© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


350-401 Security Practice Questions

15+ practice questions focused on Security — one of the most tested topics on the ENCOR 350-401 exam. Each question includes a detailed explanation so you learn why the right answer is correct.

Sample Security Questions

1.

A network engineer is configuring port security on a Cisco switch to prevent unauthorized devices from connecting. The requirement is to allow only the first two MAC addresses learned on an interface, and to disable the interface if a violation occurs. Which configuration achieves this?

A. switchport port-security maximum 2
   switchport port-security violation err-disable
B. switchport port-security maximum 2
   switchport port-security violation shutdown
C. switchport port-security maximum 2
   switchport port-security violation protect
D. switchport port-security maximum 2
   switchport port-security violation restrict

Explanation: Option B is correct because the 'shutdown' violation mode places the interface into an err-disabled state when a port security violation occurs, which matches the requirement to disable the interface. The 'maximum 2' command limits the number of allowed MAC addresses to two, and the first two learned MAC addresses are dynamically secured. This combination ensures that any additional MAC address triggers a violation and disables the port.

2.

An organization wants to implement 802.1X authentication on its wired network using Cisco ISE as the authentication server. The switches are configured with the necessary RADIUS settings. Which additional configuration is required on the switch interfaces to enable 802.1X?

A. dot1x pae authenticator
B. authentication port-control auto
C. authentication port-control force-authorized
D. authentication port-control force-unauthorized

Explanation: Option B is correct because 'authentication port-control auto' is the required interface command to enable 802.1X authentication on a switch port. This command sets the port to initiate the authentication process, placing it in the unauthorized state until the client successfully authenticates via the RADIUS server (Cisco ISE). Without this command, the port will not enforce 802.1X.

3.

A security engineer is configuring CoPP (Control Plane Policing) on a Cisco router to protect the control plane from DoS attacks. The policy must rate-limit SSH traffic to 1 Mbps with a burst of 2000 bytes, and drop all other traffic destined to the control plane that exceeds a default rate. Which class-map and policy-map configuration is correct?

A. class-map match-all SSH
     match protocol ssh
   policy-map COPP
     class SSH
       police 1000000 2000 conform-action transmit exceed-action drop
B. class-map match-all SSH
     match access-group name SSH_ACL
   policy-map COPP
     class SSH
       police 1000000 2000 conform-action transmit exceed-action drop
     class class-default
       police 8000 conform-action transmit exceed-action drop
C. class-map match-all SSH
     match protocol ssh
   policy-map COPP
     class SSH
       police 1000000 2000 conform-action transmit exceed-action drop
     class class-default
       police 8000 conform-action transmit exceed-action drop
D. class-map match-all SSH
     match protocol ssh
   policy-map COPP
     class SSH
       police 2000 1000000 conform-action transmit exceed-action drop

Explanation: Option C is correct because it uses the 'match protocol ssh' class-map to identify SSH traffic, applies a police rate of 1,000,000 bps (1 Mbps) with a burst of 2000 bytes, and includes a class-default with a police rate of 8000 bps to drop all other control-plane traffic exceeding a default rate. This matches the requirement to rate-limit SSH and drop other traffic that exceeds a default rate, which is a common CoPP best practice to protect the control plane.

4.

A company has deployed a Cisco ASA firewall in transparent mode. The internal network uses VLAN 10 and the external network uses VLAN 20. The ASA is configured with two bridge groups: BVI 10 for inside and BVI 20 for outside. The security policy must allow HTTPS traffic from inside to outside. Which access-list entry is correct?

A. access-list INSIDE extended permit tcp 192.168.1.0 255.255.255.0 any eq 443
   access-group INSIDE in interface inside
B. access-list GLOBAL extended permit ip 192.168.1.0 255.255.255.0 any
C. access-list GLOBAL extended permit tcp any any eq 443
D. access-list GLOBAL extended permit tcp 192.168.1.0 255.255.255.0 any eq 443

Explanation: In transparent mode, the ASA acts as a Layer 2 bridge, so traffic must be permitted by a global access list applied to the bridge group virtual interface (BVI). Option D correctly uses the GLOBAL access list to permit TCP traffic from the inside subnet (192.168.1.0/24) to any destination on port 443 (HTTPS), which satisfies the security policy.

5.

A network administrator is troubleshooting a DHCP snooping issue on a Cisco switch. The switch is configured with DHCP snooping globally and on VLAN 10. The trusted interface is GigabitEthernet0/1 connected to the DHCP server. However, clients on VLAN 10 are not receiving IP addresses from the DHCP server. What is the most likely cause?

A. The switch has IP Source Guard enabled, blocking valid DHCP traffic.
B. The interface GigabitEthernet0/1 is not configured as a trusted port for DHCP snooping.
C. The DHCP server is on a different subnet and the switch lacks an IP helper address.
D. The DHCP server is sending offers too quickly, exceeding the rate-limit on the switch.

Explanation: Option B is correct because the scenario states that DHCP snooping is configured globally and on VLAN 10, and that GigabitEthernet0/1 is connected to the DHCP server. However, for DHCP snooping to allow DHCP server messages (OFFER, ACK) to be forwarded, the interface connected to the legitimate DHCP server must be explicitly configured as a trusted port using the 'ip dhcp snooping trust' interface command. Without this, the switch treats all DHCP server responses as untrusted and drops them, preventing clients from receiving IP addresses.

How to master Security for 350-401

1. Baseline your knowledge

Start with 10 questions to gauge your current understanding of Security. This tells you whether you need a concept refresher or just practice.

2. Review every explanation

For each question — right or wrong — read the full explanation. Understanding why an answer is correct is more valuable than knowing the answer itself.

3. Focus on exam traps

Security questions on the 350-401 frequently use trap wording. Look for subtle differences in answers that test your precision, not just general knowledge.

4. Reach 80% consistently

Do repeated sessions until you score 80%+ three times in a row. Then move to mixed-mode practice to test cross-topic recall under realistic conditions.

Frequently asked questions

How many 350-401 Security questions are on the real exam?

The exact number varies per candidate. Security is tested as part of the ENCOR 350-401 blueprint. Practicing with targeted Security questions ensures you can handle any format or difficulty that appears.

Are these 350-401 Security practice questions free?

Yes. Courseiva provides free 350-401 practice questions across all exam topics and domains. The platform includes topic-based practice, mock exams, missed-question review, bookmarked questions, and readiness tracking — no account required.

Is Security one of the harder 350-401 topics?

Difficulty is subjective, but Security is a high-priority exam concept tested in multiple ways — direct recall, scenario analysis, and command-output interpretation. Consistent practice is the best way to build confidence.
