Practice 350-601 Security questions with full explanations on every answer.
Start practicing
Security — choose a session length
Free · No account required
Click any question to see the full explanation and answer options, or start a focused practice session above.
In ACI, which model is used for micro-segmentation to allow traffic between EPGs?
2An engineer needs to deny all traffic between two EPGs in ACI while allowing other EPG communications. Which construct should be used?
3Which protocol is recommended by Cisco for network device administration AAA due to its separation of authentication, authorization, and accounting?
4A Nexus switch is experiencing high CPU utilization due to control plane traffic. Which feature should be configured to protect the CPU?
5In Cisco TrustSec, which technology is used to enforce east-west traffic policies based on identity without relying on IP addresses?
6An administrator wants to prevent a rogue DHCP server from assigning IP addresses on a Nexus switch. Which feature should be enabled?
7Which Nexus security feature validates the source IP address of packets on a per-port basis and drops packets with invalid source IPs?
8An organization uses Cisco TrustSec to tag traffic. An endpoint is assigned SGT 5 (Developers) and another SGT 10 (Testers). The SGACL on the leaf switch permits traffic from SGT 5 to SGT 10 for HTTP but denies other. Which action is taken by the leaf switch?
9Which feature on Nexus switches prevents ARP spoofing attacks by validating ARP packets?
10An administrator needs to limit the number of MAC addresses learned on a Nexus access port to prevent MAC flooding attacks. Which feature should be configured?
11In UCS Manager, which feature provides role-based access control for managing the fabric interconnects?
12Which technology provides at-rest encryption for disk drives in UCS servers?
13An organization wants to encrypt Fibre Channel traffic in-flight between storage and servers. Which standard should be used?
14Which TWO features are commonly used together to prevent IP spoofing on a Nexus switch? (Choose two.)
15An engineer is hardening a Nexus switch. Which THREE actions should be taken? (Choose three.)
16A network engineer is configuring micro-segmentation in an ACI fabric. Two EPGs, Web and App, must communicate via HTTPS only. Which type of contract should be applied between the EPGs?
17Which authentication protocol is recommended by Cisco for network device administration due to its separation of authentication, authorization, and accounting?
18A Nexus switch is being hardened. An engineer wants to protect the control plane from CPU-targeted attacks, such as heavy ICMP traffic. Which feature should be configured?
19An engineer is deploying Cisco TrustSec in a data center. Which technology uses Security Group Tags (SGTs) to enforce east-west traffic policies without relying on IP addresses?
20In a UCS environment, an administrator needs to restrict access to the UCS Manager so that only specific users can configure server policies. Which feature should be used?
21Which security feature on a Nexus switch prevents a rogue DHCP server from assigning invalid IP addresses to clients?
22A data center uses self-encrypting drives (SEDs) in UCS servers. Which type of protection does SED provide?
23An engineer applies an IPv4 ACL to a Nexus switch interface. The ACL must permit traffic from host 10.1.1.1 to host 10.2.2.2 on TCP port 443 and deny all other traffic. Which configuration is correct?
24A Nexus switch is configured with port security. Which violation action will cause the switch to shut down the interface when a security violation occurs?
25In an ACI fabric, a security policy requires that traffic from EPG1 to EPG2 be denied, but all other inter-EPG traffic is permitted by default. Which type of contract should be used?
26Which Nexus security feature validates ARP packets to prevent ARP spoofing attacks?
27An engineer is configuring 802.1X for network access control. Which AAA protocol should be used for communication between the authenticator (switch) and the authentication server?
28Which feature on a Nexus switch uses DHCP snooping binding information to filter IP traffic on a per-port basis?
29A UCS administrator needs to ensure that only the fabric interconnect management plane is accessible from the management network. Which feature should be implemented?
30An engineer wants to enforce security policies in a data center based on user identity rather than IP addresses. Which Cisco technology enables identity-based tagging and policy enforcement?
31A network engineer is hardening a Nexus switch. Which two security best practices should be applied? (Choose two.)
32An engineer is deploying data encryption in a SAN environment. Which two methods provide at-rest encryption? (Choose two.)
33Which three features are used on Nexus switches to mitigate Layer 2 attacks? (Choose three.)
34An engineer is configuring micro-segmentation in an ACI fabric. Which object defines the whitelist model for communication between EPGs?
35A Nexus switch is configured with DHCP snooping. Which switchport mode is required for trusted ports to prevent rogue DHCP server attacks?
36A network administrator must enforce security policies for east-west traffic in a Cisco TrustSec-enabled data center without using IP-based ACLs. Which technology should be used?
37Which AAA protocol is recommended by Cisco for network device administration, as it separates authentication, authorization, and accounting?
38An engineer needs to protect the control plane of a Nexus 9000 switch from CPU-targeted attacks. Which feature should be configured?
39In a UCS environment, which method provides management plane isolation for the fabric interconnects?
40A Nexus administrator wants to apply an IPv4 ACL to filter traffic on a specific VLAN. Which command is correct?
41Which feature prevents IP spoofing by ensuring that a client uses only the IP address assigned by DHCP?
42An organization requires disk encryption for data at rest in their UCS environment. Which technology should be used?
43In ACI, a tenant requires that all traffic between two EPGs is denied except for specific HTTP traffic. Which policy elements must be configured?
44A network engineer is hardening a Nexus 9000 switch. Which action is most effective in reducing the attack surface?
45Which Nexus feature dynamically validates ARP packets to prevent man-in-the-middle attacks?
46In Cisco TrustSec, what is used to tag traffic based on identity or group membership?
47A data center architect needs to enforce role-based access control for UCS Manager. What is the correct approach?
48Which encryption technology is used to secure Fibre Channel traffic in flight between storage and switches?
49A security engineer is deploying IP Source Guard on a Nexus switch. Which two components must be operational for IP Source Guard to function correctly?
50An organization wants to encrypt data at rest in a storage array. Which two technologies can be used? (Choose two.)
The Security domain covers the key concepts tested in this area of the 350-601 exam blueprint published by Cisco. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all 350-601 domains — no account required.
The Courseiva 350-601 question bank contains 50 questions in the Security domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Security domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
Save your results, see per-domain analytics, and get readiness scores — free, for every certification.
Sign Up FreeFree forever · Every certification included