350-401 · topic practice

Security practice questions

Use this page to practise Security questions for this certification. Focus on how the exam tests security in scenario format — understanding the why behind each answer builds more durable knowledge than memorising options.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed byJohnson Ajibi· MSc IT Security
15 questionsDomain: Security

What the exam tests

What to know about Security

Security questions on this certification test your ability to deploy and manage security concepts in scenario-based situations.

Core Security concepts and how they apply in real-world cloud scenarios.

How to deploy security correctly and verify the outcome.

Troubleshooting security issues by interpreting error output and system state.

Cloud best practices and Security design trade-offs tested by this certification.

Watch out for

Common Security exam traps

  • Selecting the most expensive service when a simpler managed option meets the requirement.
  • Forgetting that cloud resources must be explicitly secured — defaults are rarely secure.
  • Choosing a global service fix when the issue is region-specific.
  • Overlooking cost implications of cross-region data transfer in architecture questions.

Practice set

Security questions

15 questions · select your answer, then reveal the explanation

Question 1mediummultiple choice
Read the full Security explanation →

A network engineer is configuring port security on a Cisco switch to prevent unauthorized devices from connecting. The requirement is to allow only the first two MAC addresses learned on an interface, and to disable the interface if a violation occurs. Which configuration achieves this?

Question 2easymultiple choice
Study the full AAA explanation →

An organization wants to implement 802.1X authentication on its wired network using Cisco ISE as the authentication server. The switches are configured with the necessary RADIUS settings. Which additional configuration is required on the switch interfaces to enable 802.1X?

Question 3hardmultiple choice
Study the full ACL explanation →

A security engineer is configuring CoPP (Control Plane Policing) on a Cisco router to protect the control plane from DoS attacks. The policy must rate-limit SSH traffic to 1 Mbps with a burst of 2000 bytes, and drop all other traffic destined to the control plane that exceeds a default rate. Which class-map and policy-map configuration is correct?

Question 4mediummultiple choice
Open the full VLAN trunking answer →

A company has deployed a Cisco ASA firewall in transparent mode. The internal network uses VLAN 10 and the external network uses VLAN 20. The ASA is configured with two bridge groups: BVI 10 for inside and BVI 20 for outside. The security policy must allow HTTPS traffic from inside to outside. Which access-list entry is correct?

Question 5hardmultiple choice
Open the full VLAN trunking answer →

A network administrator is troubleshooting a DHCP snooping issue on a Cisco switch. The switch is configured with DHCP snooping globally and on VLAN 10. The trusted interface is GigabitEthernet0/1 connected to the DHCP server. However, clients on VLAN 10 are not receiving IP addresses from the DHCP server. What is the most likely cause?

Question 6mediummulti select
Open the full VLAN trunking answer →

Which TWO of the following are valid methods to mitigate VLAN hopping attacks?

Question 7hardmulti select
Read the full Security explanation →

Which THREE of the following are characteristics of Cisco TrustSec (CTS) security architecture?

Question 8easymultiple choice
Read the full DHCP explanation →

Refer to the exhibit. A network administrator notices that some DHCP packets are being dropped due to 'MAC Address Mismatch'. What is the most likely cause of this drop?

Exhibit

Refer to the exhibit.

Switch# show ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:1A:2B:3C:4D:5E  192.168.1.10     86400       dhcp-snooping   10    GigabitEthernet0/1
00:1A:2B:3C:4D:5F  192.168.1.11     86400       dhcp-snooping   10    GigabitEthernet0/2

Switch# show ip dhcp snooping statistics
Packets Processed by DHCP Snooping   = 100
Packets Dropped Because               = 5
  MAC Address Mismatch                 = 3
  Invalid Server Replies               = 2
Question 9hardmultiple choice
Read the full Security explanation →

Refer to the exhibit. A switch has IP Source Guard (IPSG) and port-security enabled on interface GigabitEthernet0/1. A host with IP 10.1.1.1 and MAC 00:1A:2B:3C:4D:5E is connected and tries to access a web server at 192.168.1.100. What will happen?

