Courseiva
Knowledge + Practice
CertificationsVendorsCareer RoadmapsLabs & ToolsStudy GuidesGlossaryPractice Questions
C
Courseiva

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.

Certification Practice Questions

CCNA practice questionsSecurity+ SY0-701 practice questionsAWS SAA-C03 practice questionsAZ-104 practice questionsAZ-900 practice questionsCLF-C02 practice questionsA+ Core 1 practice questionsGoogle Cloud ACE practice questionsCySA+ CS0-003 practice questionsNetwork+ N10-009 practice questions
View all certifications →

Product

CertificationsCertification PathsExam TopicsPractice TestsExam Dumps vs Practice TestsStudy HubComparisons

Company

AboutContactEditorial PolicyQuestion Writing PolicyTrust Center

Legal

Privacy PolicyTerms of Service

Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

← Security practice sets

350-401 Security • Complete Question Bank

350-401 Security — All Questions With Answers

Complete 350-401 Security question bank — all 0 questions with answers and detailed explanations.

15
Questions
Free
No signup
Certifications/350-401/Practice Test/Security/All Questions
Question 1mediummultiple choice
Read the full Security explanation →

A network engineer is configuring port security on a Cisco switch to prevent unauthorized devices from connecting. The requirement is to allow only the first two MAC addresses learned on an interface, and to disable the interface if a violation occurs. Which configuration achieves this?

Question 2easymultiple choice
Study the full AAA explanation →

An organization wants to implement 802.1X authentication on its wired network using Cisco ISE as the authentication server. The switches are configured with the necessary RADIUS settings. Which additional configuration is required on the switch interfaces to enable 802.1X?

Question 3hardmultiple choice
Study the full ACL explanation →

A security engineer is configuring CoPP (Control Plane Policing) on a Cisco router to protect the control plane from DoS attacks. The policy must rate-limit SSH traffic to 1 Mbps with a burst of 2000 bytes, and drop all other traffic destined to the control plane that exceeds a default rate. Which class-map and policy-map configuration is correct?

Question 4mediummultiple choice
Open the full VLAN trunking answer →

A company has deployed a Cisco ASA firewall in transparent mode. The internal network uses VLAN 10 and the external network uses VLAN 20. The ASA is configured with two bridge groups: BVI 10 for inside and BVI 20 for outside. The security policy must allow HTTPS traffic from inside to outside. Which access-list entry is correct?

Question 5hardmultiple choice
Open the full VLAN trunking answer →

A network administrator is troubleshooting a DHCP snooping issue on a Cisco switch. The switch is configured with DHCP snooping globally and on VLAN 10. The trusted interface is GigabitEthernet0/1 connected to the DHCP server. However, clients on VLAN 10 are not receiving IP addresses from the DHCP server. What is the most likely cause?

Question 6mediummulti select
Open the full VLAN trunking answer →

Which TWO of the following are valid methods to mitigate VLAN hopping attacks?

Question 7hardmulti select
Read the full Security explanation →

Which THREE of the following are characteristics of Cisco TrustSec (CTS) security architecture?

Question 8easymultiple choice
Read the full DHCP explanation →

Refer to the exhibit. A network administrator notices that some DHCP packets are being dropped due to 'MAC Address Mismatch'. What is the most likely cause of this drop?

Exhibit

Refer to the exhibit.

Switch# show ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:1A:2B:3C:4D:5E  192.168.1.10     86400       dhcp-snooping   10    GigabitEthernet0/1
00:1A:2B:3C:4D:5F  192.168.1.11     86400       dhcp-snooping   10    GigabitEthernet0/2

Switch# show ip dhcp snooping statistics
Packets Processed by DHCP Snooping   = 100
Packets Dropped Because               = 5
  MAC Address Mismatch                 = 3
  Invalid Server Replies               = 2
Question 9hardmultiple choice
Read the full Security explanation →

Refer to the exhibit. A switch has IP Source Guard (IPSG) and port-security enabled on interface GigabitEthernet0/1. A host with IP 10.1.1.1 and MAC 00:1A:2B:3C:4D:5E is connected and tries to access a web server at 192.168.1.100. What will happen?

