© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

350-601 Security • Complete Question Bank

350-601 Security — All Questions With Answers

Complete 350-601 Security question bank — all 0 questions with answers and detailed explanations.

95 questions. Free, no signup required.
Question 1 (medium, multiple choice)

An engineer is configuring a new data center leaf switch to enforce micro-segmentation using Cisco ACI. The requirement is to permit traffic from web servers to application servers on TCP port 8080, but deny all other traffic. The web servers are in EPG 'web_EPG' and application servers in EPG 'app_EPG'. Which contract configuration should be applied?

Question 2 (hard, multiple choice)

A customer is deploying Cisco ACI with a requirement to isolate tenant traffic in a multi-tenant environment. They want to ensure that a tenant admin can only manage their own tenant's objects. Which RBAC configuration should be implemented?

Question 3 (easy, multiple choice)

An engineer needs to secure the management plane on a Cisco Nexus 9000 switch. Which feature should be configured to restrict access to the switch's management interface based on source IP?

Question 4 (medium, multiple choice)

An organization is deploying Cisco ACI in a brownfield data center. They have existing VLANs that need to be mapped to ACI EPGs. The network team notices that some VLANs are used across multiple tenants. How should the engineer design the VLAN pool to support overlapping VLANs?

Question 5 (hard, multiple choice)

A network administrator suspects that a rogue DHCP server is active on the data center network. The switches are Cisco Nexus 9000 series running NX-OS. Which configuration should be applied to prevent DHCP spoofing?

Question 6 (easy, multiple choice)

A data center switch is configured with 802.1X port-based authentication for edge ports. Users report authentication failures. The engineer wants to verify the authentication status of a specific interface. Which command should be used?

Question 7 (medium, multiple choice)

An engineer is configuring Cisco ACI to secure inter-tenant traffic. Tenants 'TenantA' and 'TenantB' need to communicate via a shared service, such as a DNS server in TenantA. How should the contract be configured?

Question 8 (hard, multiple choice)

A data center architect is designing security for a Cisco ACI fabric that must comply with PCI DSS. The requirement is to encrypt all traffic between EPGs within the same tenant. Which solution should be used?

Question 9 (medium, multi-select)

Which TWO of these are best practices for securing the Cisco ACI fabric?

Question 10 (hard, multi-select)

Which THREE of the following are valid methods to secure the control plane on a Cisco Nexus 9000 switch?

Question 11 (easy, multi-select)

Which TWO of the following are required components for a Cisco ACI contract to allow communication between EPGs?

Question 12 (hard, multiple choice)

A large financial institution has a Cisco ACI fabric with multiple tenants. The security team requires that all management access to the APIC controllers be authenticated via multi-factor authentication (MFA) using a RADIUS server. The RADIUS server is configured to send a One-Time Password (OTP) challenge during authentication. The current configuration uses local authentication. The engineer needs to implement RADIUS authentication with MFA for APIC GUI and CLI access. The RADIUS server is reachable at 10.10.10.10, shared secret 'SecureSecret123'. The APIC is running software version 4.2(3). The engineer must ensure that local authentication is used as fallback if the RADIUS server is unreachable. Which of the following actions should the engineer take?

Question 13 (medium, multiple choice)

A data center engineer is troubleshooting connectivity issues between two EPGs in the same tenant on a Cisco ACI fabric. The first EPG 'web_epg' is in VLAN 100 and the second EPG 'db_epg' is in VLAN 200. The contract 'web_to_db' allows TCP port 3306 from web_epg to db_epg. The EPGs are in the same VRF. The engineer has verified that the physical connectivity is correct and the endpoints are learning their IP addresses. However, traffic from web_epg to db_epg is not reaching the destination. The engineer checks the contract and sees that the subject 'mysql_access' has filter 'mysql' with direction 'both'. The provider is db_epg and consumer is web_epg. The engineer also notices that the default action in the contract is 'deny'. What is the most likely cause of the issue?

Question 14 (medium, multiple choice)

An engineer is configuring AAA on a Cisco Nexus switch to authenticate management access via TACACS+. The switch is reachable, but login attempts repeatedly fail. Which action should the engineer take to isolate the issue?

Question 15 (easy, multiple choice)

A data center architect is designing access control for a Cisco ACI fabric. The requirement is to allow HTTP traffic from the web tier (EPG web) to the app tier (EPG app), but deny SSH from the management EPG to the web EPG. Which construct should be used?

