Courseiva
Knowledge + Practice
CertificationsVendorsCareer RoadmapsLabs & ToolsStudy GuidesGlossaryPractice Questions
C
Courseiva

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.

Certification Practice Questions

CCNA practice questionsSecurity+ SY0-701 practice questionsAWS SAA-C03 practice questionsAZ-104 practice questionsAZ-900 practice questionsCLF-C02 practice questionsA+ Core 1 practice questionsGoogle Cloud ACE practice questionsCySA+ CS0-003 practice questionsNetwork+ N10-009 practice questions
View all certifications →

Product

CertificationsCertification PathsExam TopicsPractice TestsExam Dumps vs Practice TestsStudy HubComparisons

Free Resources

Difficulty IndexLearn — Free ChaptersIT GlossaryFree Tools & LabsStudy GuidesCareer RoadmapsBrowse by VendorCisco Command ReferenceCCNA Scenarios

Company

AboutContactEditorial PolicyQuestion Writing PolicyTrust Center

Legal

Privacy PolicyTerms of Service

Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

HomeCertifications350-501DomainsSecurity and Services
350-501Free — No Signup

Security and Services

Practice 350-501 Security and Services questions with full explanations on every answer.

75questions

Start practicing

Security and Services — choose a session length

10 questions~10 min20 questions~20 min30 questions~30 min50 questions~50 min

Free · No account required

350-501 Domains

MPLS and Segment RoutingAutomation and Quality of ServicesArchitectureNetworkingSecurity and ServicesAutomation and Quality of ServiceServicesAutomation and Assurance

Practice Security and Services questions

10Q20Q30Q50Q

All 350-501 Security and Services questions (75)

Start session

Click any question to see the full explanation and answer options, or start a focused practice session above.

1

A service provider wants to protect its routers from CPU overload caused by excessive traffic to the control plane. Which mechanism should be configured on IOS XR routers to classify and rate-limit management traffic?

2

An engineer is configuring management plane hardening on an IOS XR router. The requirement is to authenticate users against a central server and provide granular command authorization. Which protocol and feature should be used?

3

A service provider is deploying uRPF on customer-facing interfaces to prevent IP spoofing. The network has asymmetric routing due to multiple upstream connections. Which uRPF mode should be used?

4

During a DDoS attack, an SP uses Cisco Peakflow for detection and wants to drop attack traffic at the edge routers. They decide to use S/RTBH. Which action must be performed on the edge routers to trigger the black hole?

5

An SP wants to filter BGP prefixes received from a customer to prevent hijacking. Which two tools can be used together on the provider edge router to implement inbound prefix filtering?

6

An SP is implementing RPKI to validate BGP route origins. They have set up an RPKI cache and configured routers with the RPKI-to-Router (RTR) protocol. During validation, a route is received with an AS that does not match any ROA. What is the validation state?

7

A network engineer needs to perform maintenance on a BGP router without causing traffic loss. They plan to use BGP Graceful Shutdown (GSHUT). What does GSHUT do?

8

To prevent MPLS label spoofing in a Layer 3 VPN, which configuration should be applied on the PE-CE link?

9

A service provider is deploying a BNG for subscriber management. Which protocol is used to authenticate subscribers and assign IP addresses via the BNG?

10

An SP is implementing CGNAT to conserve IPv4 addresses. For legal compliance, they must log all NAT translations with timestamps and source/destination information. Which CGNAT feature should be enabled?

11

An SP uses DPI to classify traffic. What is the primary purpose of DPI in a service provider network?

12

An engineer is configuring NTP authentication on IOS XR routers to ensure secure time synchronization. What is required for NTP authentication to work?

13

An SP wants to secure management access to IOS XR routers. Which two measures should be implemented? (Choose two.)

14

An SP is implementing DDoS mitigation using BGP FlowSpec. Which three types of actions can be specified in a FlowSpec rule? (Choose three.)

15

An SP is deploying BGP security features. Which three mechanisms can be used to prevent BGP route hijacking? (Choose three.)

16

A service provider wants to protect its core routers from CPU exhaustion caused by excessive ICMP traffic. Which control plane protection mechanism on IOS XR would be most appropriate to rate-limit ICMP packets destined to the router?

17

An SP engineers want to restrict management access to their IOS XR routers. Which combination provides the most secure management plane hardening?

18

A service provider deploys uRPF on customer-facing interfaces to prevent IP spoofing. They have a multihomed customer with asymmetric routing. Which uRPF mode should be used to avoid dropping legitimate traffic?

19

During a DDoS attack, an SP wants to drop traffic destined to the victim IP at the network edge without affecting other traffic. Which technique should be used to achieve this by propagating a black-hole route from a trigger router to all edge routers?

20

A service provider uses BGP to exchange routes with customers. To prevent the customer from announcing prefixes they do not own (BGP hijacking), which tool should the provider apply on the customer-facing BGP session?

