Courseiva
Knowledge + Practice
CertificationsVendorsCareer RoadmapsLabs & ToolsStudy GuidesGlossaryPractice Questions
C
Courseiva

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.

Certification Practice Questions

CCNA practice questionsSecurity+ SY0-701 practice questionsAWS SAA-C03 practice questionsAZ-104 practice questionsAZ-900 practice questionsCLF-C02 practice questionsA+ Core 1 practice questionsGoogle Cloud ACE practice questionsCySA+ CS0-003 practice questionsNetwork+ N10-009 practice questions
View all certifications →

Product

CertificationsCertification PathsExam TopicsPractice TestsExam Dumps vs Practice TestsStudy HubComparisons

Company

AboutContactEditorial PolicyQuestion Writing PolicyTrust Center

Legal

Privacy PolicyTerms of Service

Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

HomeCertifications350-401Flashcards
Free — No Signup RequiredCisco· Updated 2026

350-401 Flashcards — Free ENCOR 350-401 Study Cards

Reinforce 350-401 concepts with active-recall study cards covering all 39 blueprint domains. Each card shows the question on the front and the correct answer with a full explanation on the back.

2015+ study cards39 domains coveredActive recall methodFull explanations included
Start 30-card session50-card shuffle
Exam OverviewPractice TestMock ExamStudy GuideFlashcards

Study Sessions

350-401 Flashcards

Pick a session size:

⚡Quick 10📝20 Cards🎯30 Cards📊50 Cards💪100 Cards
2,015+ cards · All free

Domains

Architecture15%
Enterprise Network Design
SD-Access Architecture
SD-WAN Architecture
QoS Architecture
Virtualization10%

How to use 350-401 flashcards effectively

Flashcards work through active recall — the process of retrieving information from memory rather than passively re-reading it. Research consistently shows that active recall produces stronger, longer-lasting memory than re-reading study guides. For 350-401 preparation, this means flashcards are one of the highest-return study tools available.

Attempt recall first

Read the 350-401 question on each card, pause, and attempt to formulate the answer in your own words before revealing. This retrieval attempt — even if wrong — dramatically strengthens memory compared to immediately reading the answer.

Review wrong cards again

When you get a card wrong, note it and add it back to your review pile. Spaced repetition — seeing difficult cards more frequently — is the mechanism that makes flashcard study far more efficient than linear reading.

Study by domain

Group your 350-401 flashcard sessions by domain for the first 3–4 weeks. Master one domain before moving to the next. In the final week, shuffle all cards together to test cross-domain recall — which is what the real 350-401 exam requires.

Short sessions beat marathon reviews

20–30 flashcard cards per session, done daily, produces better retention than a single 200-card marathon session. Five short daily sessions per week over 4 weeks gives you over 400 total card reviews — enough to reliably pass 350-401.

350-401 flashcard preview

Sample cards from the 350-401 flashcard bank. Read the question, think of the answer, then read the explanation below.

1

A network engineer is designing a campus network with high availability for critical services. Which Cisco technology enables traffic to be forwarded to an alternate next hop in the event of a first-hop router failure, without requiring any configuration changes on the hosts?

Architecture

HSRP

HSRP (Hot Standby Router Protocol) is a Cisco-proprietary FHRP that allows multiple routers to share a virtual IP and MAC address, providing transparent failover. Hosts are configured with the virtual IP as their default gateway, so when the active router fails, the standby router takes over without any host configuration changes. This directly meets the requirement for high availability without host reconfiguration.

2

A company is deploying a wireless network in an office with high client density. Which Cisco architecture is best suited to handle client roaming without requiring a central controller for every roaming event?

Architecture

FlexConnect

FlexConnect (option D) is the correct architecture because it allows client data traffic to be switched locally at the remote site, while the control plane remains centralized. This design eliminates the need for a central controller to process every roaming event, as clients can roam between FlexConnect APs using local switching and 802.11r (Fast Roaming) without requiring a WLC in the data path.