Question 16 (hard, multiple choice)

A network engineer is troubleshooting CoPP drops on a Cisco Nexus 9000 switch. The 'show control-plane' output indicates that packets are being dropped due to 'CoPP' on the 'default' control-plane class. Which action is most likely to resolve the issue without affecting routing protocol stability?

Question 17 (medium, multiple choice)

An organization is deploying Cisco ISE for 802.1X authentication on Cisco Nexus switches. Some endpoints fail authentication and fall back to MAB. The security policy requires that endpoints failing both 802.1X and MAB be placed in a restricted VLAN. Which configuration is needed on the switch port?

Question 18 (hard, multi-select)

Which TWO statements about Cisco TrustSec in a data center are true?

Question 19 (hard, multiple choice)

Refer to the exhibit. A server connected to Ethernet1/1 is experiencing intermittent connectivity. The server sends BPDUs, causing the switch to place the port into a blocking state. Which configuration change should be made to prevent this while maintaining rapid convergence?

Exhibit

```
interface Ethernet1/1
  description Server-01
  switchport mode trunk
  switchport trunk allowed vlan 10,20,30
  spanning-tree port type edge trunk
  no shutdown
```
Question 20 (medium, multiple choice)

A company runs a multi-tenant data center using Cisco ACI with multiple tenants. Each tenant has its own VRF and EPGs. The security policy requires that tenant A's web servers (EPG web_tenantA) be accessible from tenant B's application servers (EPG app_tenantB) only via HTTPS (TCP 443). The ACI fabric is configured with contracts. The administrator has created a contract with a filter for HTTPS (tcp dstPort 443) and applied it as a provider contract on EPG web_tenantA and as a consumer contract on EPG app_tenantB. However, traffic from tenant B's app servers to tenant A's web servers is being dropped. The administrator has verified that the contracts are applied correctly and the filter is correct. What is the most likely cause of the traffic drop?

Question 21 (medium, drag order)

Order the steps to upgrade the software on a Cisco Nexus switch using ISSU.

Question 22 (medium, matching)

Match each Cisco data center security feature to its purpose.

Descriptions to match:

Packet filtering based on IP/port criteria
Limits MAC addresses per switchport
Prevents rogue DHCP server attacks
Validates ARP packets to prevent spoofing
Filters traffic based on IP/MAC binding

Question 23 (easy, multiple choice)

A network engineer is configuring device access control for Cisco NX-OS switches. The requirement is to use a protocol that separates authentication, authorization, and accounting, and encrypts all communication except the header. Which solution meets this requirement?

Question 24 (easy, multiple choice)

A data center switch has DHCP snooping enabled globally. Which of the following is a best practice to ensure DHCP server legitimacy?

Question 25 (easy, multiple choice)

An engineer notices that AAA authentication using RADIUS is failing, and the RADIUS server logs show no incoming authentication requests. Which of the following is the most likely cause?

Question 26 (medium, multiple choice)

A data center switch is experiencing high CPU due to excessive BGP updates. Which action can mitigate this without affecting legitimate BGP traffic?

Question 27 (medium, multiple choice)

An organization uses VXLAN EVPN for network segmentation. Which component provides per-tenant isolation of control plane traffic?

Question 28 (medium, multiple choice)

A server team reports that after connecting a new server to a switchport, the server can receive traffic but cannot send traffic. The port is configured with port security. What is the most likely cause?

Question 29 (hard, multiple choice)

A company uses Cisco ISE for 802.1X authentication on data center edge switches. After a recent upgrade, some endpoints that previously authenticated successfully now fail. The ISE logs show the endpoint is in the wrong authorization profile. What is the most likely cause?

Question 30 (hard, multiple choice)

An attacker attempts to spoof a legitimate client's IP address to intercept traffic. DHCP snooping is enabled. Which feature prevents this spoofing by validating source IP in data packets?

Question 31 (hard, multiple choice)

Two data center switches are connected via a fiber link. They need to encrypt all traffic at Layer 2. Which configuration is required on both switches to establish MACsec?

Question 32 (easy, multi-select)

Which two statements are true about Cisco TrustSec? (Choose two.)

