Practice 350-601 Security questions with full explanations on every answer.
1. An engineer is configuring a new data center leaf switch to enforce micro-segmentation using Cisco ACI. The requirement is to permit traffic from web servers to application servers on TCP port 8080, but deny all other traffic. The web servers are in EPG 'web_EPG' and application servers in EPG 'app_EPG'. Which contract configuration should be applied?
2. A customer is deploying Cisco ACI with a requirement to isolate tenant traffic in a multi-tenant environment. They want to ensure that a tenant admin can only manage their own tenant's objects. Which RBAC configuration should be implemented?
3. An engineer needs to secure the management plane on a Cisco Nexus 9000 switch. Which feature should be configured to restrict access to the switch's management interface based on source IP?
4. An organization is deploying Cisco ACI in a brownfield data center. They have existing VLANs that need to be mapped to ACI EPGs. The network team notices that some VLANs are used across multiple tenants. How should the engineer design the VLAN pool to support overlapping VLANs?
5. A network administrator suspects that a rogue DHCP server is active on the data center network. The switches are Cisco Nexus 9000 series running NX-OS. Which configuration should be applied to prevent DHCP spoofing?
6. A data center switch is configured with 802.1X port-based authentication for edge ports. Users report authentication failures. The engineer wants to verify the authentication status of a specific interface. Which command should be used?
7. An engineer is configuring Cisco ACI to secure inter-tenant traffic. Tenants 'TenantA' and 'TenantB' need to communicate via a shared service, such as a DNS server in TenantA. How should the contract be configured?
8. A data center architect is designing security for a Cisco ACI fabric that must comply with PCI DSS. The requirement is to encrypt all traffic between EPGs within the same tenant. Which solution should be used?
9. Which TWO of these are best practices for securing the Cisco ACI fabric?
10. Which THREE of the following are valid methods to secure the control plane on a Cisco Nexus 9000 switch?
11. Which TWO of the following are required components for a Cisco ACI contract to allow communication between EPGs?
12. A large financial institution has a Cisco ACI fabric with multiple tenants. The security team requires that all management access to the APIC controllers be authenticated via multi-factor authentication (MFA) using a RADIUS server. The RADIUS server is configured to send a One-Time Password (OTP) challenge during authentication. The current configuration uses local authentication. The engineer needs to implement RADIUS authentication with MFA for APIC GUI and CLI access. The RADIUS server is reachable at 10.10.10.10, shared secret 'SecureSecret123'. The APIC is running software version 4.2(3). The engineer must ensure that local authentication is used as fallback if the RADIUS server is unreachable. Which of the following actions should the engineer take?
13. A data center engineer is troubleshooting connectivity issues between two EPGs in the same tenant on a Cisco ACI fabric. The first EPG 'web_epg' is in VLAN 100 and the second EPG 'db_epg' is in VLAN 200. The contract 'web_to_db' allows TCP port 3306 from web_epg to db_epg. The EPGs are in the same VRF. The engineer has verified that the physical connectivity is correct and the endpoints are learning their IP addresses. However, traffic from web_epg to db_epg is not reaching the destination. The engineer checks the contract and sees that the subject 'mysql_access' has filter 'mysql' with direction 'both'. The provider is db_epg and consumer is web_epg. The engineer also notices that the default action in the contract is 'deny'. What is the most likely cause of the issue?
14. An engineer is configuring AAA on a Cisco Nexus switch to authenticate management access via TACACS+. The switch is reachable, but login attempts repeatedly fail. Which action should the engineer take to isolate the issue?
15. A data center architect is designing access control for a Cisco ACI fabric. The requirement is to allow HTTP traffic from the web tier (EPG web) to the app tier (EPG app), but deny SSH from the management EPG to the web EPG. Which construct should be used?
16. A network engineer is troubleshooting CoPP drops on a Cisco Nexus 9000 switch. The 'show control-plane' output indicates that packets are being dropped due to 'CoPP' on the 'default' control-plane class. Which action is most likely to resolve the issue without affecting routing protocol stability?
17. An organization is deploying Cisco ISE for 802.1X authentication on Cisco Nexus switches. Some endpoints fail authentication and fall back to MAB. The security policy requires that endpoints failing both 802.1X and MAB be placed in a restricted VLAN. Which configuration is needed on the switch port?
