Practice 350-501 Security and Services questions with full explanations on every answer.
Click any question to see the full explanation and answer options, or start a focused practice session above.
1. A service provider wants to protect its routers from CPU overload caused by excessive traffic to the control plane. Which mechanism should be configured on IOS XR routers to classify and rate-limit management traffic?
2. An engineer is configuring management plane hardening on an IOS XR router. The requirement is to authenticate users against a central server and provide granular command authorization. Which protocol and feature should be used?
3. A service provider is deploying uRPF on customer-facing interfaces to prevent IP spoofing. The network has asymmetric routing due to multiple upstream connections. Which uRPF mode should be used?
4. During a DDoS attack, an SP uses Cisco Peakflow for detection and wants to drop attack traffic at the edge routers. They decide to use S/RTBH. Which action must be performed on the edge routers to trigger the black hole?
5. An SP wants to filter BGP prefixes received from a customer to prevent hijacking. Which two tools can be used together on the provider edge router to implement inbound prefix filtering?
6. An SP is implementing RPKI to validate BGP route origins. They have set up an RPKI cache and configured routers with the RPKI-to-Router (RTR) protocol. During validation, a route is received with an AS that does not match any ROA. What is the validation state?
7. A network engineer needs to perform maintenance on a BGP router without causing traffic loss. They plan to use BGP Graceful Shutdown (GSHUT). What does GSHUT do?
8. To prevent MPLS label spoofing in a Layer 3 VPN, which configuration should be applied on the PE-CE link?
9. A service provider is deploying a BNG for subscriber management. Which protocol is used to authenticate subscribers and assign IP addresses via the BNG?
10. An SP is implementing CGNAT to conserve IPv4 addresses. For legal compliance, they must log all NAT translations with timestamps and source/destination information. Which CGNAT feature should be enabled?
11. An SP uses DPI to classify traffic. What is the primary purpose of DPI in a service provider network?
12. An engineer is configuring NTP authentication on IOS XR routers to ensure secure time synchronization. What is required for NTP authentication to work?
13. An SP wants to secure management access to IOS XR routers. Which two measures should be implemented? (Choose two.)
14. An SP is implementing DDoS mitigation using BGP FlowSpec. Which three types of actions can be specified in a FlowSpec rule? (Choose three.)
15. An SP is deploying BGP security features. Which three mechanisms can be used to prevent BGP route hijacking? (Choose three.)
16. A service provider wants to protect its core routers from CPU exhaustion caused by excessive ICMP traffic. Which control plane protection mechanism on IOS XR would be most appropriate to rate-limit ICMP packets destined to the router?
17. An SP engineer wants to restrict management access to their IOS XR routers. Which combination provides the most secure management plane hardening?
18. A service provider deploys uRPF on customer-facing interfaces to prevent IP spoofing. They have a multihomed customer with asymmetric routing. Which uRPF mode should be used to avoid dropping legitimate traffic?
19. During a DDoS attack, an SP wants to drop traffic destined to the victim IP at the network edge without affecting other traffic. Which technique should be used to achieve this by propagating a black-hole route from a trigger router to all edge routers?
20. A service provider uses BGP to exchange routes with customers. To prevent the customer from announcing prefixes they do not own (BGP hijacking), which tool should the provider apply on the customer-facing BGP session?
21. An SP is implementing RPKI to validate BGP origin AS. After configuring RPKI-to-Router (RTR) and setting BGP origin validation, a route is marked as 'invalid'. What action does BGP take by default for invalid routes?
22. A service provider wants to gracefully shut down a BGP session to a customer for maintenance without causing traffic loss. Which BGP feature should be used to signal the peer to reroute traffic before the session is brought down?
23. In an MPLS L3VPN, how can a service provider prevent a CE device from learning the MPLS label stack and potentially spoofing labels?
24. A service provider is deploying a BNG for subscriber management. Which protocol is typically used to authenticate subscribers and assign IP addresses in a PPPoE-based broadband network?
25. An SP implements Carrier-Grade NAT (CGNAT) to conserve IPv4 addresses. For legal compliance, what additional function must be enabled to log subscriber IP-port mappings?
