Courseiva
Knowledge + Practice
© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.


Cisco · Free Practice Questions · Last reviewed May 2026

350-601 Exam Questions and Answers

30 real exam-style questions organised by domain, each with the correct answer highlighted and a plain-English explanation of why it's right and why the others are wrong.

90 exam questions
120 min time limit
Pass: Variable
5 exam domains

Domain 1: Network

Q1 (medium)

A data center engineer is troubleshooting intermittent connectivity between two servers in different VLANs. The servers are connected to different leaf switches in a VXLAN EVPN fabric. When checking the fabric, the engineer notices that the NVE interface on one leaf is up/up but the VNI for the server VLAN is not listed in 'show nve vni'. What is the most likely cause?

A. MTU mismatch on the underlay network
B. Anycast gateway is not configured on the leaf
C. BGP EVPN peers are not established
D. The VLAN-to-VNI mapping is missing under the VLAN configuration
   The VNI must be mapped to a VLAN using 'vn-segment vlan-id' under the VLAN configuration; without it, the VNI does not appear in the NVE interface.

Why: The NVE interface being up/up indicates the overlay tunnel is operational, but the absence of the VNI in 'show nve vni' means the VNI is not instantiated on the NVE. This typically occurs when the VLAN-to-VNI mapping is missing under the VLAN configuration (e.g., 'vlan 100' then 'vn-segment 10100'), which prevents the VNI from being associated with the NVE interface and advertised via BGP EVPN.

Q2 (hard)

An organization is deploying a new ACI fabric. The design requires that traffic between EPGs in the same bridge domain be allowed by default, but traffic between EPGs in different bridge domains must be denied unless explicitly permitted. Which contract scope configuration meets this requirement?

A. Context (default)
B. Application-profile
C. Global
D. VRF
   VRF scope allows contracts to apply across bridge domains within the same VRF; without a contract, traffic is denied, and with a contract, permitted.

Why: The VRF (private L3 context) is the correct scope because contract scope determines the boundary within which a contract is effective. By setting the contract scope to VRF, the contract applies only to EPGs within the same VRF. Since EPGs in different bridge domains are typically in the same VRF, you must explicitly configure contracts to permit inter-EPG traffic; otherwise, it is denied by default. This matches the requirement that traffic between EPGs in the same bridge domain is allowed by default (via the default intra-EPG and intra-bridge domain forwarding), while traffic between EPGs in different bridge domains requires an explicit contract.

Q3 (easy)

A network engineer is configuring OSPF on a Cisco Nexus switch for a data center network. The requirement is to ensure that the switch does not become the Designated Router (DR) on a multi-access segment. Which OSPF configuration achieves this?

A. Set OSPF priority to 255 on the interface
B. Set OSPF priority to 0 on the interface
   Priority 0 means the router will never become DR or BDR.
C. Change the OSPF network type to point-to-point
D. Configure the interface as passive under OSPF

Why: Setting the OSPF priority to 0 on the interface prevents the switch from participating in the DR/BDR election process, ensuring it will never become the Designated Router (DR) or Backup Designated Router (BDR) on a multi-access segment. This is the standard method per RFC 2328 to make a router ineligible for DR/BDR status while still allowing it to form full adjacencies with the DR and BDR.

Q4 (hard)

During a maintenance window, a network engineer plans to upgrade the NX-OS software on a pair of Nexus 9000 switches configured as vPC peers. The engineer wants to minimize traffic disruption. Which upgrade sequence is recommended?

A. Upgrade both switches simultaneously using ISSU
B. Reload both switches to a previous version, then upgrade
C. Upgrade the primary vPC peer first, then the secondary
D. Upgrade the secondary vPC peer first, then the primary
   Upgrading secondary first ensures the primary remains operational; after secondary upgrade, it can take over if needed during primary upgrade.

