350-401 · topic practice

Infrastructure Security practice questions

Practise ENCOR 350-401 Infrastructure Security practice questions — original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: Infrastructure Security

What the exam tests

What to know about Infrastructure Security

Infrastructure Security questions test whether you can apply the concept in context, not just recognise a definition.

How the topic appears in realistic exam-style scenarios.

Which detail in the question changes the correct answer.

How to eliminate plausible but wrong options.

How to connect the question back to the wider exam objective.

Watch out for

Common Infrastructure Security exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

Infrastructure Security questions

20 questions · select your answer, then reveal the explanation

A network engineer is configuring port security on a Cisco switch. The requirement is to allow only the first MAC address that appears on the port to be learned and to automatically disable the port if a violation occurs. The engineer configures 'switchport port-security mac-address sticky' but does not specify a maximum number of secure MAC addresses. After connecting a single host, the port works. However, when the host is replaced with a different device, the port is error-disabled. What is the most likely reason?

An enterprise network uses 802.1X for wired access. The authentication server is a Cisco ISE. Recently, some Windows 10 clients fail to authenticate, while others succeed. The engineer checks the switch configuration and finds 'authentication port-control auto' and 'dot1x pae authenticator' are configured. The failing clients show 'EAP failure' in the logs. The engineer suspects a mismatch in EAP method. Which EAP method is most likely causing the issue if the ISE is configured to require EAP-TLS but the Windows clients are configured for PEAP-MSCHAPv2?

Question 3 · medium · multiple choice

A network engineer is configuring CoPP on a Cisco router to protect the control plane from excessive traffic. The router experiences high CPU utilization due to SSH and SNMP traffic. The engineer creates a class-map to match SSH (TCP/22) and SNMP (UDP/161) and applies a policy-map that polices this traffic to 1 Mbps. After applying the policy, legitimate SSH sessions from the management station start dropping intermittently. What is the most likely cause?

Question 4 · hard · multiple choice

A network engineer is implementing DHCP snooping on a Cisco switch to prevent rogue DHCP servers. The switch has multiple VLANs, and the DHCP server is connected to interface GigabitEthernet0/1 in VLAN 10. The engineer enables DHCP snooping globally and for VLAN 10, then configures 'ip dhcp snooping trust' on GigabitEthernet0/1. However, clients in VLAN 10 are not receiving IP addresses. The engineer checks the DHCP snooping binding table and sees no entries. What is the most likely cause?

Question 5 · medium · multiple choice

A network engineer is configuring dynamic ARP inspection (DAI) on a Cisco switch to prevent ARP spoofing. The switch has DHCP snooping enabled and the DHCP server is trusted. The engineer enables DAI on VLAN 10 and configures 'ip arp inspection trust' on the port connected to the DHCP server. After enabling DAI, some legitimate ARP replies from hosts are being dropped. The engineer checks the DAI statistics and sees 'ARP ACL drops' incrementing. What is the most likely reason?

Question 6 · hard · multiple choice

A network engineer is configuring IPv6 First Hop Security on a Cisco switch to mitigate rogue RA attacks. The engineer enables RA guard on the switch and applies a policy that allows only the default gateway to send RAs. After configuration, hosts are unable to obtain IPv6 addresses via SLAAC. The engineer checks the switch and sees that RA guard is dropping all RAs. What is the most likely cause?

Question 7 · medium · multiple choice

A network engineer is configuring a zone-based firewall (ZBF) on a Cisco router to allow traffic from the inside zone to the outside zone while blocking traffic from outside to inside. The engineer creates zones, assigns interfaces, and configures a policy-map with a class-map that matches all traffic from inside to outside. The engineer applies the policy to the zone-pair inside-to-outside. However, traffic from inside to outside is being dropped. What is the most likely reason?

A network engineer is implementing MACsec on a Cisco switch-to-switch link to provide encryption. Both switches support MACsec and are configured with the same pre-shared key (PSK). The engineer configures 'mka' and 'macsec' on the interfaces. After configuration, the link does not come up, and the engineer sees 'MKA not operational' in the show macsec status. What is the most likely cause?

Question 9 · easy · multiple choice

A network engineer is configuring uRPF (unicast Reverse Path Forwarding) on a Cisco router to prevent spoofed IP traffic. The engineer enables uRPF in strict mode on the ingress interface connected to the internal network. After enabling uRPF, legitimate traffic from internal hosts is being dropped. The engineer checks the routing table and sees that the routes for the internal subnets are present. What is the most likely cause?

Question 10 · medium · multiple choice

A network engineer runs the following command on Router R1:

```
R1# show ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
10.0.0.2          1   FULL/DR         00:00:38    192.168.1.2     GigabitEthernet0/0
10.0.0.3          1   2WAY/DROTHER    00:00:32    192.168.1.3     GigabitEthernet0/0
10.0.0.4          1   FULL/BDR        00:00:35    192.168.1.4     GigabitEthernet0/0
```

Based on this output, what can be concluded?

