350-601 · domain

Security

Practise Cisco DCCOR / CCNP Data Center Core 350-601 Security practice questions — original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

50 questions11 easy24 medium15 hard

Focused practice

Practice Security questions

Scored sessions drawing only from this domain — pick a length below.

Start 20-question practice test →

What this domain covers

What to know about Security

Security questions test whether you can apply the concept in context, not just recognise a definition.

How the topic appears in realistic exam-style scenarios.

Which detail in the question changes the correct answer.

How to eliminate plausible but wrong options.

How to connect the question back to the wider exam objective.

Watch out for

Common Security exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Question index

All Security questions (50)

Click any question to see the full explanation, or start a practice session above.

1

A Nexus switch is configured with port security. Which violation action will cause the switch to shut down the interface when a security violation occurs?

Medium
2

Which Nexus security feature validates ARP packets to prevent ARP spoofing attacks?

Easy
3

A network engineer is hardening a Nexus switch. Which two security best practices should be applied? (Choose two.)

Medium
4

A Nexus switch is being hardened. An engineer wants to protect the control plane from CPU-targeted attacks, such as heavy ICMP traffic. Which feature should be configured?

Hard
5

In UCS Manager, which feature provides role-based access control for managing the fabric interconnects?

Hard
6

In ACI, a tenant requires that all traffic between two EPGs is denied except for specific HTTP traffic. Which policy elements must be configured?

Hard
7

An organization requires disk encryption for data at rest in their UCS environment. Which technology should be used?

Medium
8

A Nexus switch is configured with DHCP snooping. Which switchport mode is required for trusted ports to prevent rogue DHCP server attacks?

Medium
9

Which technology provides at-rest encryption for disk drives in UCS servers?

Medium
10

An engineer applies an IPv4 ACL to a Nexus switch interface. The ACL must permit traffic from host 10.1.1.1 to host 10.2.2.2 on TCP port 443 and deny all other traffic. Which configuration is correct?

Medium
11

Which feature on Nexus switches prevents ARP spoofing attacks by validating ARP packets?

Easy
12

An organization wants to encrypt data at rest in a storage array. Which two technologies can be used? (Choose two.)

Hard
13

A network engineer is configuring micro-segmentation in an ACI fabric. Two EPGs, Web and App, must communicate via HTTPS only. Which type of contract should be applied between the EPGs?

Medium
14

An administrator needs to limit the number of MAC addresses learned on a Nexus access port to prevent MAC flooding attacks. Which feature should be configured?

Medium
15

A Nexus switch is experiencing high CPU utilization due to control plane traffic. Which feature should be configured to protect the CPU?

Medium
16

Which authentication protocol is recommended by Cisco for network device administration due to its separation of authentication, authorization, and accounting?

Easy
17

An engineer is deploying Cisco TrustSec in a data center. Which technology uses Security Group Tags (SGTs) to enforce east-west traffic policies without relying on IP addresses?

Medium
18

An engineer is configuring 802.1X for network access control. Which AAA protocol should be used for communication between the authenticator (switch) and the authentication server?

Medium
19

Which encryption technology is used to secure Fibre Channel traffic in flight between storage and switches?

Medium
20

Which Nexus feature dynamically validates ARP packets to prevent man-in-the-middle attacks?

Medium
21

A network engineer is hardening a Nexus 9000 switch. Which action is most effective in reducing the attack surface?

Medium
22

An organization uses Cisco TrustSec to tag traffic. An endpoint is assigned SGT 5 (Developers) and another SGT 10 (Testers). The SGACL on the leaf switch permits traffic from SGT 5 to SGT 10 for HTTP but denies other. Which action is taken by the leaf switch?

Hard
23

Which feature prevents IP spoofing by ensuring that a client uses only the IP address assigned by DHCP?

Easy
24

Which TWO features are commonly used together to prevent IP spoofing on a Nexus switch? (Choose two.)