Why: In a vPC pair, the secondary peer is upgraded first to preserve the primary's role as the forwarding anchor. Upgrading the secondary peer allows it to reboot and rejoin the vPC domain without disrupting the data plane because the primary peer continues to forward traffic. Once the secondary is stable, the primary is upgraded, ensuring minimal traffic loss.

Q5 (medium)

A data center uses Cisco ACI with multiple tenants. The security policy requires that all traffic between EPGs must be explicitly allowed via contracts. However, the operations team reports that communication between two EPGs in the same bridge domain is working even though no contract is applied. What is the most likely reason?

A. The default behavior in ACI allows communication between EPGs in the same bridge domain without a contract
   ACI allows intra-BD communication by default; contracts are needed for inter-BD or inter-VRF traffic.
B. The contract is applied but not enforced due to a configuration error
C. The VRF has a default route that bypasses contract enforcement
D. A preferred group contract is applied to the VRF

Why: In Cisco ACI, the default behavior for EPGs within the same bridge domain (BD) is that they can communicate without a contract. This is because EPGs in the same BD share the same Layer 2 domain, and ACI does not enforce contract-based filtering for intra-BD traffic unless a contract is explicitly applied. The security policy requiring contracts applies only to inter-BD or inter-VRF traffic, not to intra-BD communication.

Q6 (medium)

Which TWO statements about VXLAN BGP EVPN control plane are true? (Choose two.)

A. The underlay network provides IP connectivity between VTEPs
   Underlay routing (e.g., IS-IS, OSPF) enables VTEP-to-VTEP reachability.
B. BGP EVPN advertises MAC addresses and IP addresses as routes
   EVPN Type-2 routes carry MAC/IP information.
C. VXLAN encapsulates Ethernet frames in IP packets using MPLS labels
D. VXLAN uses a 32-bit network identifier (VNI)
E. The control plane is responsible for actual data forwarding

Why: Option A is correct because the VXLAN underlay network (typically an IP-based fabric using protocols like OSPF or IS-IS) provides IP connectivity between VTEPs, enabling them to encapsulate and decapsulate VXLAN packets. Without this underlay reachability, VTEPs cannot communicate, making it a foundational requirement for VXLAN operation.


Domain 2: Compute

Q1 (hard)

An engineer is deploying a new UCS chassis with two Fabric Interconnects. The design requires that server traffic can fail over to the secondary FI if the primary FI fails, without requiring any changes to the server's network configuration. Which technology must be enabled on the uplink ports of the Fabric Interconnects to the upstream switches to ensure transparent failover of server traffic?

A. Configure a virtual PortChannel (vPC) between the Fabric Interconnects and upstream switches.
B. Apply QoS policies to prioritize failover traffic.
C. Enable pin groups with 'failover' mode on the server ports.
   Pin groups with failover mode allow the secondary FI to assume the primary's MAC and IP, enabling transparent failover.
D. Implement Private VLANs on the uplink ports to isolate traffic.

Why: Pin groups with 'failover' mode enable transparent server traffic failover by pinning server vNICs to a specific Fabric Interconnect (FI) and automatically repinning them to the secondary FI upon primary FI failure, without requiring any changes to the server's network configuration. This ensures that the server's MAC and IP addresses remain active on the secondary FI, maintaining connectivity without manual intervention.

Q2 (medium)

A UCS administrator notices that a service profile associated with a vNIC template that uses 'fabric failover' is not failing over to the secondary Fabric Interconnect when the primary link goes down. The vNIC template is set to 'fabric failover' enabled, and both Fabric Interconnects are in the same VLAN. What is the most likely cause?

A. The 'Primary Fabric' setting is not defined in the vNIC template.
   The primary fabric must be selected in the vNIC template for failover to function correctly.
B. The server is pinned to the primary Fabric Interconnect via a pin group.
C. The MTU size on the secondary Fabric Interconnect is set to 1500 instead of 9000.
D. The 'MAC Address' policy is set to 'pool-based' instead of 'static'.