Exhibit

Refer to the exhibit.

interface GigabitEthernet0/1
 ip access-group ACL-IN in
 ip verify source port-security
!
ip access-list extended ACL-IN
 permit tcp 10.0.0.0 0.255.255.255 any eq 80
 permit tcp 10.0.0.0 0.255.255.255 any eq 443
 deny ip any any
Question 10mediummultiple choice
Study the full AAA explanation →

A medium-sized enterprise is migrating to a Cisco DNA Center-managed network. The security policy requires that all administrative access to network devices be authenticated via TACACS+ and that authorization for commands be enforced per user role. The network team has configured ISE as the AAA server and integrated it with DNA Center. After configuration, engineers report that they can log in to devices via SSH but are not prompted for a password when entering 'enable' mode; instead, they are granted full privileges immediately. Additionally, while in configuration mode, some engineers can issue 'debug' commands that they should not have access to. The configuration on the devices includes 'aaa new-model', 'aaa authentication login default group tacacs+ local', 'aaa authorization exec default group tacacs+ local', and 'aaa authorization commands 15 default group tacacs+ local'. What is the most likely cause of the privilege escalation and missing authorization?

Question 11easymulti select
Read the full Security explanation →

Which TWO features are part of Cisco TrustSec for providing role-based access control?

Question 12mediummultiple choice
Open the full BGP breakdown →

A network engineer applies the above CoPP policy on a router. The router has BGP peers, SSH management, and SNMP monitoring. After applying this policy, which traffic will be affected?

Network Topology
Access-list for CoPP!Class-mapPolicy-mapApply to control-planeRefer to the exhibit.ip access-list extended COPP_ACLclass-map match-all COPP_CLASSmatch access-group name COPP_ACLpolicy-map COPP_POLICYclass COPP_CLASSpolice cir 8000 bc 1500conform-action transmitexceed-action dropcontrol-planeservice-policy input COPP_POLICY
Question 13hardmultiple choice
Open the full VLAN trunking answer →

Your company has deployed a Cisco Catalyst 9300 switch stack as the distribution layer for a campus network. The network uses VLANs 10 (data), 20 (voice), and 30 (management). The switch stack is configured with DHCP snooping, Dynamic ARP Inspection (DAI), and IP Source Guard (IPSG) on access ports. Recently, users in VLAN 10 report intermittent connectivity issues. You notice that some users receive duplicate IP addresses from the DHCP server. The DHCP server is connected to a trunk port on the switch stack. After reviewing logs, you see that DHCPACK messages are being dropped on the trunk port. The DHCP snooping binding table shows entries for legitimate clients, but also some entries with MAC addresses from a different vendor. Which action should you take to resolve the issue?

Question 14mediumdrag order
Read the full Security explanation →

Drag and drop the steps to configure port security on a Cisco switch in the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5
Question 15mediummatching
Open the full STP breakdown →

Match each Spanning Tree Protocol (STP) variant to its key characteristic.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Original standard, slow convergence

Fast convergence, backward compatible

Multiple spanning trees per VLAN group

Cisco proprietary, per-VLAN STP

Cisco proprietary, per-VLAN RSTP

Free account

Track your progress over time

Create a free account to save your results and see which topics improve across sessions.

Focused Security sessions

Start a Security only practice session

Every question in these sessions is drawn from the Security domain — nothing else.

Related practice questions

Related 350-401 topic practice pages

Move into related areas when this topic feels solid.

Frequently asked questions

What does the 350-401 exam test about Security?
Security questions on this certification test your ability to deploy and manage security concepts in scenario-based situations.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Security questions in a focused session?
Yes — the session launcher on this page draws every question from the Security domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other 350-401 topics?
Use the topic links above to move to related areas, or go back to the 350-401 question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the 350-401 exam covers. They are not copied from any real exam or dump site.