NAT translation to allow inbound TCP connections from R2 to R1.
C. Configure an ACL on the security appliance allowing TCP port 179 between R1 and R2.
D. Configure a static route on R1 and R2 using the appliance inside and outside interfaces as gateways.
Correct Answer: BCD
In Cisco PIX Firewall Software version 7.0 and later, which command replaced the fixup protocol commands?
A. secure <protocol>
B. fixup protocol commands did not change in version 7.0
C. inspect <protocol>
D. audit <protocol>
Correct Answer: C
Certificate Enrollment Process (CEP) runs over what TCP port number? (Choose the best two answers.)
A. Same as HTTP
B. Port 80
C. Port 50
D. Port 51
Correct Answer: AB
On the basis of the partial debug output displayed in the exhibit, which value is contained inside the brackets [4] in line 1?

A. RADIUS VSA number
B. RADIUS attribute type value
C. RADIUS VSA length
D. RADIUS identifier field value
Correct Answer: B
What definition best describes Kerberized?
A. A general term that refers to authentication tickets
B. An authorization level label for Kerberos principals
C. Applications and services that have been modified to support the Kerberos credential infrastructure
D. A domain consisting of users, hosts, and network services that are registered to a Kerberos server
Correct Answer: C
Which three statements best describe how DNSSEC prevents DNS cache poisoning attacks from succeeding? (Choose three.)
A. DNSSEC utilizes DS records to establish a trusted hierarchy of zones.
B. DNSSEC signs all records with domain-specific keys.
C. DNSSEC introduces KEY records that hold domain-specific public keys
D. DNSSEC deprecates CNAME records and replaces them with DS records.
Correct Answer: ABC
Which two of the following can you configure an IPS sensor with three sniffing interfaces as? (Choose two.)
A. three promiscuous sensors
B. two inline sensors, one promiscuous sensors
C. one inline sensor, one promiscuous sensor
D. three inline sensors
Correct Answer: AC
QUESTION 87
What definition best describes a key distribution center when Kerberos is applied to a network?
A. A general term that refers to authentication tickets
B. An authorization level label for Kerberos principals
C. Applications and services that have been modified to support the Kerberos credential infrastructure
D. A Kerberos server and database program running on a network host.

Correct Answer: D
QUESTION 88
Examine the following items, what are the header sizes for point-to-point and multipoint GRE with tunnel key?
A. 8 bytes for both
B. 4 bytes and 8 bytes respectively
C. 24 bytes for both
D. 4 bytes for both

Correct Answer: B
QUESTION 89
Which three statements are correct concerning private address space? (Choose three.)
A. Private address space is defined in RFC 1918.
B. These IP addresses are considered private:
C. Private address space is not supposed to be routed over the Internet.
D. Using only private address space and NAT to the Internet is not considered as secure as having a stateful firewall.

Correct Answer: ACD
QUESTION 90
Which of the following protocols does TACACS+ support?
B. AppleTalk
D. All the above

Correct Answer: D
What is SDEE?
A. a queuing mechanism to store alerts
B. a protocol used by multiple vendors to transmit IDS events across the network
C. a mechanism to securely encode intrusion events in an event store
D. a Cisco proprietary protocol to transfer IDS events across the network
Correct Answer: B
Which two statements correctly describe NAT? (Choose two.)
A. NAT is only useful for TCP/UDP and ICMP traffic.
B. NAT provides one-to-one address mapping.
C. NAT provides one-to-many address mapping.
D. NAT can be used for all IP traffic.
Correct Answer: BD
What versions of TACACS does Cisco IOS support? (Select the best three answers.)
C. Extended TACACS
D. Extended TACACS+
Correct Answer: ABC
Which command can be used to globally disable the requirement that a translation rule must exist before packets can pass through the firewall?
A. access-list
B. no nat-control
C. global <interface> 0
D. nat <interface> 0
Correct Answer: B

Which two statements are attributed to stateless filtering? (Choose two.)
A. It can look at sequence numbers to validate packets in flow
B. It must process every packet against the inbound ACL filter
C. The first TCP packet in a flow must be a SYN packet.
D. It can be used in asymmetrical traffic flows.
Correct Answer: BD
What algorithm initiates and encrypts a session between two routers’ exchange keys between two encryption devices?
A. Routing algorithm
B. Diffie-Hellman algorithm
C. The switching engine
Correct Answer: B
QUESTION 97
You are a network engineer, can you tell me how do TCP SYN attacks take advantage of TCP to prevent new connections from being established to a host under attack?
A. taking advantage of the host transmit backoff algorithm by sending jam signals to the host
B. filling up a host listen queue by failing to ACK partially opened TCP connections
C. incrementing the ISN of each segment by a random number, causing constant TCP retransmissions
D. sending multiple FIN segments, forcing TCP connection release

Correct Answer: B
QUESTION 98
Select three RFC 1918 addresses. (Choose three.)

