
Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

Objective 505.0

Infrastructure Security

350-401 Practice Questions


350-401 Infrastructure Security — Practice Questions

30 questions from this objective

Question 2 (medium, multiple choice)

A network engineer is configuring port security on a Cisco switch. The requirement is to allow only the first MAC address that appears on the port to be learned and to automatically disable the port if a violation occurs. The engineer configures 'switchport port-security mac-address sticky' but does not specify a maximum number of secure MAC addresses. After connecting a single host, the port works. However, when the host is replaced with a different device, the port is error-disabled. What is the most likely reason?

Question 3 (hard, multiple choice)

An enterprise network uses 802.1X for wired access. The authentication server is a Cisco ISE. Recently, some Windows 10 clients fail to authenticate, while others succeed. The engineer checks the switch configuration and finds 'authentication port-control auto' and 'dot1x pae authenticator' are configured. The failing clients show 'EAP failure' in the logs. The engineer suspects a mismatch in EAP method. Which EAP method is most likely causing the issue if the ISE is configured to require EAP-TLS but the Windows clients are configured for PEAP-MSCHAPv2?

Question 4 (medium, multiple choice)

A network engineer is configuring CoPP on a Cisco router to protect the control plane from excessive traffic. The router experiences high CPU utilization due to SSH and SNMP traffic. The engineer creates a class-map to match SSH (TCP/22) and SNMP (UDP/161) and applies a policy-map that polices this traffic to 1 Mbps. After applying the policy, legitimate SSH sessions from the management station start dropping intermittently. What is the most likely cause?

Question 5 (hard, multiple choice)

A network engineer is implementing DHCP snooping on a Cisco switch to prevent rogue DHCP servers. The switch has multiple VLANs, and the DHCP server is connected to interface GigabitEthernet0/1 in VLAN 10. The engineer enables DHCP snooping globally and for VLAN 10, then configures 'ip dhcp snooping trust' on GigabitEthernet0/1. However, clients in VLAN 10 are not receiving IP addresses. The engineer checks the DHCP snooping binding table and sees no entries. What is the most likely cause?

Question 6 (medium, multiple choice)

A network engineer is configuring dynamic ARP inspection (DAI) on a Cisco switch to prevent ARP spoofing. The switch has DHCP snooping enabled and the DHCP server is trusted. The engineer enables DAI on VLAN 10 and configures 'ip arp inspection trust' on the port connected to the DHCP server. After enabling DAI, some legitimate ARP replies from hosts are being dropped. The engineer checks the DAI statistics and sees 'ARP ACL drops' incrementing. What is the most likely reason?

Question 7 (hard, multiple choice)

A network engineer is configuring IPv6 First Hop Security on a Cisco switch to mitigate rogue RA attacks. The engineer enables RA guard on the switch and applies a policy that allows only the default gateway to send RAs. After configuration, hosts are unable to obtain IPv6 addresses via SLAAC. The engineer checks the switch and sees that RA guard is dropping all RAs. What is the most likely cause?

Question 8 (medium, multiple choice)

A network engineer is configuring a zone-based firewall (ZBF) on a Cisco router to allow traffic from the inside zone to the outside zone while blocking traffic from outside to inside. The engineer creates zones, assigns interfaces, and configures a policy-map with a class-map that matches all traffic from inside to outside. The engineer applies the policy to the zone-pair inside-to-outside. However, traffic from inside to outside is being dropped. What is the most likely reason?

Question 9 (hard, multiple choice)

A network engineer is implementing MACsec on a Cisco switch-to-switch link to provide encryption. Both switches support MACsec and are configured with the same pre-shared key (PSK). The engineer configures 'mka' and 'macsec' on the interfaces. After configuration, the link does not come up, and the engineer sees 'MKA not operational' in the show macsec status. What is the most likely cause?

Question 10 (easy, multiple choice)

A network engineer is configuring uRPF (unicast Reverse Path Forwarding) on a Cisco router to prevent spoofed IP traffic. The engineer enables uRPF in strict mode on the ingress interface connected to the internal network. After enabling uRPF, legitimate traffic from internal hosts is being dropped. The engineer checks the routing table and sees that the routes for the internal subnets are present. What is the most likely cause?

Question 11 (medium, multiple choice)

A network engineer runs the following command on Router R1:

```
R1# show ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
10.0.0.2          1   FULL/DR         00:00:38    192.168.1.2     GigabitEthernet0/0
10.0.0.3          1   2WAY/DROTHER    00:00:32    192.168.1.3     GigabitEthernet0/0
10.0.0.4          1   FULL/BDR        00:00:35    192.168.1.4     GigabitEthernet0/0
```

Based on this output, what can be concluded?