3

A large enterprise is redesigning its campus network to support 5000 users across three buildings. The design must provide high availability and fast convergence in case of a link failure. The network engineer is considering using Spanning Tree Protocol (STP) in the access layer. What is the primary design concern with using STP in this scenario?

Enterprise Network Design

STP will cause slow convergence and inefficient use of redundant links.

STP (802.1D) converges slowly, typically taking 30-50 seconds (listening + learning states) after a topology change. In a large campus network with 5000 users, this delay causes unacceptable downtime. Additionally, STP blocks redundant links to prevent loops, wasting bandwidth that could be used for load balancing. Modern alternatives like Rapid PVST+ (802.1w) or MST (802.1s) offer sub-second convergence, making classic STP a poor choice for high-availability designs.

4

A network engineer is deploying Cisco SD-Access in a large enterprise campus. The design requires that all user traffic be segmented by Virtual Network (VN) and that the fabric edge nodes perform SGT-based enforcement. The engineer notices that traffic between two endpoints in the same IP subnet but different VNs is being forwarded directly at the fabric edge without any SGT inspection. What is the most likely cause?

SD-Access Architecture

The endpoints are in the same IP subnet, so they must be in the same Virtual Network; SGT enforcement only applies to inter-VN traffic.

In Cisco SD-Access, Virtual Networks (VNs) provide Layer 3 segmentation. Traffic between endpoints in the same IP subnet but different VNs is inherently Layer 2 traffic and cannot be routed or inspected by SGT-based enforcement, which only applies to inter-VN (Layer 3) traffic. Since the endpoints are in the same subnet, the fabric edge node forwards the traffic at Layer 2 without SGT inspection, making option B correct.

5

A network engineer is deploying a Cisco SD-WAN solution for a global enterprise with multiple regional hubs. The engineer wants to ensure that traffic from branch offices to the internet is always forwarded directly from the branch, even if the branch has a primary MPLS link and a backup broadband link. The engineer configures the vSmart policy to direct internet-bound traffic to use the local exit at the branch. However, after deployment, the engineer notices that some internet traffic is still being sent to the regional hub before reaching the internet. What is the most likely cause of this behavior?

SD-WAN Architecture

The engineer configured the data policy under VPN 0 instead of the service VPN (e.g., VPN 10).

Option A is correct because in Cisco SD-WAN, data policies that control traffic forwarding (such as forcing local internet exit) must be applied to the service VPN (e.g., VPN 10) where the branch’s LAN and internet-bound traffic resides. Configuring the policy under VPN 0 (the transport VPN) only affects overlay tunnel traffic and control-plane packets, not user traffic. Since the engineer applied the policy to VPN 0, the policy did not match internet-bound traffic in the service VPN, causing it to follow the default route toward the regional hub.

6

A network engineer is configuring QoS on a Cisco Catalyst 9300 switch to prioritize voice traffic. The switch has multiple access ports connected to IP phones and PCs. The engineer applies a policy-map that matches DSCP EF and sets the CoS to 5. However, after testing, the voice packets are not being marked correctly. What is the most likely cause?

QoS Architecture

The interface is missing the 'mls qos trust cos' or 'mls qos trust dscp' command.

On Cisco Catalyst switches like the 9300, QoS marking policies applied via a policy-map only re-mark packets if the interface port is configured to trust a specific marking. Without the 'mls qos trust dscp' command, the switch defaults to an untrusted state and may ignore or overwrite the DSCP-to-CoS mapping set by the policy-map. Option C is correct because the missing trust command prevents the policy-map from correctly applying the CoS 5 marking to voice packets.

7

A network engineer is troubleshooting a Cisco IOS-XE router that hosts multiple virtual routing and forwarding (VRF) instances. Users in VRF-A report they cannot reach a server in VRF-B. The engineer verifies that both VRFs have the correct routes and that the router has a route leaking configuration using route-target import/export. However, connectivity still fails. What is the most likely cause?

Virtualization

The import map is missing in VRF-B.

