Courseiva
Knowledge + Practice
CertificationsVendorsCareer RoadmapsLabs & ToolsStudy GuidesGlossaryPractice Questions
C
Courseiva

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.

Certification Practice Questions

CCNA practice questionsSecurity+ SY0-701 practice questionsAWS SAA-C03 practice questionsAZ-104 practice questionsAZ-900 practice questionsCLF-C02 practice questionsA+ Core 1 practice questionsGoogle Cloud ACE practice questionsCySA+ CS0-003 practice questionsNetwork+ N10-009 practice questions
View all certifications →

Product

CertificationsCertification PathsExam TopicsPractice TestsExam Dumps vs Practice TestsStudy HubComparisons

Free Resources

Difficulty IndexLearn — Free ChaptersIT GlossaryFree Tools & LabsStudy GuidesCareer RoadmapsBrowse by VendorCisco Command ReferenceCCNA Scenarios

Company

AboutContactEditorial PolicyQuestion Writing PolicyTrust Center

Legal

Privacy PolicyTerms of Service

Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

HomeCertifications350-601DomainsSecurity
350-601Free — No Signup

Security

Practice 350-601 Security questions with full explanations on every answer.

50questions

Start practicing

Security — choose a session length

10 questions~10 min20 questions~20 min30 questions~30 min50 questions~50 min

Free · No account required

350-601 Domains

SecurityNetworkStorage NetworkAutomationCompute

Practice Security questions

10Q20Q30Q50Q

All 350-601 Security questions (50)

Start session

Click any question to see the full explanation and answer options, or start a focused practice session above.

1

In ACI, which model is used for micro-segmentation to allow traffic between EPGs?

2

An engineer needs to deny all traffic between two EPGs in ACI while allowing other EPG communications. Which construct should be used?

3

Which protocol is recommended by Cisco for network device administration AAA due to its separation of authentication, authorization, and accounting?

4

A Nexus switch is experiencing high CPU utilization due to control plane traffic. Which feature should be configured to protect the CPU?

5

In Cisco TrustSec, which technology is used to enforce east-west traffic policies based on identity without relying on IP addresses?

6

An administrator wants to prevent a rogue DHCP server from assigning IP addresses on a Nexus switch. Which feature should be enabled?

7

Which Nexus security feature validates the source IP address of packets on a per-port basis and drops packets with invalid source IPs?

8

An organization uses Cisco TrustSec to tag traffic. An endpoint is assigned SGT 5 (Developers) and another SGT 10 (Testers). The SGACL on the leaf switch permits traffic from SGT 5 to SGT 10 for HTTP but denies other. Which action is taken by the leaf switch?

9

Which feature on Nexus switches prevents ARP spoofing attacks by validating ARP packets?

10

An administrator needs to limit the number of MAC addresses learned on a Nexus access port to prevent MAC flooding attacks. Which feature should be configured?

11

In UCS Manager, which feature provides role-based access control for managing the fabric interconnects?

12

Which technology provides at-rest encryption for disk drives in UCS servers?

13

An organization wants to encrypt Fibre Channel traffic in-flight between storage and servers. Which standard should be used?

14

Which TWO features are commonly used together to prevent IP spoofing on a Nexus switch? (Choose two.)

15

An engineer is hardening a Nexus switch. Which THREE actions should be taken? (Choose three.)

16

A network engineer is configuring micro-segmentation in an ACI fabric. Two EPGs, Web and App, must communicate via HTTPS only. Which type of contract should be applied between the EPGs?

17

Which authentication protocol is recommended by Cisco for network device administration due to its separation of authentication, authorization, and accounting?

18

A Nexus switch is being hardened. An engineer wants to protect the control plane from CPU-targeted attacks, such as heavy ICMP traffic. Which feature should be configured?

19

An engineer is deploying Cisco TrustSec in a data center. Which technology uses Security Group Tags (SGTs) to enforce east-west traffic policies without relying on IP addresses?

20

In a UCS environment, an administrator needs to restrict access to the UCS Manager so that only specific users can configure server policies. Which feature should be used?

21

Which security feature on a Nexus switch prevents a rogue DHCP server from assigning invalid IP addresses to clients?