Medium
25

An engineer needs to protect the control plane of a Nexus 9000 switch from CPU-targeted attacks. Which feature should be configured?

Medium
26

A data center uses self-encrypting drives (SEDs) in UCS servers. Which type of protection does SED provide?

Hard
27

Which security feature on a Nexus switch prevents a rogue DHCP server from assigning invalid IP addresses to clients?

Easy
28

Which AAA protocol is recommended by Cisco for network device administration, as it separates authentication, authorization, and accounting?

Easy
29

An engineer is configuring micro-segmentation in an ACI fabric. Which object defines the whitelist model for communication between EPGs?

Easy
30

A data center architect needs to enforce role-based access control for UCS Manager. What is the correct approach?

Hard
31

Which three features are used on Nexus switches to mitigate Layer 2 attacks? (Choose three.)

Easy
32

Which feature on a Nexus switch uses DHCP snooping binding information to filter IP traffic on a per-port basis?

Medium
33

In Cisco TrustSec, which technology is used to enforce east-west traffic policies based on identity without relying on IP addresses?

Hard
34

A UCS administrator needs to ensure that only the fabric interconnect management plane is accessible from the management network. Which feature should be implemented?

Hard
35

An organization wants to encrypt Fibre Channel traffic in-flight between storage and servers. Which standard should be used?

Hard
36

In a UCS environment, which method provides management plane isolation for the fabric interconnects?

Hard
37

An administrator wants to prevent a rogue DHCP server from assigning IP addresses on a Nexus switch. Which feature should be enabled?

Medium
38

A Nexus administrator wants to apply an IPv4 ACL to filter traffic on a specific VLAN. Which command is correct?

Medium
39

Which Nexus security feature validates the source IP address of packets on a per-port basis and drops packets with invalid source IPs?

Medium
40

A network administrator must enforce security policies for east-west traffic in a Cisco TrustSec-enabled data center without using IP-based ACLs. Which technology should be used?

Hard
41

An engineer wants to enforce security policies in a data center based on user identity rather than IP addresses. Which Cisco technology enables identity-based tagging and policy enforcement?

Medium
42

An engineer is deploying data encryption in a SAN environment. Which two methods provide at-rest encryption? (Choose two.)

Hard
43

A security engineer is deploying IP Source Guard on a Nexus switch. Which two components must be operational for IP Source Guard to function correctly?

Medium
44

In Cisco TrustSec, what is used to tag traffic based on identity or group membership?

Easy
45

In a UCS environment, an administrator needs to restrict access to the UCS Manager so that only specific users can configure server policies. Which feature should be used?

Medium
46

An engineer needs to deny all traffic between two EPGs in ACI while allowing other EPG communications. Which construct should be used?

Medium
47

An engineer is hardening a Nexus switch. Which THREE actions should be taken? (Choose three.)

Hard
48

In an ACI fabric, a security policy requires that traffic from EPG1 to EPG2 be denied, but all other inter-EPG traffic is permitted by default. Which type of contract should be used?

Hard
49

In ACI, which model is used for micro-segmentation to allow traffic between EPGs?

Easy
50

Which protocol is recommended by Cisco for network device administration AAA due to its separation of authentication, authorization, and accounting?

Easy

Frequently asked questions

What does the Security domain cover on the 350-601 exam?
Security questions test whether you can apply the concept in context, not just recognise a definition.
How many questions are in this domain?
This page lists all 50 Security questions in the 350-601 question bank. The actual exam draws from this domain proportionally to its weighting in the official exam blueprint.
What is the best way to practise this domain?
Start with a short focused session (10 questions) to identify gaps, then work through explanations. Repeat with a longer session once the weak areas feel solid.
Can I practise only Security questions?
Yes — the session launcher on this page filters questions to this domain only. Choose any session length for inline explanations and scoring.
Cisco DCCOR / CCNP Data Center Core 350-601 Security Practice Questions