Option D is correct because route leaking between VRFs using route-target import/export requires both an export configuration on the source VRF and an import configuration on the destination VRF. If VRF-B lacks an import map (or the route-target import statement), it will not accept the routes exported from VRF-A, even if VRF-A has the correct export configuration. This is a common misconfiguration in MPLS L3VPN or VRF-lite route leaking scenarios.

8

A company is migrating its legacy firewall services to a virtualized environment using Cisco NFV. The network engineer deploys a virtual firewall (vFW) on an NFVIS-enabled UCS platform. After the deployment, traffic through the vFW is intermittent and performance monitoring shows high CPU usage on the host. Which action should the engineer take to improve performance?

Network Function Virtualization

Enable SR-IOV on the physical NICs and assign VFs to the vFW.

SR-IOV (Single Root I/O Virtualization) allows a physical NIC to present multiple virtual functions (VFs) directly to a VM, bypassing the hypervisor's virtual switch and reducing CPU overhead for packet processing. In an NFVIS environment, high host CPU usage with intermittent traffic indicates that the vFW is consuming excessive CPU cycles due to software-based I/O. Assigning VFs to the vFW offloads packet handling to the NIC hardware, lowering host CPU utilization and stabilizing traffic.

9

A network engineer is deploying a new virtualized application on a VMware vSphere cluster. The application requires dedicated CPU cores to meet licensing requirements, and the engineer must ensure that no other virtual machine can use those cores. The cluster uses VMware ESXi 7.0. Which configuration should the engineer apply to the virtual machine?

Virtual Machines and Hypervisors

Configure CPU affinity to pin the VM to specific physical cores.

CPU affinity (option A) is the correct configuration because it explicitly binds a virtual machine's vCPUs to specific physical cores, ensuring that no other VM can use those cores. This meets the licensing requirement for dedicated CPU cores by preventing co-scheduling or sharing of those physical cores with other workloads, which CPU reservation alone does not guarantee.

10

A network engineer is configuring MPLS L3VPN on a Cisco IOS-XE PE router. The engineer creates a VRF named CUSTOMER_A with route-target import and export 100:1. After configuring the VRF on the interface connected to the CE router, the CE router can ping the PE's VRF interface IP, but cannot reach any remote VPNv4 routes. The BGP session between PE and route reflector is up. What is the most likely cause?

VRF and Path Isolation

The VRF is not activated under BGP using the address-family ipv4 vrf CUSTOMER_A command.

The CE router can ping the PE's VRF interface IP, confirming Layer 2 and VRF interface configuration are correct. However, the CE cannot reach remote VPNv4 routes, which indicates that the PE is not advertising or installing those routes into the VRF. The most likely cause is that the VRF CUSTOMER_A has not been activated under BGP using the 'address-family ipv4 vrf CUSTOMER_A' command, which is required to exchange IPv4 routes between the PE and CE within the VRF context and to redistribute them into MP-BGP for VPNv4 propagation.

11

A network engineer is troubleshooting an EIGRP adjacency issue between two routers. The engineer verifies that both routers have the same K-values and autonomous system number. However, the adjacency does not form. Which configuration issue is most likely the cause?

Infrastructure

Authentication is configured on one router but not on the other.

In EIGRP, authentication (MD5 or SHA) must be configured identically on both peers. If one router has authentication enabled and the other does not, the routers will reject each other's hello packets, preventing adjacency formation even if K-values and AS numbers match. This is a common misconfiguration that breaks neighbor relationships silently.

12

A company is implementing QoS in a campus network. Voice traffic must be prioritized over data traffic, and all traffic should be marked at Layer 2 and Layer 3. Which combination of marking values should be used on access ports to achieve this?

Infrastructure

CoS 5, DSCP EF

Option C is correct because voice traffic requires strict priority queuing, which is achieved by marking with CoS 5 at Layer 2 and DSCP EF (46) at Layer 3. CoS 5 maps to the priority queue in Cisco switches, and DSCP EF is the standard per-hop behavior for Expedited Forwarding (RFC 3246), ensuring low latency and jitter for voice. Access ports must trust these markings to prioritize voice over data traffic.

13

An engineer needs to configure a switchport to carry traffic for multiple VLANs to a router using a single physical link. Which configuration should be applied on the switchport?

