Cisco CCNP Security 350-701 Questions & Answers

• Question 531:

  Which statement about IOS zone-based firewalls is true?

  A. An unassigned interface can communicate with assigned interfaces

  B. Only one interface can be assigned to a zone.

  C. An interface can be assigned to multiple zones.

  D. An interface can be assigned only to one zone.

  Correct Answer: D

  https://www.cisco.com/c/en/us/support/docs/security/ios-firewall/98628-zone-design-guide.html

• Question 532:

  Refer to the exhibit.

  

  An engineer configured wired 802.1x on the network and is unable to get a laptop to authenticate. Which port configuration is missing?

  A. authentication open

  B. dotlx reauthentication

  C. cisp enable

  D. dot1x pae authenticator

  Correct Answer: D

• Question 533:

  An MDM provides which two advantages to an organization with regards to device management? (Choose two)

  A. asset inventory management

  B. allowed application management

  C. Active Directory group policy management

  D. network device management

  E. critical device management

  Correct Answer: AB

• Question 534:

  A malicious user gained network access by spoofing printer connections that were authorized using MAB on four different switch ports at the same time. What two catalyst switch security features will prevent further violations? (Choose two)

  A. DHCP Snooping

  B. 802.1AE MacSec

  C. Port security

  D. IP Device track

  E. Dynamic ARP inspection

  F. Private VLANs

  Correct Answer: AE

• Question 535:

  Which technology must be used to implement secure VPN connectivity among company branches over a private IP cloud with any-to-any scalable connectivity?

  A. DMVPN

  B. FlexVPN

  C. IPsec DVTI

  D. GET VPN

  Correct Answer: D

  Reference: https://www.cisco.com/c/dam/en/us/products/collateral/security/group- encrypted-transport-vpn/GETVPN_DIG_version_2_0_External.pdf

• Question 536:

  Which solution protects hybrid cloud deployment workloads with application visibility and segmentation?

  A. Nexus

  B. Stealthwatch

  C. Firepower

  D. Tetration

  Correct Answer: D

• Question 537:

  What provides the ability to program and monitor networks from somewhere other than the DNAC GUI?

  A. NetFlow

  B. desktop client

  C. ASDM

  D. API

  Correct Answer: D

• Question 538:

  Under which two circumstances is a CoA issued? (Choose two)

  A. A new authentication rule was added to the policy on the Policy Service node.

  B. An endpoint is deleted on the Identity Service Engine server.

  C. C. A new Identity Source Sequence is created and referenced in the authentication policy.

  D. An endpoint is profiled for the first time.

  E. A new Identity Service Engine server is added to the deployment with the Administration persona

  Correct Answer: BD

  The profiling service issues the change of authorization in the following cases:?Endpoint deleted--When an endpoint is deleted from the Endpoints page and the endpoint is disconnectedor removed from the network.An exception action is configured--If you have an exception action configured per profile that leads to anunusual or an unacceptable event from that endpoint. The profiling service moves the endpoint to thecorresponding static profile by issuing a CoA.?An endpoint is profiled for the first time--When an endpoint is not statically assigned and profiled for the first time; for example, the profile changes from an unknown to a known profile.+ An endpoint identity group has changed--When an endpoint is added or removed from an endpoint identity group that is used by an authorization policy.The profiling service issues a CoA when there is any change in an endpoint identity group, and the endpoint identity group is used in the authorization policy for the following: Reference: https://www.cisco.com/c/en/us/td/docs/security/ise/2- 1/admin_guide/b_ise_admin_guide_21/b_ise_admin_guide_20_chapter_010100.html

• Question 539:

  Refer to the exhibit.

  

  A network administrator configured a site-to-site VPN tunnel between two Cisco IOS routers, and hosts are unable to communicate between two sites of VPN. The network administrator runs the debug crypto isakmp sa command to track VPN status. What is the problem according to this command output?

  A. hashing algorithm mismatch

  B. encryption algorithm mismatch

  C. authentication key mismatch

  D. interesting traffic was not applied

  Correct Answer: C

• Question 540:

  What is the difference between deceptive phishing and spear phishing?

  A. Deceptive phishing is an attacked aimed at a specific user in the organization who holds a C-level role.

  B. A spear phishing campaign is aimed at a specific person versus a group of people.

  C. Spear phishing is when the attack is aimed at the C-level executives of an organization.

  D. Deceptive phishing hijacks and manipulates the DNS server of the victim and redirects the user to a false webpage.

  Correct Answer: B

  In deceptive phishing, fraudsters impersonate a legitimate company in an attempt to steal people's personal data or login credentials. Those emails frequently use threats and a sense of urgency to scare users into doing what the attackers want. Spear phishing is carefully designed to get a single recipient to respond. Criminals select an individual target within an organization, using social media and other public information ?and craft a fake email tailored for that person.