Cisco 350-701 Online Practice Questions and Exam Preparation

Cisco 350-701 Online Questions & Answers

• Question 551:

  Refer to the exhibit.

  

  What does the number 15 represent in this configuration?

  A. privilege level for an authorized user to this router
  B. access list that identifies the SNMP devices that can access the router
  C. interval in seconds between SNMPv3 authentication attempts
  D. number of possible failed attempts until the SNMPv3 user is locked out
  B. access list that identifies the SNMP devices that can access the router

  ---

  Explanation

  The syntax of this command is shown below:

  snmp-server group [group-name {v1 | v2c | v3 [auth | noauth | priv]}] [read read-view] [ write write-view] [notify notify-view] [access access-list] The command above restricts which IP source addresses are allowed to access SNMP functions on the router. You could restrict SNMP access by simply applying an interface ACL to block incoming SNMP packets that don't come from trusted servers. However, this would not be as effective as using the global SNMP commands shown in this recipe. Because you can apply this method once for the whole router, it is much simpler than applying ACLs to block SNMP on all interfaces separately. Also, using interface ACLs would block not only SNMP packets intended for this router, but also may stop SNMP packets that just happened to be passing through on their way to some other destination device.

• Question 552:

  How many interfaces per bridge group does an ASA bridge group deployment support?

  A. up to 2
  B. up to 4
  C. up to 8
  D. up to 16
  B. up to 4

  ---

  Explanation

  https://www.cisco.com/c/en/us/td/docs/security/asa/asa97/configuration/general/asa-97-general-config/intro-fw.html

• Question 553:

  Which component of Cisco umbrella architecture increases reliability of the service?

  A. Anycast IP
  B. AMP Threat grid
  C. Cisco Talos
  D. BGP route reflector
  A. Anycast IP

  ---

  Explanation

  Anycast would increase the resiliency of the product. Reliability and resiliency are different. With Cisco Talos, the reliability of Cisco Umbrella threat detection is increased.

• Question 554:

  DRAG DROP

  Drag and drop the capabilities from the left onto the correct technologies on the right.

  Select and Place:

  

  

• Question 555:

  Refer to the exhibit.

  

  An organization is using DHCP Snooping within their network. A user on VLAN 41 on a new switch is complaining that an IP address is not being obtained. Which command should be configured on the switch interface in order to provide the user with network connectivity?

  A. ip dhcp snooping verify mac-address
  B. ip dhcp snooping limit 41
  C. ip dhcp snooping vlan 41
  D. ip dhcp snooping trust
  D. ip dhcp snooping trust

  ---

  Explanation

  To understand DHCP snooping we need to learn about DHCP spoofing attack first.

  DHCP spoofing is a type of attack in that the attacker listens for DHCP Requests from clients and answers them with fake DHCP Response before the authorized DHCP Response comes to the clients. The fake DHCP Response often gives its IP address as the client default gateway -> all the traffic sent from the client will go through the attacker computer, the attacker becomes a "man-in-the-middle".The attacker can have some ways to make sure its fake DHCP Response arrives first. In fact, if the attacker is "closer" than the DHCP Server then he doesn't need to do anything. Or he can DoS the DHCP Server so that it can't send the DHCP Response.DHCP snooping can prevent DHCP spoofing attacks. DHCP snooping is a Cisco Catalyst feature thatdetermines which switch ports can respond to DHCP requests. Ports are identified as trusted and untrusted.

  Only ports that connect to an authorized DHCP server are trusted, and allowed to send all types of DHCP messages. All other ports on the switch are untrusted and can send only DHCP requests. If a DHCP response is seen on an untrusted port, the port is shut down. The port connected to a DHCP server should be configured as trusted port with the "ip dhcp snooping trust" command. Other ports connecting to hosts are untrusted ports by default.

  In this question, we need to configure the uplink to "trust" (under interface Gi1/0/1) as shown below.

• Question 556:

  DRAG DROP

  Drag and drop the VPN functions from the left onto the description on the right.

  Select and Place:

  

  

• Question 557:

  An organization wants to use Cisco FTD or Cisco ASA devices. Specific URLs must be blocked from being accessed via the firewall which requires that the administrator input the bad URL categories that the organization wants blocked into the access policy. Which solution should be used to meet this requirement?

  A. Cisco ASA because it enables URL filtering and blocks malicious URLs by default, whereas Cisco FTD does not
  B. Cisco ASA because it includes URL filtering in the access control policy capabilities, whereas Cisco FTD does not
  C. Cisco FTD because it includes URL filtering in the access control policy capabilities, whereas Cisco ASA does not
  D. Cisco FTD because it enables URL filtering and blocks malicious URLs by default, whereas Cisco ASA does not
  C. Cisco FTD because it includes URL filtering in the access control policy capabilities, whereas Cisco ASA does not

  ---

  Explanation

• Question 558:

  How does a Cisco Secure Web Appliance integrated with LDAP handle the permissions of a currently logged in Active Directory group member when the Active Directory administrator changes the permissions of the user's group mid session?

  A. If the Cisco Secure Client Mobility Client is configured on the endpoint to provide Active Directory updates, the Cisco Secure Web Appliance changes the user's permissions immediately when alerted by the client.
  B. If the Cisco Secure Web Appliance is configured to receive real-time updates from the Active Directory user agent, it changes the user's permissions immediately when the agent sends the update.
  C. The Cisco Secure Web Appliance terminates the current session and prompts the user to re-authenticate in order to update the effective permissions.
  D. The Cisco Secure Web Appliance continues to operate using the permissions that were in effect when the user logged in for the duration of the user's session.
  D. The Cisco Secure Web Appliance continues to operate using the permissions that were in effect when the user logged in for the duration of the user's session.

  ---

  Explanation

• Question 559:

  A security engineer is tasked with configuring TACACS on a Cisco ASA firewall. The engineer must be able to access the firewall command line interface remotely. The authentication must fall back to the local user database of the Cisco ASA firewall. AAA server group named TACACS-GROUP is already configured with TACACS server IP address 192.168.10.10 and key C1sc0512222832!. Which configuration must be done next to meet the requirement?

  A. aaa authentication ssh console LOCAL TACACS-GROUP
  B. aaa authentication ssh console TACACS-GROUP LOCAL
  C. aaa authentication serial console LOCAL TACACS-GROUP
  D. aaa authentication http console TACACS-GROUP LOCAL
  B. aaa authentication ssh console TACACS-GROUP LOCAL

  ---

  Explanation

• Question 560:

  An engineer is deploying Cisco Advanced Malware Protection (AMP) for Endpoints and wants to create a policy that prevents users from executing file named abc424952615.exe without quarantining that file.

  What type of Outbreak Control list must the SHA.-256 hash value for the file be added to in order to accomplish this?

  A. Advanced Custom Detection
  B. Blocked Application
  C. Isolation
  D. Simple Custom Detection
  B. Blocked Application

  ---

  Explanation