Security

Practice 350-601 Security questions with full explanations on every answer.


All 350-601 Security questions (95)


Click any question to see the full explanation and answer options, or start a focused practice session above.

1

An engineer is configuring a new data center leaf switch to enforce micro-segmentation using Cisco ACI. The requirement is to permit traffic from web servers to application servers on TCP port 8080, but deny all other traffic. The web servers are in EPG 'web_EPG' and application servers in EPG 'app_EPG'. Which contract configuration should be applied?

2

A customer is deploying Cisco ACI with a requirement to isolate tenant traffic in a multi-tenant environment. They want to ensure that a tenant admin can only manage their own tenant's objects. Which RBAC configuration should be implemented?

3

An engineer needs to secure the management plane on a Cisco Nexus 9000 switch. Which feature should be configured to restrict access to the switch's management interface based on source IP?

4

An organization is deploying Cisco ACI in a brownfield data center. They have existing VLANs that need to be mapped to ACI EPGs. The network team notices that some VLANs are used across multiple tenants. How should the engineer design the VLAN pool to support overlapping VLANs?

5

A network administrator suspects that a rogue DHCP server is active on the data center network. The switches are Cisco Nexus 9000 series running NX-OS. Which configuration should be applied to prevent DHCP spoofing?

6

A data center switch is configured with 802.1X port-based authentication for edge ports. Users report authentication failures. The engineer wants to verify the authentication status of a specific interface. Which command should be used?

7

An engineer is configuring Cisco ACI to secure inter-tenant traffic. Tenants 'TenantA' and 'TenantB' need to communicate via a shared service, such as a DNS server in TenantA. How should the contract be configured?

8

A data center architect is designing security for a Cisco ACI fabric that must comply with PCI DSS. The requirement is to encrypt all traffic between EPGs within the same tenant. Which solution should be used?

9

Which TWO of these are best practices for securing the Cisco ACI fabric?

10

Which THREE of the following are valid methods to secure the control plane on a Cisco Nexus 9000 switch?

11

Which TWO of the following are required components for a Cisco ACI contract to allow communication between EPGs?

12

A large financial institution has a Cisco ACI fabric with multiple tenants. The security team requires that all management access to the APIC controllers be authenticated via multi-factor authentication (MFA) using a RADIUS server. The RADIUS server is configured to send a One-Time Password (OTP) challenge during authentication. The current configuration uses local authentication. The engineer needs to implement RADIUS authentication with MFA for APIC GUI and CLI access. The RADIUS server is reachable at 10.10.10.10, shared secret 'SecureSecret123'. The APIC is running software version 4.2(3). The engineer must ensure that local authentication is used as fallback if the RADIUS server is unreachable. Which of the following actions should the engineer take?

13

A data center engineer is troubleshooting connectivity issues between two EPGs in the same tenant on a Cisco ACI fabric. The first EPG 'web_epg' is in VLAN 100 and the second EPG 'db_epg' is in VLAN 200. The contract 'web_to_db' allows TCP port 3306 from web_epg to db_epg. The EPGs are in the same VRF. The engineer has verified that the physical connectivity is correct and the endpoints are learning their IP addresses. However, traffic from web_epg to db_epg is not reaching the destination. The engineer checks the contract and sees that the subject 'mysql_access' has filter 'mysql' with direction 'both'. The provider is db_epg and consumer is web_epg. The engineer also notices that the default action in the contract is 'deny'. What is the most likely cause of the issue?

14

An engineer is configuring AAA on a Cisco Nexus switch to authenticate management access via TACACS+. The switch is reachable, but login attempts repeatedly fail. Which action should the engineer take to isolate the issue?

15

A data center architect is designing access control for a Cisco ACI fabric. The requirement is to allow HTTP traffic from the web tier (EPG web) to the app tier (EPG app), but deny SSH from the management EPG to the web EPG. Which construct should be used?

16

A network engineer is troubleshooting CoPP drops on a Cisco Nexus 9000 switch. The 'show control-plane' output indicates that packets are being dropped due to 'CoPP' on the 'default' control-plane class. Which action is most likely to resolve the issue without affecting routing protocol stability?

17

An organization is deploying Cisco ISE for 802.1X authentication on Cisco Nexus switches. Some endpoints fail authentication and fall back to MAB. The security policy requires that endpoints failing both 802.1X and MAB be placed in a restricted VLAN. Which configuration is needed on the switch port?

18

Which TWO statements about Cisco TrustSec in a data center are true?

