Cisco 350-701 Practice Test - Questions Answers, Page 11
Question 101

A malicious user gained network access by spoofing printer connections that were authorized using MAB on four different switch ports at the same time. What two catalyst switch security features will prevent further violations? (Choose two)
DHCP Snooping
802.1AE MacSec
Port security
IP Device track
Dynamic ARP inspection
Private VLANs
Question 102

Which command enables 802.1X globally on a Cisco switch?
dot1x system-auth-control
dot1x pae authenticator
authentication port-control aut
aaa new-model
Question 103

Which RADIUS attribute can you use to filter MAB requests in an 802.1X deployment?
1
2
6
31
Because MAB uses the MAC address as a username and password, you should make sure that the RADIUS server can differentiate MAB requests from other types of requests for network access. This precaution will prevent other clients from attempting to use a MAC address as a valid credential.
Cisco switches uniquely identify MAB requests by setting Attribute 6 (Service-Type) to 10 (Call-Check) in a MAB Access-Request message. Therefore, you can use Attribute 6 to filter MAB requests at the RADIUS server.
Reference: https://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/identity-basednetworkingservices/config_guide_c17-663759.html
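The filtering rule above can be checked at the packet level. The following is an added example, not code from the page or from Cisco: a small RADIUS attribute parser that classifies an Access-Request as MAB by Attribute 6 (Service-Type) equal to 10 (Call-Check), and separately flags a non-MAB request whose User-Name is a MAC address, which is the misuse the explanation warns about. The three sample packets are constructed here (zero authenticator, constructed MAC and user names); the attribute numbers and values are the standard RFC 2865 codes.

```python
import struct

# RFC 2865 attribute type codes (the numbers offered as answer choices above)
USER_NAME = 1
USER_PASSWORD = 2
SERVICE_TYPE = 6
CALLING_STATION_ID = 31
EAP_MESSAGE = 79                 # carried by 802.1X (EAP) requests, never by MAB

SERVICE_TYPE_FRAMED = 2
SERVICE_TYPE_CALL_CHECK = 10     # value Cisco sets on MAB Access-Requests
ACCESS_REQUEST = 1


def service_type(value):
    """Encode a Service-Type value as the 4-byte big-endian integer RADIUS uses."""
    return struct.pack("!I", value)


def build_access_request(attrs, identifier=1):
    """Build a minimal Access-Request from (type, value-bytes) pairs.
    Constructed for this example: the authenticator is a zero placeholder, not random."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body))
    return header + b"\x00" * 16 + body


def parse_attributes(packet):
    """Walk the attribute TLVs, checking every length field before trusting it."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("RADIUS length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError(f"malformed attribute length at offset {pos}")
        attrs.append((t, packet[pos + 2:pos + l]))
        pos += l
    return attrs


def _hex_mac(text):
    """Normalise '00-15-63-B0-F6-76', '0015.63b0.f676' or '001563b0f676' to 12 hex digits."""
    digits = "".join(c for c in text.lower() if c in "0123456789abcdef")
    return digits if len(digits) == 12 else None


def classify(packet):
    """Return 'mab', 'dot1x' or 'other'. Only Attribute 6 == Call-Check marks MAB;
    an EAP-Message attribute marks an 802.1X request."""
    attrs = {}
    for t, v in parse_attributes(packet):
        attrs.setdefault(t, v)
    st = attrs.get(SERVICE_TYPE)
    if st is not None and len(st) == 4 and struct.unpack("!I", st)[0] == SERVICE_TYPE_CALL_CHECK:
        return "mab"
    if EAP_MESSAGE in attrs:
        return "dot1x"
    return "other"


def mac_used_as_credential(packet):
    """Flag a non-MAB request whose User-Name is a MAC address: a client presenting
    a MAC as an ordinary credential, which the Attribute 6 filter is meant to separate out."""
    if classify(packet) == "mab":
        return False
    for t, v in parse_attributes(packet):
        if t == USER_NAME:
            return _hex_mac(v.decode("ascii", "replace")) is not None
    return False


# Constructed sample requests (not captured traffic)
SAMPLE_MAB = build_access_request([
    (USER_NAME, b"001563b0f676"),
    (USER_PASSWORD, b"\x00" * 16),
    (SERVICE_TYPE, service_type(SERVICE_TYPE_CALL_CHECK)),
    (CALLING_STATION_ID, b"00-15-63-B0-F6-76"),
])
SAMPLE_DOT1X = build_access_request([
    (USER_NAME, b"alice"),
    (SERVICE_TYPE, service_type(SERVICE_TYPE_FRAMED)),
    (EAP_MESSAGE, b"\x02\x01\x00\x0a\x01alice"),   # EAP Response/Identity "alice"
])
SAMPLE_MAC_AS_CREDENTIAL = build_access_request([
    (USER_NAME, b"001563b0f676"),
    (USER_PASSWORD, b"\x00" * 16),
    (SERVICE_TYPE, service_type(SERVICE_TYPE_FRAMED)),
])

if __name__ == "__main__":
    for name, pkt in [("mab", SAMPLE_MAB), ("dot1x", SAMPLE_DOT1X), ("mac-as-cred", SAMPLE_MAC_AS_CREDENTIAL)]:
        print(name, classify(pkt), mac_used_as_credential(pkt))
```

A RADIUS server policy built on this logic would route requests with Service-Type = Call-Check to the MAB endpoint database and refuse MAC-shaped user names on every other path, so a MAC address cannot be replayed as a username/password pair.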
Question 104

A network administrator configures Dynamic ARP Inspection on a switch. After Dynamic ARP Inspection is applied, all users on that switch are unable to communicate with any destination. The network administrator checks the interface status of all interfaces, and there is no err-disabled interface. What is causing this problem?
DHCP snooping has not been enabled on all VLANs.
The ip arp inspection limit command is applied on all interfaces and is blocking the traffic of all users.
Dynamic ARP Inspection has not been enabled on all VLANs
The no ip arp inspection trust command is applied on all user host interfaces
Dynamic ARP inspection (DAI) is a security feature that validates ARP packets in a network. It intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings. This capability protects the network from certain man-in-the-middle attacks. After enabling DAI, all ports become untrusted ports.
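The symptom in this question follows from the order in which DAI makes its decision. The following is an added, simplified model written for this page (not Cisco code): ARP packets on DAI-enabled VLANs are forwarded from trusted ports, otherwise only when the sender IP/MAC pair matches a binding that DHCP snooping would have learned. Port names, MAC addresses and IP addresses are constructed sample values; per-port rate limiting (the ip arp inspection limit behaviour that err-disables a port) is deliberately left out of the model.

```python
from dataclasses import dataclass, field


@dataclass
class ArpPacket:
    in_port: str
    vlan: int
    sender_mac: str
    sender_ip: str


@dataclass
class DaiSwitch:
    """Toy model of a switch running DAI; the binding table is normally built by DHCP snooping."""
    dai_vlans: set
    trusted_ports: set = field(default_factory=set)
    bindings: dict = field(default_factory=dict)   # (vlan, mac) -> ip
    dropped: list = field(default_factory=list)

    def snooping_learn(self, vlan, mac, ip):
        """Record the binding DHCP snooping would learn from a DHCP ACK on an enabled VLAN."""
        self.bindings[(vlan, mac)] = ip

    def inspect(self, pkt):
        """Return 'forward' or 'drop' for one ARP packet, following the DAI decision order."""
        if pkt.vlan not in self.dai_vlans:
            return "forward"                       # DAI not enabled on this VLAN
        if pkt.in_port in self.trusted_ports:
            return "forward"                       # trusted ports are not inspected
        if self.bindings.get((pkt.vlan, pkt.sender_mac)) == pkt.sender_ip:
            return "forward"                       # sender matches a snooping binding
        self.dropped.append(f"{pkt.in_port} vlan{pkt.vlan} {pkt.sender_mac}/{pkt.sender_ip}")
        return "drop"                              # no binding: invalid IP-to-MAC pair


# Constructed sample traffic: two hosts on access ports plus the gateway on the uplink
SAMPLE_ARP = [
    ArpPacket("Gi1/1", 10, "0015.63b0.f676", "10.0.10.11"),
    ArpPacket("Gi1/2", 10, "000f.23c4.a401", "10.0.10.12"),
    ArpPacket("Gi1/24", 10, "0014.bf5d.d26d", "10.0.10.1"),
]


def new_switch(with_snooping_bindings):
    sw = DaiSwitch(dai_vlans={10}, trusted_ports={"Gi1/24"})
    if with_snooping_bindings:
        sw.snooping_learn(10, "0015.63b0.f676", "10.0.10.11")
        sw.snooping_learn(10, "000f.23c4.a401", "10.0.10.12")
    return sw


def scenario_no_snooping():
    """DAI on VLAN 10 but DHCP snooping never populated the table: every host ARP on an
    untrusted port is dropped, while the trusted uplink still passes."""
    sw = new_switch(with_snooping_bindings=False)
    return [sw.inspect(p) for p in SAMPLE_ARP]


def scenario_with_snooping():
    sw = new_switch(with_snooping_bindings=True)
    return [sw.inspect(p) for p in SAMPLE_ARP]


def scenario_forged_gateway():
    """Bindings present; a host on an untrusted port claims the gateway's IP address."""
    sw = new_switch(with_snooping_bindings=True)
    return sw.inspect(ArpPacket("Gi1/2", 10, "000f.23c4.a401", "10.0.10.1"))


if __name__ == "__main__":
    print("no snooping bindings:", scenario_no_snooping())
    print("with snooping bindings:", scenario_with_snooping())
    print("forged gateway ARP:", scenario_forged_gateway())
```

The first scenario reproduces the "nobody can talk, no port is err-disabled" state: packets are silently dropped by the binding check, not by the rate limiter. The second shows normal operation once bindings exist, and the third shows the binding check rejecting an ARP that claims an address the sender does not hold.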
Question 105

Refer to the exhibit.
An engineer configured wired 802.1x on the network and is unable to get a laptop to authenticate.
Which port configuration is missing?
authentication open
dot1x reauthentication
cisp enable
dot1x pae authenticator
Question 106

Which SNMPv3 configuration must be used to support the strongest security possible?
asa-host(config)#snmp-server group myv3 v3 priv asa-host(config)#snmp-server user andy myv3 auth sha cisco priv des ciscXXXXXXXX asa-host(config)#snmp-server host inside 10.255.254.1 version 3 andy
asa-host(config)#snmp-server group myv3 v3 noauth asa-host(config)#snmp-server user andy myv3 auth sha cisco priv aes 256 ciscXXXXXXXX asa-host(config)#snmp-server host inside 10.255.254.1 version 3 andy
asa-host(config)#snmp-server group myv3 v3 noauth asa-host(config)#snmp-server user andy myv3 auth sha cisco priv 3des ciscXXXXXXXX asa-host(config)#snmp-server host inside 10.255.254.1 version 3 andy
asa-host(config)#snmp-server group myv3 v3 priv asa-host(config)#snmp-server user andy myv3 auth sha cisco priv aes 256 ciscXXXXXXXX asa-host(config)#snmp-server host inside 10.255.254.1 version 3 andy
Question 107

Refer to the exhibit.
Which command was used to generate this output and to show which ports are authenticating with dot1x or mab?
show authentication registrations
show authentication method
show dot1x all
show authentication sessions
Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/s1/sec-s1-xe-3se-3850-cr-book/sec-s1-xe-3se-3850-cr-book_chapter_01.html#wp3404908137
Displaying the Summary of All Auth Manager Sessions on the Switch. Enter the following:
Switch# show authentication sessions
Interface MAC Address Method Domain Status Session ID
Gi1/48 0015.63b0.f676 dot1x DATA Authz Success 0A3462B1000000102983C05C
Gi1/5 000f.23c4.a401 mab DATA Authz Success 0A3462B10000000D24F80B58
Gi1/5 0014.bf5d.d26d dot1x DATA Authz Success 0A3462B10000000E29811B94
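The output above is easy to read by eye for three sessions; on a 48-port switch it is worth parsing. The following is an added example written for this page (not Cisco code or output handling from the referenced guide): it parses the exhibit's show authentication sessions lines, groups interfaces by authentication method, and lists MAB sessions on ports where MAB-only devices are not expected, the kind of check that would have surfaced the spoofed-printer scenario in Question 101. The sample text is the exhibit's own output; the allow-list of MAB ports is a constructed assumption.

```python
import re
from collections import defaultdict

# Sample text: the show authentication sessions output from the exhibit above
SAMPLE_OUTPUT = """\
Interface MAC Address Method Domain Status Session ID
Gi1/48 0015.63b0.f676 dot1x DATA Authz Success 0A3462B1000000102983C05C
Gi1/5 000f.23c4.a401 mab DATA Authz Success 0A3462B10000000D24F80B58
Gi1/5 0014.bf5d.d26d dot1x DATA Authz Success 0A3462B10000000E29811B94
"""

# One session row: the status column may contain spaces ("Authz Success"), so it is
# matched lazily and the hexadecimal session ID anchors the end of the line.
SESSION_RE = re.compile(
    r"^(?P<iface>\S+)\s+"
    r"(?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\s+"
    r"(?P<method>dot1x|mab|webauth)\s+"
    r"(?P<domain>\S+)\s+"
    r"(?P<status>.+?)\s+"
    r"(?P<session_id>[0-9A-Fa-f]+)$")


def parse_sessions(text):
    """Return one dict per session row; the header and unrecognised lines are skipped."""
    sessions = []
    for line in text.splitlines():
        m = SESSION_RE.match(line.strip())
        if m:
            sessions.append(m.groupdict())
    return sessions


def interfaces_by_method(sessions):
    """Map each method to the ordered, de-duplicated list of interfaces using it."""
    out = defaultdict(list)
    for s in sessions:
        if s["iface"] not in out[s["method"]]:
            out[s["method"]].append(s["iface"])
    return dict(out)


def macs_per_interface(sessions):
    """Count authenticated MAC addresses per port (more than one means multi-auth is in use)."""
    counts = defaultdict(int)
    for s in sessions:
        counts[s["iface"]] += 1
    return dict(counts)


def mab_sessions_outside_allowlist(sessions, allowed_mab_ports):
    """Detection helper: MAB sessions on ports not on the list of ports that should host
    MAB-only devices such as printers. allowed_mab_ports is an operator-maintained set."""
    return [s for s in sessions
            if s["method"] == "mab" and s["iface"] not in allowed_mab_ports]


if __name__ == "__main__":
    sessions = parse_sessions(SAMPLE_OUTPUT)
    print(interfaces_by_method(sessions))
    print(macs_per_interface(sessions))
    # Constructed allow-list: only Gi1/7 is supposed to carry a MAB device
    for s in mab_sessions_outside_allowlist(sessions, {"Gi1/7"}):
        print("unexpected MAB session:", s["iface"], s["mac"])
```

Feed the function the output of show authentication sessions collected from each access switch; a MAB session appearing on a port outside the allow-list, or several MAB MACs appearing at once on ports that should carry a single device, is the pattern to alert on.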
Question 108

What Cisco command shows you the status of an 802.1X connection on interface gi0/1?
show authorization status
show authen sess int gi0/1
show connection status gi0/1
show ver gi0/1
Question 109

Refer to the exhibit.
What does the number 15 represent in this configuration?
privilege level for an authorized user to this router
access list that identifies the SNMP devices that can access the router
interval in seconds between SNMPv3 authentication attempts
number of possible failed attempts until the SNMPv3 user is locked out
The syntax of this command is shown below:
snmp-server group [group-name {v1 | v2c | v3 [auth | noauth | priv]}] [read read-view] [write write-view] [notify notify-view] [access access-list]
The command above restricts which IP source addresses are allowed to access SNMP functions on the router. You could restrict SNMP access by simply applying an interface ACL to block incoming SNMP packets that don't come from trusted servers. However, this would not be as effective as using the global SNMP commands shown above. Because you can apply this method once for the whole router, it is much simpler than applying ACLs to block SNMP on all interfaces separately. Also, using interface ACLs would block not only SNMP packets intended for this router, but also may stop SNMP packets that just happened to be passing through on their way to some other destination device.
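Questions 106 and 109 together describe what a reviewer looks for in an SNMPv3 configuration: a group that requires priv, a user whose auth and priv algorithms are the strongest offered, and an access list on the group. The following is an added example written for this page (not Cisco tooling): a small audit that parses snmp-server group and snmp-server user lines in the syntax shown above and reports the weaker choices. The configuration lines, user names and ACL number are constructed samples; the parser assumes single-space separation as in the quoted commands.

```python
import re

# Constructed sample configuration (same syntax as the options and command reference above)
SAMPLE_CONFIG = """
snmp-server group myv3 v3 noauth
snmp-server group netops v3 priv read v3view access 15
snmp-server user andy myv3 auth sha cisco priv des ciscXXXXXXXX
snmp-server user carol netops auth sha cisco priv aes 256 ciscXXXXXXXX
snmp-server user dave netops v3 auth md5 cisco priv 3des ciscXXXXXXXX
"""

GROUP_RE = re.compile(
    r"^snmp-server group (?P<name>\S+) v3 (?P<level>noauth|auth|priv)(?P<rest>.*)$")
USER_RE = re.compile(
    r"^snmp-server user (?P<user>\S+) (?P<group>\S+)(?: v3)?"
    r"(?: auth (?P<auth>md5|sha(?:-\d+)?) \S+)?"
    r"(?: priv (?P<priv>des|3des|aes (?:128|192|256)) \S+)?$")


def parse_config(text):
    """Return ({group: {level, acl}}, [user dicts]) from snmp-server lines."""
    groups, users = {}, []
    for line in text.splitlines():
        line = line.strip()
        g = GROUP_RE.match(line)
        if g:
            acl = re.search(r"\baccess (\S+)", g.group("rest"))
            groups[g.group("name")] = {"level": g.group("level"),
                                       "acl": acl.group(1) if acl else None}
            continue
        u = USER_RE.match(line)
        if u:
            users.append(u.groupdict())
    return groups, users


def audit(text):
    """Map each SNMPv3 user to a list of findings; an empty list means nothing weaker
    than priv + sha + aes 256 behind an access list was found."""
    groups, users = parse_config(text)
    findings = {}
    for u in users:
        issues = []
        grp = groups.get(u["group"])
        if grp is None:
            issues.append(f"references undefined group {u['group']}")
        else:
            if grp["level"] != "priv":
                issues.append(f"group {u['group']} only requires {grp['level']}")
            if grp["acl"] is None:
                issues.append(f"group {u['group']} has no access list")
        if u["auth"] is None:
            issues.append("no authentication configured")
        elif u["auth"] == "md5":
            issues.append("weak authentication algorithm md5")
        if u["priv"] is None:
            issues.append("no privacy configured")
        elif u["priv"] in ("des", "3des"):
            issues.append(f"weak privacy cipher {u['priv']}")
        findings[u["user"]] = issues
    return findings


if __name__ == "__main__":
    for user, issues in audit(SAMPLE_CONFIG).items():
        print(user, "->", issues or "ok")
```

Run it over the output of show running-config | include snmp-server from each device; a user with an empty finding list is the combination the strongest option in Question 106 describes, and the "no access list" finding is the gap the group-level access keyword in Question 109 closes.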
Question 110

Under which two circumstances is a CoA issued? (Choose two)
A new authentication rule was added to the policy on the Policy Service node.
An endpoint is deleted on the Identity Service Engine server.
A new Identity Source Sequence is created and referenced in the authentication policy.
An endpoint is profiled for the first time.
A new Identity Service Engine server is added to the deployment with the Administration persona
The profiling service issues the change of authorization in the following cases:
- Endpoint deleted: when an endpoint is deleted from the Endpoints page and the endpoint is disconnected or removed from the network.
- An exception action is configured: if you have an exception action configured per profile that leads to an unusual or an unacceptable event from that endpoint, the profiling service moves the endpoint to the corresponding static profile by issuing a CoA.
- An endpoint is profiled for the first time: when an endpoint is not statically assigned and is profiled for the first time; for example, the profile changes from an unknown to a known profile.
- An endpoint identity group has changed: when an endpoint is added to or removed from an endpoint identity group that is used by an authorization policy. The profiling service issues a CoA when there is any change in an endpoint identity group and that group is used in the authorization policy, specifically when:
  - the endpoint identity group changes for endpoints when they are dynamically profiled;
  - the endpoint identity group changes when the static assignment flag is set to true for a dynamic endpoint.
- An endpoint profiling policy has changed and the policy is used in an authorization policy: when an endpoint profiling policy changes and the policy is included in a logical profile that is used in an authorization policy. The endpoint profiling policy may change due to a profiling policy match or when an endpoint is statically assigned to an endpoint profiling policy that is associated with a logical profile. In both cases, the profiling service issues a CoA only when the endpoint profiling policy is used in an authorization policy.
Reference: https://www.cisco.com/c/en/us/td/docs/security/ise/2-1/admin_guide/b_ise_admin_guide_21/b_ise_admin_guide_20_chapter_010100.html