New Updated Cisco CCIE Security 350-018 Real Exam Download 221-230



Refer to the exhibit, which shows a partial configuration for the EzVPN server. Which three missing ISAKMP profile options are required to support EzVPN using DVTI? (Choose three.)






A.      match identity group

B.      trustpoint

C.      virtual-interface

D.      keyring

E.       enable udp-encapsulation

F.       isakmp authorization list

G.      virtual-template


Correct Answer: AFG




Which two certificate enrollment methods can be completed without an RA and require no direct connection to a CA by the end entity? (Choose two.)


A.      SCEP

B.      TFTP

C.      manual cut and paste

D.      enrollment profile with direct HTTP

E.       PKCS#12 import/export


Correct Answer: CE




Which four techniques can you use for IP data plane security? (Choose four.)


A.      Control Plane Policing

B.      interface ACLs

C.      uRPF

D.      MD5 authentication

E.       FPM

F.       QoS


Correct Answer: BCEF




In order to implement CGA on a Cisco IOS router for SeND, which three configuration steps are required? (Choose three.)


A.      Generate an RSA key pair.

B.      Define a site-wide pre-shared key.

C.      Define a hash algorithm that is used to generate the CGA.

D.      Generate the CGA modifier.

E.       Assign a CGA link-local or globally unique address to the interface.

F.       Define an encryption algorithm that is used to generate the CGA.


Correct Answer: ADE




As defined by Cisco TrustSec, which EAP method is used for Network Device Admission Control authentication?


A.      EAP-FAST

B.      EAP-TLS

C.      PEAP

D.      LEAP


Correct Answer: A




Which three statements about the keying methods used by MACSec are true? (Choose three.)


A.      Key management for host-to-switch and switch-to-switch MACSec sessions is provided by MKA.

B.      A valid mode for SAP is NULL.

C.      MKA is implemented as an EAPoL packet exchange.

D.      SAP is enabled by default for Cisco TrustSec in manual configuration mode.

E.       SAP is not supported on switch SVIs.

F.       SAP is supported on SPAN destination ports.


Correct Answer: BCE




What is the function of this command?


switch(config-if)# switchport port-security mac-address sticky


A.      It allows the switch to restrict the MAC addresses on the switch port, based on the static MAC addresses configured in the startup configuration.

B.      It allows the administrator to manually configure the secured MAC addresses on the switch port.

C.      It allows the switch to permanently store the secured MAC addresses in the MAC address table (CAM table).

D.      It allows the switch to perform sticky learning, in which the dynamically learned MAC addresses are copied from the MAC address table (CAM table) to the startup configuration.

E.       It allows the switch to dynamically learn the MAC addresses on the switch port, and the MAC addresses will be added to the running configuration.


Correct Answer: E




When configuring a switchport for port security that will support multiple devices and that has already been configured for 802.1X support, which two commands need to be added? (Choose two.)


A.      The 802.1X port configuration must be extended with the command dot1x multiple-host.

B.      The 802.1X port configuration must be extended with the command dot1x port-security.

C.      The switchport configuration needs to include the command switchport port-security.

D.      The switchport configuration needs to include the port-security aging command.

E.       The 802.1X port configuration needs to remain in port-control force-authorized rather than port-control auto.


Correct Answer: AC




In Cisco IOS, what is the result of the ip dns spoofing command on DNS queries that are coming from the inside and are destined to DNS servers on the outside?


A.      The router will prevent DNS packets without TSIG information from passing through the router.

B.      The router will act as a proxy to the DNS request and reply to the DNS request with the IP address of the interface that received the DNS query if the outside interface is down.

C.      The router will take the DNS query and forward it on to the DNS server with its information in place of the client IP.

D.      The router will block unknown DNS requests on both the inside and outside interfaces.


Correct Answer: B




The Wi-Fi Alliance defined two certification programs, called WPA and WPA2, which are based on the IEEE 802.11i standard. Which three statements are true about these certifications? (Choose three.)


A.      WPA is based on the ratified IEEE 802.11i standard.

B.      WPA2 is based on the ratified IEEE 802.11i standard.

C.      WPA enhanced WEP with the introduction of TKIP.

D.      WPA2 requires the support of AES-CCMP.

E.       WPA2 supports only 802.1x/EAP authentication.


Correct Answer: BCD