Question 33 (medium, multi-select)

Which two mechanisms are used by Dynamic ARP Inspection to prevent ARP spoofing? (Choose two.)

Question 34 (hard, multi-select)

Which three actions can be taken when a port security violation occurs? (Choose three.)

Question 35 (easy, multiple choice)

Refer to the exhibit. A DHCP server is connected to Ethernet1/1 and a client in VLAN 10 is connected to Ethernet1/2. The client obtains an IP address. Which statement is best supported?

Exhibit

```
ip dhcp snooping
ip dhcp snooping vlan 10,20
interface Ethernet1/1
  ip dhcp snooping trust
interface Ethernet1/2
  ip dhcp snooping verify mac-address
```
Question 36 (medium, multiple choice)

Refer to the exhibit. An administrator connects a new server to Ethernet1/1 and the port immediately goes into errdisable state. The previous device was connected to that port. What is the most likely cause?

Exhibit

```
switch# show port-security interface ethernet 1/1
Port Security              : Enabled
Port status                : Secured
Violation mode             : Shutdown
Maximum MAC Addresses      : 1
Sticky MAC Addresses       : 1
Last violation time        : 00:00:15
Last violation MAC address : 000c.291a.2b3c
```
Question 37 (hard, multiple choice)

Refer to the exhibit. A web server in VLAN 10 with IP 10.0.0.5 is experiencing connectivity issues. Clients from subnet 10.0.0.0/24 can access the server, but clients from other subnets cannot. What is the most likely cause?

Exhibit

```
ip access-list extended ACL_IN
  permit tcp 10.0.0.0 0.0.0.255 any eq 80
interface Ethernet1/1
  switchport mode access
  switchport access vlan 10
  ip access-group ACL_IN in
```
Question 38 (medium, multiple choice)

A network administrator configures DHCP snooping on a Nexus 9000 switch. The legitimate DHCP server is connected to Ethernet 1/1. An unauthorized DHCP server is detected on Ethernet 1/2. Which action should be taken to prevent the unauthorized server from offering IP addresses?

Question 39 (hard, multiple choice)

A Nexus switch experiences high CPU utilization due to excessive ICMP traffic. An engineer applies a CoPP policy that includes a class matching ICMP with a drop action. After applying, legitimate OSPF hello packets are also being dropped. What is the most likely cause?

Question 40 (easy, multiple choice)

An engineer wants to prevent unauthorized devices from connecting to access ports. Which port security violation mode will disable the port and generate a syslog message?

Question 41 (medium, multiple choice)

A VACL is configured to capture traffic between hosts in the same VLAN. The capture port is configured and the VACL is applied to the VLAN. However, no traffic is being captured. What is a likely reason?

Question 42 (hard, multiple choice)

Two Nexus switches are configured for MACsec using MKA. The link between them is up, but MKA does not establish. Which issue is most likely?

Question 43 (easy, multiple choice)

An administrator configures 'aaa authentication login default group tacacs+ local'. What happens if the TACACS+ server is unreachable?

Question 44 (medium, multiple choice)

In a private VLAN configuration, a host in a community VLAN needs to communicate with a host in the primary VLAN. What configuration is required on the switch?

Question 45 (hard, multiple choice)

In an ACI fabric, an EPG is configured with a contract that allows HTTP traffic to an external network. The external network is reachable via a Layer 3 Outside. However, HTTP traffic from the EPG fails. What is the most likely cause?

Question 46 (easy, multiple choice)

A data center switch port is configured for 802.1X with MAB as fallback. A device that does not support 802.1X is connected. Which method will allow the device to authenticate?

Question 47 (medium, multi-select)

Which TWO security features rely on the DHCP snooping binding table? (Select exactly 2)

Question 48 (hard, multi-select)

Which THREE are characteristics of Cisco TrustSec? (Select exactly 3)

Question 49 (easy, multi-select)

Which TWO features are used to validate ARP packets and prevent ARP spoofing attacks? (Select exactly 2)

Question 50 (medium, multiple choice)

Refer to the exhibit. A client connected to Ethernet1/2 cannot obtain an IP address via DHCP. What is the most likely cause?

Exhibit

```
Switch# show running-config | section interface
interface Ethernet1/1
 description DHCP Server
 switchport mode access
!
interface Ethernet1/2
 description Client
 switchport mode access
 ip verify source
!
ip dhcp snooping
ip dhcp snooping vlan 10
ip dhcp snooping information option
```
Question 51 (hard, multiple choice)

Refer to the exhibit. The CoPP policy above is applied. Which traffic is most likely to be dropped?