Why: When 'fabric failover' is enabled on a vNIC template, the UCS Manager requires the 'Primary Fabric' setting to be explicitly defined to determine which Fabric Interconnect (FI-A or FI-B) should be the active path. Without this setting, the system cannot properly orchestrate the failover behavior, causing the vNIC to remain pinned to the primary FI even when its link goes down. This is a common misconfiguration because the 'fabric failover' checkbox alone does not imply a primary fabric assignment.

Q3 (easy)

An engineer is configuring a UCS server profile for a database application that requires low latency. The server will use a Cisco UCS VIC 1340 adapter. Which vNIC placement policy should be selected to minimize latency?

A. Assigned
   Assigned placement pins the vNIC to a specific adapter port, reducing latency.
B. Any
C. Default
D. Round-Robin

Why: The Assigned vNIC placement policy binds each vNIC to a specific physical port on the Cisco UCS VIC 1340 adapter, ensuring deterministic traffic flow and predictable latency. For low-latency database applications, this eliminates the variability introduced by dynamic placement, allowing the engineer to align vNICs with the most direct PCIe path to the CPU or memory.

Q4 (medium)

Which TWO statements correctly describe the use of Cisco UCS Manager service profiles for server deployment?

A. Service profiles can only be applied to servers of the same model.
B. Service profiles decouple server identity from hardware, enabling rapid provisioning.
   Service profiles abstract server identity, allowing quick redeployment.
C. A service profile can be associated with multiple servers simultaneously.
D. Service profiles are stored locally on the server's boot drive.
E. Service profiles include policies for firmware, BIOS, boot order, and network.
   Service profiles encapsulate all server identity and policy settings.

Why: Service profiles decouple the logical server identity (UUID, MAC addresses, WWPNs) from the physical hardware. This allows an administrator to rapidly provision or repurpose a server by simply associating the profile with a different blade or rack server, without reconfiguring the OS or SAN/NIC settings. This abstraction is the core value of Cisco UCS Manager for scalable, stateless computing.

Q5 (hard)

Which THREE components are required to configure a Cisco UCS Direct-attached storage environment using SAS expanders?

A. SAS cables connecting the storage enclosure to the server's storage controller.
   Direct SAS cabling is required for connectivity.
B. SAS expanders within the enclosure to connect multiple drives.
   SAS expanders allow daisy-chaining of drives.
C. SAS hard drives installed in the storage enclosure.
   SAS drives are the storage medium.
D. Fibre Channel over Ethernet (FCoE) uplinks from the storage enclosure to the Fabric Interconnect.
E. Fibre Channel switch for SAN connectivity.

Why: Option A is correct because in a Cisco UCS Direct-attached storage environment using SAS expanders, SAS cables are required to physically connect the storage enclosure to the server's storage controller (typically an LSI-based SAS HBA). This direct cabling enables the SAS protocol to carry SCSI commands and data between the server and the drives without any intervening network fabric.

Q6 (medium)

Refer to the exhibit. A UCS administrator has configured vNIC templates as shown. Both Fabric Interconnects have identical uplink configurations. The vNIC templates have 'Failover: Enabled'. However, when Fabric Interconnect A fails, servers using vNIC-A do not fail over to Fabric Interconnect B. What is the most likely cause?

A. A pin group is configured that forces traffic to Fabric Interconnect A.
B. The native VLAN (10) is not allowed on Fabric Interconnect B's trunk.
C. The uplink interfaces are configured with 'spanning-tree port type edge trunk', which blocks failover traffic.
D. The server's service profile does not include a secondary vNIC for Fabric B.
   Failover requires a secondary vNIC on the other fabric in the same service profile.

Why: Option D is correct because the server's service profile must include both a primary vNIC (for Fabric Interconnect A) and a secondary vNIC (for Fabric Interconnect B) to enable failover. The 'Failover: Enabled' setting on the vNIC template only allows the vNIC to use the other fabric's uplink if a secondary vNIC is explicitly defined in the service profile; without it, the vNIC is pinned to its original fabric and cannot fail over.