19

Refer to the exhibit. A server connected to Ethernet1/1 is experiencing intermittent connectivity. The server sends BPDUs, causing the switch to place the port into a blocking state. Which configuration change should be made to prevent this while maintaining rapid convergence?

20

A company runs a multi-tenant data center using Cisco ACI with multiple tenants. Each tenant has its own VRF and EPGs. The security policy requires that tenant A's web servers (EPG web_tenantA) be accessible from tenant B's application servers (EPG app_tenantB) only via HTTPS (TCP 443). The ACI fabric is configured with contracts. The administrator has created a contract with a filter for HTTPS (tcp dstPort 443) and applied it as a provider contract on EPG web_tenantA and as a consumer contract on EPG app_tenantB. However, traffic from tenant B's app servers to tenant A's web servers is being dropped. The administrator has verified that the contracts are applied correctly and the filter is correct. What is the most likely cause of the traffic drop?

21

Order the steps to upgrade the software on a Cisco Nexus switch using ISSU.

22

Match each Cisco data center security feature to its purpose.

23

A network engineer is configuring device access control for Cisco NX-OS switches. The requirement is to use a protocol that separates authentication, authorization, and accounting, and encrypts all communication except the header. Which solution meets this requirement?

24

A data center switch has DHCP snooping enabled globally. Which of the following is a best practice to ensure DHCP server legitimacy?

25

An engineer notices that AAA authentication using RADIUS is failing, and the RADIUS server logs show no incoming authentication requests. Which of the following is the most likely cause?

26

A data center switch is experiencing high CPU due to excessive BGP updates. Which action can mitigate this without affecting legitimate BGP traffic?

27

An organization uses VXLAN EVPN for network segmentation. Which component provides per-tenant isolation of control plane traffic?

28

A server team reports that after connecting a new server to a switchport, the server can receive traffic but cannot send traffic. The port is configured with port security. What is the most likely cause?

29

A company uses Cisco ISE for 802.1X authentication on data center edge switches. After a recent upgrade, some endpoints that previously authenticated successfully now fail. The ISE logs show the endpoint is in the wrong authorization profile. What is the most likely cause?

30

An attacker attempts to spoof a legitimate client's IP address to intercept traffic. DHCP snooping is enabled. Which feature prevents this spoofing by validating source IP in data packets?

31

Two data center switches are connected via a fiber link. They need to encrypt all traffic at Layer 2. Which configuration is required on both switches to establish MACsec?

32

Which two statements are true about Cisco TrustSec? (Choose two.)

33

Which two mechanisms are used by Dynamic ARP Inspection to prevent ARP spoofing? (Choose two.)

34

Which three actions can be taken when a port security violation occurs? (Choose three.)

35

Refer to the exhibit. A DHCP server is connected to Ethernet1/1 and a client in VLAN 10 is connected to Ethernet1/2. The client obtains an IP address. Which statement is best supported?

36

Refer to the exhibit. An administrator connects a new server to Ethernet1/1 and the port immediately goes into errdisable state. The previous device was connected to that port. What is the most likely cause?

37

Refer to the exhibit. A web server in VLAN 10 with IP 10.0.0.5 is experiencing connectivity issues. Clients from subnet 10.0.0.0/24 can access the server, but clients from other subnets cannot. What is the most likely cause?

38

A network administrator configures DHCP snooping on a Nexus 9000 switch. The legitimate DHCP server is connected to Ethernet 1/1. An unauthorized DHCP server is detected on Ethernet 1/2. Which action should be taken to prevent the unauthorized server from offering IP addresses?

39

A Nexus switch experiences high CPU utilization due to excessive ICMP traffic. An engineer applies a CoPP policy that includes a class matching ICMP with a drop action. After applying, legitimate OSPF hello packets are also being dropped. What is the most likely cause?

40

An engineer wants to prevent unauthorized devices from connecting to access ports. Which port security violation mode will disable the port and generate a syslog message?

41

A VACL is configured to capture traffic between hosts in the same VLAN. The capture port is configured and the VACL is applied to the VLAN. However, no traffic is being captured. What is a likely reason?

42

Two Nexus switches are configured for MACsec using MKA. The link between them is up, but MKA does not establish. Which issue is most likely?

43

An administrator configures 'aaa authentication login default group tacacs+ local'. What happens if the TACACS+ server is unreachable?

44

In a private VLAN configuration, a host in a community VLAN needs to communicate with a host in the primary VLAN. What configuration is required on the switch?

