Practice 350-401 Infrastructure Security questions with full explanations on every answer.
1. A network engineer is configuring port security on a Cisco switch. The requirement is to allow only the first MAC address that appears on the port to be learned and to automatically disable the port if a violation occurs. The engineer configures 'switchport port-security mac-address sticky' but does not specify a maximum number of secure MAC addresses. After connecting a single host, the port works. However, when the host is replaced with a different device, the port is error-disabled. What is the most likely reason?
2. An enterprise network uses 802.1X for wired access. The authentication server is a Cisco ISE. Recently, some Windows 10 clients fail to authenticate, while others succeed. The engineer checks the switch configuration and finds 'authentication port-control auto' and 'dot1x pae authenticator' are configured. The failing clients show 'EAP failure' in the logs. The engineer suspects a mismatch in EAP method. Which EAP method is most likely causing the issue if the ISE is configured to require EAP-TLS but the Windows clients are configured for PEAP-MSCHAPv2?
3. A network engineer is configuring CoPP on a Cisco router to protect the control plane from excessive traffic. The router experiences high CPU utilization due to SSH and SNMP traffic. The engineer creates a class-map to match SSH (TCP/22) and SNMP (UDP/161) and applies a policy-map that polices this traffic to 1 Mbps. After applying the policy, legitimate SSH sessions from the management station start dropping intermittently. What is the most likely cause?
4. A network engineer is implementing DHCP snooping on a Cisco switch to prevent rogue DHCP servers. The switch has multiple VLANs, and the DHCP server is connected to interface GigabitEthernet0/1 in VLAN 10. The engineer enables DHCP snooping globally and for VLAN 10, then configures 'ip dhcp snooping trust' on GigabitEthernet0/1. However, clients in VLAN 10 are not receiving IP addresses. The engineer checks the DHCP snooping binding table and sees no entries. What is the most likely cause?
5. A network engineer is configuring dynamic ARP inspection (DAI) on a Cisco switch to prevent ARP spoofing. The switch has DHCP snooping enabled and the DHCP server is trusted. The engineer enables DAI on VLAN 10 and configures 'ip arp inspection trust' on the port connected to the DHCP server. After enabling DAI, some legitimate ARP replies from hosts are being dropped. The engineer checks the DAI statistics and sees 'ARP ACL drops' incrementing. What is the most likely reason?
6. A network engineer is configuring IPv6 First Hop Security on a Cisco switch to mitigate rogue RA attacks. The engineer enables RA guard on the switch and applies a policy that allows only the default gateway to send RAs. After configuration, hosts are unable to obtain IPv6 addresses via SLAAC. The engineer checks the switch and sees that RA guard is dropping all RAs. What is the most likely cause?
7. A network engineer is configuring a zone-based firewall (ZBF) on a Cisco router to allow traffic from the inside zone to the outside zone while blocking traffic from outside to inside. The engineer creates zones, assigns interfaces, and configures a policy-map with a class-map that matches all traffic from inside to outside. The engineer applies the policy to the zone-pair inside-to-outside. However, traffic from inside to outside is being dropped. What is the most likely reason?
8. A network engineer is implementing MACsec on a Cisco switch-to-switch link to provide encryption. Both switches support MACsec and are configured with the same pre-shared key (PSK). The engineer configures 'mka' and 'macsec' on the interfaces. After configuration, the link does not come up, and the engineer sees 'MKA not operational' in the show macsec status. What is the most likely cause?
9. A network engineer is configuring uRPF (unicast Reverse Path Forwarding) on a Cisco router to prevent spoofed IP traffic. The engineer enables uRPF in strict mode on the ingress interface connected to the internal network. After enabling uRPF, legitimate traffic from internal hosts is being dropped. The engineer checks the routing table and sees that the routes for the internal subnets are present. What is the most likely cause?
10. A network engineer runs the following command on Router R1:
```
R1# show ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
10.0.0.2          1   FULL/DR         00:00:38    192.168.1.2     GigabitEthernet0/0
10.0.0.3          1   2WAY/DROTHER    00:00:32    192.168.1.3     GigabitEthernet0/0
10.0.0.4          1   FULL/BDR        00:00:35    192.168.1.4     GigabitEthernet0/0
```
Based on this output, what can be concluded?
11. A network engineer runs the following command on Switch SW1:
```
SW1# show spanning-tree vlan 10
VLAN0010
  Spanning tree enabled protocol ieee
  Root ID    Priority    32778
             Address     0011.2233.4455
             Cost        19
             Port        1 (GigabitEthernet0/1)
             Hello Time 2 sec  Max Age 20 sec  Forward Delay 15 sec
  Bridge ID  Priority    32778 (priority 32768 sys-id-ext 10)
             Address     0011.2233.4466
             Hello Time 2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300 sec
Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/1               Root FWD 19        128.1    P2p
Gi0/2               Altn BLK 19        128.2    P2p
Gi0/3               Desg FWD 19        128.3    P2p
```
Based on this output, what can be concluded?