26. A service provider uses BGP FlowSpec (RFC 8955) to mitigate DDoS attacks. Which component in the network is responsible for originating the FlowSpec rules and distributing them to routers?
27. To secure NTP in a service provider network, which feature should be enabled on IOS XR routers to prevent time synchronization with unauthorized NTP servers?
28. A service provider is deploying uRPF on peering edges with multiple upstream providers and asymmetric routing. Which two statements are true about uRPF operation in this scenario? (Choose two.)
29. A service provider is implementing BGP security using RPKI. Which three components are required for RPKI-based BGP origin validation? (Choose three.)
30. A service provider wants to protect its core routers from control plane attacks. Which two mechanisms are effective in mitigating such attacks on IOS XR? (Choose two.)
31. A service provider is implementing control plane protection (CoPP) on an IOS XR router. Which protocol should be classified and rate-limited to prevent excessive control plane load due to routing updates?
32. An engineer is hardening the management plane of an IOS XR router. Which combination is the most secure for remote administration?
33. A service provider wants to prevent IP spoofing at the customer edge by verifying that the source IP address of incoming packets is reachable via the interface they arrive on. Which uRPF mode should be used?
34. During a DDoS attack, a service provider uses Cisco Peakflow to detect anomalous traffic and then triggers S/RTBH. What must be configured on the router to black hole attack traffic using a /32 null route?
35. A network operator wants to distribute traffic filtering rules to multiple routers dynamically during a DDoS attack. Which technology should be used?
36. Which feature is used to validate that a BGP route origin is authorized by the prefix owner?
37. A service provider is preparing for maintenance on a BGP-speaking router. To minimize packet loss, they want to signal to neighbors that the session is being shut down gracefully. Which BGP feature should be used?
38. In an MPLS L3VPN network, which security measure should be taken on PE-CE links to prevent MPLS label spoofing?
39. Which protocol is used by a BNG to authenticate and authorize subscribers?
40. A service provider implements CGNAT to conserve IPv4 addresses. Which feature is required to ensure that application-level protocols such as SIP or FTP function correctly?
41. Which IOS XR feature allows an administrator to grant specific commands to a user based on their role, using task groups?
42. What is the purpose of NTP authentication in a service provider network?
43. A service provider wants to deploy DDoS mitigation using BGP FlowSpec. Which two actions can FlowSpec rules specify? (Choose two.)
44. When implementing RPKI for BGP origin validation, which three states can a route be marked as? (Choose three.)
45. A service provider is implementing security for BGP peering. Which two methods help prevent BGP route hijacking? (Choose two.)
46. A service provider is configuring Control Plane Policing (CoPP) on IOS XR routers to protect the control plane. The engineer wants to rate-limit ICMP traffic destined to the router to 1 Mbps, while allowing BGP and OSPF traffic with higher limits. Which type of CoPP classification should be used for the ICMP traffic?
47. An SP engineer is hardening management plane access on IOS XR routers. They want to enforce role-based access control using task groups. Which AAA protocol is required to support attribute-based authorization on IOS XR?
48. An engineer is implementing Unicast Reverse Path Forwarding (uRPF) on a provider edge (PE) router to mitigate IP spoofing. The customer-facing interface has a single static default route. Which uRPF mode should be used to provide anti-spoofing without causing false drops?
49. A service provider wants to mitigate DDoS attacks by blackholing traffic destined to a victim IP address. They plan to use Remotely Triggered Black Hole (RTBH) filtering. What BGP community is commonly used to trigger the blackhole route?
50. An SP is deploying BGP FlowSpec (RFC 8955) to distribute traffic filtering rules. Which component is responsible for disseminating FlowSpec rules to routers in the network?
51. A service provider wants to prevent BGP hijacking by validating the origin AS of received routes. They deploy RPKI with Route Origin Authorizations (ROAs). When a router receives a prefix with an origin AS that matches the ROA, what is the BGP Origin Validation state?
