15+ practice questions focused on Security — one of the most tested topics on the ENCOR 350-401 exam. Each question includes a detailed explanation so you learn why the right answer is correct.
A network engineer is configuring port security on a Cisco switch to prevent unauthorized devices from connecting. The requirement is to allow only the first two MAC addresses learned on an interface, and to disable the interface if a violation occurs. Which configuration achieves this?
Explanation: Option B is correct because the 'shutdown' violation mode places the interface into an err-disabled state when a port security violation occurs, which matches the requirement to disable the interface. The 'maximum 2' command limits the number of allowed MAC addresses to two, and the first two learned MAC addresses are dynamically secured. This combination ensures that any additional MAC address triggers a violation and disables the port.
An organization wants to implement 802.1X authentication on its wired network using Cisco ISE as the authentication server. The switches are configured with the necessary RADIUS settings. Which additional configuration is required on the switch interfaces to enable 802.1X?
Explanation: Option B is correct because 'authentication port-control auto' is the required interface command to enable 802.1X authentication on a switch port. This command sets the port to initiate the authentication process, placing it in the unauthorized state until the client successfully authenticates via the RADIUS server (Cisco ISE). Without this command, the port will not enforce 802.1X.
A security engineer is configuring CoPP (Control Plane Policing) on a Cisco router to protect the control plane from DoS attacks. The policy must rate-limit SSH traffic to 1 Mbps with a burst of 2000 bytes, and drop all other traffic destined to the control plane that exceeds a default rate. Which class-map and policy-map configuration is correct?
Explanation: Option C is correct because it uses the 'match protocol ssh' class-map to identify SSH traffic, applies a police rate of 1,000,000 bps (1 Mbps) with a burst of 2000 bytes, and includes a class-default with a police rate of 8000 bps to drop all other control-plane traffic exceeding a default rate. This matches the requirement to rate-limit SSH and drop other traffic that exceeds a default rate, which is a common CoPP best practice to protect the control plane.
A company has deployed a Cisco ASA firewall in transparent mode. The internal network uses VLAN 10 and the external network uses VLAN 20. The ASA is configured with two bridge groups: BVI 10 for inside and BVI 20 for outside. The security policy must allow HTTPS traffic from inside to outside. Which access-list entry is correct?
Explanation: In transparent mode, the ASA acts as a Layer 2 bridge, so traffic must be permitted by a global access list applied to the bridge group virtual interface (BVI). Option D correctly uses the GLOBAL access list to permit TCP traffic from the inside subnet (192.168.1.0/24) to any destination on port 443 (HTTPS), which satisfies the security policy.
A network administrator is troubleshooting a DHCP snooping issue on a Cisco switch. The switch is configured with DHCP snooping globally and on VLAN 10. The trusted interface is GigabitEthernet0/1 connected to the DHCP server. However, clients on VLAN 10 are not receiving IP addresses from the DHCP server. What is the most likely cause?
Explanation: Option B is correct because the scenario states that DHCP snooping is configured globally and on VLAN 10, and that GigabitEthernet0/1 is connected to the DHCP server. However, for DHCP snooping to allow DHCP server messages (OFFER, ACK) to be forwarded, the interface connected to the legitimate DHCP server must be explicitly configured as a trusted port using the 'ip dhcp snooping trust' interface command. Without this, the switch treats all DHCP server responses as untrusted and drops them, preventing clients from receiving IP addresses.
1. Baseline your knowledge
Start with 10 questions to gauge your current understanding of Security. This tells you whether you need a concept refresher or just practice.
2. Review every explanation
For each question — right or wrong — read the full explanation. Understanding why an answer is correct is more valuable than knowing the answer itself.
3. Focus on exam traps
Security questions on the 350-401 frequently use trap wording. Look for subtle differences in answers that test your precision, not just general knowledge.
4. Reach 80% consistently
Do repeated sessions until you score 80%+ three times in a row. Then move to mixed-mode practice to test cross-topic recall under realistic conditions.
The exact number varies per candidate. Security is tested as part of the ENCOR 350-401 blueprint. Practicing with targeted Security questions ensures you can handle any format or difficulty that appears.
Yes. Courseiva provides free 350-401 practice questions across all exam topics and domains. The platform includes topic-based practice, mock exams, missed-question review, bookmarked questions, and readiness tracking — no account required.
Difficulty is subjective, but Security is a high-priority exam concept tested in multiple ways — direct recall, scenario analysis, and command-output interpretation. Consistent practice is the best way to build confidence.