18. Which TWO statements about Cisco TrustSec in a data center are true?
19. Refer to the exhibit. A server connected to Ethernet1/1 is experiencing intermittent connectivity. The server sends BPDUs, causing the switch to place the port into a blocking state. Which configuration change should be made to prevent this while maintaining rapid convergence?
20. A company runs a multi-tenant data center using Cisco ACI with multiple tenants. Each tenant has its own VRF and EPGs. The security policy requires that tenant A's web servers (EPG web_tenantA) be accessible from tenant B's application servers (EPG app_tenantB) only via HTTPS (TCP 443). The ACI fabric is configured with contracts. The administrator has created a contract with a filter for HTTPS (tcp dstPort 443) and applied it as a provider contract on EPG web_tenantA and as a consumer contract on EPG app_tenantB. However, traffic from tenant B's app servers to tenant A's web servers is being dropped. The administrator has verified that the contracts are applied correctly and the filter is correct. What is the most likely cause of the traffic drop?
21. Order the steps to upgrade the software on a Cisco Nexus switch using ISSU.
22. Match each Cisco data center security feature to its purpose.
23. A network engineer is configuring device access control for Cisco NX-OS switches. The requirement is to use a protocol that separates authentication, authorization, and accounting, and encrypts all communication except the header. Which solution meets this requirement?
24. A data center switch has DHCP snooping enabled globally. Which of the following is a best practice to ensure DHCP server legitimacy?
25. An engineer notices that AAA authentication using RADIUS is failing, and the RADIUS server logs show no incoming authentication requests. Which of the following is the most likely cause?
26. A data center switch is experiencing high CPU due to excessive BGP updates. Which action can mitigate this without affecting legitimate BGP traffic?
27. An organization uses VXLAN EVPN for network segmentation. Which component provides per-tenant isolation of control plane traffic?
28. A server team reports that after connecting a new server to a switchport, the server can receive traffic but cannot send traffic. The port is configured with port security. What is the most likely cause?
29. A company uses Cisco ISE for 802.1X authentication on data center edge switches. After a recent upgrade, some endpoints that previously authenticated successfully now fail. The ISE logs show the endpoint is in the wrong authorization profile. What is the most likely cause?
30. An attacker attempts to spoof a legitimate client's IP address to intercept traffic. DHCP snooping is enabled. Which feature prevents this spoofing by validating the source IP in data packets?
31. Two data center switches are connected via a fiber link. They need to encrypt all traffic at Layer 2. Which configuration is required on both switches to establish MACsec?
32. Which two statements are true about Cisco TrustSec? (Choose two.)
33. Which two mechanisms are used by Dynamic ARP Inspection to prevent ARP spoofing? (Choose two.)
34. Which three actions can be taken when a port security violation occurs? (Choose three.)
35. Refer to the exhibit. A DHCP server is connected to Ethernet1/1 and a client in VLAN 10 is connected to Ethernet1/2. The client obtains an IP address. Which statement is best supported?
36. Refer to the exhibit. An administrator connects a new server to Ethernet1/1 and the port immediately goes into errdisable state. The previous device was connected to that port. What is the most likely cause?
37. Refer to the exhibit. A web server in VLAN 10 with IP 10.0.0.5 is experiencing connectivity issues. Clients from subnet 10.0.0.0/24 can access the server, but clients from other subnets cannot. What is the most likely cause?
38. A network administrator configures DHCP snooping on a Nexus 9000 switch. The legitimate DHCP server is connected to Ethernet 1/1. An unauthorized DHCP server is detected on Ethernet 1/2. Which action should be taken to prevent the unauthorized server from offering IP addresses?
39. A Nexus switch experiences high CPU utilization due to excessive ICMP traffic. An engineer applies a CoPP policy that includes a class matching ICMP with a drop action. After applying it, legitimate OSPF hello packets are also being dropped. What is the most likely cause?
40. An engineer wants to prevent unauthorized devices from connecting to access ports. Which port security violation mode will disable the port and generate a syslog message?
41. A VACL is configured to capture traffic between hosts in the same VLAN. The capture port is configured and the VACL is applied to the VLAN. However, no traffic is being captured. What is a likely reason?
42. Two Nexus switches are configured for MACsec using MKA. The link between them is up, but MKA does not establish. Which issue is most likely?
43. An administrator configures 'aaa authentication login default group tacacs+ local'. What happens if the TACACS+ server is unreachable?
