300-410 · topic practice

Device Access Control practice questions

Practise Cisco CCNP ENARSI 300-410 Device Access Control practice questions — original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed byJohnson Ajibi· MSc IT Security
20 questionsDomain: Device Access Control

What the exam tests

What to know about Device Access Control

Device Access Control questions test whether you can apply the concept in context, not just recognise a definition.

How the topic appears in realistic exam-style scenarios.

Which detail in the question changes the correct answer.

How to eliminate plausible but wrong options.

How to connect the question back to the wider exam objective.

Watch out for

Common Device Access Control exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

Device Access Control questions

20 questions · select your answer, then reveal the explanation

Question 1mediummultiple choice
Read the full VPN explanation →

A network engineer is troubleshooting a site-to-site VPN between two Cisco routers. The tunnel is up, but traffic is not passing. On R1, the engineer issues the command 'show crypto map' and sees that the crypto map is applied to the outbound interface. What is the most likely cause of the traffic failure?

Question 2mediummultiple choice
Study the full AAA explanation →

A network administrator is configuring AAA for device access on a Cisco router. After configuring the RADIUS server and AAA authentication login default group radius local, the engineer tests Telnet access and receives 'Access denied' even with correct credentials. The RADIUS server is reachable. What is the most likely cause?

Question 3hardmultiple choice
Review the full routing breakdown →

An engineer configures a Cisco router for SSH access. The router has an IP address on interface GigabitEthernet0/0, and the engineer generates RSA keys using the command 'crypto key generate rsa modulus 2048'. However, SSH connections fail with 'Connection refused'. What is the most likely cause?

A network engineer is troubleshooting a Cisco router that is not responding to SNMP polls from a management station. The router has 'snmp-server community public RO' configured. The management station can ping the router. What is the most likely cause?

Question 5hardmultiple choice
Study the full AAA explanation →

An engineer configures a Cisco router with 'aaa authentication login default local' and 'aaa authorization exec default local'. The engineer then attempts to log in via the console and is prompted for a username and password. The username 'admin' with password 'cisco' is configured locally. The login fails. What is the most likely cause?

Question 6mediummultiple choice
Study the full AAA explanation →

A network engineer is troubleshooting a Cisco router that is configured for RADIUS authentication. The engineer issues 'debug radius authentication' and sees that the RADIUS server is not responding. The router can ping the RADIUS server. What is the most likely cause?

Question 7hardmultiple choice
Review the full routing breakdown →

An engineer configures a Cisco router with 'ip http server' and 'ip http authentication local' for web-based management. The engineer creates a local username 'admin' with privilege level 15. However, when accessing the router via HTTP, the engineer is prompted for credentials but access is denied. What is the most likely cause?

Question 8mediummultiple choice
Study the full AAA explanation →

A network engineer is troubleshooting a Cisco router that is configured for TACACS+ authentication. The engineer issues 'test aaa group tacacs+ admin cisco123 new-code' and receives 'FAILED'. The router can ping the TACACS+ server. What is the most likely cause?

Question 9hardmultiple choice
Study the full AAA explanation →

An engineer configures a Cisco router with 'aaa authentication login default group radius local' and 'aaa authentication enable default group radius enable'. The engineer then attempts to enter enable mode and is prompted for a password. The RADIUS server is reachable, but the enable password is not accepted. What is the most likely cause?

Question 10mediummultiple choice
Study the full EIGRP explanation →

A network engineer runs the following command on Router R1:

R1# show ip eigrp neighbors

EIGRP-IPv4 Neighbors for AS(100) H Address Interface Hold Uptime SRTT RTO Q Seq (sec) (ms) Cnt Num 0 10.1.1.2 Gi0/0 13 00:12:34 1 200 0 45 1 10.2.2.2 Gi0/1 12 00:11:20 2 200 0 67 2 10.3.3.2 Gi0/2 10 00:10:15 1 200 0 89

Based on this output, which statement is correct?

Question 11mediummultiple choice
Review the full OSPF breakdown →

A network engineer runs the following command on Router R1:

R1# show ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
192.168.1.2     1     FULL/DR        00:00:35    10.1.1.2        GigabitEthernet0/0
192.168.2.2     1     2WAY/DROTHER   00:00:32    10.2.2.2        GigabitEthernet0/1
192.168.3.2     1     FULL/BDR       00:00:38    10.3.3.2        GigabitEthernet0/2

Based on this output, what is a potential issue?