Infrastructure

Configure the port as a trunk port.

Option B is correct because a trunk port is specifically designed to carry traffic for multiple VLANs over a single physical link using IEEE 802.1Q encapsulation. This allows the switch to tag frames with VLAN IDs, enabling the router (often configured as a router-on-a-stick) to route between VLANs.

14

A network engineer is deploying a new WLAN and needs to ensure that client traffic is encrypted using AES with a pre-shared key. Which security configuration should be applied to the wireless SSID?

Infrastructure

WPA2-PSK with AES

WPA2-PSK with AES is the correct choice because the requirement specifies AES encryption with a pre-shared key. WPA2-PSK (Wi-Fi Protected Access 2 – Pre-Shared Key) mandates AES-CCMP (Counter Mode Cipher Block Chaining Message Authentication Code Protocol) as the encryption protocol, providing strong, standards-compliant security for client traffic. This configuration directly satisfies the need for both AES encryption and PSK authentication.

15

A network administrator is troubleshooting an issue where OSPF routes are not being learned from a neighbor. The administrator checks the OSPF configuration and sees that both routers are in the same area. The neighbor state is stuck in EXSTART. What is the most likely cause?

Infrastructure

The interface MTU does not match.

When OSPF neighbors are stuck in the EXSTART state, it typically indicates a problem with the Database Description (DBD) packet exchange process. The most common cause is an MTU mismatch between the interfaces, because OSPF will not proceed to the Exchange state if the DBD packet is larger than the interface MTU and gets silently dropped. This prevents the routers from agreeing on the master/slave relationship and exchanging link-state information.

16

A network engineer is troubleshooting OSPF adjacency issues between two routers connected via a Gigabit Ethernet link. The engineer notices that the routers are stuck in the EXSTART state. Both routers have the same MTU of 1500 bytes. What is the most likely cause of this issue?

OSPF

One router has a lower IP MTU configured on the interface, causing the DBD packet to be dropped.

When OSPF routers are stuck in the EXSTART state, it typically indicates a problem with the Database Description (DBD) packet exchange. Even though both routers have the same configured MTU of 1500 bytes, one router may have a lower IP MTU on its interface (e.g., due to a different interface MTU or encapsulation overhead), causing the DBD packet to be fragmented or dropped. Since OSPF DBD packets are not fragmented, a mismatch in the actual IP MTU prevents the adjacency from progressing beyond EXSTART.

17

An enterprise network has two routers, R1 and R2, both running BGP. R1 is an eBGP speaker with ISP1, and R2 is an eBGP speaker with ISP2. Both routers are in the same AS 65000. The engineer wants to ensure that traffic from the enterprise to the Internet prefers the path through ISP1 when both links are up. R1 learns a default route from ISP1, and R2 learns a default route from ISP2. Which BGP attribute should the engineer modify on R1 to influence outbound traffic selection?

BGP

Set a higher local preference on R1 for the default route learned from ISP1.

Local preference is the BGP attribute used to influence outbound traffic from an AS. It is propagated within the AS and a higher value is preferred. By setting a higher local preference on R1 for the default route learned from ISP1, R1 will prefer that route over the default route from ISP2, ensuring traffic from the enterprise to the Internet exits via ISP1.

18

A network engineer is troubleshooting an EIGRP issue in a large enterprise network. Two routers, R1 and R2, are connected via a T1 link. R1 is learning a route to 10.0.0.0/8 from R2 with a metric of 28160, but the same route is also learned from another neighbor with a metric of 26880. The engineer notices that the route from R2 is not being installed in the routing table. What is the most likely cause?

EIGRP

The route with metric 28160 is not installed because EIGRP selects the route with the lowest metric.

C is correct because EIGRP installs only the route with the best (lowest) metric into the routing table. The route from R2 has a metric of 28160, while the other neighbor advertises the same route with a metric of 26880. Since 26880 is lower, R1 selects that route as the successor and does not install the higher-metric route from R2.

