350-601 · topic practice

Security practice questions

Practise Cisco DCCOR / CCNP Data Center Core 350-601 Security practice questions — original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed byJohnson Ajibi· MSc IT Security
20 questionsDomain: Security

What the exam tests

What to know about Security

Security questions test whether you can apply the concept in context, not just recognise a definition.

How the topic appears in realistic exam-style scenarios.

Which detail in the question changes the correct answer.

How to eliminate plausible but wrong options.

How to connect the question back to the wider exam objective.

Watch out for

Common Security exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

Security questions

20 questions · select your answer, then reveal the explanation

Question 1mediummultiple choice
Read the full Security explanation →

An engineer is configuring a new data center leaf switch to enforce micro-segmentation using Cisco ACI. The requirement is to permit traffic from web servers to application servers on TCP port 8080, but deny all other traffic. The web servers are in EPG 'web_EPG' and application servers in EPG 'app_EPG'. Which contract configuration should be applied?

Question 2hardmultiple choice
Read the full Security explanation →

A customer is deploying Cisco ACI with a requirement to isolate tenant traffic in a multi-tenant environment. They want to ensure that a tenant admin can only manage their own tenant's objects. Which RBAC configuration should be implemented?

Question 3easymultiple choice
Read the full Security explanation →

An engineer needs to secure the management plane on a Cisco Nexus 9000 switch. Which feature should be configured to restrict access to the switch's management interface based on source IP?

Question 4mediummultiple choice
Open the full VLAN trunking answer →

An organization is deploying Cisco ACI in a brownfield data center. They have existing VLANs that need to be mapped to ACI EPGs. The network team notices that some VLANs are used across multiple tenants. How should the engineer design the VLAN pool to support overlapping VLANs?

Question 5hardmultiple choice
Read the full DHCP explanation →

A network administrator suspects that a rogue DHCP server is active on the data center network. The switches are Cisco Nexus 9000 series running NX-OS. Which configuration should be applied to prevent DHCP spoofing?

Question 6easymultiple choice
Read the full Security explanation →

A data center switch is configured with 802.1X port-based authentication for edge ports. Users report authentication failures. The engineer wants to verify the authentication status of a specific interface. Which command should be used?

Question 7mediummultiple choice
Read the full DNS explanation →

An engineer is configuring Cisco ACI to secure inter-tenant traffic. Tenants 'TenantA' and 'TenantB' need to communicate via a shared service, such as a DNS server in TenantA. How should the contract be configured?

Question 8hardmultiple choice
Read the full Security explanation →

A data center architect is designing security for a Cisco ACI fabric that must comply with PCI DSS. The requirement is to encrypt all traffic between EPGs within the same tenant. Which solution should be used?

Question 9mediummulti select
Read the full Security explanation →

Which TWO of these are best practices for securing the Cisco ACI fabric?

Question 10hardmulti select
Read the full Security explanation →

Which THREE of the following are valid methods to secure the control plane on a Cisco Nexus 9000 switch?

Question 11easymulti select
Read the full Security explanation →

Which TWO of the following are required components for a Cisco ACI contract to allow communication between EPGs?

Question 12hardmultiple choice
Study the full AAA explanation →

A large financial institution has a Cisco ACI fabric with multiple tenants. The security team requires that all management access to the APIC controllers be authenticated via multi-factor authentication (MFA) using a RADIUS server. The RADIUS server is configured to send a One-Time Password (OTP) challenge during authentication. The current configuration uses local authentication. The engineer needs to implement RADIUS authentication with MFA for APIC GUI and CLI access. The RADIUS server is reachable at 10.10.10.10, shared secret 'SecureSecret123'. The APIC is running software version 4.2(3). The engineer must ensure that local authentication is used as fallback if the RADIUS server is unreachable. Which of the following actions should the engineer take?