Correct Answer: BCD
QUESTION 99
An administrator notices a router’s CPU utilization has jumped from 2 percent to 100 percent, and that a CCIE engineer was debugging. What IOS command can the network administrator enter to stop all debugging output to the console and vty lines without affecting users on the connected router?
A. no logging console debugging
B. undebug all
C. line vty 0 4 no terminal monitor
D. reload the router

Correct Answer: B
QUESTION 100
While implementing WLAN security, which three benefits can be obtained by using TKIP instead of WEP? (Choose three.)
A. TKIP uses an advanced encryption scheme based on AES.
B. TKIP uses a 48-bit initialization vector
C. TKIP provides per-packet keying and a rekeying mechanism.
D. TKIP provides message integrity check
Correct Answer: BCD

Exam F
Which three global correlation features can be enabled from Cisco IPS Device Manager (Cisco IDM)? (Choose three.)
A. Network Reputation
B. Data Contribution
C. Reputation Assignment
D. Signature Correlation
E. Global Data Integration
F. Reputation Filtering
G. Global correlation infection
Correct Answer: AFG
You are responsible for bringing up an IPsec tunnel between two Cisco IOS routers in Site A and Site B, and, at the same time, allowing them to access the Internet from their local sites. You applied these configurations to the routers:
You issue the show crypto ipsec sa command and see that the tunnel is up, but no packets are encrypted or decrypted on either side. To test connectivity, you sourced a ping from the private interface of each router, destined to the private interface of the far-end router. You ask a VPN expert to help you troubleshoot. The expert has verified that ESP is not being blocked, and the routing is correct. After troubleshooting, the expert makes which of these determinations?
A. The problem is with the encryption ACL. As you were testing with ICMP, you needed to allow ICMP in both encryption ACLs. Router 1: permit ICMP Router 2: permit ICMP
B. The problem is with the NAT ACL. VPN traffic should be denied in the NAT ACL so that the ACL looks like the following. Router 1: Ip access list ext NAT deny IP permit ip any Router 2: Ip access list ext NAT deny IP permit ip any
C. The problem is that it is not possible to do NAT along with VPN on a Cisco IOS router.
D. The problem is that NAT transparency is enabled. Disable NAT Transparency using the following global command on both routers. No crypto ipsec nat-transparency udp-encapsulation.
Correct Answer: B
QUESTION 3

When you define the BGP neighbor ttl-security command, you must consider which two of these restrictions? (Choose two.)
A. This feature is supported for internal BGP (IBGP) peer groups.
B. This feature is not supported for internal BGP (IBGP) peers.
C. This feature cannot be configured for a peer that is configured with the neighbor next-hop-self command.
D. This feature cannot be configured for a peer that is configured with the neighbor ebgp-multihop command.
E. This feature cannot be configured for a peer that is configured with the neighbor send-community command.
Correct Answer: BD
Which five of these are criteria for rule-based rogue classification of access points by the Cisco Wireless LAN Controller? (Select five.)
A. Minimum RSSI
B. Open authentication
C. MAC address range
D. Whether it matches a managed AP SSID
E. Whether it matches a user-configured SSID
F. Whether it operates on an authorized channel
G. Time of day the rogue operates
H. Number of clients it has
Correct Answer: ABDEH
Which four routing protocols are supported when using Cisco Configuration Professional? (Choose four.)
A. RIPv1
B. RIPv2
Correct Answer: ABDE

Application layer protocol inspection is available for the Cisco ASA 5500 Series Adaptive Security Appliance. This feature performs which type of action on traffic traversing the firewall?
A. Classification and policing (for QoS)
B. Deep packet inspection
C. Flexible packet matching
D. Reverse path forwarding
E. Remote triggering of a black hole.
Correct Answer: B
QUESTION 7
Refer to the exhibit.