12. A network engineer runs the following command on Router R1:
```
R1# show ip access-lists 101
Extended IP access list 101
    10 permit tcp 192.168.1.0 0.0.0.255 any eq 80 (100 matches)
    20 deny tcp any any eq 23 (50 matches)
    30 permit ip any any (200 matches)
```
Based on this output, what can be concluded?
13. A network engineer runs the following command on Router R1:
```
R1# show ip nat translations
Pro  Inside global       Inside local        Outside local     Outside global
---  203.0.113.10        192.168.1.10        ---               ---
---  203.0.113.11        192.168.1.11        ---               ---
tcp  203.0.113.10:1024   192.168.1.10:1024   198.51.100.5:80   198.51.100.5:80
```
Based on this output, what can be concluded?
14. A network engineer runs the following command on Router R1:
```
R1# show policy-map interface GigabitEthernet0/0
 GigabitEthernet0/0
  Service-policy input: QOS_POLICY
    Class-map: VOICE (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: ip dscp ef (46)
      Queueing
      queue limit 64 packets
      (queue depth/total drops/no-buffer drops) 0/0/0
      (pkts output/bytes output) 0/0
      police cir 1000000 bc 31250 be 31250
        conformed 0 bytes; actions: transmit
        exceeded 0 bytes; actions: drop
        violated 0 bytes; actions: drop
    Class-map: class-default (match-any)
      100 packets, 12000 bytes
      5 minute offered rate 8000 bps, drop rate 0 bps
      Match: any
      Queueing
      queue limit 64 packets
      (queue depth/total drops/no-buffer drops) 0/0/0
      (pkts output/bytes output) 100/12000
```
Based on this output, what can be concluded?
15. A network engineer runs the following command on Router R1:
```
R1# show aaa sessions
Total sessions since last reset: 10
Session Id: 5
   Unique Id: 5
   User Name: admin
   IP Address: 192.168.1.100
   Idle Time: 0:00:05
   Timeout: 0:10:00
   Type: SSH
   Method: local
Session Id: 6
   Unique Id: 6
   User Name: neteng
   IP Address: 10.0.0.2
   Idle Time: 0:02:30
   Timeout: 0:10:00
   Type: SSH
   Method: tacacs+
```
Based on this output, what can be concluded?
16. A network engineer runs the following command on Router R1:
```
R1# show vrf brief
  Name          Default RD    Protocols   Interfaces
  CUSTOMER_A    65000:100     ipv4        Gi0/0.100
  CUSTOMER_B    65000:200     ipv4        Gi0/0.200
  MANAGEMENT    65000:999     ipv4        Gi0/1
```
Based on this output, what can be concluded?
17. A network engineer runs the following command on Router R1:
```
R1# show ip bgp summary
BGP router identifier 10.0.0.1, local AS number 65001
BGP table version is 10, main routing table version 10
Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
192.168.1.2     4 65002    1024    1020       10    0    0 02:30:15 5
192.168.1.3     4 65003     500     498       10    0    0 00:15:20 3
10.0.0.2        4 65004       0       0        0    0    0 never    Active
```
Based on this output, what can be concluded?
18. A network engineer runs the following command on Router R1:
```
R1# show mpls ldp neighbor
    Peer LDP Ident: 10.0.0.2:0; Local LDP Ident 10.0.0.1:0
        TCP connection: 10.0.0.2.646 - 10.0.0.1.49231
        State: Oper; Msgs sent/rcvd: 100/95; Downstream
        Up time: 01:23:45
        LDP discovery sources:
          GigabitEthernet0/0, Src IP addr: 192.168.1.2
        Addresses bound to peer LDP Ident:
          10.0.0.2        192.168.1.2
```
Based on this output, what can be concluded?
19. Examine the following interface configuration on a Cisco IOS-XE switch:
```
interface GigabitEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address sticky
```
What is the effect of this configuration?
20. Consider the following configuration on a Cisco IOS-XE router:
```
ip access-list extended BLOCK_SSH
 deny tcp any any eq 22
 permit ip any any
!
line vty 0 4
 access-class BLOCK_SSH in
```
Which statement is true about this configuration?