45

In an ACI fabric, an EPG is configured with a contract that allows HTTP traffic to an external network. The external network is reachable via a Layer 3 Outside. However, HTTP traffic from the EPG fails. What is the most likely cause?

46

A data center switch port is configured for 802.1X with MAB as fallback. A device that does not support 802.1X is connected. Which method will allow the device to authenticate?

47

Which TWO security features rely on the DHCP snooping binding table? (Select exactly 2)

48

Which THREE are characteristics of Cisco TrustSec? (Select exactly 3)

49

Which TWO features are used to validate ARP packets and prevent ARP spoofing attacks? (Select exactly 2)

50

Refer to the exhibit. A client connected to Ethernet1/2 cannot obtain an IP address via DHCP. What is the most likely cause?

51

Refer to the exhibit. The CoPP policy above is applied. Which traffic is most likely to be dropped?

52

Refer to the exhibit. Two Nexus switches are connected via Ethernet1/1. MKA does not initiate. What is the issue?

53

A network engineer is configuring VLAN ACLs on a Cisco Nexus 9000 switch to enforce traffic filtering between VLANs. Which configuration step is required to apply a VACL to a VLAN?

54

A data center administrator is implementing Cisco TrustSec on a Nexus 7000 switch to enforce role-based access control. After configuring a security group tag (SGT) classification policy, users report that traffic between two servers is not being tagged. What is the most likely cause?

55

During a security audit, you discover that a Cisco Nexus 9000 switch is allowing traffic between two ports in the same VLAN despite having a VLAN ACL that should deny it. The VACL is applied correctly, and the ACL entries are properly configured. What is the most likely reason for this behavior?

56

An engineer needs to implement port security on a Cisco Nexus 1000v virtual switch to prevent MAC flooding attacks. The requirement is to allow only the first MAC address learned on the port. Which command sequence accomplishes this?

57

A Cisco ACI fabric administrator wants to implement microsegmentation using Cisco Group-Based Policy (GBP) in a network that hosts virtual machines and bare-metal servers. Which component must be used to enforce microsegmentation policies for bare-metal servers?

58

A network administrator is configuring CoPP (Control Plane Policing) on a Cisco Nexus 9300 to protect the control plane from high-rate traffic. After applying the policy, the switch becomes unresponsive to SSH sessions, but ICMP still works. What is the most likely misconfiguration?

59

A data center engineer is configuring 802.1X authentication on Cisco Nexus switches for wired endpoints. The requirement is to allow traffic on the port even if no EAPOL packet is received from the endpoint (e.g., a printer). Which authentication method should be used?

60

A Cisco ACI fabric has contracts configured to allow traffic between two EPGs. After deployment, traffic between endpoints in these EPGs is being dropped, but contract statistics show no packets have been permitted. The administrator checks the contract configuration and it looks correct. What is the most likely cause?

61

An organization is deploying Cisco Nexus 9000 switches with NX-OS and needs to prevent ARP spoofing attacks. The network engineer enables Dynamic ARP Inspection (DAI) on all VLANs. However, some legitimate hosts are unable to obtain IP addresses via DHCP. What is the most likely reason?

62

Which TWO of the following are valid methods to enforce security on a Cisco Nexus switch? (Choose two.)

63

Which TWO security features are used to prevent MAC address flooding attacks on a Cisco Nexus switch? (Choose two.)

64

Which THREE of the following must be enabled to implement 802.1X authentication with MAB fallback on a Cisco Nexus switch for a mixed environment of 802.1X-capable and non-802.1X endpoints? (Choose three.)

65

Refer to the exhibit. The TACACS+ server at 10.1.1.1 is unreachable. What will happen when a user tries to authenticate to the switch using SSH?

66

Refer to the exhibit. The interface showed a security violation 15 seconds ago and has a violation count of 5. What would happen if a frame with source MAC 0011.2233.4477 arrived now?

67

Refer to the exhibit. The configuration is intended to provide Layer 2 isolation within VLAN 100 while allowing the promiscuous port (Ethernet 1/1) to communicate with all ports in the community VLAN. However, hosts in VLAN 100 cannot communicate with each other. What is the most likely misconfiguration?

68

A data center engineer configures an ACL on a Nexus 9000 switch to block all traffic from the management network (10.10.0.0/16) to the production servers (192.168.1.0/24) except for SSH access from a specific jump host (10.10.1.100). The ACL is applied inbound on the management interface. Which ACL entry is correctly ordered to achieve this requirement?

