Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


CCNP Infrastructure Security • Complete Question Bank

CCNP Infrastructure Security — All Questions With Answers

Complete CCNP Infrastructure Security question bank — all 0 questions with answers and detailed explanations.

58 Questions • Free • No signup
Question 1 • medium • multiple choice

A network engineer is configuring port security on a Cisco switch. The requirement is to allow only the first MAC address that appears on the port to be learned and to automatically disable the port if a violation occurs. The engineer configures 'switchport port-security mac-address sticky' but does not specify a maximum number of secure MAC addresses. After connecting a single host, the port works. However, when the host is replaced with a different device, the port is error-disabled. What is the most likely reason?

Question 2 • hard • multiple choice

An enterprise network uses 802.1X for wired access. The authentication server is a Cisco ISE. Recently, some Windows 10 clients fail to authenticate, while others succeed. The engineer checks the switch configuration and finds 'authentication port-control auto' and 'dot1x pae authenticator' are configured. The failing clients show 'EAP failure' in the logs. The engineer suspects a mismatch in EAP method. Which EAP method is most likely causing the issue if the ISE is configured to require EAP-TLS but the Windows clients are configured for PEAP-MSCHAPv2?

Question 3 • medium • multiple choice

A network engineer is configuring CoPP on a Cisco router to protect the control plane from excessive traffic. The router experiences high CPU utilization due to SSH and SNMP traffic. The engineer creates a class-map to match SSH (TCP/22) and SNMP (UDP/161) and applies a policy-map that polices this traffic to 1 Mbps. After applying the policy, legitimate SSH sessions from the management station start dropping intermittently. What is the most likely cause?

Question 4 • hard • multiple choice

A network engineer is implementing DHCP snooping on a Cisco switch to prevent rogue DHCP servers. The switch has multiple VLANs, and the DHCP server is connected to interface GigabitEthernet0/1 in VLAN 10. The engineer enables DHCP snooping globally and for VLAN 10, then configures 'ip dhcp snooping trust' on GigabitEthernet0/1. However, clients in VLAN 10 are not receiving IP addresses. The engineer checks the DHCP snooping binding table and sees no entries. What is the most likely cause?

Question 5 • medium • multiple choice

A network engineer is configuring dynamic ARP inspection (DAI) on a Cisco switch to prevent ARP spoofing. The switch has DHCP snooping enabled and the DHCP server is trusted. The engineer enables DAI on VLAN 10 and configures 'ip arp inspection trust' on the port connected to the DHCP server. After enabling DAI, some legitimate ARP replies from hosts are being dropped. The engineer checks the DAI statistics and sees 'ARP ACL drops' incrementing. What is the most likely reason?

Question 6 • hard • multiple choice

A network engineer is configuring IPv6 First Hop Security on a Cisco switch to mitigate rogue RA attacks. The engineer enables RA guard on the switch and applies a policy that allows only the default gateway to send RAs. After configuration, hosts are unable to obtain IPv6 addresses via SLAAC. The engineer checks the switch and sees that RA guard is dropping all RAs. What is the most likely cause?

Question 7 • medium • multiple choice

A network engineer is configuring a zone-based firewall (ZBF) on a Cisco router to allow traffic from the inside zone to the outside zone while blocking traffic from outside to inside. The engineer creates zones, assigns interfaces, and configures a policy-map with a class-map that matches all traffic from inside to outside. The engineer applies the policy to the zone-pair inside-to-outside. However, traffic from inside to outside is being dropped. What is the most likely reason?

Question 8 • hard • multiple choice

A network engineer is implementing MACsec on a Cisco switch-to-switch link to provide encryption. Both switches support MACsec and are configured with the same pre-shared key (PSK). The engineer configures 'mka' and 'macsec' on the interfaces. After configuration, the link does not come up, and the engineer sees 'MKA not operational' in the show macsec status. What is the most likely cause?

Question 9 • easy • multiple choice

A network engineer is configuring uRPF (unicast Reverse Path Forwarding) on a Cisco router to prevent spoofed IP traffic. The engineer enables uRPF in strict mode on the ingress interface connected to the internal network. After enabling uRPF, legitimate traffic from internal hosts is being dropped. The engineer checks the routing table and sees that the routes for the internal subnets are present. What is the most likely cause?

Question 10 • medium • multiple choice

A network engineer runs the following command on Router R1:

R1# show ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
10.0.0.2         1   FULL/DR         00:00:38    192.168.1.2     GigabitEthernet0/0
10.0.0.3         1   2WAY/DROTHER   00:00:32    192.168.1.3     GigabitEthernet0/0
10.0.0.4         1   FULL/BDR        00:00:35    192.168.1.4     GigabitEthernet0/0

Based on this output, what can be concluded?

Question 11 • medium • multiple choice

A network engineer runs the following command on Switch SW1:

SW1# show spanning-tree vlan 10

VLAN0010
  Spanning tree enabled protocol ieee
  Root ID    Priority    32778
             Address     0011.2233.4455
             Cost        19
             Port        1 (GigabitEthernet0/1)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32778  (priority 32768 sys-id-ext 10)
             Address     0011.2233.4466
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/1               Root FWD 19        128.1    P2p
Gi0/2               Altn BLK 19        128.2    P2p
Gi0/3               Desg FWD 19        128.3    P2p

Based on this output, what can be concluded?