21. Examine the following CoPP configuration on a Cisco IOS-XE router:
```
class-map match-all CONTROL-PLANE
 match access-group name COPP-ACL
!
policy-map COPP-POLICY
 class CONTROL-PLANE
  police 1000000 200000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input COPP-POLICY
```
What is the effect of this configuration?
22. Consider the following DHCP snooping configuration on a Cisco IOS-XE switch:
```
ip dhcp snooping
ip dhcp snooping vlan 10
interface GigabitEthernet0/1
 ip dhcp snooping trust
!
interface GigabitEthernet0/2
 ip dhcp snooping limit rate 10
```
Which statement is true?
23. Examine the following BGP configuration on a Cisco IOS-XE router:
```
router bgp 65000
 bgp default local-preference 150
 neighbor 10.1.1.1 remote-as 65001
 neighbor 10.1.1.1 password cisco123
 neighbor 10.1.1.1 route-map SET-MED out
!
route-map SET-MED permit 10
 set metric 50
```
What is the effect of the route-map on outbound updates to 10.1.1.1?
24. Consider the following IPv6 access-list on a Cisco IOS-XE router:
```
ipv6 access-list PERMIT_ICMP
 permit icmp any any echo-request
 permit icmp any any echo-reply
 deny ipv6 any any
!
interface GigabitEthernet0/0
 ipv6 traffic-filter PERMIT_ICMP in
```
What is the effect of this configuration?
25. What is the default OSPF hello interval on an Ethernet link in a Cisco router?
26. Which BGP attribute is used as the first tie-breaker when multiple paths are available and the weight is equal?
27. What is the maximum hop count for EIGRP?
28. Drag and drop the steps of Cisco IBNS 2.0 policy configuration into the correct order, from first to last.
29. Drag and drop the steps of configuring a Cisco IOS Zone-Based Firewall (ZBFW) into the correct order, from first to last.
30. Drag and drop the steps of configuring Control Plane Policing (CoPP) on a Cisco IOS router into the correct order, from first to last.
31. Drag and drop the steps of Control Plane Policing (CoPP) rate-limit evaluation into the correct order, from first to last.
32. Drag and drop the steps of Cisco DHCP snooping binding table population into the correct order, from first to last.
33. Drag and drop the steps of Dynamic ARP Inspection (DAI) packet validation into the correct order, from first to last.
34. Drag and drop the steps of IP Source Guard binding and enforcement into the correct order, from first to last.
35. Drag and drop the steps of Unicast Reverse Path Forwarding (uRPF) check process into the correct order, from first to last.
36. Drag and drop the steps of Control Plane Policing (CoPP) rate-limit evaluation into the correct order, from first to last.
37. Drag and drop the steps of Cisco DHCP snooping binding table population into the correct order, from first to last.
38. Drag and drop the steps of Dynamic ARP Inspection (DAI) packet validation into the correct order, from first to last.
39. Drag and drop the steps of IP Source Guard binding and enforcement into the correct order, from first to last.
40. Drag and drop the steps of Unicast Reverse Path Forwarding (uRPF) check process into the correct order, from first to last.
41. Drag and drop each Layer 2 attack on the left to its matching mitigation feature on the right.
42. Drag and drop each Control plane protection feature on the left to its matching threat on the right.
43. Drag and drop each AAA service on the left to its matching protocol on the right.
44. Drag and drop each Cisco security feature on the left to its matching OSI layer on the right.
45. Drag and drop each infrastructure hardening technique on the left to its matching configuration command on the right.
46. Drag and drop each Layer 2 attack on the left to its matching mitigation feature on the right.
47. Drag and drop each Control plane protection feature on the left to its matching threat on the right.
48. Drag and drop each AAA service on the left to its matching protocol on the right.
49. Drag and drop each Cisco security feature on the left to its matching OSI layer on the right.
50. Drag and drop each infrastructure hardening technique on the left to its matching configuration command on the right.
51. Which two statements about BGP TTL security are true? (Choose two.)
52. Which three statements about DHCP snooping are true? (Choose three.)
53. Which two statements about IP Source Guard are true? (Choose two.)
54. Which three statements about dynamic ARP inspection (DAI) are true? (Choose three.)
55. Which two statements about 802.1X port-based authentication on a Cisco switch are true? (Choose two.)
56. Which three statements about DHCP snooping are true? (Choose three.)
57. Which two statements about IP Source Guard are true? (Choose two.)
58. Which three statements about Control Plane Policing (CoPP) are true? (Choose three.)
The Infrastructure Security domain covers the key concepts tested in this area of the 350-401 exam blueprint published by Cisco. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all 350-401 domains — no account required.
The Courseiva 350-401 question bank contains 58 questions in the Infrastructure Security domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Infrastructure Security domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.