69

An engineer needs to ensure that only authorized servers can connect to a specific switch port in a data center. The port connects to a critical database server with fixed MAC address 00:1a:2b:3c:4d:5e. Which configuration is most appropriate?

70

A Nexus 7000 switch is experiencing high CPU utilization due to control plane traffic. The engineer notices that many packets are being punted to the CPU from the data plane, particularly ARP packets. After examining the CoPP configuration, the engineer sees that the 'arp' class-map is matched in a policy-map with a police rate of 1000 pps and a conform-action of 'transmit'. The current ARP rate is 2000 pps. What is the immediate impact?

71

A company uses Cisco TrustSec in its data center to enforce segmentation. Servers in VLAN 10 (Finance) should only communicate with servers in VLAN 20 (ERP) via an application gateway. Which TrustSec component is used to assign a Security Group Tag (SGT) to traffic from the Finance servers?

72

A data center network engineer wants to encrypt all traffic between two top-of-rack (ToR) switches that are connected via a direct link. The encryption should be transparent to upper-layer protocols and operate at Layer 2. Which technology should be used?

73

An engineer is troubleshooting a DHCP issue in a data center VLAN. Clients are unable to obtain IP addresses from the DHCP server. The switch has DHCP snooping enabled on the VLAN, and the DHCP server is connected to a trusted port. The clients are on untrusted ports. Which additional security feature is most likely causing the problem if the DHCP server is on a different subnet and the switch is not configured as a DHCP relay?

74

A network administrator wants to prevent IP spoofing attacks on a data center access switch. The switch has IP Source Guard enabled on the client-facing ports. Which condition must be met for IP Source Guard to work properly?

75

Which control plane protection mechanism should be configured to limit the rate of BGP updates destined to the CPU of a Nexus 9000 switch to prevent CPU overload?

76

An ACI fabric administrator wants to enable microsegmentation for workloads in a Virtual Routing and Forwarding (VRF) instance. The security policy must allow communication between two endpoints based on their EPG (Endpoint Group) membership, regardless of IP address. Which construct must be used?

77

Which TWO statements about Cisco TrustSec in a data center environment are true? (Choose two.)

78

Which THREE security features are commonly used on Cisco Nexus switches to prevent DHCP-based attacks? (Choose three.)

79

Which THREE are best practices for securing a data center network? (Choose three.)

80

A network administrator implements the ACL shown. After verifying the ACL statistics, all counters show 0 matches. What is the most likely cause?

81

An engineer observes that ARP packets are being dropped. Based on the exhibit, what is the drop rate percentage for ARP packets?

82

A large enterprise data center uses Cisco ACI with a spine-leaf architecture. The security team requires that all traffic between the Web and App tiers be inspected by a firewall, but traffic within the same tier should be allowed directly. The Web EPG is in VRF PROD with Bridge Domain WEB-BD, and App EPG is in VRF PROD with Bridge Domain APP-BD. The firewall is connected as a service graph device in a different VRF (FW-VRF). The administrator configures a contract between Web and App EPGs that redirects traffic through the firewall. However, after implementation, traffic from Web to App is not passing through the firewall; instead, it is forwarded directly. The contract is applied correctly. What is the most likely cause?

83

A network engineer is troubleshooting inter-VLAN routing on a Cisco Nexus 9000 switch. The switch is configured with VLAN 10 and VLAN 20. Hosts in VLAN 10 cannot ping hosts in VLAN 20. The engineer checks the VLAN ACL (VACL) applied to VLAN 10 and finds the following configuration:

    ip access-list VACL-FILTER
      10 permit ip any any
    ...
    vlan access-map VACL-MAP 10
      match ip address VACL-FILTER
      action forward
    vlan filter VACL-MAP vlan-list 10

What is the most likely reason for the connectivity failure?

84

An engineer is configuring AAA authentication on a Cisco MDS 9000 series switch. The goal is to authenticate users via RADIUS first, then local as a fallback. Which command sequence should be used?

85

Which THREE methods can be used to propagate Cisco TrustSec Security Group Tags (SGTs) across a network? (Choose three.)

86

Which TWO statements are true about Control Plane Policing (CoPP) on a Cisco Nexus 9000 switch? (Choose two.)

