350-601 Security • Complete Question Bank
Complete 350-601 Security question bank — all 0 questions with answers and detailed explanations.
```
interface Ethernet1/1
 description Server-01
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
 spanning-tree port type edge trunk
 no shutdown
```
Packet filtering based on IP/port criteria
Limits MAC addresses per switchport
Prevents rogue DHCP server attacks
Validates ARP packets to prevent spoofing
Filters traffic based on IP/MAC binding
```
ip dhcp snooping
ip dhcp snooping vlan 10,20
interface Ethernet1/1
 ip dhcp snooping trust
interface Ethernet1/2
 ip dhcp snooping verify mac-address
```
```
switch# show port-security interface ethernet 1/1
Port Security              : Enabled
Port status                : Secured
Violation mode             : Shutdown
Maximum MAC Addresses      : 1
Sticky MAC Addresses       : 1
Last violation time        : 00:00:15
Last violation MAC address : 000c.291a.2b3c
```
```
ip access-list extended ACL_IN
 permit tcp 10.0.0.0 0.0.0.255 any eq 80
interface Ethernet1/1
 switchport mode access
 switchport access vlan 10
 ip access-group ACL_IN in
```
```
Switch# show running-config | section interface
interface Ethernet1/1
 description DHCP Server
 switchport mode access
!
interface Ethernet1/2
 description Client
 switchport mode access
 ip verify source
!
ip dhcp snooping
ip dhcp snooping vlan 10
ip dhcp snooping information option
```
```
policy-map type control-plane COPP
 class ICMP
  police cir 1000 bps bc 1000 bytes conform transmit exceed drop
 class OSPF
  police cir 5000 bps bc 5000 bytes conform transmit exceed transmit
 class class-default
  police cir 20000 bps bc 20000 bytes conform transmit exceed transmit
```
```
crypto macsec policy MACSEC
 security-policy must-secure
 cipher-suite GCM-AES-128
!
interface Ethernet1/1
 macsec connect ckn 1234567890 cak 1234567890
```
Refer to the exhibit.
```
! Output from show running-config | section security
feature tacacs+
tacacs-server host 10.1.1.1 key ciscosecret
tacacs-server directed-request
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ local
aaa authorization commands default group tacacs+ local
aaa accounting commands default group tacacs+
```
Refer to the exhibit.
```
! Output from show port-security interface ethernet 1/1
Port Security            : Enabled
Port Status              : Secure-up
Violation Mode           : Shutdown
Maximum MAC Addresses    : 2
Sticky MAC Addresses     : 2
Last Violation           : 00:00:15 ago
Security Violation Count : 5
! Current sticky MACs: 0011.2233.4455, 0011.2233.4466
```
Refer to the exhibit.
```
! Output from show running-config | section vlan 100
vlan 100
 name TEST
 private-vlan community
 no ip redirects
!
interface vlan 100
 ip address 10.0.0.1/24
 private-vlan mapping 101
!
interface ethernet 1/1
 switchport mode private-vlan promiscuous
 switchport private-vlan association trunk 100
```
Refer to the exhibit.
```
! Nexus 9000 ACL configuration
ip access-list BLOCK_MGMT
  10 permit tcp host 10.10.1.100 192.168.1.0 0.0.0.255 eq 22
  20 deny ip 10.10.0.0 0.0.255.255 192.168.1.0 0.0.0.255
  30 permit ip any any
interface Ethernet1/1
  ip access-group BLOCK_MGMT in
  description Management access to servers

! Output of 'show ip access-list BLOCK_MGMT'
IP access list BLOCK_MGMT
        statistics per-entry
        10 permit tcp host 10.10.1.100 192.168.1.0 0.0.0.255 eq 22 (0 matches)
        20 deny ip 10.10.0.0 0.0.255.255 192.168.1.0 0.0.0.255 (0 matches)
        30 permit ip any any (0 matches)
```
Refer to the exhibit.
```
! Nexus 7000 CoPP policy
class-map type control-plane match-all COPP-CLASS-ARP
  match protocol arp
!
policy-map type control-plane COPP-POLICY
  class COPP-CLASS-ARP
    police cir 1000 bc 1000
      conform-action transmit
      exceed-action drop
!
control-plane
  service-policy input COPP-POLICY

! Output of 'show policy-map interface control-plane'
Control Plane
  service-policy input: COPP-POLICY
    class-map COPP-CLASS-ARP (match-all)
      462 packets, 462 bytes
      5 minute offered rate 2000 pps
      conform: 231 packets, 231 bytes
      exceed: 231 packets, 231 bytes
```

A network engineer is troubleshooting inter-VLAN routing on a Cisco Nexus 9000 switch. The switch is configured with VLAN 10 and VLAN 20. Hosts in VLAN 10 cannot ping hosts in VLAN 20. The engineer checks the VLAN ACL (VACL) applied to VLAN 10 and finds the following configuration:
```
ip access-list VACL-FILTER
  10 permit ip any any
...
vlan access-map VACL-MAP 10
  match ip address VACL-FILTER
  action forward
vlan filter VACL-MAP vlan-list 10
```
What is the most likely reason for the connectivity failure?
Two Cisco Nexus 9000 switches are connected via Ethernet interface 1/1. The engineer wishes to secure the link using MACsec (IEEE 802.1AE) with a pre-shared key for connectivity association key (CAK) protection. Both switches have the same hardware and software version supporting MACsec. The engineer configures the following on both switches:
```
feature macsec
macsec policy MACSEC_POLICY
  cipher-suite gcm-aes-128
  security-mode no-encrypt
  mka sak-rekey-time 30
interface ethernet 1/1
  macsec policy MACSEC_POLICY
```
However, the link comes up without MACsec encryption (the port counter shows MACsec frames dropped). The engineer checks that the pre-shared key is configured correctly via 'macsec key-chain' but notices it was not explicitly applied. What is the most likely reason for MACsec failing to establish?
A network engineer is implementing port security on a Cisco Nexus 9000 switch to limit the number of MAC addresses learned on a single access port. The switchport is configured as follows:
```
interface Ethernet 1/2
  switchport mode access
  switchport port-security
  switchport port-security maximum 2
  switchport port-security violation shutdown
  switchport port-security mac-address sticky
```
After connecting two authorized devices, a third unauthorized device is connected, causing the port to enter the err-disabled state. The engineer needs to restore connectivity for the two authorized devices as quickly as possible, while maintaining the security posture. What is the best practice to recover the port automatically in the future?
```
ip access-list extended BLOCK_TELNET
  permit tcp any any eq telnet
!
vlan access-map SECURITY 10
  match ip address BLOCK_TELNET
  action drop
!
vlan access-map SECURITY 20
  action forward
!
vlan filter SECURITY vlan-list 10
```