Domain 3: Storage Network

Q1 (easy)

An engineer is configuring a Fibre Channel over Ethernet (FCoE) SAN. Which statement about FCoE Initialization Protocol (FIP) is true?

A. FIP operates only over lossless Ethernet.
B. FIP uses Ethernet MAC addresses for communication.
   FIP uses MAC addresses for discovery and login.
C. FIP is used only for FCoE initialization, not for maintenance.
D. FIP requires IP addresses to establish FCoE sessions.

Why: FCoE Initialization Protocol (FIP) uses Ethernet MAC addresses for communication during the discovery, initialization, and maintenance phases of an FCoE session. FIP frames are encapsulated in standard Ethernet frames with a specific EtherType (0x8914), allowing FCoE-capable endpoints to discover each other and establish virtual links without relying on IP addresses.

Q2 (medium)

A storage administrator needs to ensure that a Fibre Channel zone configuration is operationally effective without disrupting the current active zone set. Which approach should be used?

A. Create the new zone configuration in the defined configuration, then activate it as a new zone set.
   Standard best practice.
B. Delete the active zone set and create a new one.
C. Edit the active zone set directly.
D. Use the 'commit' command to update the zone set.

Why: Option A is correct because in Cisco MDS Fibre Channel SANs, zone configurations are created in the defined configuration and then activated as a new zone set. This approach ensures that the current active zone set remains operational and unaffected during the configuration process, preventing any disruption to existing traffic. Only when the new zone set is explicitly activated does it replace the active set, allowing for a controlled cutover.

Q3 (hard)

A data center deployment uses NPV mode on a Cisco MDS switch to connect to a core Fibre Channel switch. After configuration, the NPV switch does not register with the core. What is the most likely cause?

A. Fibre Channel ports are in trunk mode.
B. The core switch has NPV mode enabled.
C. NPIV is not enabled on the core switch.
   Core must have NPIV enabled for NPV.
D. The NPV switch has an incorrect domain ID.

Why: NPV (N_Port Virtualization) mode requires NPIV (N_Port ID Virtualization) to be enabled on the core Fibre Channel switch. NPIV allows a single physical N_Port to register multiple FCIDs (Fibre Channel IDs) for multiple virtual initiators behind the NPV switch. Without NPIV on the core, the NPV switch cannot complete the FLOGI (Fabric Login) process and will not register with the fabric.

Q4 (medium)

An engineer is tuning performance for a storage network. Which two practices improve FC SAN performance?

A. Disabling flow control.
B. Using single-initiator zoning.
   Reduces inter-initiator traffic.
C. Ensuring adequate buffer credits.
   Prevents frame loss.
D. Enabling broadcast zoning.
E. Setting fabric login timeout to the maximum.

Why: Single-initiator zoning (Option B) reduces inter-switch link (ISL) traffic and prevents fabric-wide disruptions by ensuring that only one initiator can communicate with a specific set of target ports. This minimizes the number of Registered State Change Notifications (RSCNs) and simplifies troubleshooting, directly improving FC SAN performance by reducing control-plane overhead.

Q5 (easy)

Which FCoE component is responsible for encapsulating Fibre Channel frames into Ethernet frames?

A. FCoE module on the switch or adapter
   The FCoE module performs encapsulation/decapsulation.
B. FCoE Forwarder (FCF)
C. Virtual Fibre Channel interface (VFC)
D. VN interface

Why: The FCoE module on the switch or adapter is the component that performs the encapsulation of native Fibre Channel frames into Ethernet frames. This module handles the conversion by adding an Ethernet header, including the EtherType 0x8906 for FCoE, and managing the mapping of Fibre Channel constructs (e.g., VSANs) to VLANs. Without this module, Fibre Channel traffic cannot traverse an Ethernet network.

