Courseiva
Knowledge + Practice
CertificationsVendorsCareer RoadmapsLabs & ToolsStudy GuidesGlossaryPractice Questions
C
Courseiva

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.

Certification Practice Questions

CCNA practice questionsSecurity+ SY0-701 practice questionsAWS SAA-C03 practice questionsAZ-104 practice questionsAZ-900 practice questionsCLF-C02 practice questionsA+ Core 1 practice questionsGoogle Cloud ACE practice questionsCySA+ CS0-003 practice questionsNetwork+ N10-009 practice questions
View all certifications →

Product

CertificationsCertification PathsExam TopicsPractice TestsExam Dumps vs Practice TestsStudy HubComparisons

Company

AboutContactEditorial PolicyQuestion Writing PolicyTrust Center

Legal

Privacy PolicyTerms of Service

Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

HomeCertifications350-401ScenariosHard Difficulty Questions
Scenario PracticeCisco · 350-401

350-401 Hard Difficulty Questions

These are the questions most candidates get wrong. They require connecting multiple concepts, reading tricky output, or knowing edge-case behaviour that isn't on most study cards. Practising them trains you to operate under uncertainty — a necessary skill on the real exam.

Start Scenario Practice

Other Scenarios

Refer to the ExhibitSW1 and SW2 VLAN TrunkingRouter R1 Cannot Reach R3Show IP Route OutputWhich Command Should the Administrator UseDrag and Drop Ordering QuestionsDrag and Drop Matching QuestionsSelect Two (Multi-Select) QuestionsPerformance-Based Questions (PBQs)Troubleshooting Scenario QuestionsShow Command Output QuestionsOSPF Troubleshooting ScenariosVLAN and Inter-VLAN Routing ScenariosSpanning Tree Protocol ScenariosNAT and PAT Configuration ScenariosAccess Control List (ACL) ScenariosDHCP Troubleshooting ScenariosEtherChannel and LACP ScenariosWireless LAN and WLC ScenariosIPv6 Configuration Scenarios

Study Tools

Practice TestTopic PracticeMock Exam

Common Traps on Hard Difficulty Questions

  • ·Over-thinking — the correct answer usually directly addresses the symptom described.
  • ·Dismissing an option because it 'sounds too simple' — sometimes the simple answer is exactly right.
  • ·Confusing similar protocol terms: EIGRP uses 'successor/feasible successor', OSPF uses 'DR/BDR'.
  • ·Not reading the full stem — hard questions often embed the constraint that eliminates the obvious answer.

Sample Questions

Practice all 20 →
1.

Refer to the exhibit. A network engineer is troubleshooting a routing issue. The route for 10.0.0.0/8 is learned via EIGRP with metric 2560512. Which change would most likely cause the metric to increase?

A.Increase the bandwidth on GigabitEthernet0/0.
B.Add a redistribute static command under EIGRP.
C.Change the administrative distance to 90.
D.Increase the delay on GigabitEthernet0/0.

Explanation: The EIGRP metric is calculated using the formula: metric = (K1 * bandwidth + (K2 * bandwidth) / (256 - load) + K3 * delay) * 256, with default K values (K1=1, K3=1, others=0). Increasing the delay on the outgoing interface (GigabitEthernet0/0) directly increases the delay component in the composite metric, causing the overall metric to increase. Option D is correct because delay is a key variable in the EIGRP metric calculation.

2.

Refer to the exhibit. R1 has two equal-cost OSPF E2 routes to 10.1.1.0/24 via two different next hops. However, when tracing to 10.1.1.1, all traffic uses the path through 10.0.1.2. What is the most likely reason?

A.One route has a higher administrative distance.
B.A default route is overriding the specific route.
C.The route via 10.0.2.2 is an E1 route.
D.OSPF E2 routes do not factor interface cost; but the router uses the interface cost as a tie-breaker for equal-cost routes.

Explanation: OSPF E2 routes do not include the internal cost to the ASBR; the cost shown in the routing table is the external metric only. When two E2 routes have the same external metric, Cisco IOS uses the interface cost as a tie-breaker to select the best next hop. In this scenario, the interface to 10.0.1.2 has a lower cost than the interface to 10.0.2.2, so all traffic is forwarded via 10.0.1.2.