44. In a private VLAN configuration, a host in a community VLAN needs to communicate with a host in the primary VLAN. What configuration is required on the switch?
45. In an ACI fabric, an EPG is configured with a contract that allows HTTP traffic to an external network. The external network is reachable via a Layer 3 Outside. However, HTTP traffic from the EPG fails. What is the most likely cause?
46. A data center switch port is configured for 802.1X with MAB as fallback. A device that does not support 802.1X is connected. Which method will allow the device to authenticate?
47. Which TWO security features rely on the DHCP snooping binding table? (Select exactly 2)
48. Which THREE are characteristics of Cisco TrustSec? (Select exactly 3)
49. Which TWO features are used to validate ARP packets and prevent ARP spoofing attacks? (Select exactly 2)
50. Refer to the exhibit. A client connected to Ethernet1/2 cannot obtain an IP address via DHCP. What is the most likely cause?
51. Refer to the exhibit. The CoPP policy above is applied. Which traffic is most likely to be dropped?
52. Refer to the exhibit. Two Nexus switches are connected via Ethernet1/1. MKA does not initiate. What is the issue?
53. A network engineer is configuring VLAN ACLs on a Cisco Nexus 9000 switch to enforce traffic filtering between VLANs. Which configuration step is required to apply a VACL to a VLAN?
54. A data center administrator is implementing Cisco TrustSec on a Nexus 7000 switch to enforce role-based access control. After configuring a security group tag (SGT) classification policy, users report that traffic between two servers is not being tagged. What is the most likely cause?
55. During a security audit, you discover that a Cisco Nexus 9000 switch is allowing traffic between two ports in the same VLAN despite having a VLAN ACL that should deny it. The VACL is applied correctly, and the ACL entries are properly configured. What is the most likely reason for this behavior?
56. An engineer needs to implement port security on a Cisco Nexus 1000V virtual switch to prevent MAC flooding attacks. The requirement is to allow only the first MAC address learned on the port. Which command sequence accomplishes this?
57. A Cisco ACI fabric administrator wants to implement microsegmentation using Cisco Group-Based Policy (GBP) in a network that hosts virtual machines and bare-metal servers. Which component must be used to enforce microsegmentation policies for bare-metal servers?
58. A network administrator is configuring CoPP (Control Plane Policing) on a Cisco Nexus 9300 to protect the control plane from high-rate traffic. After applying the policy, the switch becomes unresponsive to SSH sessions, but ICMP still works. What is the most likely misconfiguration?
59. A data center engineer is configuring 802.1X authentication on Cisco Nexus switches for wired endpoints. The requirement is to allow traffic on the port even if no EAPOL packet is received from the endpoint (e.g., a printer). Which authentication method should be used?
60. A Cisco ACI fabric has contracts configured to allow traffic between two EPGs. After deployment, traffic between endpoints in these EPGs is being dropped, but contract statistics show no packets have been permitted. The administrator checks the contract configuration and it looks correct. What is the most likely cause?
61. An organization is deploying Cisco Nexus 9000 switches with NX-OS and needs to prevent ARP spoofing attacks. The network engineer enables Dynamic ARP Inspection (DAI) on all VLANs. However, some legitimate hosts are unable to obtain IP addresses via DHCP. What is the most likely reason?
62. Which TWO of the following are valid methods to enforce security on a Cisco Nexus switch? (Choose two.)
63. Which TWO security features are used to prevent MAC address flooding attacks on a Cisco Nexus switch? (Choose two.)
64. Which THREE of the following must be enabled to implement 802.1X authentication with MAB fallback on a Cisco Nexus switch for a mixed environment of 802.1X-capable and non-802.1X endpoints? (Choose three.)
65. Refer to the exhibit. The TACACS+ server at 10.1.1.1 is unreachable. What will happen when a user tries to authenticate to the switch using SSH?
66. Refer to the exhibit. The interface showed a security violation 15 seconds ago and has a violation count of 5. What would happen if a frame with source MAC 0011.2233.4477 arrived now?
67. Refer to the exhibit. The configuration is intended to provide Layer 2 isolation within VLAN 100 while allowing the promiscuous port (Ethernet 1/1) to communicate with all ports in the community VLAN. However, hosts in VLAN 100 cannot communicate with each other. What is the most likely misconfiguration?
