Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


350-401 Infrastructure Security Practice Questions

20+ practice questions focused on Infrastructure Security — one of the most tested topics on the ENCOR 350-401 exam. Each question includes a detailed explanation so you learn why the right answer is correct.


Sample Infrastructure Security Questions

1.

A network engineer is configuring port security on a Cisco switch. The requirement is to allow only the first MAC address that appears on the port to be learned and to automatically disable the port if a violation occurs. The engineer configures 'switchport port-security mac-address sticky' but does not specify a maximum number of secure MAC addresses. After connecting a single host, the port works. However, when the host is replaced with a different device, the port is error-disabled. What is the most likely reason?

A. The default maximum number of secure MAC addresses is 1, so the second MAC address triggers a violation.
B. The sticky keyword requires the engineer to first manually configure a maximum number of MAC addresses.
C. The violation mode is set to 'restrict' by default, which causes the port to error-disable after one violation.
D. The port security aging type is set to 'absolute' by default, causing the sticky address to expire immediately.

Explanation: The sticky command learns MAC addresses dynamically and stores them in the running configuration. By default, the maximum number of secure MAC addresses is 1. When a new device is connected, its MAC address is different, causing a violation. The default violation mode is 'shutdown', which error-disables the port. Option A is correct because the sticky feature does not change the default maximum count. Option B is incorrect because sticky does not require a specific maximum; it uses the default. Option C is incorrect because the violation mode is shutdown by default, not restrict. Option D is incorrect because aging is not configured and does not cause this behavior.

2.

An enterprise network uses 802.1X for wired access. The authentication server is a Cisco ISE. Recently, some Windows 10 clients fail to authenticate, while others succeed. The engineer checks the switch configuration and finds 'authentication port-control auto' and 'dot1x pae authenticator' are configured. The failing clients show 'EAP failure' in the logs. The engineer suspects a mismatch in EAP method. Which EAP method is most likely causing the issue if the ISE is configured to require EAP-TLS but the Windows clients are configured for PEAP-MSCHAPv2?

A. EAP-TLS requires a client certificate, which the Windows clients do not have.
B. EAP-FAST requires a PAC file that the Windows clients do not have.
C. LEAP uses a shared secret that is not configured on the clients.
D. EAP-MD5 does not support mutual authentication, causing the failure.

Explanation: EAP-TLS requires a client certificate, while PEAP-MSCHAPv2 uses a username/password inside a TLS tunnel. If ISE is configured to only accept EAP-TLS, clients attempting PEAP will receive an EAP failure. Option A is correct because EAP-TLS is certificate-based and different from PEAP. Option B is incorrect because EAP-FAST uses a PAC, not certificates. Option C is incorrect because LEAP is deprecated and uses MS-CHAPv2, but it is not the same as PEAP. Option D is incorrect because EAP-MD5 is a simple challenge-response and not typically used in enterprise 802.1X.

3.

A network engineer is configuring CoPP on a Cisco router to protect the control plane from excessive traffic. The router experiences high CPU utilization due to SSH and SNMP traffic. The engineer creates a class-map to match SSH (TCP/22) and SNMP (UDP/161) and applies a policy-map that polices this traffic to 1 Mbps. After applying the policy, legitimate SSH sessions from the management station start dropping intermittently. What is the most likely cause?

A. The police rate of 1 Mbps is too low for the combined SSH and SNMP traffic from the management station.
B. The CoPP policy is applied to the wrong interface, affecting transit traffic instead of control plane traffic.
C. The class-map should match on DSCP values instead of port numbers to be effective.
D. The policy-map should use the 'drop' action instead of 'police' to protect the control plane.

Explanation: CoPP polices traffic destined to the control plane. If the police rate is too low, even legitimate traffic can be dropped. The engineer set a 1 Mbps limit for both SSH and SNMP combined. If the management station generates bursts above this rate, packets are dropped. Option A is correct because the aggregate police rate may be insufficient. Option B is incorrect because CoPP does not affect transit traffic. Option C is incorrect because the policy is applied to the control plane, not an interface. Option D is incorrect because the class-map matches both protocols, but the issue is the police rate.

4.