Question 12 • easy • multiple choice

A network engineer runs the following command on Router R1:

R1# show ip access-lists 101

Extended IP access list 101
    10 permit tcp 192.168.1.0 0.0.0.255 any eq 80 (100 matches)
    20 deny tcp any any eq 23 (50 matches)
    30 permit ip any any (200 matches)

Based on this output, what can be concluded?

Question 13 • medium • multiple choice

A network engineer runs the following command on Router R1:

R1# show ip nat translations

Pro Inside global         Inside local          Outside local         Outside global
--- 203.0.113.10          192.168.1.10          ---                   ---
--- 203.0.113.11          192.168.1.11          ---                   ---
tcp 203.0.113.10:1024     192.168.1.10:1024     198.51.100.5:80       198.51.100.5:80

Based on this output, what can be concluded?

Question 14 • hard • multiple choice

A network engineer runs the following command on Router R1:

R1# show policy-map interface GigabitEthernet0/0

GigabitEthernet0/0

  Service-policy input: QOS_POLICY

    Class-map: VOICE (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: ip dscp ef (46)
      Queueing
      queue limit 64 packets
      (queue depth/total drops/no-buffer drops) 0/0/0
      (pkts output/bytes output) 0/0
      police cir 1000000 bc 31250 be 31250
        conformed 0 bytes; actions: transmit
        exceeded 0 bytes; actions: drop
        violated 0 bytes; actions: drop

    Class-map: class-default (match-any)
      100 packets, 12000 bytes
      5 minute offered rate 8000 bps, drop rate 0 bps
      Match: any
      Queueing
      queue limit 64 packets
      (queue depth/total drops/no-buffer drops) 0/0/0
      (pkts output/bytes output) 100/12000

Based on this output, what can be concluded?

Question 15 • medium • multiple choice

A network engineer runs the following command on Router R1:

R1# show aaa sessions

Total sessions since last reset: 10

Session Id: 5
   Unique Id: 5
   User Name: admin
   IP Address: 192.168.1.100
   Idle Time: 0:00:05
   Timeout: 0:10:00
   Type: SSH
   Method: local

Session Id: 6
   Unique Id: 6
   User Name: neteng
   IP Address: 10.0.0.2
   Idle Time: 0:02:30
   Timeout: 0:10:00
   Type: SSH
   Method: tacacs+

Based on this output, what can be concluded?

Question 16 • easy • multiple choice

A network engineer runs the following command on Router R1:

R1# show vrf brief

Name                             Default RD            Protocols   Interfaces
CUSTOMER_A                       65000:100             ipv4        Gi0/0.100
CUSTOMER_B                       65000:200             ipv4        Gi0/0.200
MANAGEMENT                       65000:999             ipv4        Gi0/1

Based on this output, what can be concluded?

Question 17 • hard • multiple choice

A network engineer runs the following command on Router R1:

R1# show ip bgp summary

BGP router identifier 10.0.0.1, local AS number 65001
BGP table version is 10, main routing table version 10

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
192.168.1.2     4        65002    1024    1020       10    0    0 02:30:15       5
192.168.1.3     4        65003     500     498       10    0    0 00:15:20       3
10.0.0.2        4        65004       0       0        0    0    0 never    Active

Based on this output, what can be concluded?

Question 18 • medium • multiple choice

A network engineer runs the following command on Router R1:

R1# show mpls ldp neighbor

Peer LDP Ident: 10.0.0.2:0; Local LDP Ident 10.0.0.1:0
    TCP connection: 10.0.0.2.646 - 10.0.0.1.49231
    State: Oper; Msgs sent/rcvd: 100/95; Downstream
    Up time: 01:23:45
    LDP discovery sources:
      GigabitEthernet0/0, Src IP addr: 192.168.1.2
    Addresses bound to peer LDP Ident:
      10.0.0.2        192.168.1.2

Based on this output, what can be concluded?

Question 19 • medium • multiple choice

Examine the following interface configuration on a Cisco IOS-XE switch:

```
interface GigabitEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address sticky
```

What is the effect of this configuration?

Question 20 • medium • multiple choice

Consider the following configuration on a Cisco IOS-XE router:

```
ip access-list extended BLOCK_SSH
 deny tcp any any eq 22
 permit ip any any
!
line vty 0 4
 access-class BLOCK_SSH in
```

Which statement is true about this configuration?

Question 21 • medium • multiple choice

Examine the following CoPP configuration on a Cisco IOS-XE router:

```
class-map match-all CONTROL-PLANE
 match access-group name COPP-ACL
!
policy-map COPP-POLICY
 class CONTROL-PLANE
  police 1000000 200000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input COPP-POLICY
```

What is the effect of this configuration?

