Free CCNA Security Fundamentals Practice Test 2026 — Cisco 200-301 Questions
This free Cisco CCNA Security Fundamentals practice test covers security concepts, device hardening, AAA, ACLs, port security, DHCP snooping, dynamic ARP inspection, VPN basics, and wireless security for the CCNA exam. Each question includes a detailed explanation — perfect for Cisco CCNA 200-301 exam prep.
Key Topics in CCNA Security Fundamentals
- Security Concepts
- Device Hardening
- AAA (RADIUS/TACACS+)
- Access Control Lists (ACLs)
- Port Security
- VPN & Wireless Security
6 Free CCNA Security Fundamentals Practice Questions with Answers
Sample Question 1 — Security Fundamentals
What type of attack involves sending packets with a spoofed source IP address that matches the destination IP address?
- A. Man-in-the-middle
- B. Land attack (Correct answer)
- C. Smurf attack
- D. SYN flood
Correct answer: B
Explanation: A Land attack sends packets whose source and destination IP addresses are both set to the target host's address. This can cause the target system to reply to itself, potentially causing a denial of service.
Sample Question 2 — Security Fundamentals
Which command enables SSH version 2 on a Cisco router?
- A. ip ssh version 2 (Correct answer)
- B. ssh version 2
- C. ip ssh v2
- D. enable ssh v2
Correct answer: A
Explanation: The command "ip ssh version 2" enables SSH version 2 on Cisco devices. SSHv2 is more secure than SSHv1 and is the recommended version for secure remote access.
Sample Question 3 — Security Fundamentals
A network administrator notices unauthorized access attempts from a specific IP address to the company's web server. Which security mechanism would be MOST effective in preventing future attempts from this IP address?
- A. Implementing port security on the web server.
- B. Configuring an access control list (ACL) to deny traffic from the IP address. (Correct answer)
- C. Enabling SNMP traps on the web server.
- D. Using DHCP snooping to monitor the IP address.
Correct answer: B
Explanation: An ACL is the most effective solution. It allows granular control over network traffic based on source and destination IP addresses, ports, and other criteria. It directly blocks the malicious IP address from accessing the web server. Port security is useful for limiting the number of MAC addresses allowed on a port, but doesn't address the specific IP address. SNMP traps are for monitoring, not prevention. DHCP snooping prevents rogue DHCP servers, not malicious IP addresses.
Sample Question 4 — Security Fundamentals
A company wants to secure remote access to its network for its employees. Which solution offers the STRONGEST security posture?
- A. Telnet
- B. SSH (Correct answer)
- C. HTTP
- D. FTP
Correct answer: B
Explanation: SSH (Secure Shell) provides encrypted communication, protecting usernames, passwords, and data in transit. Telnet transmits data in plain text, making it highly vulnerable. HTTP and FTP are not designed for secure remote access.
Sample Question 5 — Security Fundamentals
What is the primary purpose of 802.1X authentication in a network security context?
- A. To encrypt network traffic.
- B. To control access to network resources based on user identity. (Correct answer)
- C. To prevent DHCP server spoofing.
- D. To manage network devices remotely.
Correct answer: B
Explanation: 802.1X is a port-based network access control protocol. It authenticates users before granting network access, ensuring only authorized devices and users can connect to the network.
Sample Question 6 — Security Fundamentals
A network administrator needs to restrict access to a specific server only from a predefined set of IP addresses. Which security mechanism is BEST suited for this?
- A. RADIUS
- B. TACACS+
- C. Access Control List (ACL) (Correct answer)
- D. Port Security
Correct answer: C
Explanation: ACLs allow granular control of network traffic based on source and destination IP addresses. They are ideal for restricting access to a server from specific IP addresses. RADIUS and TACACS+ are authentication and authorization protocols, while Port Security limits the number of MAC addresses on a port.
About the Cisco CCNA 200-301 Exam
- Questions: 100–120
- Time: 120 minutes
- Passing score: 825 / 1000
- Cost: $300 USD
- Domains: 6 (this is ~15% of the exam)
- Validity: 3 years