Exhibit

Refer to the exhibit.

interface GigabitEthernet0/1
 ip access-group ACL-IN in
 ip verify source port-security
!
ip access-list extended ACL-IN
 permit tcp 10.0.0.0 0.255.255.255 any eq 80
 permit tcp 10.0.0.0 0.255.255.255 any eq 443
 deny ip any any
Question 10mediummultiple choice
Study the full AAA explanation →

A medium-sized enterprise is migrating to a Cisco DNA Center-managed network. The security policy requires that all administrative access to network devices be authenticated via TACACS+ and that authorization for commands be enforced per user role. The network team has configured ISE as the AAA server and integrated it with DNA Center. After configuration, engineers report that they can log in to devices via SSH but are not prompted for a password when entering 'enable' mode; instead, they are granted full privileges immediately. Additionally, while in configuration mode, some engineers can issue 'debug' commands that they should not have access to. The configuration on the devices includes 'aaa new-model', 'aaa authentication login default group tacacs+ local', 'aaa authorization exec default group tacacs+ local', and 'aaa authorization commands 15 default group tacacs+ local'. What is the most likely cause of the privilege escalation and missing authorization?

Question 11easymulti select
Read the full Security explanation →

Which TWO features are part of Cisco TrustSec for providing role-based access control?

Question 12mediummultiple choice
Open the full BGP breakdown →

A network engineer applies the above CoPP policy on a router. The router has BGP peers, SSH management, and SNMP monitoring. After applying this policy, which traffic will be affected?

Network Topology
Access-list for CoPP!Class-mapPolicy-mapApply to control-planeRefer to the exhibit.ip access-list extended COPP_ACLclass-map match-all COPP_CLASSmatch access-group name COPP_ACLpolicy-map COPP_POLICYclass COPP_CLASSpolice cir 8000 bc 1500conform-action transmitexceed-action dropcontrol-planeservice-policy input COPP_POLICY
Question 13hardmultiple choice
Open the full VLAN trunking answer →

Your company has deployed a Cisco Catalyst 9300 switch stack as the distribution layer for a campus network. The network uses VLANs 10 (data), 20 (voice), and 30 (management). The switch stack is configured with DHCP snooping, Dynamic ARP Inspection (DAI), and IP Source Guard (IPSG) on access ports. Recently, users in VLAN 10 report intermittent connectivity issues. You notice that some users receive duplicate IP addresses from the DHCP server. The DHCP server is connected to a trunk port on the switch stack. After reviewing logs, you see that DHCPACK messages are being dropped on the trunk port. The DHCP snooping binding table shows entries for legitimate clients, but also some entries with MAC addresses from a different vendor. Which action should you take to resolve the issue?

Question 14mediumdrag order
Read the full Security explanation →

Drag and drop the steps to configure port security on a Cisco switch in the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5
Question 15mediummatching
Open the full STP breakdown →

Match each Spanning Tree Protocol (STP) variant to its key characteristic.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Original standard, slow convergence

Fast convergence, backward compatible

Multiple spanning trees per VLAN group

Cisco proprietary, per-VLAN STP

Cisco proprietary, per-VLAN RSTP

Practice tests

Scored 10-question sessions with instant feedback and explanations.

350-401 Practice Test 1 — 10 Questions→350-401 Practice Test 2 — 10 Questions→350-401 Practice Test 3 — 10 Questions→350-401 Practice Test 4 — 10 Questions→350-401 Practice Test 5 — 10 Questions→350-401 Practice Exam 1 — 20 Questions→350-401 Practice Exam 2 — 20 Questions→350-401 Practice Exam 3 — 20 Questions→350-401 Practice Exam 4 — 20 Questions→Free 350-401 Practice Test 1 — 30 Questions→Free 350-401 Practice Test 2 — 30 Questions→Free 350-401 Practice Test 3 — 30 Questions→350-401 Practice Questions 1 — 50 Questions→350-401 Practice Questions 2 — 50 Questions→350-401 Exam Simulation 1 — 100 Questions→

Practice by domain

Each domain maps to a weighted exam section. Focus on the domain where you are weakest.

ArchitectureEnterprise Network DesignSD-Access ArchitectureSD-WAN ArchitectureQoS ArchitectureVirtualizationNetwork Function VirtualizationVirtual Machines and HypervisorsVRF and Path IsolationInfrastructureOSPFBGPEIGRPVLANs and TrunkingSpanning Tree ProtocolEtherChannelWireless InfrastructureMPLSWAN TechnologiesNAT and DHCPIP MulticastQoSNetwork AssuranceSNMP and SyslogNetFlow and TelemetrySPAN and RSPANIP SLASecurityAAA, RADIUS, and TACACS+ACLs and CoPP802.1X and TrustSecVPN TechnologiesInfrastructure SecurityAutomationPython for Network AutomationAnsible AutomationREST APIs and Data ModelsCisco DNA CenterModel-Driven Telemetry

Practice by scenario

Filter questions by type — troubleshooting, exhibit, drag-and-drop, PBQ, ACLs, OSPF, and more.

Browse scenarios→

Continue studying

All Security setsAll Security questions350-401 Practice Hub