Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

300-410 Device Access Control Practice Questions

20+ practice questions focused on Device Access Control — one of the most tested topics on the Cisco CCNP ENARSI 300-410 exam. Each question includes a detailed explanation so you learn why the right answer is correct.

Sample Device Access Control Questions

1. A network engineer is troubleshooting a site-to-site VPN between two Cisco routers. The tunnel is up, but traffic is not passing. On R1, the engineer issues the command 'show crypto map' and sees that the crypto map is applied to the outbound interface. What is the most likely cause of the traffic failure?

A. The crypto map is applied to the wrong interface.
B. The access-list in the crypto map does not permit the traffic.
C. The ISAKMP policy is misconfigured.
D. The transform set is incorrect.

Explanation: The crypto map must be applied to the interface through which VPN traffic exits. If it is applied to the wrong interface (e.g., a loopback or a LAN interface instead of the WAN-facing interface), the router will not encrypt outbound traffic or decrypt inbound traffic for the VPN, even though the tunnel (ISAKMP/IPsec SA) may be established. The show crypto map output confirming the map is on the outbound interface indicates a misapplication, as the correct interface is the one facing the remote peer.

2. A network administrator is configuring AAA for device access on a Cisco router. After configuring the RADIUS server and 'aaa authentication login default group radius local', the engineer tests Telnet access and receives 'Access denied' even with correct credentials. The RADIUS server is reachable. What is the most likely cause?

A. The VTY lines are not configured with 'login authentication default'.
B. The RADIUS server shared key is incorrect.
C. The enable password is not set.
D. The 'aaa new-model' command is missing.

Explanation: The 'login authentication default' command must be applied to the VTY lines to use the AAA authentication method set globally with 'aaa authentication login default group radius local'. Without this, the VTY lines default to using the local enable password for authentication, ignoring the AAA configuration. Since the RADIUS server is reachable and credentials are correct, the missing VTY line configuration is the most likely cause of the 'Access denied' error.

3. An engineer configures a Cisco router for SSH access. The router has an IP address on interface GigabitEthernet0/0, and the engineer generates RSA keys using the command 'crypto key generate rsa modulus 2048'. However, SSH connections fail with 'Connection refused'. What is the most likely cause?

A. The hostname and domain name are not configured.
B. The VTY lines are not configured with 'transport input ssh'.
C. The RSA key modulus is too small.
D. The IP address on GigabitEthernet0/0 is not in the same subnet as the client.

Explanation: SSH requires a fully qualified domain name (FQDN) to generate RSA keys. Without a configured hostname and domain name, the 'crypto key generate rsa' command may appear to succeed but actually generates default keys that are not bound to the router's identity, causing SSH to refuse connections. The 'ip domain-name' and 'hostname' commands are prerequisites for proper RSA key generation and SSH operation.

4. A network engineer is troubleshooting a Cisco router that is not responding to SNMP polls from a management station. The router has 'snmp-server community public RO' configured. The management station can ping the router. What is the most likely cause?

A. The SNMP community string is not associated with an ACL that permits the management station.
B. The SNMP version is not configured.
C. The router's SNMP agent is disabled.
D. The management station is using the wrong SNMP port.

Explanation: The 'snmp-server community public RO' command configures an SNMP community string but does not restrict access by default. If no access control list (ACL) is associated with the community string, the router will respond to SNMP polls from any source. However, if an ACL is implicitly or explicitly applied that does not permit the management station's IP address, the router will silently drop the SNMP requests. Since the management station can ping the router, Layer 3 connectivity is confirmed, isolating the issue to SNMP-specific access control.

5. An engineer configures a Cisco router with 'aaa authentication login default local' and 'aaa authorization exec default local'. The engineer then attempts to log in via the console and is prompted for a username and password. The username 'admin' with password 'cisco' is configured locally. The login fails. What is the most likely cause?

A. The console line is not configured with 'login authentication default'.
B. The username 'admin' is not in the local database.
C. The password 'cisco' is incorrect.
D. The 'aaa new-model' command is missing.

Explanation: Option A is correct because, by default, the console line does not inherit the AAA authentication methods defined under 'aaa authentication login default local'. The 'login authentication default' command must be explicitly applied to the console line under line configuration to use the global AAA authentication method. Without it, the console line falls back to its default behavior, which does not use AAA, causing the login to fail despite the local user being configured.

How to master Device Access Control for 300-410

1. Baseline your knowledge

Start with 10 questions to gauge your current understanding of Device Access Control. This tells you whether you need a concept refresher or just practice.

2. Review every explanation

For each question — right or wrong — read the full explanation. Understanding why an answer is correct is more valuable than knowing the answer itself.

3. Focus on exam traps

Device Access Control questions on the 300-410 frequently use trap wording. Look for subtle differences in answers that test your precision, not just general knowledge.

4. Reach 80% consistently

Do repeated sessions until you score 80%+ three times in a row. Then move to mixed-mode practice to test cross-topic recall under realistic conditions.

Frequently asked questions

How many 300-410 Device Access Control questions are on the real exam?

The exact number varies per candidate. Device Access Control is tested as part of the Cisco CCNP ENARSI 300-410 blueprint. Practicing with targeted Device Access Control questions ensures you can handle any format or difficulty that appears.

Are these 300-410 Device Access Control practice questions free?

Yes. Courseiva provides free 300-410 practice questions across all exam topics and domains. The platform includes topic-based practice, mock exams, missed-question review, bookmarked questions, and readiness tracking — no account required.

Is Device Access Control one of the harder 300-410 topics?

Difficulty is subjective, but Device Access Control is a high-priority exam concept tested in multiple ways — direct recall, scenario analysis, and command-output interpretation. Consistent practice is the best way to build confidence.

Topic Info

Topic: Device Access Control
Exam: 300-410
Questions available: 20+