Q6 (medium)

A SAN administrator notices intermittent connectivity issues between an initiator and target. The Fibre Channel link shows CRC errors. What is the most likely cause?

A. Incorrect domain ID.
B. Faulty SFP or fiber optic cable.
   Physical layer issues cause CRC errors.
C. Buffer credit starvation.
D. Incorrect zone configuration.

Why: CRC errors on a Fibre Channel link indicate physical-layer issues such as signal degradation, dirty connectors, or faulty hardware. The most common cause is a faulty SFP module or damaged fiber optic cable, which introduces bit errors that the CRC check detects. This is the first component to verify when troubleshooting intermittent connectivity with CRC errors.


Domain 4: Automation

Q1 (easy)

A network engineer wants to automate the deployment of a new VLAN across all Cisco Nexus switches in a data center using Python scripts. Which tool is most appropriate for this task?

A. Cisco NX-API with Python requests
   NX-API provides RESTful API for direct configuration via Python.
B. SSH CLI commands via Paramiko
C. Ansible playbook
D. SNMP SET commands

Why: Cisco NX-API provides a RESTful API interface on Nexus switches, allowing direct HTTP/HTTPS calls to configure VLANs programmatically. Using Python's requests library, you can send structured JSON payloads to the API endpoint, making it the most direct and efficient method for script-driven automation without requiring intermediate tools or protocols.

Q2 (medium)

A data center team is troubleshooting an automation script that uses REST API to configure a Cisco Nexus 9000 switch. The script fails with a '401 Unauthorized' error. What is the most likely cause?

A. API rate limiting has been exceeded
B. Network connectivity issue between the script and the switch
C. The user account does not have admin privileges
D. Invalid or expired authentication token
   401 Unauthorized indicates authentication failure.

Why: A 401 Unauthorized error in REST API communication indicates that the request lacks valid authentication credentials. For Cisco Nexus 9000 switches, REST API access typically requires a token-based authentication (e.g., using HTTP Basic Auth to obtain a session token or cookie). If the token is invalid or expired, the API server rejects the request with a 401 status code, as the script cannot prove its identity.

Q3 (hard)

An engineer is designing an automation solution for a large data center with multiple Cisco UCS Manager domains. Which approach best ensures idempotent configuration operations?

A. Writing imperative Python scripts that execute CLI commands
B. Using a declarative automation tool like Ansible with idempotent modules
   Declarative tools ensure the desired state is achieved regardless of current state.
C. Directly calling UCS Manager XML API using POST requests
D. Using SNMP to set configuration parameters

Why: Option B is correct because Ansible's declarative modules for Cisco UCS Manager (e.g., `ucs_*` modules) are designed to be idempotent: they compare the current state of the configuration against the desired state defined in the playbook and only apply changes when necessary. This ensures that running the same playbook multiple times yields the same result without unintended side effects, which is critical for large-scale automation across multiple UCS domains.

Q4 (medium)

A DevOps team uses Ansible to automate the configuration of Cisco Nexus switches. After running a playbook, some switches have the correct configuration but others do not. The playbook uses the 'nxos_config' module. Which action should be taken to ensure consistent configuration?

A. Set 'ignore_errors' to true in the playbook
B. Use the 'backup' option to save the running config before changes
   Backup provides a restore point for rollback.
C. Use 'serial' directive to run the playbook on one switch at a time
D. Enable check mode to verify changes before applying

Why: The 'nxos_config' module's 'backup' option saves the running configuration to a file before applying changes. This ensures that if a switch fails to apply the configuration correctly, the original configuration is preserved for rollback, enabling consistent recovery across all switches. Without this, some switches may have partial or incorrect configurations that cannot be easily reverted.

Q5 (hard)

A network engineer is implementing automated configuration management using Cisco NSO (Network Services Orchestrator). The team wants to ensure that any configuration changes made directly on the devices (out-of-band) are detected and reconciled. Which NSO feature should be used?

