Cisco 350-701 Online Practice Questions and Exam Preparation

Cisco 350-701 Online Questions & Answers

• Question 371:

  What are two recommended approaches to stop DNS tunneling for data exfiltration and command and control call backs? (Choose two.)

  A. Use intrusion prevention system.
  B. Block all TXT DNS records.
  C. Enforce security over port 53.
  D. Use next generation firewalls.
  E. Use Cisco Umbrella.
  C. Enforce security over port 53.
  E. Use Cisco Umbrella.

  ---

  Explanation

• Question 372:

  Based on the NIST 800-145 guide, which cloud architecture is provisioned for exclusive use by a specific group of consumers from different organizations and may be owned, managed, and operated by one or more of those organizations?

  A. community cloud
  B. private cloud
  C. public cloud
  D. hybrid cloud
  A. community cloud

  ---

  Explanation

• Question 373:

  Which two methods must be used to add switches into the fabric so that administrators can control how switches are added into DCNM for private cloud management? (Choose two.)

  A. Cisco Cloud Director
  B. Cisco Prime Infrastructure
  C. PowerOn Auto Provisioning
  D. Seed IP
  E. CDP AutoDiscovery
  C. PowerOn Auto Provisioning
  D. Seed IP

  ---

  Explanation

• Question 374:

  Refer to the exhibit.

  

  Which type of authentication is in use?

  A. LDAP authentication for Microsoft Outlook
  B. POP3 authentication
  C. SMTP relay server authentication
  D. external user and relay mail authentication
  A. LDAP authentication for Microsoft Outlook

  ---

  Explanation

  https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118545-technote-esa-00.html

• Question 375:

  A large organization wants to deploy a security appliance in the public cloud to form a site-to-site VPN and link the public cloud environment to the private cloud in the headquarters data center.

  Which Cisco security appliance meets these requirements?

  A. Cisco Cloud Orchestrator
  B. Cisco ASAv
  C. Cisco WSAv
  D. Cisco Stealthwatch Cloud
  B. Cisco ASAv

  ---

  Explanation

• Question 376:

  A malicious user gained network access by spoofing printer connections that were authorized using MAB on four different switch ports at the same time. What two catalyst switch security features will prevent further violations? (Choose two)

  A. DHCP Snooping
  B. 802.1AE MacSec
  C. Port security
  D. IP Device track
  E. Dynamic ARP inspection
  F. Private VLANs
  A. DHCP Snooping
  E. Dynamic ARP inspection

  ---

  Explanation

• Question 377:

  Which two services must remain as on-premises equipment when a hybrid email solution is deployed? (Choose two)

  A. DDoS
  B. antispam
  C. antivirus
  D. encryption
  E. DLP
  D. encryption
  E. DLP

  ---

  Explanation

  https://www.cisco.com/c/dam/en/us/td/docs/security/ces/overview_guide/Cisco_Cloud_Hyb rid_Email_Security_Overview_Guide.pdf

• Question 378:

  Which SNMPv3 configuration must be used to support the strongest security possible?

  A. asa-host(config)#snmp-server group myv3 v3 privasa-host(config)#snmp-server user andy myv3 auth sha cisco priv des ciscXXXXXXXX asa-host(config)#snmp-server host inside 10.255.254.1 version 3 andy
  B. asa-host(config)#snmp-server group myv3 v3 noauth asa-host(config)#snmp-server user andy myv3 auth sha cisco priv aes 256 ciscXXXXXXXX asa-host(config)#snmp-server host inside 10.255.254.1 version 3 andy
  C. asa-host(config)#snmpserver group myv3 v3 noauth asa-host(config)#snmp-server user andy myv3 auth sha cisco priv 3des ciscXXXXXXXX asa-host(config)#snmp-server host inside 10.255.254.1 version 3 andy
  D. asa-host(config)#snmp-server group myv3 v3 privasa-host(config)#snmp-server user andy myv3 auth sha cisco priv aes 256 ciscXXXXXXXX asa-host(config)#snmp-server host inside 10.255.254.1 version 3 andy
  D. asa-host(config)#snmp-server group myv3 v3 privasa-host(config)#snmp-server user andy myv3 auth sha cisco priv aes 256 ciscXXXXXXXX asa-host(config)#snmp-server host inside 10.255.254.1 version 3 andy

  ---

  Explanation

  SNMPv3 offers three security levels: noAuthNoPriv, authNoPriv, and authPriv. The strongest security possible is achieved by using the authPriv security level. This level requires both an authentication and a privacy (encryption) protocol. Option D is using the authPriv security level, it uses the AES256 for encryption which is considered a stronger encryption algorithm than 3DES, and it uses the SHA for authentication which is considered a stronger authentication algorithm than MD5.

  It is important to note that the real configuration may vary depending on the device and the vendor.

• Question 379:

  How is data sent out to the attacker during a DNS tunneling attack?

  A. as part of the UDP/53 packet payload
  B. as part of the domain name
  C. as part of the TCP/53 packet header
  D. as part of the DNS response packet
  B. as part of the domain name

  ---

  Explanation

  https://www.cynet.com/attack-techniques-hands-on/how-hackers-use-dns-tunneling-to-own-your-network/

• Question 380:

  Refer to the exhibit.

  

  Refer to the exhibit. A Cisco ISE administrator adds a new switch to an 802.1X deployment and has difficulty with some endpoints gaining access.

  Most PCs and IP phones can connect and authenticate using their machine certificate credentials. However printer and video cameras cannot base d on the interface configuration provided, what must be to get these devices on to the network using Cisco ISE for authentication and authorization while maintaining security controls?

  A. Change the default policy in Cisco ISE to allow all devices not using machine authentication .
  B. Enable insecure protocols within Cisco ISE in the allowed protocols configuration.
  C. Configure authentication event fail retry 2 action authorize vlan 41 on the interface
  D. Add mab to the interface configuration.
  D. Add mab to the interface configuration.

  ---

  Explanation

  https://community.cisco.com/t5/network-access-control/problems-with-connecting-printers-via-mab/td-p/3528002