Infrastructure Security & Segmentation (350-401 ENCOR) Flashcards
Cisco CCNP Enterprise 350-401-ENCOR Flashcards

| Front | Back |
|---|---|
| AAA overview | Authentication, Authorization, and Accounting for centralized access control and logging |
| ACL ordering principle | ACLs are processed top to bottom; the first match wins |
| Application visibility and control | Identify applications and apply policy based on application identity, not just ports |
| Backup and restore configuration | Regularly back up device configs and verify restore procedures |
| BPDU guard purpose | Protect against rogue switches by disabling ports that receive BPDUs |
| Change control for network security | Document, authorize, and test changes to prevent accidental exposure |
| Control Plane Policing action | Rate limit or drop unwanted traffic destined to the control plane |
| Control Plane Protection (CPPr) goal | Protect the CPU from excessive traffic by policing management plane packets |
| Crypto map role in IPsec | Maps interesting traffic to IPsec policies on a router or firewall |
| Device hardening best practices | Disable unused services, remove default accounts, apply least privilege, and keep the OS patched |
| DHCP snooping function | Prevent unauthorized DHCP servers and build a trusted port list |
| Disable unused interfaces | Shut down unused physical and virtual interfaces to reduce attack surface |
| Dynamic ARP Inspection | Validate ARP packets against the DHCP snooping binding table to prevent ARP spoofing |
| Enable password encryption | Use service password-encryption and secret commands to avoid plaintext passwords |
| Firewall rule best practice | Use explicit deny and least privilege, and log denied traffic for auditing |
| IKE phases explanation | IKE Phase 1 establishes a secure channel; IKE Phase 2 negotiates IPsec SAs |
| Implicit deny in ACLs | ACLs end with an implicit deny, so add explicit permit statements |
| Inter-VLAN routing risk mitigation | Use firewalls or ACLs at the SVI to control inter-VLAN traffic |
| IPsec overview | Provides confidentiality, integrity, and authentication for site-to-site and remote-access VPNs |
| Logging and monitoring importance | Continuous monitoring and log review detect attacks and misconfigurations early |
| NAT and security | NAT hides internal addresses and can provide an additional layer of obfuscation |
| NTP security recommendations | Use authentication, restrict NTP peers, and monitor time drift |
| Patch management process | Track, test, and deploy patches to reduce vulnerabilities and downtime |
| Port security on switches | Limit MAC addresses per port and configure violation actions |
| Private VLANs use case | Provide isolation between hosts within the same primary VLAN |
| RADIUS vs TACACS+ | RADIUS centralizes authentication and authorization; TACACS+ separates AAA functions and supports command accounting |
| Role-based access control concept | Assign roles with minimum privileges to enforce least privilege |
| Secure boot and image validation | Use signed images and boot integrity checks to prevent tampered firmware |
| Secure management protocols | Use SSH, SNMPv3, and HTTPS for encrypted management access |
| Secure SNMP configuration | Use SNMPv3 with authentication and encryption; avoid community strings |
| Security Group Tag (SGT) purpose | Assign group tags to endpoints to simplify access control irrespective of IP address |
| SSH hardening tips | Disable legacy versions, limit users, and use key-based authentication |
| SSL VPN advantage | Clientless access via browser and flexibility for remote users |
| Standard vs Extended ACLs | Standard ACLs filter by source IP only; extended ACLs filter by source, destination, and port |
| Stateful vs Stateless firewall difference | Stateful tracks connection state; stateless inspects packets individually |
| Storm control utility | Limit broadcast and multicast traffic to prevent storms |
| SXP brief function | Map SGTs to IP addresses when endpoint identity is not present on all devices |
| Syslog best practices | Send logs to a remote syslog server and use timestamps and severity filtering |
| TCP intercept basic idea | Protect TCP services from SYN floods by proxying and validating connections |
| TrustSec overview | Cisco TrustSec uses Security Group Tags to enforce policy-based segmentation |
| Two-factor authentication benefit | Adds a second factor to reduce the risk of credential compromise |
| Unicast RPF anti-spoofing | Verify source reachability to prevent IP spoofing in routed networks |
| Using object groups in ACLs | Simplify rules by grouping IPs and ports for reuse |
| VLAN access control strategies | Use ACLs, private VLANs, and SGTs for segmentation |
| VLAN trunking basics | Use 802.1Q for tagging and restrict native VLAN usage |
| VPN split tunneling tradeoff | Reduces bandwidth cost but increases exposure of the remote host to internet threats |
| Zone-based firewall concept | Define zones and policy between zones for flexible segmentation |
About the Flashcards
Flashcards for the Cisco CCNP Enterprise exam help students review essential network security terminology, configuration steps, and operational best practices. The deck emphasizes concise definitions and practical guidance for securing devices, hardening management access, and applying least-privilege controls so candidates can quickly recall key concepts during study or on exam day.
The cards cover device hardening and secure management protocols (SSH, SNMPv3, HTTPS), AAA and RBAC fundamentals including RADIUS and TACACS+, switch-level protections and VLAN segmentation (port security, DHCP snooping, DAI, BPDU guard), ACLs and control plane defenses, firewall and VPN basics (IPsec, IKE, SSL VPN), plus logging, NTP security, patching, backups, secure boot, and change control.
Topics covered in this flashcard deck:
- Device hardening
- Secure management protocols
- AAA and RBAC
- VLANs and segmentation
- ACLs and control plane
- Firewalls and VPNs