Exhibit

```
policy-map type control-plane COPP
 class ICMP
  police cir 1000 bps bc 1000 bytes
   conform transmit
   exceed drop
 class OSPF
  police cir 5000 bps bc 5000 bytes
   conform transmit
   exceed transmit
 class class-default
  police cir 20000 bps bc 20000 bytes
   conform transmit
   exceed transmit
```
Question 52 (easy, multiple choice)

Refer to the exhibit. Two Nexus switches are connected via Ethernet1/1. MKA does not initiate. What is the issue?

Exhibit

```
crypto macsec policy MACSEC
 security-policy must-secure
 cipher-suite GCM-AES-128
!
interface Ethernet1/1
 macsec connect ckn 1234567890 cak 1234567890
```
Question 53 (easy, multiple choice)

A network engineer is configuring VLAN ACLs on a Cisco Nexus 9000 switch to enforce traffic filtering between VLANs. Which configuration step is required to apply a VACL to a VLAN?

Question 54 (medium, multiple choice)

A data center administrator is implementing Cisco TrustSec on a Nexus 7000 switch to enforce role-based access control. After configuring a security group tag (SGT) classification policy, users report that traffic between two servers is not being tagged. What is the most likely cause?

Question 55 (hard, multiple choice)

During a security audit, you discover that a Cisco Nexus 9000 switch is allowing traffic between two ports in the same VLAN despite having a VLAN ACL that should deny it. The VACL is applied correctly, and the ACL entries are properly configured. What is the most likely reason for this behavior?

Question 56 (easy, multiple choice)

An engineer needs to implement port security on a Cisco Nexus 1000v virtual switch to prevent MAC flooding attacks. The requirement is to allow only the first MAC address learned on the port. Which command sequence accomplishes this?

Question 57 (medium, multiple choice)

A Cisco ACI fabric administrator wants to implement microsegmentation using Cisco Group-Based Policy (GBP) in a network that hosts virtual machines and bare-metal servers. Which component must be used to enforce microsegmentation policies for bare-metal servers?

Question 58 (hard, multiple choice)

A network administrator is configuring CoPP (Control Plane Policing) on a Cisco Nexus 9300 to protect the control plane from high-rate traffic. After applying the policy, the switch becomes unresponsive to SSH sessions, but ICMP still works. What is the most likely misconfiguration?

Question 59 (easy, multiple choice)

A data center engineer is configuring 802.1X authentication on Cisco Nexus switches for wired endpoints. The requirement is to allow traffic on the port even if no EAPOL packet is received from the endpoint (e.g., a printer). Which authentication method should be used?

Question 60 (medium, multiple choice)

A Cisco ACI fabric has contracts configured to allow traffic between two EPGs. After deployment, traffic between endpoints in these EPGs is being dropped, but contract statistics show no packets have been permitted. The administrator checks the contract configuration and it looks correct. What is the most likely cause?

Question 61 (hard, multiple choice)

An organization is deploying Cisco Nexus 9000 switches with NX-OS and needs to prevent ARP spoofing attacks. The network engineer enables Dynamic ARP Inspection (DAI) on all VLANs. However, some legitimate hosts are unable to obtain IP addresses via DHCP. What is the most likely reason?

Question 62 (easy, multi-select)

Which TWO of the following are valid methods to enforce security on a Cisco Nexus switch? (Choose two.)

Question 63 (medium, multi-select)

Which TWO security features are used to prevent MAC address flooding attacks on a Cisco Nexus switch? (Choose two.)

Question 64 (hard, multi-select)

Which THREE of the following must be enabled to implement 802.1X authentication with MAB fallback on a Cisco Nexus switch for a mixed environment of 802.1X-capable and non-802.1X endpoints? (Choose three.)

Question 65 (easy, multiple choice)

Refer to the exhibit. The TACACS+ server at 10.1.1.1 is unreachable. What will happen when a user tries to authenticate to the switch using SSH?