Question 12mediummultiple choice
Open the full BGP breakdown →

A network engineer runs the following command on Router R1:

R1# show bgp ipv4 unicast summary

BGP router identifier 192.168.1.1, local AS number 65001 BGP table version is 10, main routing table version 10

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.1.1.2        4          65002    1200    1200       10    0    0 01:00:00        5
10.2.2.2        4          65003    0       0          0    0    0 never    Active

Based on this output, what is the problem with the neighbor 10.2.2.2?

Question 13mediummultiple choice
Review the full routing breakdown →

A network engineer runs the following command on Router R1:

R1# show route-map TEST

route-map TEST, permit, sequence 10 Match clauses:

ip address (access-lists): 100

Set clauses: metric 50 Policy routing matches: 0 packets, 0 bytes route-map TEST, deny, sequence 20 Match clauses:

ip address (access-lists): 101

Set clauses: Policy routing matches: 0 packets, 0 bytes

Based on this output, which statement is correct?

Question 14mediummultiple choice
Read the full MPLS explanation →

A network engineer runs the following command on Router R1:

R1# show mpls ldp neighbor

Peer LDP Ident: 192.168.2.2:0, Local LDP Ident: 192.168.1.1:0 TCP connection: 10.1.1.2.646 - 10.1.1.1.646 State: Oper; Msgs sent/rcvd: 100/100; Downstream Up time: 00:45:00 LDP discovery sources: GigabitEthernet0/0, Src IP addr: 10.1.1.2 Addresses bound to peer LDP Ident:

10.1.1.2     192.168.2.2

Based on this output, what is the state of the LDP session?

Question 15mediummultiple choice
Read the full VPN explanation →

A network engineer runs the following command on Router R1:

R1# show dmvpn
Interface: Tunnel0, IPv4 NHRP Details

Type:Hub, NHRP Peers:2,

# Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb

----- ----------------- --------------- ----- -------- ----- 1 10.0.0.2 10.1.1.2 UP 00:10:00 D 2 10.0.0.3 10.1.1.3 UP 00:05:00 D

Based on this output, what is the role of Router R1 in the DMVPN network?

Question 16mediummultiple choice
Study the full ACL explanation →

A network engineer runs the following command on Router R1:

R1# show policy-map control-plane

Control Plane

Service-policy input: CoPP class-map: MANAGEMENT (match-all) 100 packets, 10000 bytes 5 minute offered rate 0 bps police: cir 8000 bps, bc 1500 bytes conformed 100 packets, 10000 bytes; actions: transmit exceeded 0 packets, 0 bytes; actions: drop conformed 0 bps, exceed 0 bps

Based on this output, which statement is correct?

Question 17mediummultiple choice
Read the full VRF explanation →

A network engineer runs the following command on Router R1:

R1# show ip vrf CUSTOMER

Name Default RD Interfaces CUSTOMER 65001:100 Gi0/0.100 Gi0/1.100

Based on this output, which statement is correct?

Question 18mediummultiple choice
Review the full routing breakdown →

A network engineer runs the following command on Router R1:

R1# show ip sla statistics

IPSLAs Latest Operation Statistics

IPSLA operation id: 1 Type of operation: icmp-echo Latest RTT: 20 milliseconds Latest operation start time: 12:00:00 UTC Mon Mar 1 2021 Latest operation return code: OK Number of successes: 100 Number of failures: 0

Based on this output, which statement is correct?

Question 19mediummultiple choice
Review the full routing breakdown →

Examine the following partial configuration on a Cisco IOS-XE router:

interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip access-group MY_ACL in

!

access-list 100 permit tcp any host 192.168.1.1 eq 22
access-list 
100 deny ip any any

!

line vty 0 4

transport input ssh login local !

username admin privilege 15 secret cisco

What is the effect of this configuration?

Question 20mediummultiple choice
Review the full routing breakdown →

Consider the following partial configuration on a Cisco router:

ip access-list extended BLOCK_TELNET
 deny tcp any any eq 23
 permit ip any any

!

interface Serial0/0/0
 ip access-group BLOCK_TELNET out

!

line vty 0 4

transport input telnet password cisco login

What is the effect of this configuration?

Free account

Track your progress over time

Create a free account to save your results and see which topics improve across sessions.

Focused Device Access Control sessions

Start a Device Access Control only practice session

Every question in these sessions is drawn from the Device Access Control domain — nothing else.

Related practice questions

Related 300-410 topic practice pages

Move into related areas when this topic feels solid.

Frequently asked questions

What does the 300-410 exam test about Device Access Control?
Device Access Control questions test whether you can apply the concept in context, not just recognise a definition.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Device Access Control questions in a focused session?
Yes — the session launcher on this page draws every question from the Device Access Control domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other 300-410 topics?
Use the topic links above to move to related areas, or go back to the 300-410 question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the 300-410 exam covers. They are not copied from any real exam or dump site.