Courseiva
Knowledge + Practice
CertificationsVendorsCareer RoadmapsLabs & ToolsStudy GuidesGlossaryPractice Questions
C
Courseiva

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.

Certification Practice Questions

CCNA practice questionsSecurity+ SY0-701 practice questionsAWS SAA-C03 practice questionsAZ-104 practice questionsAZ-900 practice questionsCLF-C02 practice questionsA+ Core 1 practice questionsGoogle Cloud ACE practice questionsCySA+ CS0-003 practice questionsNetwork+ N10-009 practice questions
View all certifications →

Product

CertificationsCertification PathsExam TopicsPractice TestsExam Dumps vs Practice TestsStudy HubComparisons

Company

AboutContactEditorial PolicyQuestion Writing PolicyTrust Center

Legal

Privacy PolicyTerms of Service

Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

Certifications›350-401›Objectives›Security
Objective 500.020% of exam

Security

350-401 Practice Questions

Use this page to practise Security questions for this certification. Focus on how the exam tests security in scenario format — understanding the why behind each answer builds more durable knowledge than memorising options.

Full Practice Test →All Objectives

What this objective tests

350-401 Security — Key Topics

Security questions on this certification test your ability to deploy and manage security concepts in scenario-based situations.

  • Core Security concepts and how they apply in real-world cloud scenarios.
  • How to deploy security correctly and verify the outcome.
  • Troubleshooting security issues by interpreting error output and system state.
  • Cloud best practices and Security design trade-offs tested by this certification.

Common exam traps

Where candidates lose marks on Security

  • ⚠Selecting the most expensive service when a simpler managed option meets the requirement.
  • ⚠Forgetting that cloud resources must be explicitly secured — defaults are rarely secure.
  • ⚠Choosing a global service fix when the issue is region-specific.
  • ⚠Overlooking cost implications of cross-region data transfer in architecture questions.

350-401 Security — Practice Questions

15 questions from this objective · 20% of your 350-401 exam

Question 2mediummultiple choice
Full question →

A network engineer is configuring port security on a Cisco switch to prevent unauthorized devices from connecting. The requirement is to allow only the first two MAC addresses learned on an interface, and to disable the interface if a violation occurs. Which configuration achieves this?

Question 3easymultiple choice
Study the full AAA explanation →

An organization wants to implement 802.1X authentication on its wired network using Cisco ISE as the authentication server. The switches are configured with the necessary RADIUS settings. Which additional configuration is required on the switch interfaces to enable 802.1X?

Question 4hardmultiple choice
Study the full ACL explanation →

A security engineer is configuring CoPP (Control Plane Policing) on a Cisco router to protect the control plane from DoS attacks. The policy must rate-limit SSH traffic to 1 Mbps with a burst of 2000 bytes, and drop all other traffic destined to the control plane that exceeds a default rate. Which class-map and policy-map configuration is correct?

Question 5mediummultiple choice
Open the full VLAN trunking answer →

A company has deployed a Cisco ASA firewall in transparent mode. The internal network uses VLAN 10 and the external network uses VLAN 20. The ASA is configured with two bridge groups: BVI 10 for inside and BVI 20 for outside. The security policy must allow HTTPS traffic from inside to outside. Which access-list entry is correct?

Question 6hardmultiple choice
Open the full VLAN trunking answer →

A network administrator is troubleshooting a DHCP snooping issue on a Cisco switch. The switch is configured with DHCP snooping globally and on VLAN 10. The trusted interface is GigabitEthernet0/1 connected to the DHCP server. However, clients on VLAN 10 are not receiving IP addresses from the DHCP server. What is the most likely cause?

Question 7mediummulti select
Open the full VLAN trunking answer →

Which TWO of the following are valid methods to mitigate VLAN hopping attacks?

Question 8hardmulti select
Full question →

Which THREE of the following are characteristics of Cisco TrustSec (CTS) security architecture?

Question 9easymultiple choice
Read the full DHCP explanation →

Refer to the exhibit. A network administrator notices that some DHCP packets are being dropped due to 'MAC Address Mismatch'. What is the most likely cause of this drop?

Exhibit

Refer to the exhibit.

Switch# show ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:1A:2B:3C:4D:5E  192.168.1.10     86400       dhcp-snooping   10    GigabitEthernet0/1
00:1A:2B:3C:4D:5F  192.168.1.11     86400       dhcp-snooping   10    GigabitEthernet0/2

Switch# show ip dhcp snooping statistics
Packets Processed by DHCP Snooping   = 100
Packets Dropped Because               = 5
  MAC Address Mismatch                 = 3
  Invalid Server Replies               = 2
Question 10hardmultiple choice
Full question →

Refer to the exhibit. A switch has IP Source Guard (IPSG) and port-security enabled on interface GigabitEthernet0/1. A host with IP 10.1.1.1 and MAC 00:1A:2B:3C:4D:5E is connected and tries to access a web server at 192.168.1.100. What will happen?