Exhibit

```
! Output from show running-config | section security
!
feature tacacs+
tacacs-server host 10.1.1.1 key ciscosecret
tacacs-server directed-request
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ local
aaa authorization commands default group tacacs+ local
aaa accounting commands default group tacacs+
```
Question 66 (medium, multiple choice)

Refer to the exhibit. The interface showed a security violation 15 seconds ago and has a violation count of 5. What would happen if a frame with source MAC 0011.2233.4477 arrived now?

Exhibit

```
! Output from show port-security interface ethernet 1/1
Port Security               : Enabled
Port Status                 : Secure-up
Violation Mode              : Shutdown
Maximum MAC Addresses       : 2
Sticky MAC Addresses        : 2
Last Violation              : 00:00:15 ago
Security Violation Count    : 5
! Current sticky MACs: 0011.2233.4455, 0011.2233.4466
```
Question 67 (hard, multiple choice)

Refer to the exhibit. The configuration is intended to provide Layer 2 isolation within VLAN 100 while allowing the promiscuous port (Ethernet 1/1) to communicate with all ports in the community VLAN. However, hosts in VLAN 100 cannot communicate with each other. What is the most likely misconfiguration?

Exhibit

```
! Output from show running-config | section vlan 100
vlan 100
  name TEST
  private-vlan community
  no ip redirects
!
interface vlan 100
  ip address 10.0.0.1/24
  private-vlan mapping 101
!
interface ethernet 1/1
  switchport mode private-vlan promiscuous
  switchport private-vlan association trunk 100
```
Question 68 (medium, multiple choice)

A data center engineer configures an ACL on a Nexus 9000 switch to block all traffic from the management network (10.10.0.0/16) to the production servers (192.168.1.0/24) except for SSH access from a specific jump host (10.10.1.100). The ACL is applied inbound on the management interface. Which ACL entry is correctly ordered to achieve this requirement?

Question 69 (easy, multiple choice)

An engineer needs to ensure that only authorized servers can connect to a specific switch port in a data center. The port connects to a critical database server with fixed MAC address 00:1a:2b:3c:4d:5e. Which configuration is most appropriate?

Question 70 (hard, multiple choice)

A Nexus 7000 switch is experiencing high CPU utilization due to control plane traffic. The engineer notices that many packets are being punted to the CPU from the data plane, particularly ARP packets. After examining the CoPP configuration, the engineer sees that the 'arp' class-map is matched in a policy-map with a police rate of 1000 pps and a conform-action of 'transmit'. The current ARP rate is 2000 pps. What is the immediate impact?

Question 71 (medium, multiple choice)

A company uses Cisco TrustSec in its data center to enforce segmentation. Servers in VLAN 10 (Finance) should only communicate with servers in VLAN 20 (ERP) via an application gateway. Which TrustSec component is used to assign a Security Group Tag (SGT) to traffic from the Finance servers?

Question 72 (easy, multiple choice)

A data center network engineer wants to encrypt all traffic between two top-of-rack (ToR) switches that are connected via a direct link. The encryption should be transparent to upper-layer protocols and operate at Layer 2. Which technology should be used?

Question 73 (hard, multiple choice)

An engineer is troubleshooting a DHCP issue in a data center VLAN. Clients are unable to obtain IP addresses from the DHCP server. The switch has DHCP snooping enabled on the VLAN, and the DHCP server is connected to a trusted port. The clients are on untrusted ports. Which additional security feature is most likely causing the problem if the DHCP server is on a different subnet and the switch is not configured as a DHCP relay?

Question 74 (medium, multiple choice)

A network administrator wants to prevent IP spoofing attacks on a data center access switch. The switch has IP Source Guard enabled on the client-facing ports. Which condition must be met for IP Source Guard to work properly?

Question 75 (easy, multiple choice)

Which control plane protection mechanism should be configured to limit the rate of BGP updates destined to the CPU of a Nexus 9000 switch to prevent CPU overload?

Question 76 (hard, multiple choice)

An ACI fabric administrator wants to enable microsegmentation for workloads in a Virtual Routing and Forwarding (VRF) instance. The security policy must allow communication between two endpoints based on their EPG (Endpoint Group) membership, regardless of IP address. Which construct must be used?

Question 77 (hard, multi-select)

Which TWO statements about Cisco TrustSec in a data center environment are true? (Choose two.)

Question 78 (medium, multi-select)

Which THREE security features are commonly used on Cisco Nexus switches to prevent DHCP-based attacks? (Choose three.)