21

An SP is implementing RPKI to validate BGP origin AS. After configuring RPKI-to-Router (RTR) and setting BGP origin validation, a route is marked as 'invalid'. What action does BGP default take for invalid routes?

22

A service provider wants to gracefully shut down a BGP session to a customer for maintenance without causing traffic loss. Which BGP feature should be used to signal the peer to reroute traffic before the session is brought down?

23

In an MPLS L3VPN, how can a service provider prevent a CE device from learning the MPLS label stack and potentially spoofing labels?

24

A service provider is deploying a BNG for subscriber management. Which protocol is typically used to authenticate subscribers and assign IP addresses in a PPPoE-based broadband network?

25

An SP implements Carrier-Grade NAT (CGNAT) to conserve IPv4 addresses. For legal compliance, what additional function must be enabled to log subscriber IP-port mappings?

26

A service provider uses BGP FlowSpec (RFC 8955) to mitigate DDoS attacks. Which component in the network is responsible for originating the FlowSpec rules and distributing them to routers?

27

To secure NTP in a service provider network, which feature should be enabled on IOS XR routers to prevent time synchronization with unauthorized NTP servers?

28

A service provider is deploying uRPF on peering edges with multiple upstream providers and asymmetric routing. Which two statements are true about uRPF operation in this scenario? (Choose two.)

29

A service provider is implementing BGP security using RPKI. Which three components are required for RPKI-based BGP origin validation? (Choose three.)

30

A service provider wants to protect its core routers from control plane attacks. Which two mechanisms are effective in mitigating such attacks on IOS XR? (Choose two.)

31

A service provider is implementing control plane protection (CoPP) on an IOS XR router. Which protocol should be classified and rate-limited to prevent excessive control plane load due to routing updates?

32

An engineer is hardening the management plane of an IOS XR router. Which combination is the most secure for remote administration?

33

A service provider wants to prevent IP spoofing at the customer edge by verifying that the source IP address of incoming packets is reachable via the interface they arrive on. Which uRPF mode should be used?

34

During a DDoS attack, a service provider uses Cisco Peakflow to detect anomalous traffic and then triggers S/RTBH. What must be configured on the router to black hole attack traffic using a /32 null route?

35

A network operator wants to distribute traffic filtering rules to multiple routers dynamically during a DDoS attack. Which technology should be used?

36

Which feature is used to validate that a BGP route origin is authorized by the prefix owner?

37

A service provider is preparing for maintenance on a BGP-speaking router. To minimize packet loss, they want to signal to neighbors that the session is being shut down gracefully. Which BGP feature should be used?

38

In an MPLS L3VPN network, which security measure should be taken on PE-CE links to prevent MPLS label spoofing?

39

Which protocol is used by a BNG to authenticate and authorize subscribers?

40

A service provider implements CGNAT to conserve IPv4 addresses. Which feature is required to ensure that application-level protocols such as SIP or FTP function correctly?

41

Which IOS XR feature allows an administrator to grant specific commands to a user based on their role, using task groups?

42

What is the purpose of NTP authentication in a service provider network?

43

A service provider wants to deploy DDoS mitigation using BGP FlowSpec. Which two actions can FlowSpec rules specify? (Choose two.)

44

When implementing RPKI for BGP origin validation, which three states can a route be marked as? (Choose three.)

45

A service provider is implementing security for BGP peering. Which two methods help prevent BGP route hijacking? (Choose two.)

46

A service provider is configuring Control Plane Policing (CoPP) on IOS XR routers to protect the control plane. The engineer wants to rate-limit ICMP traffic destined to the router to 1 Mbps, while allowing BGP and OSPF traffic with higher limits. Which type of CoPP classification should be used for the ICMP traffic?

47

An SP engineer is hardening management plane access on IOS XR routers. They want to enforce role-based access control using task groups. Which AAA protocol is required to support attribute-based authorization on IOS XR?

48

An engineer is implementing Unicast Reverse Path Forwarding (uRPF) on a provider edge (PE) router to mitigate IP spoofing. The customer-facing interface has a single static default route. Which uRPF mode should be used to provide anti-spoofing without causing false drops?

49

A service provider wants to mitigate DDoS attacks by blackholing traffic destined to a victim IP address. They plan to use Remotely Triggered Black Hole (RTBH) filtering. What BGP community is commonly used to trigger the blackhole route?

50

An SP is deploying BGP FlowSpec (RFC 8955) to distribute traffic filtering rules. Which component is responsible for disseminating FlowSpec rules to routers in the network?

51

A service provider wants to prevent BGP hijacking by validating the origin AS of received routes. They deploy RPKI with Route Origin Authorizations (ROAs). When a router receives a prefix with an origin AS that matches the ROA, what is the BGP Origin Validation state?

52

An engineer is configuring BGP Graceful Shutdown (GSHUT) for maintenance on a router. Which BGP attribute is set to trigger the graceful shutdown behavior?