Study all 2015+ 350-401 cards

350-401 flashcards by domain

The 350-401 flashcard bank covers all 39 official blueprint domains published by Cisco. Cards are distributed proportionally, so domains with higher exam weight have more cards.

Domain Coverage

Architecture

~302 cards
15%

Enterprise Network Design

~1 cards

SD-Access Architecture

~1 cards

SD-WAN Architecture

~1 cards

QoS Architecture

~1 cards

Virtualization

~202 cards
10%

Network Function Virtualization

~1 cards

Virtual Machines and Hypervisors

~1 cards

VRF and Path Isolation

~1 cards

Infrastructure

~605 cards
30%

OSPF

~1 cards

BGP

~1 cards

EIGRP

~1 cards

VLANs and Trunking

~1 cards

Spanning Tree Protocol

~1 cards

EtherChannel

~1 cards

Wireless Infrastructure

~1 cards

MPLS

~1 cards

WAN Technologies

~1 cards

NAT and DHCP

~1 cards

IP Multicast

~1 cards

QoS

~1 cards

Network Assurance

~202 cards
10%

SNMP and Syslog

~1 cards

NetFlow and Telemetry

~1 cards

SPAN and RSPAN

~1 cards

IP SLA

~1 cards

Security

~403 cards
20%

AAA, RADIUS, and TACACS+

~1 cards

ACLs and CoPP

~1 cards

802.1X and TrustSec

~1 cards

VPN Technologies

~1 cards

Infrastructure Security

~1 cards

Automation

~302 cards
15%

Python for Network Automation

~1 cards

Ansible Automation

~1 cards

REST APIs and Data Models

~1 cards

Cisco DNA Center

~1 cards

Model-Driven Telemetry

~1 cards

Flashcards vs practice tests: which is better for 350-401?

Both flashcards and practice questions are evidence-based study tools. The difference is in what they train:

Flashcards — concept retention

Best for memorising definitions, acronyms, protocol behaviours, command syntax, and conceptual distinctions. Use flashcards to build the foundational vocabulary that 350-401 questions assume you know.

Best in: weeks 1–3

Practice tests — application

Best for applying concepts to realistic scenarios, eliminating distractors, and building exam stamina.350-401 questions test scenario reasoning — not just recall — so practice tests are essential.

Best in: weeks 3–6

The most effective 350-401 study plan combines both: use flashcards for the first 2–3 weeks to build conceptual foundations, then shift to practice tests and mock exams in the final 2–3 weeks to apply and benchmark that knowledge. Most candidates who pass on their first attempt use both tools.

350-401 flashcards — frequently asked questions

Are the 350-401 flashcards free?

Yes. Courseiva provides free 350-401 flashcards across all official exam domains. Every card includes the correct answer and a full explanation of why it is right and why the distractors are wrong. The platform also includes topic-based practice, mock exams, and readiness tracking — no account required.

How many 350-401 flashcards are on Courseiva?

Courseiva has 2015+ original 350-401 flashcards across all 39 exam blueprint domains. New cards are added regularly as the question bank grows. All cards are written by certified engineers against the official Cisco exam objectives.

How are Courseiva flashcards different from Anki or Quizlet?

Courseiva flashcards are purpose-built for IT certification exams. Unlike generic flashcard platforms where content quality varies, every Courseiva card is mapped to the official 350-401 exam blueprint, written by engineers who hold the certification, and includes a full explanation of the correct answer and why the distractors are wrong. This explanation quality is what separates genuine learning from rote memorisation.

Can I use 350-401 flashcards offline?

Courseiva is a web platform — an internet connection is required. For offline study, we recommend creating free Courseiva account, using the platform in your browser, and using your device's offline capabilities if your browser supports offline web apps.

Free forever · No credit card required

Track your 350-401 flashcard progress

Save your results, see which domains need more work, and get spaced repetition recommendations — all free.

Sign Up Free

Free forever · Every certification included

Start Studying

⚡Quick 10 cards📝20-card session🎯30-card session📊50-card shuffle💪100-card marathon

Also Study With

Practice TestMock ExamStudy GuideExam Domains