52. An engineer is configuring BGP Graceful Shutdown (GSHUT) for maintenance on a router. Which BGP attribute is set to trigger the graceful shutdown behavior?
53. An MPLS L3VPN service provider wants to prevent label spoofing attacks where a customer could inject MPLS labels to bypass ACLs. Which configuration practice should be implemented on PE-CE links?
54. A service provider is deploying a Broadband Network Gateway (BNG) for subscriber management. Which protocol is used by the BNG to authenticate subscribers via a RADIUS server?
55. An SP is implementing Carrier-Grade NAT (CGNAT) to conserve IPv4 addresses. Which feature must be enabled to support applications that embed IP addresses in the payload, such as SIP or FTP?
56. An engineer is configuring BGP prefix filtering on a provider edge router to prevent BGP hijacking. They want to allow only customer prefixes that are registered in the RIR database. What is the most effective method to automate this filtering?
57. An SP is deploying Deep Packet Inspection (DPI) to classify traffic for QoS and security. Which DPI technique is used to identify applications regardless of port numbers?
58. An engineer wants to secure NTP on IOS XR routers. Which configuration is required to prevent unauthorized time synchronization?
59. A service provider is using Cisco Peakflow for DDoS detection. Peakflow identifies anomalies based on network traffic telemetry. Which data collection method does Peakflow primarily use?
60. An SP is implementing BGP FlowSpec to mitigate DDoS. The FlowSpec rule should match traffic with destination port 80 and DSCP value 0. Which FlowSpec component is used to specify the destination port?
61. A service provider is hardening management plane access on IOS XR routers. Which TWO measures should be implemented to secure management access? (Choose two)
62. Which TWO protocols are supported by a BNG (Broadband Network Gateway) for subscriber session establishment? (Choose two)
63. A service provider is implementing RPKI to validate BGP routes. Which THREE components are necessary for a complete RPKI deployment on routers? (Choose three)
64. A service provider router running IOS XR is configured with Control Plane Policing (CoPP) to protect the route processor. Which type of traffic is most commonly rate-limited using CoPP in the control plane?
65. An SP network engineer is hardening management plane access on IOS XR routers. They require authentication, authorization, and accounting (AAA) with per-command authorization and role-based access control. Which combination should be used?
66. A service provider wants to prevent IP spoofing attacks from customer edge devices connected to a PE router. The customer prefixes are known and asymmetric routing is not present. Which uRPF mode should be configured on the PE-CE interface?
67. An SP detects a volumetric DDoS attack targeting a customer network. The SP uses Cisco's S/RTBH technique to drop attack traffic. Which action is performed by the edge routers upon receiving a BGP route with a specific community?
68. A service provider wants to prevent BGP hijacking of its customer prefixes. The SP implements RPKI with BGP Origin Validation. When a route is received with an origin AS that does not match any ROA, what is the validation state?
69. An SP engineer is configuring BGP Graceful Shutdown (GSHUT) for maintenance on a router. What does the GSHUT community do to the BGP best path selection process?
70. Which MPLS security best practice helps prevent label spoofing attacks where an attacker injects MPLS packets with a forged label stack to bypass ACLs?
71. A BNG (Broadband Network Gateway) is used for subscriber management. Which protocol is typically used between the BNG and the subscriber's modem (CPE) for authentication and IP address assignment in a PPPoE environment?
72. A network engineer is configuring management plane security on IOS XR. Which TWO of the following are recommended practices? (Choose two.)
73. A service provider is implementing BGP security measures to prevent route hijacking. Which TWO mechanisms directly validate the origin AS of BGP prefixes? (Choose two.)
74. An SP is deploying DDoS mitigation using BGP FlowSpec. Which THREE types of actions can be encoded in a FlowSpec rule? (Choose three.)
75. An SP engineer is configuring NTP authentication on IOS XR routers in the management plane. Which TWO statements about NTP authentication are correct? (Choose two.)
The Security and Services domain covers the key concepts tested in this area of the 350-501 exam blueprint published by Cisco. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all 350-501 domains — no account required.
The Courseiva 350-501 question bank contains 75 questions in the Security and Services domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Security and Services domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.