350-601 · domain
Security
Practise Cisco DCCOR / CCNP Data Center Core 350-601 Security practice questions — original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.
Focused practice
Practice Security questions
Scored sessions drawing only from this domain — pick a length below.
Start 20-question practice test →What this domain covers
What to know about Security
Security questions test whether you can apply the concept in context, not just recognise a definition.
How the topic appears in realistic exam-style scenarios.
Which detail in the question changes the correct answer.
How to eliminate plausible but wrong options.
How to connect the question back to the wider exam objective.
Watch out for
Common Security exam traps
- ▸Answering from memory before reading the full scenario.
- ▸Missing a constraint such as cost, availability, security, scope or command context.
- ▸Choosing a broad answer when the question asks for the most specific fix.
- ▸Ignoring why the wrong options are tempting.
Question index
All Security questions (50)
Click any question to see the full explanation, or start a practice session above.
A Nexus switch is configured with port security. Which violation action will cause the switch to shut down the interface when a security violation occurs?
Medium2Which Nexus security feature validates ARP packets to prevent ARP spoofing attacks?
Easy3A network engineer is hardening a Nexus switch. Which two security best practices should be applied? (Choose two.)
Medium4A Nexus switch is being hardened. An engineer wants to protect the control plane from CPU-targeted attacks, such as heavy ICMP traffic. Which feature should be configured?
Hard5In UCS Manager, which feature provides role-based access control for managing the fabric interconnects?
Hard6In ACI, a tenant requires that all traffic between two EPGs is denied except for specific HTTP traffic. Which policy elements must be configured?
Hard7An organization requires disk encryption for data at rest in their UCS environment. Which technology should be used?
Medium8A Nexus switch is configured with DHCP snooping. Which switchport mode is required for trusted ports to prevent rogue DHCP server attacks?
Medium9Which technology provides at-rest encryption for disk drives in UCS servers?
Medium10An engineer applies an IPv4 ACL to a Nexus switch interface. The ACL must permit traffic from host 10.1.1.1 to host 10.2.2.2 on TCP port 443 and deny all other traffic. Which configuration is correct?
Medium11Which feature on Nexus switches prevents ARP spoofing attacks by validating ARP packets?
Easy12An organization wants to encrypt data at rest in a storage array. Which two technologies can be used? (Choose two.)
Hard13A network engineer is configuring micro-segmentation in an ACI fabric. Two EPGs, Web and App, must communicate via HTTPS only. Which type of contract should be applied between the EPGs?
Medium14An administrator needs to limit the number of MAC addresses learned on a Nexus access port to prevent MAC flooding attacks. Which feature should be configured?
Medium15A Nexus switch is experiencing high CPU utilization due to control plane traffic. Which feature should be configured to protect the CPU?
Medium16Which authentication protocol is recommended by Cisco for network device administration due to its separation of authentication, authorization, and accounting?
Easy17An engineer is deploying Cisco TrustSec in a data center. Which technology uses Security Group Tags (SGTs) to enforce east-west traffic policies without relying on IP addresses?
Medium18An engineer is configuring 802.1X for network access control. Which AAA protocol should be used for communication between the authenticator (switch) and the authentication server?
Medium19Which encryption technology is used to secure Fibre Channel traffic in flight between storage and switches?
Medium20Which Nexus feature dynamically validates ARP packets to prevent man-in-the-middle attacks?
Medium21A network engineer is hardening a Nexus 9000 switch. Which action is most effective in reducing the attack surface?
Medium22An organization uses Cisco TrustSec to tag traffic. An endpoint is assigned SGT 5 (Developers) and another SGT 10 (Testers). The SGACL on the leaf switch permits traffic from SGT 5 to SGT 10 for HTTP but denies other. Which action is taken by the leaf switch?
Hard23Which feature prevents IP spoofing by ensuring that a client uses only the IP address assigned by DHCP?
Easy24Which TWO features are commonly used together to prevent IP spoofing on a Nexus switch? (Choose two.)
Medium25An engineer needs to protect the control plane of a Nexus 9000 switch from CPU-targeted attacks. Which feature should be configured?
Medium26A data center uses self-encrypting drives (SEDs) in UCS servers. Which type of protection does SED provide?
Hard27Which security feature on a Nexus switch prevents a rogue DHCP server from assigning invalid IP addresses to clients?
Easy28Which AAA protocol is recommended by Cisco for network device administration, as it separates authentication, authorization, and accounting?
Easy29An engineer is configuring micro-segmentation in an ACI fabric. Which object defines the whitelist model for communication between EPGs?
Easy30A data center architect needs to enforce role-based access control for UCS Manager. What is the correct approach?
Hard31Which three features are used on Nexus switches to mitigate Layer 2 attacks? (Choose three.)
Easy32Which feature on a Nexus switch uses DHCP snooping binding information to filter IP traffic on a per-port basis?
Medium33In Cisco TrustSec, which technology is used to enforce east-west traffic policies based on identity without relying on IP addresses?
Hard34A UCS administrator needs to ensure that only the fabric interconnect management plane is accessible from the management network. Which feature should be implemented?
Hard35An organization wants to encrypt Fibre Channel traffic in-flight between storage and servers. Which standard should be used?
Hard36In a UCS environment, which method provides management plane isolation for the fabric interconnects?
Hard37An administrator wants to prevent a rogue DHCP server from assigning IP addresses on a Nexus switch. Which feature should be enabled?
Medium38A Nexus administrator wants to apply an IPv4 ACL to filter traffic on a specific VLAN. Which command is correct?
Medium39Which Nexus security feature validates the source IP address of packets on a per-port basis and drops packets with invalid source IPs?
Medium40A network administrator must enforce security policies for east-west traffic in a Cisco TrustSec-enabled data center without using IP-based ACLs. Which technology should be used?
Hard41An engineer wants to enforce security policies in a data center based on user identity rather than IP addresses. Which Cisco technology enables identity-based tagging and policy enforcement?
Medium42An engineer is deploying data encryption in a SAN environment. Which two methods provide at-rest encryption? (Choose two.)
Hard43A security engineer is deploying IP Source Guard on a Nexus switch. Which two components must be operational for IP Source Guard to function correctly?
Medium44In Cisco TrustSec, what is used to tag traffic based on identity or group membership?
Easy45In a UCS environment, an administrator needs to restrict access to the UCS Manager so that only specific users can configure server policies. Which feature should be used?
Medium46An engineer needs to deny all traffic between two EPGs in ACI while allowing other EPG communications. Which construct should be used?
Medium47An engineer is hardening a Nexus switch. Which THREE actions should be taken? (Choose three.)
Hard48In an ACI fabric, a security policy requires that traffic from EPG1 to EPG2 be denied, but all other inter-EPG traffic is permitted by default. Which type of contract should be used?
Hard49In ACI, which model is used for micro-segmentation to allow traffic between EPGs?
Easy50Which protocol is recommended by Cisco for network device administration AAA due to its separation of authentication, authorization, and accounting?
EasyOther domains
All 350-601 exam domains
Frequently asked questions
- What does the Security domain cover on the 350-601 exam?
- Security questions test whether you can apply the concept in context, not just recognise a definition.
- How many questions are in this domain?
- This page lists all 50 Security questions in the 350-601 question bank. The actual exam draws from this domain proportionally to its weighting in the official exam blueprint.
- What is the best way to practise this domain?
- Start with a short focused session (10 questions) to identify gaps, then work through explanations. Repeat with a longer session once the weak areas feel solid.
- Can I practise only Security questions?
- Yes — the session launcher on this page filters questions to this domain only. Choose any session length for inline explanations and scoring.