Question 12 (medium, multiple choice)

A network engineer runs the following command on Switch SW1:

```
SW1# show spanning-tree vlan 10

VLAN0010
  Spanning tree enabled protocol ieee
  Root ID    Priority    32778
             Address     0011.2233.4455
             Cost        19
             Port        1 (GigabitEthernet0/1)
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32778  (priority 32768 sys-id-ext 10)
             Address     0011.2233.4466
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/1               Root FWD 19        128.1    P2p
Gi0/2               Altn BLK 19        128.2    P2p
Gi0/3               Desg FWD 19        128.3    P2p
```

Based on this output, what can be concluded?

Question 13 (easy, multiple choice)

A network engineer runs the following command on Router R1:

```
R1# show ip access-lists 101
Extended IP access list 101
    10 permit tcp 192.168.1.0 0.0.0.255 any eq 80 (100 matches)
    20 deny tcp any any eq 23 (50 matches)
    30 permit ip any any (200 matches)
```

Based on this output, what can be concluded?

Question 14 (medium, multiple choice)

A network engineer runs the following command on Router R1:

```
R1# show ip nat translations
Pro Inside global         Inside local          Outside local         Outside global
--- 203.0.113.10          192.168.1.10          ---                   ---
--- 203.0.113.11          192.168.1.11          ---                   ---
tcp 203.0.113.10:1024     192.168.1.10:1024     198.51.100.5:80       198.51.100.5:80
```

Based on this output, what can be concluded?

Question 15 (hard, multiple choice)

A network engineer runs the following command on Router R1:

```
R1# show policy-map interface GigabitEthernet0/0
 GigabitEthernet0/0

  Service-policy input: QOS_POLICY

    Class-map: VOICE (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: ip dscp ef (46)
      Queueing
      queue limit 64 packets
      (queue depth/total drops/no-buffer drops) 0/0/0
      (pkts output/bytes output) 0/0
      police cir 1000000 bc 31250 be 31250
        conformed 0 bytes; actions: transmit
        exceeded 0 bytes; actions: drop
        violated 0 bytes; actions: drop

    Class-map: class-default (match-any)
      100 packets, 12000 bytes
      5 minute offered rate 8000 bps, drop rate 0 bps
      Match: any
      Queueing
      queue limit 64 packets
      (queue depth/total drops/no-buffer drops) 0/0/0
      (pkts output/bytes output) 100/12000
```

Based on this output, what can be concluded?

Question 16 (medium, multiple choice)

A network engineer runs the following command on Router R1:

```
R1# show aaa sessions
Total sessions since last reset: 10

Session Id: 5  Unique Id: 5  User Name: admin
  IP Address: 192.168.1.100
  Idle Time: 0:00:05  Timeout: 0:10:00  Type: SSH  Method: local

Session Id: 6  Unique Id: 6  User Name: neteng
  IP Address: 10.0.0.2
  Idle Time: 0:02:30  Timeout: 0:10:00  Type: SSH  Method: tacacs+
```

Based on this output, what can be concluded?

Question 17 (easy, multiple choice)

A network engineer runs the following command on Router R1:

```
R1# show vrf brief
  Name                             Default RD            Protocols   Interfaces
  CUSTOMER_A                       65000:100             ipv4        Gi0/0.100
  CUSTOMER_B                       65000:200             ipv4        Gi0/0.200
  MANAGEMENT                       65000:999             ipv4        Gi0/1
```

Based on this output, what can be concluded?

Question 18 (hard, multiple choice)

A network engineer runs the following command on Router R1:

```
R1# show ip bgp summary
BGP router identifier 10.0.0.1, local AS number 65001
BGP table version is 10, main routing table version 10

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
192.168.1.2     4        65002    1024    1020       10    0    0 02:30:15       5
192.168.1.3     4        65003     500     498       10    0    0 00:15:20       3
10.0.0.2        4        65004       0       0        0    0    0 never    Active
```

Based on this output, what can be concluded?

Question 19 (medium, multiple choice)

A network engineer runs the following command on Router R1:

```
R1# show mpls ldp neighbor
    Peer LDP Ident: 10.0.0.2:0; Local LDP Ident 10.0.0.1:0
        TCP connection: 10.0.0.2.646 - 10.0.0.1.49231
        State: Oper; Msgs sent/rcvd: 100/95; Downstream
        Up time: 01:23:45
        LDP discovery sources:
          GigabitEthernet0/0, Src IP addr: 192.168.1.2
        Addresses bound to peer LDP Ident:
          10.0.0.2        192.168.1.2
```

Based on this output, what can be concluded?