Which command is required to fix the issue identified by Cisco ASDM Packet Tracer in the image?
A. nat (inside) 1
B. global (outside) 1
C. global (outside) 1
D. access-list outside permit tcp host host eq www
E. nat (outside) 10

Correct Answer: C
EIHRP functionality is very similar to which of these protocols?
Correct Answer: B
Which four of these areas can be characterized for network risk assessment testing methodology? (Choose four)
A. Router hostname and IP addressing scheme
B. Router filtering rules
C. Route optimization
D. Database connectivity and RTT
E. Weak authentication mechanisms
F. Improperly configured email servers
G. Potential web server exploits
Correct Answer: BEFG
In the context of Cisco Configuration Professional, to “discover” a router means to establish a session to the router using either secure or nonsecure means, do which of the following, and populate a screen with the information obtained?
A. read the configuration present in the router
B. read the IOS version in the router
C. read the interface(s) information in the router
D. read the CPU information in the router
E. check if the router is UP or Down
Correct Answer: A
Refer to the exhibit. From the ASDM NAT Rules table, inside host is translated to which IP address on the outside interface?

Correct Answer: E
When a failover takes place on an adaptive security appliance configured for failover, all active connections are dropped and clients must reestablish their connections, unless the adaptive security appliance is configured in which two of the following ways? (Choose two)
A. active/standby failover
B. active/active failover
C. active/active failover and a state failover link has been configured
D. active/standby failover and a state failover link has been configured
E. to use a serial cable as the failover link
F. LAN-based failover
Correct Answer: CD
What is the main purpose of FlexConfig in Cisco Security Manager?
A. to share configuration between multiple devices
B. to configure device commands that are not supported by Cisco Security Manager
C. to duplicate/clone basic configuration of a device
D. to merge multiple policies into a simplified view
E. to configure complex commands for a device
Correct Answer: B
Refer to the Exhibit. The exhibit illustrates which type of attack?

A. virus infection
B. worm propagation
C. port scanning
D. denial of service (DoS)
E. distributed DoS (DDoS)
Correct Answer: E
All of these correctly describe SNMPv3 except which one?
A. does not provide any protection against denial of service attacks
B. provides a mechanism for verification that messages have not been altered in transit
C. requires the use of NTP to correctly synchronize timestamps and generate public/private key pairs used for encryption of messages
D. provides a mechanism for verification of the identity of the device that generated the message
E. includes timeliness indicators in each message so the receiving SNMP engine can determine if it was sent recently
Correct Answer: C

All of these are available from Cisco IPS Device Manager (Cisco IDM) except which one?
A. Interface Status
B. Global Correlation Reports
C. Sensor Information
D. CPU, Memory, and Load
E. Top Signatures
F. Top Applications
Correct Answer: E
QUESTION 17