68. A data center engineer configures an ACL on a Nexus 9000 switch to block all traffic from the management network (10.10.0.0/16) to the production servers (192.168.1.0/24) except for SSH access from a specific jump host (10.10.1.100). The ACL is applied inbound on the management interface. Which ACL entry is correctly ordered to achieve this requirement?
69. An engineer needs to ensure that only authorized servers can connect to a specific switch port in a data center. The port connects to a critical database server with fixed MAC address 00:1a:2b:3c:4d:5e. Which configuration is most appropriate?
70. A Nexus 7000 switch is experiencing high CPU utilization due to control plane traffic. The engineer notices that many packets are being punted to the CPU from the data plane, particularly ARP packets. After examining the CoPP configuration, the engineer sees that the 'arp' class-map is matched in a policy-map with a police rate of 1000 pps and a conform-action of 'transmit'. The current ARP rate is 2000 pps. What is the immediate impact?
71. A company uses Cisco TrustSec in its data center to enforce segmentation. Servers in VLAN 10 (Finance) should only communicate with servers in VLAN 20 (ERP) via an application gateway. Which TrustSec component is used to assign a Security Group Tag (SGT) to traffic from the Finance servers?
72. A data center network engineer wants to encrypt all traffic between two top-of-rack (ToR) switches that are connected via a direct link. The encryption should be transparent to upper-layer protocols and operate at Layer 2. Which technology should be used?
73. An engineer is troubleshooting a DHCP issue in a data center VLAN. Clients are unable to obtain IP addresses from the DHCP server. The switch has DHCP snooping enabled on the VLAN, and the DHCP server is connected to a trusted port. The clients are on untrusted ports. Which additional security feature is most likely causing the problem if the DHCP server is on a different subnet and the switch is not configured as a DHCP relay?
74. A network administrator wants to prevent IP spoofing attacks on a data center access switch. The switch has IP Source Guard enabled on the client-facing ports. Which condition must be met for IP Source Guard to work properly?
75. Which control plane protection mechanism should be configured to limit the rate of BGP updates destined to the CPU of a Nexus 9000 switch to prevent CPU overload?
76. An ACI fabric administrator wants to enable microsegmentation for workloads in a Virtual Routing and Forwarding (VRF) instance. The security policy must allow communication between two endpoints based on their EPG (Endpoint Group) membership, regardless of IP address. Which construct must be used?
77. Which TWO statements about Cisco TrustSec in a data center environment are true? (Choose two.)
78. Which THREE security features are commonly used on Cisco Nexus switches to prevent DHCP-based attacks? (Choose three.)
79. Which THREE are best practices for securing a data center network? (Choose three.)
80. A network administrator implements the ACL shown. After verifying the ACL statistics, all counters show 0 matches. What is the most likely cause?
81. An engineer observes that ARP packets are being dropped. Based on the exhibit, what is the drop rate percentage for ARP packets?
82. A large enterprise data center uses Cisco ACI with a spine-leaf architecture. The security team requires that all traffic between the Web and App tiers be inspected by a firewall, but traffic within the same tier should be allowed directly. The Web EPG is in VRF PROD with Bridge Domain WEB-BD, and the App EPG is in VRF PROD with Bridge Domain APP-BD. The firewall is connected as a service graph device in a different VRF (FW-VRF). The administrator configures a contract between the Web and App EPGs that redirects traffic through the firewall. However, after implementation, traffic from Web to App is not passing through the firewall; instead, it is forwarded directly. The contract is applied correctly. What is the most likely cause?
83. A network engineer is troubleshooting inter-VLAN routing on a Cisco Nexus 9000 switch. The switch is configured with VLAN 10 and VLAN 20. Hosts in VLAN 10 cannot ping hosts in VLAN 20. The engineer checks the VLAN ACL (VACL) applied to VLAN 10 and finds the following configuration: ip access-list VACL-FILTER 10 permit ip any any ... vlan access-map VACL-MAP 10 match ip address VACL-FILTER action forward vlan filter VACL-MAP vlan-list 10 What is the most likely reason for the connectivity failure?
84. An engineer is configuring AAA authentication on a Cisco MDS 9000 series switch. The goal is to authenticate users via RADIUS first, then local as a fallback. Which command sequence should be used?
85. Which THREE methods can be used to propagate Cisco TrustSec Security Group Tags (SGTs) across a network? (Choose three.)