A. Configuration Database (CDB) snapshots
B. Fast-map synchronization
   Fast-map syncs device configurations with NSO and detects drift.
C. Service model templates
D. Rollback and recovery mechanism

Why: Fast-map synchronization is the correct NSO feature because it is specifically designed to detect and reconcile configuration changes made directly on managed devices (out-of-band changes). It compares the device's running configuration against NSO's CDB and generates the necessary NETCONF or CLI operations to bring the device back into sync with NSO's desired state, ensuring consistency without manual intervention.

Q6 (medium)

Which TWO statements about Cisco NX-API are correct? (Choose two.)

A. NX-API uses SSH for transport.
B. NX-API only supports GET requests.
C. NX-API uses HTTP/HTTPS as the transport protocol.
   NX-API is a RESTful API over HTTP/HTTPS.
D. NX-API is only available on Nexus 3000 series switches.
E. NX-API can output data in XML and JSON formats.
   NX-API supports both XML and JSON.

Why: Cisco NX-API is a programmatic interface that uses HTTP/HTTPS as the transport protocol, allowing RESTful API calls to configure and monitor Nexus switches. It supports both XML and JSON output formats, enabling flexible data parsing in automation scripts. This makes options C and E correct.


Domain 5: Security

Q1 (medium)

An engineer is configuring a new data center leaf switch to enforce micro-segmentation using Cisco ACI. The requirement is to permit traffic from web servers to application servers on TCP port 8080, but deny all other traffic. The web servers are in EPG 'web_EPG' and application servers in EPG 'app_EPG'. Which contract configuration should be applied?

A. Create a contract with subject 'web_to_app' and apply filter 'tcp_8080'. Use vzAny for both EPGs.
B. Create a contract with subject 'web_to_app' and apply filter 'tcp_8080'. Assign web_EPG as provider and app_EPG as consumer.
C. Create a contract with subject 'web_to_app' and apply filter 'tcp_8080' with direction 'both'. Assign web_EPG as provider and app_EPG as consumer.
   Correct: provider sends traffic to consumer; filter permits TCP 8080; direction both allows response.
D. Create a contract with subject 'web_to_app' and apply filter 'ip'. Assign web_EPG as provider and app_EPG as consumer.

Why: Option C is correct because in Cisco ACI, contracts define the rules for communication between EPGs. The provider EPG offers a service, and the consumer EPG accesses it. By setting the filter direction to 'both', the contract enforces bidirectional traffic on TCP port 8080, which is necessary for web-to-application communication (e.g., HTTP responses). This configuration ensures that only traffic matching the filter is permitted, while all other traffic is implicitly denied by ACI's default deny behavior.

Q2 (hard)

A customer is deploying Cisco ACI with a requirement to isolate tenant traffic in a multi-tenant environment. They want to ensure that a tenant admin can only manage their own tenant's objects. Which RBAC configuration should be implemented?

A. Assign the 'read-only' role to the user within the tenant.
B. Create a separate VRF for each tenant and assign admin to that VRF.
C. Create a security domain for each tenant and assign the 'tenant-admin' role to the user within that domain.
   Security domains limit the scope of roles to specific tenants.
D. Assign the 'tenant-admin' role to the user globally.

Why: Option C is correct because Cisco ACI uses security domains to enforce Role-Based Access Control (RBAC) boundaries. By creating a security domain for each tenant and assigning the 'tenant-admin' role to a user within that domain, the tenant admin is restricted to managing only the objects (e.g., EPGs, contracts, policies) that belong to that specific tenant. This ensures isolation of tenant traffic management in a multi-tenant environment without granting global or cross-tenant privileges.

Q3 (easy)

An engineer needs to secure the management plane on a Cisco Nexus 9000 switch. Which feature should be configured to restrict access to the switch's management interface based on source IP?