Question 79 (easy, multi-select)

Which THREE are best practices for securing a data center network? (Choose three.)

Question 80 (medium, multiple choice)

A network administrator implements the ACL shown. After verifying the ACL statistics, all counters show 0 matches. What is the most likely cause?

Exhibit

```
! Nexus 9000 ACL configuration
ip access-list BLOCK_MGMT
  10 permit tcp host 10.10.1.100 192.168.1.0 0.0.0.255 eq 22
  20 deny ip 10.10.0.0 0.0.255.255 192.168.1.0 0.0.0.255
  30 permit ip any any

interface Ethernet1/1
  ip access-group BLOCK_MGMT in
  description Management access to servers

! Output of 'show ip access-list BLOCK_MGMT'
IP access list BLOCK_MGMT
    statistics per-entry
    10 permit tcp host 10.10.1.100 192.168.1.0 0.0.0.255 eq 22 (0 matches)
    20 deny ip 10.10.0.0 0.0.255.255 192.168.1.0 0.0.0.255 (0 matches)
    30 permit ip any any (0 matches)
```
Question 81 (hard, multiple choice)

An engineer observes that ARP packets are being dropped. Based on the exhibit, what is the drop rate percentage for ARP packets?

Exhibit

```
! Nexus 7000 CoPP policy
class-map type control-plane match-all COPP-CLASS-ARP
  match protocol arp
!
policy-map type control-plane COPP-POLICY
  class COPP-CLASS-ARP
    police cir 1000 bc 1000
      conform-action transmit
      exceed-action drop
!
control-plane
  service-policy input COPP-POLICY

! Output of 'show policy-map interface control-plane'
Control Plane
  service-policy input: COPP-POLICY

  class-map COPP-CLASS-ARP (match-all)
    462 packets, 462 bytes
    5 minute offered rate 2000 pps
    conform: 231 packets, 231 bytes
    exceed: 231 packets, 231 bytes
```
Question 82 (hard, multiple choice)

A large enterprise data center uses Cisco ACI with a spine-leaf architecture. The security team requires that all traffic between the Web and App tiers be inspected by a firewall, but traffic within the same tier should be allowed directly. The Web EPG is in VRF PROD with Bridge Domain WEB-BD, and App EPG is in VRF PROD with Bridge Domain APP-BD. The firewall is connected as a service graph device in a different VRF (FW-VRF). The administrator configures a contract between Web and App EPGs that redirects traffic through the firewall. However, after implementation, traffic from Web to App is not passing through the firewall; instead, it is forwarded directly. The contract is applied correctly. What is the most likely cause?

Question 83 (medium, multiple choice)

A network engineer is troubleshooting inter-VLAN routing on a Cisco Nexus 9000 switch. The switch is configured with VLAN 10 and VLAN 20. Hosts in VLAN 10 cannot ping hosts in VLAN 20. The engineer checks the VLAN ACL (VACL) applied to VLAN 10 and finds the following configuration:

```
ip access-list VACL-FILTER
  10 permit ip any any

...

vlan access-map VACL-MAP 10
  match ip address VACL-FILTER
  action forward

vlan filter VACL-MAP vlan-list 10
```

What is the most likely reason for the connectivity failure?

Question 84 (easy, multiple choice)

An engineer is configuring AAA authentication on a Cisco MDS 9000 series switch. The goal is to authenticate users via RADIUS first, then local as a fallback. Which command sequence should be used?

Question 85 (medium, multi-select)

Which THREE methods can be used to propagate Cisco TrustSec Security Group Tags (SGTs) across a network? (Choose three.)

Question 86 (hard, multi-select)

Which TWO statements are true about Control Plane Policing (CoPP) on a Cisco Nexus 9000 switch? (Choose two.)

Question 87 (hard, multiple choice)

A data center network uses Cisco Nexus 9000 switches running NX-OS. The operations team notices that the CPU utilization on the supervisor module spikes intermittently, causing BGP session flaps. Analysis shows that the CPU spikes coincide with traceroute probes from external networks, which generate ICMP TTL exceeded messages that are process-switched. The engineer must implement a solution to protect the control plane without affecting normal ICMP functionality. The goal is to rate-limit ICMP traffic to a maximum of 1000 packets per second with a burst of 200 bytes, while allowing other control plane traffic without restriction. Which configuration should be applied?