87

A data center network uses Cisco Nexus 9000 switches running NX-OS. The operations team notices that the CPU utilization on the supervisor module spikes intermittently, causing BGP session flaps. Analysis shows that the CPU spikes coincide with traceroute probes from external networks, which generate ICMP TTL exceeded messages that are process-switched. The engineer must implement a solution to protect the control plane without affecting normal ICMP functionality. The goal is to rate-limit ICMP traffic to a maximum of 1000 packets per second with a burst of 200 bytes, while allowing other control plane traffic without restriction. Which configuration should be applied?

88

A Cisco MDS 9000 switch is used in a storage network. The security policy requires that a junior administrator named 'user1' can view zone configurations but cannot make any changes. Currently, 'user1' is assigned the default 'network-operator' role, which allows read-only access to most configuration, but the engineer wants to ensure that zone modification is explicitly denied. The engineer creates a custom role named 'zone-viewer' and assigns it to 'user1'. The role should permit viewing of the running configuration related to zones but deny any command that modifies zone or zoneset configurations. Which configuration best achieves this objective?

89

A network engineer is configuring DHCP snooping on a Cisco Nexus 9000 switch to prevent rogue DHCP server attacks. The switch connects to the legitimate DHCP server on Ethernet 1/1. Clients are connected to ports Ethernet 1/2 through 1/24. The engineer enables DHCP snooping globally and on VLAN 10, but clients are unable to obtain IP addresses from the DHCP server. Other connectivity between clients and the server works (e.g., static IPs). What is the most likely cause and solution?

90

In a Cisco Application Centric Infrastructure (ACI) fabric, a tenant has two EPGs: Web and App. A contract is created between Web (consumer) and App (provider) with a filter that permits TCP port 8080 (the only port used by the application). However, traffic from App to Web is failing. The application requires bidirectional communication: Web initiates requests to App on TCP 8080, and App responds on the same connection (stateful). The engineer verifies that the filter is correctly applied and that both EPGs are in the same VRF. The contract is applied in the direction Web -> App. What is the most efficient way to resolve this issue without compromising security?

91

Two Cisco Nexus 9000 switches are connected via Ethernet interface 1/1. The engineer wishes to secure the link using MACsec (IEEE 802.1ae) with a pre-shared key for connectivity association key (CAK) protection. Both switches have the same hardware and software version supporting MACsec. The engineer configures the following on both switches:

    feature macsec
    macsec policy MACSEC_POLICY
      cipher-suite gcm-aes-128
      security-mode no-encrypt
      mka sak-rekey-time 30
    interface ethernet 1/1
      macsec policy MACSEC_POLICY

However, the link comes up without MACsec encryption (the port counter shows MACsec frames dropped). The engineer checks that the pre-shared key is configured correctly via 'macsec key-chain' but notices it was not explicitly applied. What is the most likely reason for MACsec failing to establish?

92

A network engineer is implementing port security on a Cisco Nexus 9000 switch to limit the number of MAC addresses learned on a single access port. The switchport is configured as follows:

    interface Ethernet 1/2
      switchport mode access
      switchport port-security
      switchport port-security maximum 2
      switchport port-security violation shutdown
      switchport port-security mac-address sticky

After connecting two authorized devices, a third unauthorized device is connected, causing the port to enter the err-disabled state. The engineer needs to restore connectivity for the two authorized devices as quickly as possible, while maintaining the security posture. What is the best practice to recover the port automatically in the future?

93

Which TWO methods are used to secure management plane access on Cisco Nexus 9000 series switches?

94

Refer to the exhibit. What is the effect of this configuration on traffic in VLAN 10?

95

A data center engineer is troubleshooting high CPU utilization on a Cisco Nexus 9000 switch. The engineer suspects a distributed denial-of-service (DDoS) attack targeting the switch. To mitigate the attack, the engineer configures a Control Plane Policing (CoPP) policy that drops all ICMP packets destined to the switch. The policy is applied to the control-plane using the 'service-policy input COPP' command. After applying the policy, the switch CPU utilization remains high, and ICMP traffic is still reaching the switch. The engineer verifies that the CoPP policy is applied and that the class-map matches ICMP. The policy-map has the correct police and drop actions. No other CoPP policies are applied. What is the most likely cause of the issue?


Frequently asked questions

What does the Security domain cover on the 350-601 exam?

The Security domain covers the key concepts tested in this area of the 350-601 exam blueprint published by Cisco. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all 350-601 domains — no account required.

How many Security questions are in the 350-601 question bank?

The Courseiva 350-601 question bank contains 95 questions in the Security domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice Security for 350-601?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only Security questions for 350-601?

Yes — the session launcher on this page draws questions exclusively from the Security domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