Which two of these properties does the UDP protocol itself provide? (Choose two)
A. reliable delivery of data
B. data rate negotiation
C. checksum to prevent data errors
D. prevention of data interception
E. efficient data transfer
Correct Answer: CE
Which two U.S. government entities are authorized to execute and enforce the penalties for violations of the Sarbanes-Oxley (SOX) act? (Choose two.)
A. Federal Trade Commission (FTC)
B. Federal Reserve Board
C. Securities and Exchange Commission (SEC)
D. Office of Civil Rights (OCR)
E. United States Citizenship and Immigration Services (USCIS)
F. Internal Revenue Service (IRS)
Correct Answer: BC
NHRP functionality is very similar to which of these protocols?
Correct Answer: B
You have recently deployed DMVPN Phase 3 for your WAN. Each of the spokes has a static IP assigned to it by the ISP, except one, which gets a dynamic IP. After a recent power loss during the day, the router rebooted, but was unable to bring the tunnel up to the hub immediately. The log on the spoke shows an NHRP registration reply from the hub indicating an error.
%NHRP-3-PAKREPLY: Receive Registration Reply packet with error unique address registered already (14)
interface Tunnel0
 ip address 17216.
 no ip redirects
 ip nhrp authentication cisco
 ip nhrp map multicast dynamic
 ip nhrp network-id 10
 ip nhrp holdtime 3600
 ip nhrp redirect
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
Below is the configuration of the tunnel interface of Spoke 1:
Interface Tunnel 0
 ip address 17216.
 no ip redirects
 ip nhrp authentication cisco
 ip nhrp map multicast
 ip nhrp map
 ip nhrp network-id 20
 ip nhrp holdtime 3600
 ip nhrp nhs
 ip nhrp shortcut
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
Which of these actions could solve this problem?
A. Configure tunnel protection, with the appropriate cryptographic configuration on the hub and spokes
B. Configure the no ip nhrp registration unique command on the hub, Hub 1
C. Configure the ip nhrp registration no-unique command on the spoke, Spoke 1
D. Remove the ip nhrp shortcut command from the spoke, Spoke 1
Correct Answer: C
The Cisco IPsec VPN Shared Port Adapter (SPA) operates in which mode of IPsec implementation?
A. bump in the wire (BITW)
B. bump in the network (BITN)
C. bump in the stack (BITS)
D. hardware-assisted tunnel mode (HATM)
E. hardware-assisted transport mode (HATM)
Correct Answer: A
A Layer 2 switch forwards traffic based on which of these?
A. IP layer addresses
B. ARP layer addresses
C. MAC layer addresses
D. Forwarding information Base (FIB)
E. Hardware-Assisted Forwarding (HAF)
Correct Answer: C
A 1200-byte packet arrives on the LAN segment and needs to be fragmented before being forwarded to the egress interface. Which of these identifies the correct IP header fields for the IP fragments after fragmentation (where MF is the More Fragment flag bit, and FO is the Fragment Offset in the IP header)?
A. fragment1: id=1, length=1000, MF=0, FO=980; fragment2: id=2, length=220, MF=0, FO=980
B. fragment1: id=1, length=996, MF=1, FO=0; fragment2: id=1, length=224, MF=0, FO=122
C. fragment1: id=1, length=600, MF=1, FO=0, fragment2: id=2, length=620, MF=0, FO=75
D. fragment1: id=1, length=1000, MF=1, FO=0; fragment2: id=1, length=220, MF=0, FO=980
E. fragment1: id=1, length=600, MF=0, FO=580; fragment2: id=1, length=620, MF=0, FO=0
Correct Answer: B
QUESTION 24

All of these correctly describe advantages of GETVPN compared to traditional IPsec except which one?
A. Eliminates the need for tunnels, and therefore scales better
B. Provides always-on full mesh encryption capability
C. Provides native multicast encryption
D. Allows all members to dynamically discover each other with no static peer configuration required
E. Can take advantage of the existing routing infrastructure, and does not require overlay routing
Correct Answer: D
Hypertext Transfer Protocol Secure (HTTPS) was created to provide which of these?
A. a secure connection over a secure network
B. a secure connection over an insecure network
C. an authenticated connection over a secure network
D. an authenticated connection over an insecure network
E. an authorized connection over an insecure network
Correct Answer: B
Which three of these statements about a zone-based policy firewall are correct? (Choose three)
A. An interface can be assigned to only one security zone.
B. Traffic cannot flow between a zone member interface and any interface that is not a zone member.
C. By default, all traffic to and from an interface that belongs to a security zone is dropped unless explicitly allowed in the zone-pair policy.
D. In order to pass traffic between two interfaces that belong to the same security zone, you must configure a pass action using class-default
E. Firewall policies, such as the pass, inspect, and drop actions, can only be applied between two zones.
Correct Answer: ABE
The Rivest, Shamir, and Adleman (RSA) algorithm can be used to create digital signatures for authentication. Suppose Alice wants to sign a message using RSA and send it to Bob. Which one of the following statements most accurately describes this operation?
A. Alice creates a hash of her messages, and then encrypts this hash with her public key to create the signature to be sent along with the message to Bob
B. Alice creates a hash of her message, and then encrypts this hash with her private key to create the signature to be sent along with the message to Bob
C. Alice creates a hash based on her message combined with her public key, and then uses this hash to create the signature to be sent along with the message to Bob
D. Alice creates a hash based on her message combined with her private key, and then uses this hash to create the signature to be sent along with the message to Bob
E. Alice encrypts her message with her public key, creates a signature by hashing this encrypted message. Then sends it along with the message to Bob
Correct Answer: B
Refer to the exhibit. Client1 has an IPsec VPN tunnel established to a Cisco ASA adaptive security appliance in Chicago. The remote access VPN client wants to access, but split tunneling is disabled. Which of these is the appropriate configuration on the Cisco ASA adaptive security appliance if the VPN client’s public IP address is and it is assigned a private address from