Question 88 (medium, multiple choice)

A Cisco MDS 9000 switch is used in a storage network. The security policy requires that a junior administrator named 'user1' can view zone configurations but cannot make any changes. Currently, 'user1' is assigned the default 'network-operator' role, which allows read-only access to most configuration, but the engineer wants to ensure that zone modification is explicitly denied. The engineer creates a custom role named 'zone-viewer' and assigns it to 'user1'. The role should permit viewing of the running configuration related to zones but deny any command that modifies zone or zoneset configurations. Which configuration best achieves this objective?

Question 89 (easy, multiple choice)

A network engineer is configuring DHCP snooping on a Cisco Nexus 9000 switch to prevent rogue DHCP server attacks. The switch connects to the legitimate DHCP server on Ethernet 1/1. Clients are connected to ports Ethernet 1/2 through 1/24. The engineer enables DHCP snooping globally and on VLAN 10, but clients are unable to obtain IP addresses from the DHCP server. Other connectivity between clients and the server works (e.g., static IPs). What is the most likely cause and solution?

Question 90 (hard, multiple choice)

In a Cisco Application Centric Infrastructure (ACI) fabric, a tenant has two EPGs: Web and App. A contract is created between Web (consumer) and App (provider) with a filter that permits TCP port 8080 (the only port used by the application). However, traffic from App to Web is failing. The application requires bidirectional communication: Web initiates requests to App on TCP 8080, and App responds on the same connection (stateful). The engineer verifies that the filter is correctly applied and that both EPGs are in the same VRF. The contract is applied in the direction Web -> App. What is the most efficient way to resolve this issue without compromising security?

Question 91 (medium, multiple choice)

Two Cisco Nexus 9000 switches are connected via Ethernet interface 1/1. The engineer wishes to secure the link using MACsec (IEEE 802.1AE) with a pre-shared key for connectivity association key (CAK) protection. Both switches have the same hardware and software version supporting MACsec. The engineer configures the following on both switches:

feature macsec

macsec policy MACSEC_POLICY
  cipher-suite gcm-aes-128
  security-mode no-encrypt
  mka sak-rekey-time 30

interface ethernet 1/1
  macsec policy MACSEC_POLICY

However, the link comes up without MACsec encryption (the port counter shows MACsec frames dropped). The engineer checks that the pre-shared key is configured correctly via 'macsec key-chain' but notices it was not explicitly applied. What is the most likely reason for MACsec failing to establish?

Question 92 (easy, multiple choice)

A network engineer is implementing port security on a Cisco Nexus 9000 switch to limit the number of MAC addresses learned on a single access port. The switchport is configured as follows:

interface Ethernet 1/2
  switchport mode access
  switchport port-security
  switchport port-security maximum 2
  switchport port-security violation shutdown
  switchport port-security mac-address sticky

After connecting two authorized devices, a third unauthorized device is connected, causing the port to enter the err-disabled state. The engineer needs to restore connectivity for the two authorized devices as quickly as possible, while maintaining the security posture. What is the best practice to recover the port automatically in the future?

Question 93 (easy, multi select)

Which TWO methods are used to secure management plane access on Cisco Nexus 9000 series switches?

Question 94 (medium, multiple choice)

Refer to the exhibit. What is the effect of this configuration on traffic in VLAN 10?

Exhibit

ip access-list extended BLOCK_TELNET
 permit tcp any any eq telnet
!
vlan access-map SECURITY 10
 match ip address BLOCK_TELNET
 action drop
!
vlan access-map SECURITY 20
 action forward
!
vlan filter SECURITY vlan-list 10

Question 95 (hard, multiple choice)

A data center engineer is troubleshooting high CPU utilization on a Cisco Nexus 9000 switch. The engineer suspects a distributed denial-of-service (DDoS) attack targeting the switch. To mitigate the attack, the engineer configures a Control Plane Policing (CoPP) policy that drops all ICMP packets destined to the switch. The policy is applied to the control-plane using the 'service-policy input COPP' command. After applying the policy, the switch CPU utilization remains high, and ICMP traffic is still reaching the switch. The engineer verifies that the CoPP policy is applied and that the class-map matches ICMP. The policy-map has the correct police and drop actions. No other CoPP policies are applied. What is the most likely cause of the issue?
