Cisco CCNP 350-701 Questions & Answers

• Question 611:

  Which SNMPv3 configuration must be used to support the strongest security possible?

  A. asa-host(config)#snmp-server group myv3 v3 priv asa-host(config)#snmp-server user andy myv3 auth sha cisco priv des ciscXXXXXXXX asa-host(config)#snmp-server host inside 10.255.254.1 version 3 andy

  B. asa-host(config)#snmp-server group myv3 v3 noauth asa-host(config)#snmp-server user andy myv3 auth sha cisco priv aes 256 ciscXXXXXXXX asa-host(config)#snmp-server host inside 10.255.254.1 version 3 andy

  C. asa-host(config)#snmpserver group myv3 v3 noauth asa-host(config)#snmp-server user andy myv3 auth sha cisco priv 3des ciscXXXXXXXX asa-host(config)#snmp-server host inside 10.255.254.1 version 3 andy

  D. asa-host(config)#snmp-server group myv3 v3 priv asa-host(config)#snmp-server user andy myv3 auth sha cisco priv aes 256 ciscXXXXXXXX asa-host(config)#snmp-server host inside 10.255.254.1 version 3 andy

  Correct Answer: D

  SNMPv3 offers three security levels: noAuthNoPriv, authNoPriv, and authPriv. The strongest security possible is achieved by using the authPriv security level. This level requires both an authentication and a privacy (encryption) protocol. Option D is using the authPriv security level, it uses the AES256 for encryption which is considered a stronger encryption algorithm than 3DES, and it uses the SHA for authentication which is considered a stronger authentication algorithm than MD5.

  It is important to note that the real configuration may vary depending on the device and the vendor.

• Question 612:

  An organization is trying to improve their Defense in Depth by blocking malicious destinations prior to a connection being established. The solution must be able to block certain applications from being used within the network. Which product should be used to accomplish this goal?

  A. Cisco Firepower

  B. Cisco Umbrella

  C. ISE

  D. AMP

  Correct Answer: B

  ExplanationCisco Umbrella protects users from accessing malicious domains by proactively analyzing and blocking unsafe destinations ?before a connection is ever made. Thus it can protect from phishing attacks by blocking suspicious domains when users click on the given links that an attacker sent.

• Question 613:

  What is a characteristic of Cisco ASA Netflow v9 Secure Event Logging?

  A. It tracks flow-create, flow-teardown, and flow-denied events.

  B. It provides stateless IP flow tracking that exports all records of a specific flow.

  C. It tracks the flow continuously and provides updates every 10 seconds.

  D. Its events match all traffic classes in parallel.

  Correct Answer: A

  Reference: https://www.cisco.com/c/en/us/td/docs/security/asa/asa92/configuration/general/asa- general-cli/ monitor-nsel.html

• Question 614:

  An engineer is trying to securely connect to a router and wants to prevent insecure algorithms from being used. However, the connection is failing. Which action should be taken to accomplish this goal?

  A. Disable telnet using the no ip telnet command.

  B. Enable the SSH server using the ip ssh server command.

  C. Configure the port using the ip ssh port 22 command.

  D. Generate the RSA key using the crypto key generate rsa command.

  Correct Answer: D

  In this question, the engineer was trying to secure the connection so maybe he was trying to allow SSH to the device. But maybe something went wrong so the connection was failing (the connection used to be good). So maybe he was missing the "crypto key generate rsa" command.

• Question 615:

  Why would a user choose an on-premises ESA versus the CES solution?

  A. Sensitive data must remain onsite.

  B. Demand is unpredictable.

  C. The server team wants to outsource this service.

  D. ESA is deployed inline.

  Correct Answer: A

• Question 616:

  An engineer configured a new network identity in Cisco Umbrella but must verify that traffic is being routed through the Cisco Umbrella network. Which action tests the routing?

  A. Ensure that the client computers are pointing to the on-premises DNS servers.

  B. Enable the Intelligent Proxy to validate that traffic is being routed correctly.

  C. Add the public IP address that the client computers are behind to a Core Identity.

  D. Browse to http://welcome.umbrella.com/ to validate that the new identity is working.

  Correct Answer: D

• Question 617:

  Which solution combines Cisco IOS and IOS XE components to enable administrators to recognize applications, collect and send network metrics to Cisco Prime and other third-party management tools, and prioritize application traffic?

  A. Cisco Security Intelligence

  B. Cisco Application Visibility and Control

  C. Cisco Model Driven Telemetry

  D. Cisco DNA Center

  Correct Answer: B

  Reference: https://www.cisco.com/c/en/us/td/docs/ios/solutions_docs/avc/guide/avc-user- guide/avc_tech_overview.html

• Question 618:

  What is a feature of the open platform capabilities of Cisco DNA Center?

  A. intent-based APIs

  B. automation adapters

  C. domain integration

  D. application adapters

  Correct Answer: A

  The Cisco DNA Center open platform for intent-based networking provides 360-degree extensibility across multiple components, including:

  ●

  Intent-based APIs

  ●

  Process adapters,

  ●

  Domain adapters,

  ●

  SDKs

• Question 619:

  What are two Detection and Analytics Engines of Cognitive Threat Analytics? (Choose two)

  A. data exfiltration

  B. command and control communication

  C. intelligent proxy

  D. snort

  E. URL categorization

  Correct Answer: AB

  Reference: https://www.cisco.com/c/dam/en/us/products/collateral/security/cognitive-threat- analytics/at-aglance-c45-736555.pdf

• Question 620:

  Which Cisco AMP file disposition valid?

  A. pristine

  B. malware

  C. dirty

  D. non malicious

  Correct Answer: B