A. same-security-traffic permit intra-interface Ip local pool ippool Global (outside) 1 Nat (inside) 1
B. same-security-traffic permit intra-interface Ip local pool ippool Global (outside) 1 Nat (outside) 1
C. same-security-traffic permit intra-interface Ip local pool ippool Global (inside) 1 Nat (inside) 1
D. same-security-traffic permit intra-interface Ip local pool ippool Global (outside) 1 Nat (outside) 1
E. same-security-traffic permit intra-interface Ip local pool ippool Global (outside) 1 Nat (inside) 1
F. same-security-traffic permit intra-interface Ip local pool ippool Global (inside) 1 Nat (inside) 1
Correct Answer: B
One of the main security issues with the WEP protocol stems from?
A. lack of any integrity checking
B. having a maximum key of 40 bits
C. use of Open System authentication
D. use of RC4
E. lack of standardization of the WEP protocol itself
Correct Answer: D
How can you configure Cisco Easy VPN Server on a Cisco IOS router in order to allow you to apply various QoS policies to different VPN groups?
A. Configure the command qos pre-classify under the crypto map that references each VPN group.
B. Configure Cisco Easy VPN using IPsec Dynamic Virtual Tunnel Interface (DVTI) and apply service policies on the VTI that are referenced by the ISAKMP profiles matching the respective VPN groups
C. It is not currently possible to apply QoS to different VPN groups
D. Configure a static VTI that allows configuration of QoS service policies with each VTI referenced by the respective VPN groups
Correct Answer: B
Which three of these are considered TCP/IP protocols? (Choose three)
D. Ethernet
Correct Answer: ACF
All of these are application layer protocols based on the OSI model except which one?
D. Telnet
Correct Answer: F
Which of these notification protocols are supported in Cisco Security MARS?
A. SNMP trap only
B. syslog only
C. email (Sendmail) and SMS only
D. SNMP trap and syslog only
E. syslog email (Sendmail), SMS, and SNMP trap
Correct Answer: E
The Network Participation feature of Cisco IPS gathers all of these when it collects real-time data from IPS sensors except which one?
A. signature ID
B. signature name
C. attacker port
D. reputation score
E. signature version
F. victim port
Correct Answer: B
Assessing your network for potential security risks (risk assessment) should be an integral element of your network architecture. Which four task items need to be performed for an effective risk assessment and to evaluate network posture? (Choose four.)
A. Notification
B. Discovery
C. Profiling
D. Scanning
E. Base lining
F. Validation
G. Mitigation
Correct Answer: BCDF
Which two of these devices can be used as Cisco Easy VPN Remote hardware clients? (Choose two)
A. ASA5510 Adaptive Security Appliance
B. 800 Series Router
C. ASA5505 Adaptive Security Appliance
D. PIX 515E Security Appliance
E. 7200 Series Router
Correct Answer: BC
If single sign-on (SSO) is not working for a Layer 2 out-of-band (OOB) virtual gateway implementation, which two of these can you check to troubleshoot the issue? (Choose two.)
A. The clock between the NAC server and the Active Directory server is synchronized.
B. The KTPass.exe command was executed on the domain controller with the /RC4Only option.
C. The adkernel.exe process on the domain controller is accepting requests from the Cisco Clean Access Server.
D. The Active Directory domain definition was defined in upper case on the Cisco Clean Access Manager.
E. The ports are open to the appropriate domain controller in the guest role on Cisco Clean Access Manager.
Correct Answer: AD

The major difference between VTP version 1 and VTP version 2 is which of these?
A. Extended VLAN range support
B. Gigabit Ethernet Support
C. VTP domain and password support
D. Token Ring support
E. Transparent mode support
Correct Answer: D
QUESTION 39

