20+ practice questions focused on Infrastructure Security — one of the most tested topics on the ENCOR 350-401 exam. Each question includes a detailed explanation so you learn why the right answer is correct.
A network engineer is configuring port security on a Cisco switch. The requirement is to allow only the first MAC address that appears on the port to be learned and to automatically disable the port if a violation occurs. The engineer configures 'switchport port-security mac-address sticky' but does not specify a maximum number of secure MAC addresses. After connecting a single host, the port works. However, when the host is replaced with a different device, the port is error-disabled. What is the most likely reason?
Explanation: The sticky command learns MAC addresses dynamically and stores them in the running configuration. By default, the maximum number of secure MAC addresses is 1. When a new device is connected, its MAC address is different, causing a violation. The default violation mode is 'shutdown', which error-disables the port. Option A is correct because the sticky feature does not change the default maximum count. Option B is incorrect because sticky does not require a specific maximum; it uses the default. Option C is incorrect because the violation mode is shutdown by default, not restrict. Option D is incorrect because aging is not configured and does not cause this behavior.
An enterprise network uses 802.1X for wired access. The authentication server is a Cisco ISE. Recently, some Windows 10 clients fail to authenticate, while others succeed. The engineer checks the switch configuration and finds 'authentication port-control auto' and 'dot1x pae authenticator' are configured. The failing clients show 'EAP failure' in the logs. The engineer suspects a mismatch in EAP method. Which EAP method is most likely causing the issue if the ISE is configured to require EAP-TLS but the Windows clients are configured for PEAP-MSCHAPv2?
Explanation: EAP-TLS requires a client certificate, while PEAP-MSCHAPv2 uses a username/password inside a TLS tunnel. If ISE is configured to only accept EAP-TLS, clients attempting PEAP will receive an EAP failure. Option A is correct because EAP-TLS is certificate-based and different from PEAP. Option B is incorrect because EAP-FAST uses a PAC, not certificates. Option C is incorrect because LEAP is deprecated and uses MS-CHAPv2, but it is not the same as PEAP. Option D is incorrect because EAP-MD5 is a simple challenge-response and not typically used in enterprise 802.1X.
A network engineer is configuring CoPP on a Cisco router to protect the control plane from excessive traffic. The router experiences high CPU utilization due to SSH and SNMP traffic. The engineer creates a class-map to match SSH (TCP/22) and SNMP (UDP/161) and applies a policy-map that polices this traffic to 1 Mbps. After applying the policy, legitimate SSH sessions from the management station start dropping intermittently. What is the most likely cause?
Explanation: CoPP polices traffic destined to the control plane. If the police rate is too low, even legitimate traffic can be dropped. The engineer set a 1 Mbps limit for both SSH and SNMP combined. If the management station generates bursts above this rate, packets are dropped. Option A is correct because the aggregate police rate may be insufficient. Option B is incorrect because CoPP does not affect transit traffic. Option C is incorrect because the policy is applied to the control plane, not an interface. Option D is incorrect because the class-map matches both protocols, but the issue is the police rate.
A network engineer is implementing DHCP snooping on a Cisco switch to prevent rogue DHCP servers. The switch has multiple VLANs, and the DHCP server is connected to interface GigabitEthernet0/1 in VLAN 10. The engineer enables DHCP snooping globally and for VLAN 10, then configures 'ip dhcp snooping trust' on GigabitEthernet0/1. However, clients in VLAN 10 are not receiving IP addresses. The engineer checks the DHCP snooping binding table and sees no entries. What is the most likely cause?
Explanation: DHCP snooping requires the DHCP server port to be trusted. If the server is on a different VLAN than the clients, the switch must also have IP routing enabled or use a DHCP relay. However, the scenario does not mention a relay. The most likely cause is that the DHCP server is not on the same subnet as the clients, and no IP helper address is configured. Option A is correct because without a helper address, DHCP broadcasts are not forwarded to the server. Option B is incorrect because the trust configuration is correct. Option C is incorrect because rate limiting is not configured. Option D is incorrect because DHCP snooping does not require a specific VLAN for the server port.
A network engineer is configuring dynamic ARP inspection (DAI) on a Cisco switch to prevent ARP spoofing. The switch has DHCP snooping enabled and the DHCP server is trusted. The engineer enables DAI on VLAN 10 and configures 'ip arp inspection trust' on the port connected to the DHCP server. After enabling DAI, some legitimate ARP replies from hosts are being dropped. The engineer checks the DAI statistics and sees 'ARP ACL drops' incrementing. What is the most likely reason?
Explanation: DAI validates ARP packets against the DHCP snooping binding table. If a host has a static IP address, its MAC-IP binding is not in the DHCP snooping database, so DAI drops the ARP replies unless an ARP ACL is configured to permit them. Option A is correct because static hosts need an ARP ACL. Option B is incorrect because the DHCP server port is trusted, but that does not affect host ARP replies. Option C is incorrect because DAI does not require the DHCP server to be in the same VLAN. Option D is incorrect because DAI validates source MAC and IP, not destination.
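The decision order described in the explanation above, as a simplified Python model added here for illustration (it is not Cisco code and not part of the original question set). The class and function names, port names and addresses are constructed; the model assumes an ARP ACL applied without the `static` option, so packets the ACL does not match fall through to the DHCP snooping bindings, and it keys bindings on VLAN, port, MAC and IP.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Arp:
    vlan: int
    port: str
    sender_mac: str
    sender_ip: str

class DaiModel:
    """Simplified model of the DAI decision order (assumption, not Cisco code)."""
    def __init__(self, vlans, trusted_ports):
        self.vlans = set(vlans)            # VLANs with DAI enabled
        self.trusted = set(trusted_ports)  # ports with 'ip arp inspection trust'
        self.bindings = set()              # DHCP snooping: (vlan, port, mac, ip)
        self.acl_permits = set()           # ARP ACL permits: (ip, mac)

    def learn_lease(self, vlan, port, mac, ip):
        self.bindings.add((vlan, port, mac.lower(), ip))
    def permit_static(self, ip, mac):
        self.acl_permits.add((ip, mac.lower()))

    def inspect(self, arp):
        mac = arp.sender_mac.lower()
        if arp.vlan not in self.vlans:
            return "forward: DAI not enabled on VLAN"
        if arp.port in self.trusted:
            return "forward: trusted port"
        if (arp.sender_ip, mac) in self.acl_permits:
            return "forward: ARP ACL permit"
        if (arp.vlan, arp.port, mac, arp.sender_ip) in self.bindings:
            return "forward: DHCP snooping binding"
        return "drop: no ARP ACL permit or binding"

def demo():
    # Constructed sample data: VLAN 10, DHCP server on trusted port Gi0/1.
    dai = DaiModel(vlans=[10], trusted_ports=["Gi0/1"])
    dai.learn_lease(10, "Gi0/5", "0011.2233.4455", "10.1.10.20")
    dhcp_host = Arp(10, "Gi0/5", "0011.2233.4455", "10.1.10.20")
    static_host = Arp(10, "Gi0/7", "00aa.bbcc.ddee", "10.1.10.50")
    mismatch = Arp(10, "Gi0/9", "0000.5e00.5301", "10.1.10.20")
    out = {"dhcp": dai.inspect(dhcp_host),
           "static_before": dai.inspect(static_host),
           "mismatch": dai.inspect(mismatch)}
    dai.permit_static("10.1.10.50", "00aa.bbcc.ddee")  # add the ARP ACL entry
    out["static_after"] = dai.inspect(static_host)
    return out

if __name__ == "__main__":
    print(demo())
```

The statically addressed host is dropped until its IP-to-MAC pair is permitted by the ARP ACL, while the sender whose MAC does not match the leased binding stays dropped.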
1. Baseline your knowledge
Start with 10 questions to gauge your current understanding of Infrastructure Security. This tells you whether you need a concept refresher or just practice.
2. Review every explanation
For each question — right or wrong — read the full explanation. Understanding why an answer is correct is more valuable than knowing the answer itself.
3. Focus on exam traps
Infrastructure Security questions on the 350-401 frequently use trap wording. Look for subtle differences in answers that test your precision, not just general knowledge.
4. Reach 80% consistently
Do repeated sessions until you score 80%+ three times in a row. Then move to mixed-mode practice to test cross-topic recall under realistic conditions.
The exact number varies per candidate. Infrastructure Security is tested as part of the ENCOR 350-401 blueprint. Practicing with targeted Infrastructure Security questions ensures you can handle any format or difficulty that appears.
Yes. Courseiva provides free 350-401 practice questions across all exam topics and domains. The platform includes topic-based practice, mock exams, missed-question review, bookmarked questions, and readiness tracking — no account required.
Difficulty is subjective, but Infrastructure Security is a high-priority exam concept tested in multiple ways — direct recall, scenario analysis, and command-output interpretation. Consistent practice is the best way to build confidence.