3.

Your company has deployed a Cisco Catalyst 9300 switch stack as the distribution layer for a campus network. The network uses VLANs 10 (data), 20 (voice), and 30 (management). The switch stack is configured with DHCP snooping, Dynamic ARP Inspection (DAI), and IP Source Guard (IPSG) on access ports. Recently, users in VLAN 10 report intermittent connectivity issues. You notice that some users receive duplicate IP addresses from the DHCP server. The DHCP server is connected to a trunk port on the switch stack. After reviewing logs, you see that DHCPACK messages are being dropped on the trunk port. The DHCP snooping binding table shows entries for legitimate clients, but also some entries with MAC addresses from a different vendor. Which action should you take to resolve the issue?

A.Manually shut down the access ports that have unknown MAC addresses in the binding table.
B.Disable Dynamic ARP Inspection on VLAN 10.
C.Configure the trunk port connecting to the DHCP server as a trusted port for DHCP snooping.
D.Disable IP Source Guard on all access ports in VLAN 10.

Explanation: The DHCP snooping feature treats all ports as untrusted by default, which means DHCP server messages (DHCPOFFER, DHCPACK, DHCPNAK) are dropped on untrusted ports. Since the DHCP server is connected to a trunk port and DHCPACK messages are being dropped, that trunk port must be explicitly configured as a trusted port for DHCP snooping using the 'ip dhcp snooping trust' interface command. This allows legitimate DHCP server responses to reach clients, resolving the duplicate IP address issue caused by clients not receiving their assigned addresses.

4.

Which TWO statements are true about RESTCONF and NETCONF in a Cisco IOS XE environment? (Choose two.)

A.RESTCONF uses HTTP methods (GET, POST, PUT, DELETE) and supports JSON and XML encoding.
B.RESTCONF supports the candidate datastore for editing configurations.
C.NETCONF uses HTTP as its transport protocol.
D.RESTCONF and NETCONF both support JSON and XML encoding.

Explanation: Option A is correct because RESTCONF is designed to use standard HTTP methods (GET, POST, PUT, DELETE, PATCH) for CRUD operations on YANG-defined data, and it supports both JSON and XML encoding formats. This aligns with its goal of providing a simpler, web-friendly interface compared to NETCONF.

5.

An organization is migrating from a traditional three-tier architecture to a leaf-spine fabric using VXLAN EVPN. The design requires that virtual machines can move between racks without IP address changes. Which technology must be enabled at the leaf switches to support this mobility?

A.Overlay Transport Virtualization (OTV).
B.VXLAN with EVPN control plane.
C.VRF-Lite with route redistribution.
D.MPLS L3VPN with BGP.

Explanation: VXLAN with EVPN control plane (B) is correct because it provides a Layer 2 overlay network that extends VLANs across the leaf-spine fabric, enabling virtual machine mobility without IP address changes. EVPN uses BGP to distribute MAC and IP address information, allowing the leaf switches to learn and forward traffic to VMs regardless of their physical location, which is essential for seamless VM migration between racks.

+15 more scenario questions available

Practice all Hard Difficulty Questions

Related Topics

advanced questionsexpert-level practicedifficult scenarios

Frequently asked questions

How do "Hard Difficulty Questions" appear on the real 350-401?

These are the questions most candidates get wrong. They require connecting multiple concepts, reading tricky output, or knowing edge-case behaviour that isn't on most study cards. Practising them trains you to operate under uncertainty — a necessary skill on the real exam. These appear throughout the 350-401 and require you to apply your knowledge, not just recall facts.

How many scenario questions are on the 350-401 exam?

Cisco doesn't publish an exact breakdown, but scenario-based questions (especially exhibit and command-output formats) make up a significant portion of the 350-401. Practicing each scenario type ensures you're ready for any format.

Are these 350-401 scenario practice questions free?

Yes. Courseiva provides free 350-401 scenario practice across all official exam domains. The platform includes scenario-based questions, command-output interpretation, topic-based practice, mock exams, and readiness tracking — no account required.

Ready to practice this scenario type?

Launch a full Hard Difficulty Questions session with instant scoring and detailed explanations.

Start Scenario Practice →

Scenario Info

Type

Scenario Practice

Exam

350-401

Questions

20+