A network engineer is implementing DHCP snooping on a Cisco switch to prevent rogue DHCP servers. The switch has multiple VLANs, and the DHCP server is connected to interface GigabitEthernet0/1 in VLAN 10. The engineer enables DHCP snooping globally and for VLAN 10, then configures 'ip dhcp snooping trust' on GigabitEthernet0/1. However, clients in VLAN 10 are not receiving IP addresses. The engineer checks the DHCP snooping binding table and sees no entries. What is the most likely cause?

A. The switch does not have an 'ip helper-address' configured to forward DHCP requests to the server.
B. The interface GigabitEthernet0/1 should be configured as an untrusted port for DHCP snooping.
C. The switch has DHCP snooping rate limiting enabled, which is dropping all DHCP packets.
D. The DHCP server is connected to a port in a different VLAN, and DHCP snooping only works within the same VLAN.

Explanation: DHCP snooping requires the DHCP server port to be trusted. If the server is on a different VLAN than the clients, the switch must also have IP routing enabled or use a DHCP relay. However, the scenario does not mention a relay. The most likely cause is that the DHCP server is not on the same subnet as the clients, and no IP helper address is configured. Option A is correct because without a helper address, DHCP broadcasts are not forwarded to the server. Option B is incorrect because the trust configuration is correct. Option C is incorrect because rate limiting is not configured. Option D is incorrect because DHCP snooping does not require a specific VLAN for the server port.

5.

A network engineer is configuring dynamic ARP inspection (DAI) on a Cisco switch to prevent ARP spoofing. The switch has DHCP snooping enabled and the DHCP server is trusted. The engineer enables DAI on VLAN 10 and configures 'ip arp inspection trust' on the port connected to the DHCP server. After enabling DAI, some legitimate ARP replies from hosts are being dropped. The engineer checks the DAI statistics and sees 'ARP ACL drops' incrementing. What is the most likely reason?

A. The hosts have static IP addresses, so their MAC-IP bindings are not in the DHCP snooping database.
B. The port connected to the DHCP server should be untrusted for DAI to work correctly.
C. The DHCP server is in a different VLAN, and DAI cannot validate cross-VLAN ARP.
D. DAI is checking the destination MAC address, which does not match the expected value.

Explanation: DAI validates ARP packets against the DHCP snooping binding table. If a host has a static IP address, its MAC-IP binding is not in the DHCP snooping database, so DAI drops the ARP replies unless an ARP ACL is configured to permit them. Option A is correct because static hosts need an ARP ACL. Option B is incorrect because the DHCP server port is trusted, but that does not affect host ARP replies. Option C is incorrect because DAI does not require the DHCP server to be in the same VLAN. Option D is incorrect because DAI validates source MAC and IP, not destination.


How to master Infrastructure Security for 350-401

1. Baseline your knowledge

Start with 10 questions to gauge your current understanding of Infrastructure Security. This tells you whether you need a concept refresher or just practice.

2. Review every explanation

For each question — right or wrong — read the full explanation. Understanding why an answer is correct is more valuable than knowing the answer itself.

3. Focus on exam traps

Infrastructure Security questions on the 350-401 frequently use trap wording. Look for subtle differences in answers that test your precision, not just general knowledge.

4. Reach 80% consistently

Do repeated sessions until you score 80%+ three times in a row. Then move to mixed-mode practice to test cross-topic recall under realistic conditions.

Frequently asked questions

How many 350-401 Infrastructure Security questions are on the real exam?

The exact number varies per candidate. Infrastructure Security is tested as part of the ENCOR 350-401 blueprint. Practicing with targeted Infrastructure Security questions ensures you can handle any format or difficulty that appears.

Are these 350-401 Infrastructure Security practice questions free?

Yes. Courseiva provides free 350-401 practice questions across all exam topics and domains. The platform includes topic-based practice, mock exams, missed-question review, bookmarked questions, and readiness tracking — no account required.

Is Infrastructure Security one of the harder 350-401 topics?

Difficulty is subjective, but Infrastructure Security is a high-priority exam concept tested in multiple ways — direct recall, scenario analysis, and command-output interpretation. Consistent practice is the best way to build confidence.


Topic Info

Topic: Infrastructure Security
Exam: 350-401
Questions available: 20+