53

An MPLS L3VPN service provider wants to prevent label spoofing attacks where a customer could inject MPLS labels to bypass ACLs. Which configuration practice should be implemented on PE-CE links?

54

A service provider is deploying a Broadband Network Gateway (BNG) for subscriber management. Which protocol is used by the BNG to authenticate subscribers via a RADIUS server?

55

An SP is implementing Carrier-Grade NAT (CGNAT) to conserve IPv4 addresses. Which feature must be enabled to support applications that embed IP addresses in the payload, such as SIP or FTP?

56

An engineer is configuring BGP prefix filtering on a provider edge router to prevent BGP hijacking. They want to allow only customer prefixes that are registered in the RIR database. What is the most effective method to automate this filtering?

57

An SP is deploying Deep Packet Inspection (DPI) to classify traffic for QoS and security. Which DPI technique is used to identify applications regardless of port numbers?

58

An engineer wants to secure NTP on IOS XR routers. Which configuration is required to prevent unauthorized time synchronization?

59

A service provider is using Cisco Peakflow for DDoS detection. Peakflow identifies anomalies based on network traffic telemetry. Which data collection method does Peakflow primarily use?

60

An SP is implementing BGP FlowSpec to mitigate DDoS. The FlowSpec rule should match traffic with destination port 80 and DSCP value 0. Which FlowSpec component is used to specify the destination port?

61

A service provider is hardening management plane access on IOS XR routers. Which TWO measures should be implemented to secure management access? (Choose two)

62

Which TWO protocols are supported by a BNG (Broadband Network Gateway) for subscriber session establishment? (Choose two)

63

A service provider is implementing RPKI to validate BGP routes. Which THREE components are necessary for a complete RPKI deployment on routers? (Choose three)

64

A service provider router running IOS XR is configured with Control Plane Policing (CoPP) to protect the route processor. Which type of traffic is most commonly rate-limited using CoPP in the control plane?

65

An SP network engineer is hardening management plane access on IOS XR routers. They require authentication, authorization, and accounting (AAA) with per-command authorization and role-based access control. Which combination should be used?

66

A service provider wants to prevent IP spoofing attacks from customer edge devices connected to a PE router. The customer prefixes are known and asymmetric routing is not present. Which uRPF mode should be configured on the PE-CE interface?

67

An SP detects a volumetric DDoS attack targeting a customer network. The SP uses Cisco's S/RTBH technique to drop attack traffic. Which action is performed by the edge routers upon receiving a BGP route with a specific community?

68

A service provider wants to prevent BGP hijacking of its customer prefixes. The SP implements RPKI with BGP Origin Validation. When a route is received with an origin AS that does not match any ROA, what is the validation state?

69

An SP engineer is configuring BGP Graceful Shutdown (GSHUT) for maintenance on a router. What does the GSHUT community do to the BGP best path selection process?

70

Which MPLS security best practice helps prevent label spoofing attacks where an attacker injects MPLS packets with a forged label stack to bypass ACLs?

71

A BNG (Broadband Network Gateway) is used for subscriber management. Which protocol is typically used between the BNG and the subscriber's modem (CPE) for authentication and IP address assignment in a PPPoE environment?

72

A network engineer is configuring management plane security on IOS XR. Which TWO of the following are recommended practices? (Choose two.)

73

A service provider is implementing BGP security measures to prevent route hijacking. Which TWO mechanisms directly validate the origin AS of BGP prefixes? (Choose two.)

74

An SP is deploying DDoS mitigation using BGP FlowSpec. Which THREE types of actions can be encoded in a FlowSpec rule? (Choose three.)

75

An SP engineer is configuring NTP authentication on IOS XR routers in the management plane. Which TWO statements about NTP authentication are correct? (Choose two.)

Practice all 75 Security and Services questions

Other 350-501 exam domains

MPLS and Segment RoutingAutomation and Quality of ServicesArchitectureNetworkingAutomation and Quality of ServiceServicesAutomation and Assurance

Frequently asked questions

What does the Security and Services domain cover on the 350-501 exam?

The Security and Services domain covers the key concepts tested in this area of the 350-501 exam blueprint published by Cisco. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all 350-501 domains — no account required.

How many Security and Services questions are in the 350-501 question bank?

The Courseiva 350-501 question bank contains 75 questions in the Security and Services domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice Security and Services for 350-501?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only Security and Services questions for 350-501?

Yes — the session launcher on this page draws questions exclusively from the Security and Services domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.

Free forever · No credit card required

Track your 350-501 domain progress

Save your results, see per-domain analytics, and get readiness scores — free, for every certification.

Sign Up Free

Free forever · Every certification included

Practice Session

10 questions20 questions30 questions50 questions

Study Resources

All DomainsPractice TestMock ExamFlashcardsStudy Guide