Free Practice Questions for Cisco 350-701 Exam

 SaaS stands for Software as a Service, which is a cloud service offering that allows customers to access a web application that is being hosted, managed, and maintained by a cloud service provider. SaaS applications are typically accessed through a web browser or a mobile app, and the customers do not need to install, update, or maintain any software or hardware on their own. SaaS applications can provide various benefits, such as lower upfront costs, faster deployment, scalability, and automatic updates. Some examples of SaaS applications are Gmail, Salesforce, Zoom, and Netflix123.

IaC stands for Infrastructure as Code, which is a method of provisioning and managing cloud resources using code or scripts, rather than manual processes or graphical user interfaces. IaC can help automate and standardize the deployment and configuration of cloud infrastructure, as well as improve consistency, reliability, and security. IaC is not a cloud service offering, but rather a technique or practice that can be used with different cloud service models, such as IaaS or PaaS45.

IaaS stands for Infrastructure as a Service, which is a cloud service offering that provides customers with access to virtualized computing resources, such as servers, storage, networks, and operating systems. IaaS customers can rent or lease these resources from a cloud service provider, and have full control over their configuration and management. IaaS customers are responsible for installing, updating, and maintaining their own applications and middleware on top of the cloud infrastructure. IaaS can provide various benefits, such as flexibility, scalability, cost-effectiveness, and security. Some examples of IaaS providers are Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform .

PaaS stands for Platform as a Service, which is a cloud service offering that provides customers with access to a cloud-based platform that includes the infrastructure, operating system, middleware, and development tools needed to build, deploy, and run applications. PaaS customers can focus on developing and running their own applications, without worrying about the underlying cloud infrastructure or software. PaaS can provide various benefits, such as faster development, scalability, compatibility, and security. Some examples of PaaS providers are Heroku, AWS Elastic Beanstalk, and Google App Engine .

References := 1: IaaS vs. PaaS vs. SaaS | IBM 2: What is SaaS? Software as a service explained | InfoWorld 3: SaaS - Software as a Service | Oracle 4: What is Infrastructure as Code (IaC)? | Red Hat 5: Infrastructure as Code (IaC) | AWS : What is IaaS? Infrastructure as a service explained | InfoWorld : IaaS - Infrastructure as a Service | Oracle : Cloud Computing Services | Google Cloud : What is PaaS? Platform as a service explained | InfoWorld : PaaS - Platform as a Service | Oracle : Cloud Services - Deploy Cloud Apps & APIs | Microsoft Azure

 The Cisco Umbrella roaming client is a cloud-delivered security service for Cisco’s next-generation firewall that protects employees when they are off the VPN. No additional agents are required. Simply enable the Umbrella functionality in the Cisco AnyConnect client. One of the advantages of the Umbrella roaming client is that it provides visibility into IP-based threats by tunneling suspicious IP connections to the Umbrella cloud for inspection and blocking. This way, the roaming client can prevent malware, phishing, and command-and-control callbacks from reaching malicious domains and IPs, regardless of the port or protocol. The Umbrella roaming client also provides DNS-layer security when the VPN is off, and proactive blocking of emerging threats using real-time data analysis. References:

Cisco Umbrella Roaming

3 Benefits of Using Roaming Client with Cisco Umbrella

Secure remote workers with the Cisco Umbrella roaming client

Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0 (Module 5.1.1)

Explanation

Micro-segmentation secures applications by expressly allowing particular application traffic and, by default,

denying all other traffic. Micro-segmentation is the foundation for implementing a zero-trust security model for

application workloads in the data center and cloud.

Cisco Tetration is an application workload security platform designed to secure your compute instances across

any infrastructure and any cloud. To achieve this, it uses behavior and attribute-driven microsegmentation

policy generation and enforcement. It enables trusted access through automated, exhaustive context from

various systems to automatically adapt security policies.

To generate accurate microsegmentation policy, Cisco Tetration performs application dependency mapping to

discover the relationships between different application tiers and infrastructure services. In addition, the

platform supports “what-if” policy analysis using real-time data or historical data to assist in the validation and risk assessment of policy application pre-enforcement to ensure ongoing application availability. The

normalized microsegmentation policy can be enforced through the application workload itself for a consistent approach to workload microsegmentation across any environment, including virtualized, bare-metal, and container workloads running in any public cloud or any data center. Once the microsegmentation policy is enforced, Cisco Tetration continues to monitor for compliance deviations, ensuring the segmentation policy is up to date as the application behavior change.

An active/active FlexVPN configuration allows for multiple routers or VRFs to act as hubs for different VPN groups, providing load balancing and redundancy1. This is useful when the VPN deployment has a large number of spokes or different security policies for different groups of spokes. DMVPN, on the other hand, only supports a single hub or a pair of hubs in active/standby mode for each VPN group2. This limits the scalability and flexibility of DMVPN deployments. Therefore, an engineer would opt for an active/active FlexVPN configuration as opposed to DMVPN when multiple routers or VRFs are required. References :=

Cisco FlexVPN: Benefits and Best Practices

Cisco DMVPN Design Guide

Explanation

The appliance will try once to upload the file; if upload is not successful, for example because of

connectivity problems, the file may not be uploaded. If the failure was because the file analysis server was overloaded, the upload will be attempted once more.