Question 13mediummultiple choice
Open the full VLAN trunking answer →

A data center engineer is troubleshooting connectivity issues between two EPGs in the same tenant on a Cisco ACI fabric. The first EPG 'web_epg' is in VLAN 100 and the second EPG 'db_epg' is in VLAN 200. The contract 'web_to_db' allows TCP port 3306 from web_epg to db_epg. The EPGs are in the same VRF. The engineer has verified that the physical connectivity is correct and the endpoints are learning their IP addresses. However, traffic from web_epg to db_epg is not reaching the destination. The engineer checks the contract and sees that the subject 'mysql_access' has filter 'mysql' with direction 'both'. The provider is db_epg and consumer is web_epg. The engineer also notices that the default action in the contract is 'deny'. What is the most likely cause of the issue?

Question 14mediummultiple choice
Study the full AAA explanation →

An engineer is configuring AAA on a Cisco Nexus switch to authenticate management access via TACACS+. The switch is reachable, but login attempts repeatedly fail. Which action should the engineer take to isolate the issue?

Question 15easymultiple choice
Read the full Security explanation →

A data center architect is designing access control for a Cisco ACI fabric. The requirement is to allow HTTP traffic from the web tier (EPG web) to the app tier (EPG app), but deny SSH from the management EPG to the web EPG. Which construct should be used?

Question 16hardmultiple choice
Study the full ACL explanation →

A network engineer is troubleshooting CoPP drops on a Cisco Nexus 9000 switch. The 'show control-plane' output indicates that packets are being dropped due to 'CoPP' on the 'default' control-plane class. Which action is most likely to resolve the issue without affecting routing protocol stability?

Question 17mediummultiple choice
Open the full VLAN trunking answer →

An organization is deploying Cisco ISE for 802.1X authentication on Cisco Nexus switches. Some endpoints fail authentication and fall back to the MAB. The security policy requires that endpoints failing both 802.1X and MAB be placed in a restricted VLAN. Which configuration is needed on the switch port?

Question 18hardmulti select
Read the full Security explanation →

Which TWO statements about Cisco TrustSec in a data center are true?

Question 19hardmultiple choice
Read the full Security explanation →

Refer to the exhibit. A server connected to Ethernet1/1 is experiencing intermittent connectivity. The server sends BPDUs, causing the switch to place the port into a blocking state. Which configuration change should be made to prevent this while maintaining rapid convergence?

Exhibit

interface Ethernet1/1
  description Server-01
  switchport mode trunk
  switchport trunk allowed vlan 10,20,30
  spanning-tree port type edge trunk
  no shutdown
Question 20mediummultiple choice
Read the full VRF explanation →

A company runs a multi-tenant data center using Cisco ACI with multiple tenants. Each tenant has its own VRF and EPGs. The security policy requires that tenant A's web servers (EPG web_tenantA) be accessible from tenant B's application servers (EPG app_tenantB) only via HTTPS (TCP 443). The ACI fabric is configured with contracts. The administrator has created a contract with a filter for HTTPS (tcp dstPort 443) and applied it as a provider contract on EPG web_tenantA and as a consumer contract on EPG app_tenantB. However, traffic from tenant B's app servers to tenant A's web servers is being dropped. The administrator has verified that the contracts are applied correctly and the filter is correct. What is the most likely cause of the traffic drop?

Free account

Track your progress over time

Create a free account to save your results and see which topics improve across sessions.

Focused Security sessions

Start a Security only practice session

Every question in these sessions is drawn from the Security domain — nothing else.

Related practice questions

Related 350-601 topic practice pages

Move into related areas when this topic feels solid.

Frequently asked questions

What does the 350-601 exam test about Security?
Security questions test whether you can apply the concept in context, not just recognise a definition.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Security questions in a focused session?
Yes — the session launcher on this page draws every question from the Security domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other 350-601 topics?
Use the topic links above to move to related areas, or go back to the 350-601 question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the 350-601 exam covers. They are not copied from any real exam or dump site.