Download Implementing and Operating Cisco Security Core Technologies.350-701.PassLeader.2025-05-14.620q.vcex

Vendor: Cisco
Exam Code: 350-701
Exam Name: Implementing and Operating Cisco Security Core Technologies
Date: May 14, 2025
File Size: 23 MB
Downloads: 1
Download Exam

How to open VCEX files?

Files with VCEX extension can be opened by ProfExam Simulator.

Download
ProfExam Simulator

Purchase
Coupon: EXAMFILESCOM

Discount: 20%

ProfExam Simulator ProfExam Simulator ProfExam Simulator ProfExam Simulator ProfExam Simulator
ProfExam Discount

Demo Questions

Question 1
Which command enables 802.1X globally on a Cisco switch? 
 
  1. dot1x system-auth-control 
  2. dot1x pae authenticator 
  3. authentication port-control auto 
  4. aaa new-model  
Correct answer: A
Question 2
What is the function of Cisco Cloudlock for data security? 
 
  1. data loss prevention 
  2. controls malicious cloud apps 
  3. detects anomalies 
  4. user and entity behavior analytics  
Correct answer: A
Question 3
For which two conditions can an endpoint be checked using ISE posture assessment? (Choose two.) 
 
  1. computer identity 
  2. Windows service 
  3. user identity 
  4. Windows firewall 
  5. default browser  
Correct answer: BD
Question 4
What is a characteristic of Dynamic ARP Inspection? 
  1. DAI determines the validity of an ARP packet based on valid IP to MAC address bindings from the DHCP snooping binding database. 
  2. In a typical network, make all ports as trusted except for the ports connecting to switches, which are untrusted. 
  3. DAI associates a trust state with each switch. 
  4. DAI intercepts all ARP requests and responses on trusted ports only.  
Correct answer: A
Explanation:
Dynamic ARP Inspection To prevent ARP poisoning attacks such as the one described in the previous section, a switch must ensure that only valid ARP requests and responses are relayed. DAI prevents these attacks by intercepting all ARP requests and responses. Each of these intercepted packets is verified for valid MAC address to IP address bindings before the local ARP cache is updated or the packet is forwarded to the appropriate destination. Invalid ARP packets are dropped.  DAI determines the validity of an ARP packet based on valid MAC address to IP address bindings stored in a trusted database. This database is built at runtime by DHCP snooping, provided that it is enabled on the VLANs and on the switch in question. In addition, DAI can also validate ARP packets against user-configured ARP ACLs in order to handle hosts that use statically configured IP addresses.  DAI can also be configured to drop ARP packets when the IP addresses in the packet are invalid or when the MAC addresses in the body of the ARP packet do not match the addresses specified in the Ethernet header. 
Dynamic ARP Inspection 
To prevent ARP poisoning attacks such as the one described in the previous section, a switch must ensure that only valid ARP requests and responses are relayed. DAI prevents these attacks by intercepting all ARP requests and responses. Each of these intercepted packets is verified for valid MAC address to IP address bindings before the local ARP cache is updated or the packet is forwarded to the appropriate destination. Invalid ARP packets are dropped.  
DAI determines the validity of an ARP packet based on valid MAC address to IP address bindings stored in a trusted database. This database is built at runtime by DHCP snooping, provided that it is enabled on the VLANs and on the switch in question. In addition, DAI can also validate ARP packets against user-configured ARP ACLs in order to handle hosts that use statically configured IP addresses.  
DAI can also be configured to drop ARP packets when the IP addresses in the packet are invalid or when the MAC addresses in the body of the ARP packet do not match the addresses specified in the Ethernet header. 
Question 5
Which Cisco product provides proactive endpoint protection and allows administrators to centrally manage the deployment? 
 