Exhibit

Refer to the exhibit.

interface GigabitEthernet0/1
 ip access-group ACL-IN in
 ip verify source port-security
!
ip access-list extended ACL-IN
 permit tcp 10.0.0.0 0.255.255.255 any eq 80
 permit tcp 10.0.0.0 0.255.255.255 any eq 443
 deny ip any any
Question 11mediummultiple choice
Study the full AAA explanation →

A medium-sized enterprise is migrating to a Cisco DNA Center-managed network. The security policy requires that all administrative access to network devices be authenticated via TACACS+ and that authorization for commands be enforced per user role. The network team has configured ISE as the AAA server and integrated it with DNA Center. After configuration, engineers report that they can log in to devices via SSH but are not prompted for a password when entering 'enable' mode; instead, they are granted full privileges immediately. Additionally, while in configuration mode, some engineers can issue 'debug' commands that they should not have access to. The configuration on the devices includes 'aaa new-model', 'aaa authentication login default group tacacs+ local', 'aaa authorization exec default group tacacs+ local', and 'aaa authorization commands 15 default group tacacs+ local'. What is the most likely cause of the privilege escalation and missing authorization?

Question 12easymulti select
Full question →

Which TWO features are part of Cisco TrustSec for providing role-based access control?

Question 13mediummultiple choice
Open the full BGP breakdown →

A network engineer applies the above CoPP policy on a router. The router has BGP peers, SSH management, and SNMP monitoring. After applying this policy, which traffic will be affected?

Network Topology
Access-list for CoPP!Class-mapPolicy-mapApply to control-planeRefer to the exhibit.ip access-list extended COPP_ACLclass-map match-all COPP_CLASSmatch access-group name COPP_ACLpolicy-map COPP_POLICYclass COPP_CLASSpolice cir 8000 bc 1500conform-action transmitexceed-action dropcontrol-planeservice-policy input COPP_POLICY
Question 14hardmultiple choice
Open the full VLAN trunking answer →

Your company has deployed a Cisco Catalyst 9300 switch stack as the distribution layer for a campus network. The network uses VLANs 10 (data), 20 (voice), and 30 (management). The switch stack is configured with DHCP snooping, Dynamic ARP Inspection (DAI), and IP Source Guard (IPSG) on access ports. Recently, users in VLAN 10 report intermittent connectivity issues. You notice that some users receive duplicate IP addresses from the DHCP server. The DHCP server is connected to a trunk port on the switch stack. After reviewing logs, you see that DHCPACK messages are being dropped on the trunk port. The DHCP snooping binding table shows entries for legitimate clients, but also some entries with MAC addresses from a different vendor. Which action should you take to resolve the issue?

Question 15mediumdrag order
Full question →

Drag and drop the steps to configure port security on a Cisco switch in the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5
Question 16mediummatching
Open the full STP breakdown →

Match each Spanning Tree Protocol (STP) variant to its key characteristic.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Original standard, slow convergence

Fast convergence, backward compatible

Multiple spanning trees per VLAN group

Cisco proprietary, per-VLAN STP

Cisco proprietary, per-VLAN RSTP

←

Previous objective

IP SLA

Next objective

AAA, RADIUS, and TACACS+

→

All 350-401 Objectives

  • 100.Architecture15%
  • 101.Enterprise Network Design
  • 102.SD-Access Architecture
  • 103.SD-WAN Architecture
  • 104.QoS Architecture
  • 200.Virtualization10%
  • 201.Network Function Virtualization
  • 202.Virtual Machines and Hypervisors
  • 203.VRF and Path Isolation
  • 300.Infrastructure30%
  • 301.OSPF
  • 302.BGP
  • 303.EIGRP
  • 304.VLANs and Trunking
  • 305.Spanning Tree Protocol
  • 306.EtherChannel
  • 307.Wireless Infrastructure
  • 308.MPLS
  • 309.WAN Technologies
  • 310.NAT and DHCP
  • 311.IP Multicast
  • 312.QoS
  • 400.Network Assurance10%
  • 401.SNMP and Syslog
  • 402.NetFlow and Telemetry
  • 403.SPAN and RSPAN
  • 404.IP SLA
  • 500.Security20%
  • 501.AAA, RADIUS, and TACACS+
  • 502.ACLs and CoPP
  • 503.802.1X and TrustSec
  • 504.VPN Technologies
  • 505.Infrastructure Security
  • 600.Automation15%
  • 601.Python for Network Automation
  • 602.Ansible Automation
  • 603.REST APIs and Data Models
  • 604.Cisco DNA Center
  • 605.Model-Driven Telemetry