86. Which TWO statements are true about Control Plane Policing (CoPP) on a Cisco Nexus 9000 switch? (Choose two.)
87. A data center network uses Cisco Nexus 9000 switches running NX-OS. The operations team notices that the CPU utilization on the supervisor module spikes intermittently, causing BGP session flaps. Analysis shows that the CPU spikes coincide with traceroute probes from external networks, which generate ICMP TTL exceeded messages that are process-switched. The engineer must implement a solution to protect the control plane without affecting normal ICMP functionality. The goal is to rate-limit ICMP traffic to a maximum of 1000 packets per second with a burst of 200 bytes, while allowing other control plane traffic without restriction. Which configuration should be applied?
88. A Cisco MDS 9000 switch is used in a storage network. The security policy requires that a junior administrator named 'user1' can view zone configurations but cannot make any changes. Currently, 'user1' is assigned the default 'network-operator' role, which allows read-only access to most configuration, but the engineer wants to ensure that zone modification is explicitly denied. The engineer creates a custom role named 'zone-viewer' and assigns it to 'user1'. The role should permit viewing of the running configuration related to zones but deny any command that modifies zone or zoneset configurations. Which configuration best achieves this objective?
89. A network engineer is configuring DHCP snooping on a Cisco Nexus 9000 switch to prevent rogue DHCP server attacks. The switch connects to the legitimate DHCP server on Ethernet 1/1. Clients are connected to ports Ethernet 1/2 through 1/24. The engineer enables DHCP snooping globally and on VLAN 10, but clients are unable to obtain IP addresses from the DHCP server. Other connectivity between clients and the server works (e.g., static IPs). What is the most likely cause and solution?
90. In a Cisco Application Centric Infrastructure (ACI) fabric, a tenant has two EPGs: Web and App. A contract is created between Web (consumer) and App (provider) with a filter that permits TCP port 8080 (the only port used by the application). However, traffic from App to Web is failing. The application requires bidirectional communication: Web initiates requests to App on TCP 8080, and App responds on the same connection (stateful). The engineer verifies that the filter is correctly applied and that both EPGs are in the same VRF. The contract is applied in the direction Web -> App. What is the most efficient way to resolve this issue without compromising security?
91. Two Cisco Nexus 9000 switches are connected via Ethernet interface 1/1. The engineer wishes to secure the link using MACsec (IEEE 802.1AE) with a pre-shared key for connectivity association key (CAK) protection. Both switches have the same hardware and software version supporting MACsec. The engineer configures the following on both switches: feature macsec macsec policy MACSEC_POLICY cipher-suite gcm-aes-128 security-mode no-encrypt mka sak-rekey-time 30 interface ethernet 1/1 macsec policy MACSEC_POLICY However, the link comes up without MACsec encryption (the port counter shows MACsec frames dropped). The engineer checks that the pre-shared key is configured correctly via 'macsec key-chain' but notices it was not explicitly applied. What is the most likely reason for MACsec failing to establish?
92. A network engineer is implementing port security on a Cisco Nexus 9000 switch to limit the number of MAC addresses learned on a single access port. The switchport is configured as follows: interface Ethernet 1/2 switchport mode access switchport port-security switchport port-security maximum 2 switchport port-security violation shutdown switchport port-security mac-address sticky After connecting two authorized devices, a third unauthorized device is connected, causing the port to enter the err-disabled state. The engineer needs to restore connectivity for the two authorized devices as quickly as possible, while maintaining the security posture. What is the best practice to recover the port automatically in the future?
93. Which TWO methods are used to secure management plane access on Cisco Nexus 9000 series switches?
94. Refer to the exhibit. What is the effect of this configuration on traffic in VLAN 10?
95. A data center engineer is troubleshooting high CPU utilization on a Cisco Nexus 9000 switch. The engineer suspects a distributed denial-of-service (DDoS) attack targeting the switch. To mitigate the attack, the engineer configures a Control Plane Policing (CoPP) policy that drops all ICMP packets destined to the switch. The policy is applied to the control plane using the 'service-policy input COPP' command. After applying the policy, the switch CPU utilization remains high, and ICMP traffic is still reaching the switch. The engineer verifies that the CoPP policy is applied and that the class-map matches ICMP. The policy-map has the correct police and drop actions. No other CoPP policies are applied. What is the most likely cause of the issue?
The Security domain covers the key concepts tested in this area of the 350-601 exam blueprint published by Cisco. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all 350-601 domains — no account required.
The Courseiva 350-601 question bank contains 95 questions in the Security domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Security domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.