Cisco Certified Network Associate (CCNA) · Domain 5 · 15% of exam

Security Fundamentals

Drill 15 practice questions focused entirely on Security Fundamentals for the Cisco 200-301 exam. Tap an answer for instant feedback and a full explanation — no sign-up, always free.

Verified answer15 questions
Question 1 of 15

A network administrator needs to maintain a record of every configuration command that engineers enter on the core routers, including the username, timestamp, and the exact command issued, so that changes can be audited after an outage. The company already uses a TACACS+ server for AAA. Which AAA component should the administrator configure to meet this requirement?

Reviewed for accuracy · Report an issue
Question 2 of 15

A network administrator has deployed a TACACS+ server to control access to the company's routers. After a junior technician successfully logs in to a router, the administrator wants to ensure that the technician is only permitted to run a limited set of show commands and cannot enter configuration mode. Which AAA component enforces this restriction?

Reviewed for accuracy · Report an issue
Question 3 of 15

A network administrator enables DHCP snooping on an access switch to prevent rogue DHCP servers. The legitimate DHCP server is reached through uplink port GigabitEthernet0/1, while end-user devices connect to ports Gi0/2 through Gi0/24. After enabling DHCP snooping, users report they can no longer obtain IP addresses. What must the administrator configure to restore proper DHCP operation?

Reviewed for accuracy · Report an issue
Question 4 of 15

A network administrator discovers that an attacker on the LAN is sending forged ARP replies to associate the attacker's MAC address with the default gateway's IP, allowing the attacker to intercept traffic. DHCP snooping is already enabled on the switch. Which additional Layer 2 security feature should be configured to mitigate this specific attack?

Reviewed for accuracy · Report an issue
Question 5 of 15

A junior administrator is hardening a Cisco router. During a configuration review, you notice the running configuration contains the line 'enable password Cisco123' in clear text. The security policy requires that the password protecting privileged EXEC mode be stored using a strong, non-reversible hash. Which command should you use to meet this requirement?

Reviewed for accuracy · Report an issue
Question 6 of 15

A network administrator must configure an extended ACL on router R1's Gigabit interface. The policy requires that hosts on the 192.168.20.0/24 network be blocked from sending ping (echo) traffic to the server at 10.1.1.50, but those same hosts must still be allowed to reach the server's web service on TCP port 80. Which ordered set of ACL statements accomplishes this requirement?

Reviewed for accuracy · Report an issue
Question 7 of 15

A network administrator must restrict traffic on router R1's interface GigabitEthernet0/1 (inbound). Only the host 192.168.10.25 should be permitted to reach the web server at 172.16.5.10 on TCP port 443; all other traffic from the 192.168.10.0/24 subnet to that server must be denied, while normal traffic elsewhere continues. Which access control list entry correctly permits the required HTTPS traffic?

Reviewed for accuracy · Report an issue
Question 8 of 15

A company has 200 remote employees who work from home using company-issued laptops. Management wants each employee to establish a secure, encrypted connection to the corporate network on demand, without requiring dedicated hardware at each home office. Which VPN solution best meets this requirement?

Reviewed for accuracy · Report an issue
Question 9 of 15

A company needs to securely connect its headquarters router to a branch office router over the public internet. All traffic between the two sites' internal subnets must be encrypted automatically without requiring any user interaction, and the tunnel should remain established at all times. Which solution best meets these requirements?

Reviewed for accuracy · Report an issue
Question 10 of 15

A network technician configured port security on an access switchport with the default violation mode. A user connects a small unmanaged hub to the port and attaches two laptops, causing the port to stop forwarding traffic. The technician checks the interface and sees the status is 'err-disabled'. What must the technician do to restore the port to normal operation after removing the extra device?

Reviewed for accuracy · Report an issue
Question 11 of 15

A network administrator wants an access switch port to dynamically learn the MAC address of the currently connected workstation, add it to the running configuration so it survives a reboot after the config is saved, and then reject any other device. Which command achieves this dynamic-yet-persistent behavior?

Reviewed for accuracy · Report an issue
Question 12 of 15

A network administrator configures port security on interface FastEthernet0/5 with a maximum of two MAC addresses and the violation mode set to 'restrict'. A third host is then connected through a small unmanaged hub on that port and begins sending traffic. What happens to the switch port and the traffic?

Reviewed for accuracy · Report an issue
Question 13 of 15

A company's employees have started receiving convincing emails that appear to come from the IT department, asking them to click a link and re-enter their network credentials on a lookalike login page. Several users have already submitted their passwords. Which mitigation technique most directly addresses the root cause of this type of attack?

Reviewed for accuracy · Report an issue
Question 14 of 15

A network administrator needs to prevent hosts on the 192.168.10.0/24 subnet from reaching the server 172.16.5.10, while allowing all other traffic. The administrator decides to use a standard access control list. On which router interface and in which direction should the standard ACL be applied for best practice?

Reviewed for accuracy · Report an issue
Question 15 of 15

A security team is upgrading the wireless network for a corporate office. They want the strongest protection against offline dictionary attacks on the pre-shared key, even if employees choose relatively weak passphrases. Which wireless security standard should they deploy to best meet this requirement?

Reviewed for accuracy · Report an issue

More 200-301 practice

Keep going with the other Cisco Certified Network Associate (CCNA) domains, or take a full timed mock exam.

← Back to 200-301 overview