Question 20 (medium, multiple choice)

Examine the following interface configuration on a Cisco IOS-XE switch:

```
interface GigabitEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address sticky
```

What is the effect of this configuration?

Question 21 (medium, multiple choice)

Consider the following configuration on a Cisco IOS-XE router:

```
ip access-list extended BLOCK_SSH
 deny tcp any any eq 22
 permit ip any any
!
line vty 0 4
 access-class BLOCK_SSH in
```

Which statement is true about this configuration?

Question 22 (medium, multiple choice)

Examine the following CoPP configuration on a Cisco IOS-XE router:

```
class-map match-all CONTROL-PLANE
 match access-group name COPP-ACL
!
policy-map COPP-POLICY
 class CONTROL-PLANE
  police 1000000 200000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input COPP-POLICY
```

What is the effect of this configuration?

Question 23 (medium, multiple choice)

Consider the following DHCP snooping configuration on a Cisco IOS-XE switch:

```
ip dhcp snooping
ip dhcp snooping vlan 10
interface GigabitEthernet0/1
 ip dhcp snooping trust
!
interface GigabitEthernet0/2
 ip dhcp snooping limit rate 10
```

Which statement is true?

Question 24 (medium, multiple choice)

Examine the following BGP configuration on a Cisco IOS-XE router:

```
router bgp 65000
 bgp default local-preference 150
 neighbor 10.1.1.1 remote-as 65001
 neighbor 10.1.1.1 password cisco123
 neighbor 10.1.1.1 route-map SET-MED out
!
route-map SET-MED permit 10
 set metric 50
```

What is the effect of the route-map on outbound updates to 10.1.1.1?

Question 25 (medium, multiple choice)

Consider the following IPv6 access-list on a Cisco IOS-XE router:

```
ipv6 access-list PERMIT_ICMP
 permit icmp any any echo-request
 permit icmp any any echo-reply
 deny ipv6 any any
!
interface GigabitEthernet0/0
 ipv6 traffic-filter PERMIT_ICMP in
```

What is the effect of this configuration?

Question 26 (easy, multiple choice)

What is the default OSPF hello interval on an Ethernet link in a Cisco router?

Question 27 (medium, multiple choice)

Which BGP attribute is used as the first tie-breaker when multiple paths are available and the weight is equal?

Question 28 (easy, multiple choice)

What is the maximum hop count for EIGRP?

Question 29 (medium, drag order)

Drag and drop the steps of Cisco IBNS 2.0 policy configuration into the correct order, from first to last.

Question 30 (medium, drag order)

Drag and drop the steps of configuring a Cisco IOS Zone-Based Firewall (ZBFW) into the correct order, from first to last.

Question 31 (medium, drag order)

Drag and drop the steps of configuring Control Plane Policing (CoPP) on a Cisco IOS router into the correct order, from first to last.

More Infrastructure Security questions available in the full practice test.


All 350-401 Objectives

  • 100. Architecture (15%)
  • 101. Enterprise Network Design
  • 102. SD-Access Architecture
  • 103. SD-WAN Architecture
  • 104. QoS Architecture
  • 200. Virtualization (10%)
  • 201. Network Function Virtualization
  • 202. Virtual Machines and Hypervisors
  • 203. VRF and Path Isolation
  • 300. Infrastructure (30%)
  • 301. OSPF
  • 302. BGP
  • 303. EIGRP
  • 304. VLANs and Trunking
  • 305. Spanning Tree Protocol
  • 306. EtherChannel
  • 307. Wireless Infrastructure
  • 308. MPLS
  • 309. WAN Technologies
  • 310. NAT and DHCP
  • 311. IP Multicast
  • 312. QoS
  • 400. Network Assurance (10%)
  • 401. SNMP and Syslog
  • 402. NetFlow and Telemetry
  • 403. SPAN and RSPAN
  • 404. IP SLA
  • 500. Security (20%)
  • 501. AAA, RADIUS, and TACACS+
  • 502. ACLs and CoPP
  • 503. 802.1X and TrustSec
  • 504. VPN Technologies
  • 505. Infrastructure Security
  • 600. Automation (15%)
  • 601. Python for Network Automation
  • 602. Ansible Automation
  • 603. REST APIs and Data Models
  • 604. Cisco DNA Center
  • 605. Model-Driven Telemetry