22

A data center uses self-encrypting drives (SEDs) in UCS servers. Which type of protection does SED provide?

23

An engineer applies an IPv4 ACL to a Nexus switch interface. The ACL must permit traffic from host 10.1.1.1 to host 10.2.2.2 on TCP port 443 and deny all other traffic. Which configuration is correct?

24

A Nexus switch is configured with port security. Which violation action will cause the switch to shut down the interface when a security violation occurs?

25

In an ACI fabric, a security policy requires that traffic from EPG1 to EPG2 be denied, but all other inter-EPG traffic is permitted by default. Which type of contract should be used?

26

Which Nexus security feature validates ARP packets to prevent ARP spoofing attacks?

27

An engineer is configuring 802.1X for network access control. Which AAA protocol should be used for communication between the authenticator (switch) and the authentication server?

28

Which feature on a Nexus switch uses DHCP snooping binding information to filter IP traffic on a per-port basis?

29

A UCS administrator needs to ensure that only the fabric interconnect management plane is accessible from the management network. Which feature should be implemented?

30

An engineer wants to enforce security policies in a data center based on user identity rather than IP addresses. Which Cisco technology enables identity-based tagging and policy enforcement?

31

A network engineer is hardening a Nexus switch. Which two security best practices should be applied? (Choose two.)

32

An engineer is deploying data encryption in a SAN environment. Which two methods provide at-rest encryption? (Choose two.)

33

Which three features are used on Nexus switches to mitigate Layer 2 attacks? (Choose three.)

34

An engineer is configuring micro-segmentation in an ACI fabric. Which object defines the whitelist model for communication between EPGs?

35

A Nexus switch is configured with DHCP snooping. Which switchport mode is required for trusted ports to prevent rogue DHCP server attacks?

36

A network administrator must enforce security policies for east-west traffic in a Cisco TrustSec-enabled data center without using IP-based ACLs. Which technology should be used?

37

Which AAA protocol is recommended by Cisco for network device administration, as it separates authentication, authorization, and accounting?

38

An engineer needs to protect the control plane of a Nexus 9000 switch from CPU-targeted attacks. Which feature should be configured?

39

In a UCS environment, which method provides management plane isolation for the fabric interconnects?

40

A Nexus administrator wants to apply an IPv4 ACL to filter traffic on a specific VLAN. Which command is correct?

41

Which feature prevents IP spoofing by ensuring that a client uses only the IP address assigned by DHCP?

42

An organization requires disk encryption for data at rest in their UCS environment. Which technology should be used?

43

In ACI, a tenant requires that all traffic between two EPGs is denied except for specific HTTP traffic. Which policy elements must be configured?

44

A network engineer is hardening a Nexus 9000 switch. Which action is most effective in reducing the attack surface?

45

Which Nexus feature dynamically validates ARP packets to prevent man-in-the-middle attacks?

46

In Cisco TrustSec, what is used to tag traffic based on identity or group membership?

47

A data center architect needs to enforce role-based access control for UCS Manager. What is the correct approach?

48

Which encryption technology is used to secure Fibre Channel traffic in flight between storage and switches?

49

A security engineer is deploying IP Source Guard on a Nexus switch. Which two components must be operational for IP Source Guard to function correctly?

50

An organization wants to encrypt data at rest in a storage array. Which two technologies can be used? (Choose two.)

Practice all 50 Security questions

Other 350-601 exam domains

NetworkStorage NetworkAutomationCompute

Frequently asked questions

What does the Security domain cover on the 350-601 exam?

The Security domain covers the key concepts tested in this area of the 350-601 exam blueprint published by Cisco. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all 350-601 domains — no account required.

How many Security questions are in the 350-601 question bank?

The Courseiva 350-601 question bank contains 50 questions in the Security domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice Security for 350-601?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only Security questions for 350-601?

Yes — the session launcher on this page draws questions exclusively from the Security domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.

Free forever · No credit card required

Track your 350-601 domain progress

Save your results, see per-domain analytics, and get readiness scores — free, for every certification.

Sign Up Free

Free forever · Every certification included

Practice Session

10 questions20 questions30 questions50 questions

Study Resources

All DomainsPractice TestMock ExamFlashcardsStudy Guide