Networking

CCNA 200-301 Domain 5 Practice Test: Security Fundamentals

Josphat Mutai Updated Jun 23, 2026 · 3 min read

Security Fundamentals covers more separate skills than any other part of the Cisco CCNA 200-301 exam. It is a 15 percent block, but it spreads across threat concepts, device passwords, VPNs, access lists, three different Layer 2 protections, AAA, and wireless security. Because the topics are so varied, the questions jump from one to the next with no warning, and a weak spot in any single area quietly costs points. This practice test mirrors that spread, mixing every Domain 5 subject into one drill so you find the gaps while there is still time to close them.

Original content from computingforgeeks.com - post 169532

The questions are the same validated items from the per-topic quizzes across this series. Every command was reproduced in a GNS3 lab on Cisco IOS 15.2 or checked against Cisco documentation, every answer carries a written explanation, and the test draws a fresh thirty-question mix from an eighty-four-question bank each time you retake it.

Current as of June 2026, matched to the live CCNA 200-301 (v1.1) Security Fundamentals exam topics.

How to use this practice test

Take the whole set without notes, then read the explanation on every question, including the ones you guessed right. A practice test only pays off when it sends you back to the topics you are shaky on. When a question exposes a gap, open the matching guide in the list below, work the lab in it, then retake the test for a new draw.

Domain 5 is forgiving in one way and punishing in another. The concepts are smaller and more self-contained than the routing material, so each one is quick to learn. But there are a lot of them, and the configuration topics (ACLs, port security, DHCP snooping, dynamic ARP inspection) hide exam-favourite details: the implicit deny at the bottom of every ACL, the sticky MAC that survives a reboot once you save the config, the trusted port that DHCP snooping needs, the binding table that dynamic ARP inspection leans on. Misses usually cluster in those four, so watch where your score leaks.

Take the Domain 5 practice test

Thirty questions, drawn at random from the full eighty-four-question Security Fundamentals bank and re-sampled on every retake:

Loading quiz...

Clear this consistently and Security Fundamentals stops being a grab-bag of loosely related facts. Use the topic list below to shore up anything that tripped you.

What Domain 5 covers

Every sub-topic in this practice test has a full guide with real Cisco output or a tested topology. Work through any that the test flagged as weak:

Concepts and device hardening: start with the core security concepts (threats, vulnerabilities, exploits, and how the CIA triad frames mitigation), then lock down the box itself with device access control and password types, from enable secret to the console and VTY lines.

Centralised access and remote access: move credentials off every device with AAA using RADIUS and TACACS+, and connect sites or roaming users securely with remote-access and site-to-site VPNs built on IPsec.

Filtering traffic: the deepest configuration topic here is the access control list, where wildcard masks, placement, and the implicit deny decide whether a packet lives or dies.

Layer 2 protections: these three travel together. Pin a port to known MACs with port security, block a rogue DHCP server with DHCP snooping, and stop ARP spoofing with dynamic ARP inspection, which leans on the snooping binding table to do its job.

Wireless security: the encryption side of Wi-Fi sits in wireless networking fundamentals, which walks the WEP to WPA2 to WPA3 chain, PSK versus Enterprise with 802.1X, and the SAE handshake that makes WPA3 resistant to offline attacks.

Turn Domain 5 into reliable points

Because every Security Fundamentals topic is small, this is one of the most efficient domains to bank points in: a focused evening on each weak area moves your score fast, far faster than the same hours spent on routing. Treat this set as a diagnostic you return to until the four configuration topics are reflex and the concept questions are automatic. When Domain 5 is solid, the CCNA 200-301 study roadmap shows where it sits against the rest of the blueprint and what to drill next, from IP Services to network automation.

Josphat Mutai

Founder of Computingforgeeks. Senior Systems Engineer with over a decade of hands-on experience building and managing production infrastructure. Core expertise in Linux/UNIX administration, cloud platforms (AWS, GCP, Azure), and Kubernetes ecosystems (EKS, GKE, OpenShift). Deep experience with virtualization (KVM, Proxmox, OpenStack), infrastructure as code (Terraform, Terragrunt, Ansible, Crossplane), GitOps workflows (ArgoCD, FluxCD), Nix/NixOS, and container orchestration at scale. Currently focused on integrating AI and LLMs into DevOps and platform engineering workflows. Every guide on this site is tested on real systems before publishing.

Keep reading

Configure Samba File Share on Debian 13 / 12 Debian Configure Samba File Share on Debian 13 / 12 Setup WireGuard VPN on Ubuntu 24.04 / Debian 13 / Rocky Linux 10 Debian Setup WireGuard VPN on Ubuntu 24.04 / Debian 13 / Rocky Linux 10 Use NetworkManager nmcli on Ubuntu and Debian Debian Use NetworkManager nmcli on Ubuntu and Debian Configure NAT and PAT on a Cisco Router Networking Configure NAT and PAT on a Cisco Router Remote Access vs Site-to-Site VPN Explained Networking Remote Access vs Site-to-Site VPN Explained Configure Windows Client to Obtain IP from DHCP Server Networking Configure Windows Client to Obtain IP from DHCP Server

Leave a Comment

Press ESC to close