Which two of these statements are true about the Host Scan capabilities of Cisco ASA adaptive security appliances? (Choose two.)
A. Endpoint assessment functionality within Host Scan requires you to purchase an “Endpoint Assessment” license
B. Host Scan functionality occurs after Cisco Secure Desktop goes through the prelogin assessment and before DAP enforces its policies
C. You must use the advanced endpoint Host Scan to collect end-host information such as the end-host operating system, registry, files, or actively running processes.
D. The Host Scan database must be updated every 60 days to ensure that the antivirus and antispyware database is accurate.
E. Host Scan is a modular component of Cisco Secure Desktop
Correct Answer: BE
Which four of these attacks or wireless tools can the standard IDS signatures on a wireless LAN controller detect? (Choose four)
A. Association flood
B. SYN flood
C. NetStumbler
D. Fragment Overlap attack
E. Deauthorization flood
F. Long HTTP request
G. AirSnort
H. Wellenreiter
Correct Answer: ACEH
The Gramm-Leach-Bliley Act (GLBA) was enacted by the United States Congress in 1999. This act is used primarily for which two of these? (Choose two.)
A. Organizations in the financial sector
B. Assurance of the accuracy of financial records
C. Confidentiality of personal healthcare information
D. Organizations that offer loans
E. Organizations in the education sector
Correct Answer: AD

Which of these standards replaced 3DES?
B. Blowfish
C. RC4
D. SHA-1
F. MD5
Correct Answer: E
Which two of these multicast addresses does OSPF use? (Choose two)
A. to send hello packets to discover and maintain neighbor relationships
B. to send hello packets to discover and maintain neighbor relationships
C. to send hello packets to discover and maintain neighbor relationships
D. to send OSPF routing information to designated routers on a network segment
E. to send OSPF routing information to designated routers on a network segment
F. to send OSPF routing information to designated routers on a network segment
Correct Answer: AE
What is the highest target value rating that you can assign to an IP address in Cisco IPS?
A. Medium
B. High
C. Mission-Critical
D. Serve
E. Important
Correct Answer: C
LEAP authentication is provided by which of these?
A. Hashing of the password before sending
B. User-level certificates
C. PAC exchange
D. Modified MS-CHAP
Correct Answer: D

Which three of these are true statements about TLS? (Choose three.)
A. It is a secure protocol encapsulated within SSL
B. It is a more recent version of SSL
C. It allows for client authentication via certificates
D. If a third party (man-in-the-middle) observes the entire handshake between client and server, the third party can decrypt the encrypted data that passes between them
E. It can be used to secure SIP
F. It cannot be used for HTTPS
Correct Answer: BCE

All of these tools are available from the Cisco IPS Manager Express (Cisco IME) GUI except which one?
B. Traceroute
C. Telnet
D. DNS lookup
E. ping
Correct Answer: C
Which of these is true of the NHRP network ID (specified by the command ip nhrp network-id)?
A. It needs to be the same on all routers within the DMVPN cloud for the tunnels to come up.
B. It is locally significant, and is not sent as part of the NHRP packet.
C. It is not required for the DMVPN to come up, only the tunnel key is required.
D. It is only required on the hub with multiple DMVPN clouds, in order to segregate the clouds on the hub.
Correct Answer: B
All of these are layers in the OSI model except which one?
A. presentation layer
B. physical layer
C. application layer
D. service layer
E. transport layer
Correct Answer: D
On a Cisco Catalyst switch, which three modes can a port be set to for trunking? (Choose three.)
A. dynamic auto
B. off
C. on
D. nonegotiate
E. dynamic desirable
F. negotiate
G. trunk
Correct Answer: AEG

What are IKE Phase 1 Exchange (Main Mode) messages 3 and 4 used for?
A. generate SKEYID_e, which is used to encrypt IKE messages
B. generate SKEYID_a, which is used to provide data integrity and authentication to IKE messages
C. exchange authentication information (pre-shared key)
D. exchange information that is required for key generation using Diffie-Hellman (DH)
E. authenticate the digital signature (certifications)
Correct Answer: D
With GETVPN, if a key server is configured to use multicast as the rekey transport mechanism, then under which of these conditions will the key server retransmit the rekey message?
A. It never retransmits the rekey message.
B. It only retransmits the rekey message when it does not receive the rekey acknowledgement from at least one group member.
C. It only retransmits the rekey message when it does not receive the rekey acknowledgement from all group members.
D. It only retransmits the rekey message when DPD to the group member fails.
E. It always retransmits the rekey message.
Correct Answer: E
Which two of these are things an attacker can do with an encrypted RC4 data stream? (Choose two.)
A. use XOR to match the encrypted stream to itself, in order to retrieve the key
B. filter out the keystream if the attacker gets two streams encrypted with the same RC4 key
C. calculate the checksum of the encrypted stream
D. retrieve the private key if the attacker has access to the public key
E. flip a bit of the encrypted text, which will flip a corresponding bit in the cleartext once it is decrypted
Correct Answer: BE
When a DHCP server offers an IP address to a client, which field is populated with the client’s IP address?
Correct Answer: B
Which four of these support mutual authentication? (Choose four.)
Correct Answer: ABCF