Question 22 • medium • multiple choice

Consider the following DHCP snooping configuration on a Cisco IOS-XE switch:

```
ip dhcp snooping
ip dhcp snooping vlan 10
interface GigabitEthernet0/1
 ip dhcp snooping trust
!
interface GigabitEthernet0/2
 ip dhcp snooping limit rate 10
```

Which statement is true?

Question 23 • medium • multiple choice

Examine the following BGP configuration on a Cisco IOS-XE router:

```
router bgp 65000
 bgp default local-preference 150
 neighbor 10.1.1.1 remote-as 65001
 neighbor 10.1.1.1 password cisco123
 neighbor 10.1.1.1 route-map SET-MED out
!
route-map SET-MED permit 10
 set metric 50
```

What is the effect of the route-map on outbound updates to 10.1.1.1?

Question 24 • medium • multiple choice

Consider the following IPv6 access-list on a Cisco IOS-XE router:

```
ipv6 access-list PERMIT_ICMP
 permit icmp any any echo-request
 permit icmp any any echo-reply
 deny ipv6 any any
!
interface GigabitEthernet0/0
 ipv6 traffic-filter PERMIT_ICMP in
```

What is the effect of this configuration?

Question 25 • easy • multiple choice

What is the default OSPF hello interval on an Ethernet link in a Cisco router?

Question 26 • medium • multiple choice

Which BGP attribute is used as the first tie-breaker when multiple paths are available and the weight is equal?

Question 27 • easy • multiple choice

What is the maximum hop count for EIGRP?

Question 28 • medium • drag order

Drag and drop the steps of Cisco IBNS 2.0 policy configuration into the correct order, from first to last.

Question 29 • medium • drag order

Drag and drop the steps of configuring a Cisco IOS Zone-Based Firewall (ZBFW) into the correct order, from first to last.

Question 30 • medium • drag order

Drag and drop the steps of configuring Control Plane Policing (CoPP) on a Cisco IOS router into the correct order, from first to last.

Question 31 • medium • drag order

Drag and drop the steps of Control Plane Policing (CoPP) rate-limit evaluation into the correct order, from first to last.

Question 32 • medium • drag order

Drag and drop the steps of Cisco DHCP snooping binding table population into the correct order, from first to last.

Question 33 • medium • drag order

Drag and drop the steps of Dynamic ARP Inspection (DAI) packet validation into the correct order, from first to last.

Question 34 • medium • drag order

Drag and drop the steps of IP Source Guard binding and enforcement into the correct order, from first to last.

Question 35 • medium • drag order

Drag and drop the steps of Unicast Reverse Path Forwarding (uRPF) check process into the correct order, from first to last.

Question 36 • medium • drag order

Drag and drop the steps of Control Plane Policing (CoPP) rate-limit evaluation into the correct order, from first to last.

Question 37 • medium • drag order

Drag and drop the steps of Cisco DHCP snooping binding table population into the correct order, from first to last.

Question 38 • medium • drag order

Drag and drop the steps of Dynamic ARP Inspection (DAI) packet validation into the correct order, from first to last.

Question 39 • medium • drag order

Drag and drop the steps of IP Source Guard binding and enforcement into the correct order, from first to last.

Question 40 • medium • drag order

Drag and drop the steps of Unicast Reverse Path Forwarding (uRPF) check process into the correct order, from first to last.

Question 41 • medium • matching

Drag and drop each Layer 2 attack on the left to its matching mitigation feature on the right.

Question 42 • medium • matching

Drag and drop each Control plane protection feature on the left to its matching threat on the right.

Question 43 • medium • matching

Drag and drop each AAA service on the left to its matching protocol on the right.

Question 44 • medium • matching

Drag and drop each Cisco security feature on the left to its matching OSI layer on the right.

Question 45 • medium • matching

Drag and drop each infrastructure hardening technique on the left to its matching configuration command on the right.

Question 46 • medium • matching

Drag and drop each Layer 2 attack on the left to its matching mitigation feature on the right.

Question 47 • medium • matching

Drag and drop each Control plane protection feature on the left to its matching threat on the right.

Question 48 • medium • matching

Drag and drop each AAA service on the left to its matching protocol on the right.

Question 49 • medium • matching

Drag and drop each Cisco security feature on the left to its matching OSI layer on the right.

Question 50 • medium • matching

Drag and drop each infrastructure hardening technique on the left to its matching configuration command on the right.

Question 51 • medium • multi select

Which two statements about BGP TTL security are true? (Choose two.)

Question 52 • medium • multi select

Which three statements about DHCP snooping are true? (Choose three.)

Question 53 • hard • multi select

Which two statements about IP Source Guard are true? (Choose two.)

Question 54 • hard • multi select

Which three statements about dynamic ARP inspection (DAI) are true? (Choose three.)

Question 55 • medium • multi select

Which two statements about 802.1X port-based authentication on a Cisco switch are true? (Choose two.)

Question 56 • hard • multi select

Which three statements about DHCP snooping are true? (Choose three.)

Question 57 • medium • multi select

Which two statements about IP Source Guard are true? (Choose two.)

Question 58 • hard • multi select

Which three statements about Control Plane Policing (CoPP) are true? (Choose three.)