Question 11 · medium · multiple choice

A network engineer runs the following command on Switch SW1:

```
SW1# show spanning-tree vlan 10

VLAN0010
  Spanning tree enabled protocol ieee
  Root ID    Priority    32778
             Address     0011.2233.4455
             Cost        19
             Port        1 (GigabitEthernet0/1)
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32778  (priority 32768 sys-id-ext 10)
             Address     0011.2233.4466
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/1               Root FWD 19        128.1    P2p
Gi0/2               Altn BLK 19        128.2    P2p
Gi0/3               Desg FWD 19        128.3    P2p
```

Based on this output, what can be concluded?

Question 12 · easy · multiple choice

A network engineer runs the following command on Router R1:

```
R1# show ip access-lists 101
Extended IP access list 101
    10 permit tcp 192.168.1.0 0.0.0.255 any eq 80 (100 matches)
    20 deny tcp any any eq 23 (50 matches)
    30 permit ip any any (200 matches)
```

Based on this output, what can be concluded?

Question 13 · medium · multiple choice

A network engineer runs the following command on Router R1:

```
R1# show ip nat translations
Pro Inside global         Inside local          Outside local         Outside global
--- 203.0.113.10          192.168.1.10          ---                   ---
--- 203.0.113.11          192.168.1.11          ---                   ---
tcp 203.0.113.10:1024     192.168.1.10:1024     198.51.100.5:80       198.51.100.5:80
```

Based on this output, what can be concluded?

Question 14 · hard · multiple choice

A network engineer runs the following command on Router R1:

```
R1# show policy-map interface GigabitEthernet0/0

 GigabitEthernet0/0

  Service-policy input: QOS_POLICY

    Class-map: VOICE (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: ip dscp ef (46)
      Queueing
      queue limit 64 packets
      (queue depth/total drops/no-buffer drops) 0/0/0
      (pkts output/bytes output) 0/0
      police cir 1000000 bc 31250 be 31250
        conformed 0 bytes; actions: transmit
        exceeded 0 bytes; actions: drop
        violated 0 bytes; actions: drop

    Class-map: class-default (match-any)
      100 packets, 12000 bytes
      5 minute offered rate 8000 bps, drop rate 0 bps
      Match: any
      Queueing
      queue limit 64 packets
      (queue depth/total drops/no-buffer drops) 0/0/0
      (pkts output/bytes output) 100/12000
```

Based on this output, what can be concluded?

Question 15 · medium · multiple choice

A network engineer runs the following command on Router R1:

```
R1# show aaa sessions
Total sessions since last reset: 10

Session Id: 5  Unique Id: 5  User Name: admin
  IP Address: 192.168.1.100
  Idle Time: 0:00:05  Timeout: 0:10:00  Type: SSH  Method: local

Session Id: 6  Unique Id: 6  User Name: neteng
  IP Address: 10.0.0.2
  Idle Time: 0:02:30  Timeout: 0:10:00  Type: SSH  Method: tacacs+
```

Based on this output, what can be concluded?

Question 16 · easy · multiple choice

A network engineer runs the following command on Router R1:

```
R1# show vrf brief
  Name          Default RD    Protocols   Interfaces
  CUSTOMER_A    65000:100     ipv4        Gi0/0.100
  CUSTOMER_B    65000:200     ipv4        Gi0/0.200
  MANAGEMENT    65000:999     ipv4        Gi0/1
```

Based on this output, what can be concluded?

Question 17 · hard · multiple choice

A network engineer runs the following command on Router R1:

```
R1# show ip bgp summary
BGP router identifier 10.0.0.1, local AS number 65001
BGP table version is 10, main routing table version 10

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
192.168.1.2     4        65002    1024    1020       10    0    0 02:30:15       5
192.168.1.3     4        65003     500     498       10    0    0 00:15:20       3
10.0.0.2        4        65004       0       0        0    0    0 never    Active
```

Based on this output, what can be concluded?

Question 18 · medium · multiple choice

A network engineer runs the following command on Router R1:

```
R1# show mpls ldp neighbor
    Peer LDP Ident: 10.0.0.2:0; Local LDP Ident 10.0.0.1:0
        TCP connection: 10.0.0.2.646 - 10.0.0.1.49231
        State: Oper; Msgs sent/rcvd: 100/95; Downstream
        Up time: 01:23:45
        LDP discovery sources:
          GigabitEthernet0/0, Src IP addr: 192.168.1.2
        Addresses bound to peer LDP Ident:
          10.0.0.2        192.168.1.2
```

Based on this output, what can be concluded?

Examine the following interface configuration on a Cisco IOS-XE switch:

```
interface GigabitEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address sticky
```

What is the effect of this configuration?

Question 20 · medium · multiple choice

Consider the following configuration on a Cisco IOS-XE router:

```
ip access-list extended BLOCK_SSH
 deny tcp any any eq 22
 permit ip any any
!
line vty 0 4
 access-class BLOCK_SSH in
```

Which statement is true about this configuration?

Frequently asked questions

What does the 350-401 exam test about Infrastructure Security?
Infrastructure Security questions test whether you can apply the concept in context, not just recognise a definition.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Infrastructure Security questions in a focused session?
Yes — the session launcher on this page draws every question from the Infrastructure Security domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other 350-401 topics?
Use the topic links above to move to related areas, or go back to the 350-401 question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the 350-401 exam covers. They are not copied from any real exam or dump site.