Which two of these statements are true about the Cisco Clean Access solution? (Choose two.)
A. When two Cisco Clean Access Managers (Cisco CAMs) are set up in failover, the “service IP address” is the IP address of the primary Cisco CAM.
B. If a single Cisco Clean Access Server (Cisco CAS) operating in in-band device mode dies, traffic cannot pass through the hardware.
C. When a Cisco Clean Access Server (Cisco CAS) is unable to communicate with the Cisco CAM, users who are already connected will not be affected, but new users will not be able to log in.
D. When a Cisco Clean Access Server (Cisco CAS) is unable to communicate with the Cisco CAM, all users (previously authenticated users and new users) will pass traffic due to its default behavior of Fail Open.
E. The clock between the Cisco Clean Access Server (Cisco CAS) and the Cisco Clean Access Manager (Cisco CAM) must be synchronized for Active Directory single sign-on to work.
Correct Answer: BC
Which statement in reference to IPv6 multicast is true?
A. PIM dense mode is not part of IPv6 multicast.
B. The first 12 bits of an IPv6 multicast address are always FF.
C. IPv6 multicast uses Multicast Listener Discovery (MLD).
D. IPv6 multicast requires Multicast Source Discovery Protocol (MSDP).
Correct Answer: C
What is the DNS transaction ID (TXID) used for?
A. tracking anomalous behaviors of name servers
B. tracking queries and responses to queries
C. Message Tracking Query Protocol (MTQP)
D. tracking queries on behalf of another DNS resolver
E. tracking Time To Live (TTL) set in the RR
Correct Answer: B
A customer just deployed Cisco IOS firewall, and it has started to experience issues with applications timing out and overall network slowness during peak hours. The network administrator noticed the following syslog messages around the time of the problem:
%FW-4-ALERT_ON: getting aggressive, count (501/500) current 1-min rate: 200
What could the problem be, and how might it be mitigated?
A. The DoS max half-open session threshold has been reached. Increase the threshold with the ip inspect max-incomplete high configuration.
B. The Cisco IOS Firewall session license limit has been exceeded. Obtain a new license with more sessions.
C. The router system resource limit threshold has been reached. Replace the router with one that has more memory and CPU power.
D. The aggregate virus detection threshold has been reached. Identify the affected host and patch accordingly.
E. The per-host new session establishment rate has been reached. Increase the threshold with the ip inspect tcp max-incomplete host configuration.
Correct Answer: A

All of these are predefined reports in the Cisco IPS Manager Express (Cisco IME) GUI except which one?
A. Attacks Overtime Report
B. Top Victims Report
C. Top Attacker Report
D. Top Application Report
E. Top Signature Report
Correct Answer: D
A false negative represents which of these scenarios?
A. when an intrusion system generates an alarm after processing traffic that it is designed to detect
B. when an intrusion system generates an alarm after processing normal user traffic
C. when an intrusion system fails to generate an alarm after processing traffic that it is designed to detect
D. when an intrusion system fails to generate an alarm after processing normal user traffic
Correct Answer: C
During a computer security forensic investigation, a laptop computer is retrieved that requires content analysis and information retrieval. Which file system is on it, assuming it has the default installation of Microsoft Windows Vista operating system?
B. WinFS
E. FAT32
Correct Answer: C
Which of the following is used in PEAP to provide authentication for the EAP exchange?
A. RC4
Correct Answer: B
During a DoS attack, all of the data is lost from a user’s laptop, and the user must now rebuild the system. Which tool can the user use to extract the Outlook PST file from the Microsoft Exchange server database?
A. NTbackup.exe
B. Exmerge.exe
C. Eseutil.exe
D. Ost2pst.exe
Correct Answer: B