  1. NGFW 
  2. AMP 
  3. WSA 
  4. ESA  
Correct answer: B
Explanation:
 
 
Question 6
Where are individual sites specified to be blacklisted in Cisco Umbrella? 
  1. application settings
  2. content categories 
  3. security settings 
  4. destination lists  
Correct answer: D
Explanation:
To block a URL, simply enter it into a blocked destination list, or create a new blocked destination list just for URLs. To do this, navigate to Policies > Destination Lists, expand a Destination list, add a URL and then click Save. Reference:https://support.umbrella.com/hc/en-us/articles/115004518146-Umbrella-Dashboard-New-Features-Custom-blocked-URLs 
To block a URL, simply enter it into a blocked destination list, or create a new blocked destination list just for URLs. To do this, navigate to Policies > Destination Lists, expand a Destination list, add a URL and then click Save. 
Reference:
https://support.umbrella.com/hc/en-us/articles/115004518146-Umbrella-Dashboard-New-Features-Custom-blocked-URLs 
Question 7
Which statement about IOS zone-based firewalls is true? 
  1. An unassigned interface can communicate with assigned interfaces 
  2. Only one interface can be assigned to a zone. 
  3. An interface can be assigned to multiple zones. 
  4. An interface can be assigned only to one zone.  
Correct answer: D
Question 8
Which ID store requires that a shadow user be created on Cisco ISE for the admin login to work? 
  1. RSA SecureID 
  2. Internal Database 
  3. Active Directory 
  4. LDAP  
Correct answer: A
Explanation:
In Cisco ISE, you can authenticate administrators via an external identity store such as Active Directory, LDAP, or RSA SecureID. There are two models you can use to provide authentication via an external identity store: External Authentication and Authorization: There are no credentials that are specified in the local Cisco ISE database for the administrator, and authorization is based on external identity store group membership only. This model is used for Active Directory and LDAP authentication. External Authentication and Internal Authorization: The administrator’s authentication credentials come from the external identity source, and authorization and administrator role assignment take place using the local Cisco ISE database. This model is used for RSA SecurID authentication. This method requires you to configure the same username in both the external identity store and the local Cisco ISE database. Source: https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/admin_guide/b_ise_admin_guide_23/b_ise_admin_guide_23_chapter_011010.html Scroll down to: "Administrative Access to Cisco ISE Using an External Identity Store" 
In Cisco ISE, you can authenticate administrators via an external identity store such as Active Directory, LDAP, or RSA SecureID. There are two models you can use to provide authentication via an external identity store: 
External Authentication and Authorization: There are no credentials that are specified in the local Cisco ISE database for the administrator, and authorization is based on external identity store group membership only. This model is used for Active Directory and LDAP authentication. 
External Authentication and Internal Authorization: The administrator’s authentication credentials come from the external identity source, and authorization and administrator role assignment take place using the local Cisco ISE database. This model is used for RSA SecurID authentication. 
This method requires you to configure the same username in both the external identity store and the local Cisco ISE database. 
Source: https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/admin_guide/b_ise_admin_guide_23/b_ise_admin_guide_23_chapter_011010.html 
Scroll down to: "Administrative Access to Cisco ISE Using an External Identity Store" 
Question 9
Which VPN technology can support a multivendor environment and secure traffic between sites? 
 
  1. SSL VPN 
  2. GET VPN 
  3. FlexVPN 
  4. DMVPN  
Correct answer: C
Explanation:
Third-party compatibility: As the IT world transitions to cloud- and mobile-based computing, more and more VPN routers and VPN endpoints from different vendors are required. The Cisco IOS FlexVPN solution provides compatibility with any IKEv2-based third-party VPN vendors, including native VPN clients from Apple iOS and Android devices. 
Third-party compatibility: As the IT world transitions to cloud- and mobile-based computing, more and more VPN routers and VPN endpoints from different vendors are required. The Cisco IOS FlexVPN solution provides compatibility with any IKEv2-based third-party VPN vendors, including native VPN clients from Apple iOS and Android devices. 
Question 10
Which SNMPv3 configuration must be used to support the strongest security possible? 
 
  1. asa-host(config)#snmp-server group myv3 v3 priv  
    asa-host(config)#snmp-server user andy myv3 auth sha cisco priv des ciscXXXXXXXX  
    asa-host(config)#snmp-server host inside 10.255.254.1 version 3 andy 
  2. asa-host(config)#snmp-server group myv3 v3 noauth  
    asa-host(config)#snmp-server user andy myv3 auth sha cisco priv aes 256 ciscXXXXXXXX 
    asa-host(config)#snmp-server host inside 10.255.254.1 version 3 andy 
  3. asa-host(config)#snmp-server group myv3 v3 noauth  
    asa-host(config)#snmp-server user andy myv3 auth sha cisco priv 3des ciscXXXXXXXX  
    asa-host(config)#snmp-server host inside 10.255.254.1 version 3 andy 
  4. asa-host(config)#snmp-server group myv3 v3 priv  
    asa-host(config)#snmp-server user andy myv3 auth sha cisco priv aes 256 ciscXXXXXXXX 
    asa-host(config)#snmp-server host inside 10.255.254.1 version 3 andy 
Correct answer: D
Explanation:
AES allows you to choose a 128-bit, 192-bit or 256-bit key, making it exponentially stronger than the 56-bit key of DES.    
AES allows you to choose a 128-bit, 192-bit or 256-bit key, making it exponentially stronger than the 56-bit key of DES. 
 
 
CONNECT US
HOW TO OPEN VCE FILES

Use VCE Exam Simulator to open VCE files
Avanaset

HOW TO OPEN VCEX AND EXAM FILES

Use ProfExam Simulator to open VCEX and EXAM files
ProfExam Screen

ProfExam
ProfExam at a 20% markdown

You have the opportunity to purchase ProfExam at a 20% reduced price

Get Now!