A. Enable DHCP snooping on the management VLAN.
B. Enable port security on the management interface.
C. Configure AAA to require two-factor authentication.
D. Configure a management CoPP policy to rate-limit and permit only specific source IPs.
   CoPP can filter management traffic to the switch.

Why: Option D is correct because a management Control Plane Policing (CoPP) policy on a Cisco Nexus 9000 switch allows the engineer to explicitly permit or deny traffic destined to the management interface based on source IP addresses. CoPP applies QoS policies to control plane traffic, effectively restricting management plane access by rate-limiting or dropping packets from unauthorized sources before they reach the CPU.

Q4 (medium)

An organization is deploying Cisco ACI in a brownfield data center. They have existing VLANs that need to be mapped to ACI EPGs. The network team notices that some VLANs are used across multiple tenants. How should the engineer design the VLAN pool to support overlapping VLANs?

A. Configure the VLANs as part of the EPG static binding without a pool.
B. Create separate VLAN pools per tenant, each containing the required VLANs.
   Each tenant gets its own VLAN pool, allowing reuse.
C. Create one VLAN pool per physical domain and assign tenants to that domain.
D. Create a global VLAN pool with all VLANs and assign it to all tenants.

Why: Option B is correct because in Cisco ACI, VLAN pools are scoped to a physical domain, and overlapping VLANs across tenants require separate VLAN pools per tenant. Each tenant's EPG is statically bound to its own VLAN pool, ensuring isolation and preventing VLAN conflicts. This design aligns with ACI's multi-tenant architecture where VLAN IDs must be unique within a domain but can be reused across different domains.

Q5 (hard)

A network administrator suspects that a rogue DHCP server is active on the data center network. The switches are Cisco Nexus 9000 series running NX-OS. Which configuration should be applied to prevent DHCP spoofing?

A. Enable dynamic ARP inspection on all VLANs.
B. Enable IP source guard on all access ports.
C. Enable DHCP snooping globally and configure uplink ports as trusted.
   DHCP snooping filters DHCP offers from untrusted ports.
D. Enable MAC port security on all access ports.

Why: DHCP snooping is the correct defense against rogue DHCP servers because it filters DHCP messages on untrusted ports and allows only DHCP replies from trusted uplink ports. By enabling DHCP snooping globally and configuring uplink ports as trusted, the switch will drop DHCPOFFER and DHCPACK messages received on access ports, preventing a rogue server from handing out malicious IP configurations.

Q6 (easy)

A data center switch is configured with 802.1X port-based authentication for edge ports. Users report authentication failures. The engineer wants to verify the authentication status of a specific interface. Which command should be used?

A. show aaa authentication
B. show dot1x
C. show authentication interface ethernet 1/1
   Displays 802.1X and MAC authentication status.
D. show port-security interface ethernet 1/1

Why: Option C is correct because the 'show authentication interface ethernet 1/1' command displays the 802.1X authentication status, including the state machine, authorized status, and method list for a specific interface. This command is part of the Identity-Based Networking Services (IBNS) framework and provides a comprehensive view of all authentication methods (802.1X, MAB, WebAuth) configured on the port, which is essential for troubleshooting authentication failures on edge ports.


Frequently asked questions

How many questions are on the 350-601 exam?

The 350-601 exam has 90 questions and must be completed in 120 minutes. Cisco passing scores vary by exam version and are not always publicly listed. Check the official Cisco exam page before booking.

What types of questions appear on the 350-601 exam?

CLI output interpretation, network topology analysis, routing behaviour, switching concepts, troubleshooting, and configuration questions.

How are 350-601 questions organised by domain?

The exam covers 5 domains: Network, Compute, Storage Network, Automation, Security. Questions are weighted by domain — higher-weight domains appear more on your actual exam.

Are these the actual 350-601 exam questions?

No. These are original exam-style practice questions written against the official Cisco 350-601 exam objectives. They are not copied from the real exam. Courseiva focuses on genuine understanding, not memorisation of braindumps.