The BPDU guard feature disables which kind of port when the port receives a BPDU packet?
A. any port
B. nonegotiate port
C. access port
D. PortFast port
E. root port
Correct Answer: D
A DNS server that responds to query messages with information stored in Resource Records (RRs) for a domain name space stored on the server is known as which of these?
A. LDAP resolver
B. recursive resolver
C. zone
D. authoritative server
E. local server
Correct Answer: D
The Sarbanes-Oxley (SOX) act is a United States federal law that was enacted in July, 2002. SOX was introduced to provide which two of these? (Choose two.)
A. confidentiality and integrity of customer records and information
B. corporate fraud accountability
C. security standards that protect healthcare patient data
D. confidentiality of personal health information
E. assurance of the accuracy of financial records
Correct Answer: BE
Which two identifiers are used by a Cisco Easy VPN Server to reference the correct group policy information for connecting a Cisco Easy VPN Client? (Choose two.)
B. OU field in a certificate that is presented by a client
C. XAUTH username
D. hash of the OTP that is sent during XAUTH challenge/response
Correct Answer: AB

According to ISO27001 ISMS, which of the following are mandatory documents? (Choose 4)
A. ISMS Policy
B. Corrective Action Procedure
C. IS Procedures
D. Risk Assessment Reports
E. Complete Inventory of all information assets
Correct Answer: ABCD

Which current RFC made RFCs 2409, 2407, and 2408 obsolete?
A. RFC 4306
B. RFC 2401
C. RFC 5996
D. RFC 4301
E. RFC 1825
Correct Answer: C
Which two answers describe provisions of the SOX Act and its international counterpart Acts? (Choose two.)
A. confidentiality and integrity of customer records and credit card information
B. accountability in the event of corporate fraud
C. financial information handled by entities such as banks, and mortgage and insurance brokers
D. assurance of the accuracy of financial records
E. US Federal government information
F. security standards that protect healthcare patient data
Correct Answer: BD
Which three statements about the IANA are true? (Choose three.)
A. IANA is a department that is operated by the IETF.
B. IANA oversees global IP address allocation.
C. IANA managed the root zone in the DNS.
D. IANA is administered by the ICANN.
E. IANA defines URI schemes for use on the Internet.
Correct Answer: BCD
Since HTTP is one of the most common protocols used on the Internet, what should be done at the firewall level to ensure that the protocol is being used correctly?
A. Ensure that HTTP is always authenticated.
B. Ensure that a stateful firewall allows only HTTP traffic destined for valid web server IP address.
C. Ensure that your web server is in a different zone than your backend servers such as SQL and DNS.
D. Ensure that your firewall enforces HTTP protocol compliance to ensure that only valid flows are allowed in and out of your network.
E. Ensure that a firewall has SYN flood and DDoS protection applied specifically for valid web servers.
Correct Answer: D

What is the main reason for using the “ip ips deny-action ips-interface” IOS command?
A. To support load-balancing configurations in which traffic can arrive via multiple interfaces.
B. To selectively apply drop actions to specific interfaces.
C. This is not a valid IOS command.
D. To enable IOS to drop traffic for signatures configured with the Drop action.
Correct Answer: A
Which three control plane subinterfaces are available when implementing Cisco IOS Control Plane Protection? (Choose three.)
B. host
C. fast-cache
D. transit
E. CEF-exception
F. management
Correct Answer: BDE
Which type of PVLAN ports can communicate among themselves and with the promiscuous port?
A. isolated
B. community
C. primary
D. secondary
E. protected
Correct Answer: B
An internal DNS server requires a NAT on a Cisco IOS router that is dual-homed to separate ISPs using distinct CIDR blocks. Which NAT capability is required to allow hosts in each CIDR block to contact the DNS server via one translated address?
A. NAT overload
B. NAT extendable
C. NAT TCP load balancing
D. NAT service-type DNS
E. NAT port-to-application mapping
Correct Answer: B
Which three configuration components are required to implement QoS policies on Cisco routers using MQC? (Choose three.)
A. class-map
B. global-policy
C. policy-map
D. service-policy
E. inspect-map
Correct Answer: ACD

Which four items may be checked via a Cisco NAC Agent posture assessment? (Choose four.)
A. Microsoft Windows registry keys
B. the existence of specific processes in memory
C. the UUID of an Apple iPad or iPhone
D. if a service is started on a Windows host
E. the HTTP User-Agent string of a device
F. if an Apple iPad or iPhone has been “jail-broken”
G. if an antivirus application is installed on an Apple MacBook
Correct Answer: ABDG