Explanation

Dynamic ARP inspection (DAI) is a security feature that validates ARP packets in a network. It intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings. This capability protects the network from certain man-in-the-middle attacks. After enabling DAI, all ports become untrusted ports.

Data is sent out to the attacker during a DNS tunneling attack as part of the domain name. DNS tunneling is a technique that encodes the data of other protocols or programs in DNS queries and responses. The attacker registers a domain, such as badsite.com, and points it to a server under their control, where a tunneling program is installed. The attacker infects a device with malware, which sends DNS queries to the attacker’s server, using subdomains of badsite.com to encode the data. For example, the malware could send a query for 1234.badsite.com, where 1234 is the encoded data. The attacker’s server decodes the data from the subdomain and sends back a DNS response, which may also contain encoded data in the answer section12. The other options are not correct, because they do not use the domain name to encode the data. The UDP/53 and TCP/53 packet payload and header are used to transport the DNS query and response, but they are not modified by the tunneling technique. The DNS response packet contains the answer to the query, but it is not the only way to send data to the attacker3. References:

1: DNS Tunneling attack - What is it, and how to protect ourselves?

2: What Is DNS Tunneling? - Palo Alto Networks

3: What Are DNS Attacks? - Palo Alto Networks

The kind of API that is used with Cisco DNA Center to provision SSIDs, QoS policies, and update software versions on switches is the Intent API. The Intent API is a category of APIs that allows users to express their desired network outcomes or intents, such as creating a site, adding a device, or deploying a network profile. The Intent API then translates these intents into specific network configurations and commands, and applies them to the relevant network devices and services. The Intent API simplifies and automates the network provisioning and management process, and enables users to focus on the business objectives rather than the technical details. Some examples of Intent APIs are:

Site Management API: This API allows users to create, update, delete, and retrieve sites and buildings in Cisco DNA Center. A site is a logical grouping of network devices and services that share common characteristics, such as location, policies, or functions. A site can have one or more buildings, and a building can have one or more floors. Sites are used to organize and manage the network hierarchy and topology.

Network Settings API: This API allows users to configure and manage network-wide settings, such as global credentials, network discovery, IP address pools, DHCP and DNS servers, and SNMP settings. These settings are applied to all network devices and services that are managed by Cisco DNA Center.

Network Profile API: This API allows users to create, update, delete, and retrieve network profiles in Cisco DNA Center. A network profile is a collection of network settings and policies that define how a network segment or service should operate, such as SSIDs, QoS policies, security policies, and device roles. Network profiles are used to standardize and simplify the network configuration and deployment process, and to ensure consistency and compliance across the network.

Software Image Management API: This API allows users to manage the software images and versions of network devices that are managed by Cisco DNA Center. Users can import, export, delete, and retrieve software images, as well as assign them to network devices or device groups. Users can also schedule and monitor software image updates, and view the software image compliance status of network devices.

Wired 802.1X authentication is a port-based network access control that uses the physical characteristics of the switched LAN infrastructure to authenticate devices attached to a LAN port1. Wired 802.1X authentication requires three components: a supplicant, an authenticator, and an authentication server2. The supplicant is the client device that requests access to the network. The authenticator is the switch port that controls the access to the network based on the authentication result. The authentication server is the server that validates the credentials of the supplicant and sends the authentication result to the authenticator3.

In this question, option A is correct because Cisco Identity Service Engine (ISE) is an example of an authentication server that supports wired 802.1X authentication4. Option C is correct because Cisco Catalyst switch is an example of an authenticator that supports wired 802.1X authentication5. Option B is incorrect because Cisco AnyConnect ISE Posture module is not a supplicant, but a software component that checks the compliance status of the supplicant. Option D is incorrect because Cisco ISE is not an authenticator, but an authentication server. Option E is incorrect because Cisco Prime Infrastructure is not an authentication server, but a network management tool.

 1: Wired 802.1X Deployment Guide - Cisco 2: 802.1X Authenticated Wired Access Overview | Microsoft Learn 3: About 802.1X Authentication - Aruba 4: Cisco Identity Services Engine - Products & Services - Cisco 5: Cisco Catalyst 2960-X Series Switches - Products & Services - Cisco : Cisco AnyConnect Secure Mobility Client Administrator Guide, Release 4.9 - Configure Posture [Cisco AnyConnect Secure Mobility Client] - Cisco : Cisco Prime Infrastructure - Products & Services - Cisco

To route inbound email to Cisco Cloud Email Security (CES), the engineer must modify the MX record of the domain to point to the CES hostname or IP address. The MX record is a DNS record that specifies the mail server responsible for accepting email messages on behalf of a domain name. By changing the MX record, the engineer can direct all incoming email traffic to the CES gateway, where it can be filtered and scanned for threats before being delivered to the Microsoft Office 365 mailboxes. The other options are not relevant for this task. A CNAME record is a DNS record that maps an alias name to a canonical name. An SPF record is a DNS record that identifies the authorized senders of email for a domain. A DKIM record is a DNS record that contains a public key for verifying the digital signature of email messages sent from a domain. References :=

Some possible references for this question are:

Configure Microsoft 365 with Secure Email

Configure Microsoft 365 with Secure Email - More

[Cisco Cloud Email Security - Configuration Guide]