© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.
350-501 Security and Services • Complete Question Bank

350-501 Security and Services — All Questions With Answers

Complete 350-501 Security and Services question bank — all 0 questions with answers and detailed explanations.

75 questions, free, no signup.
Question 1 (easy, multiple choice)

A service provider wants to protect its routers from CPU overload caused by excessive traffic to the control plane. Which mechanism should be configured on IOS XR routers to classify and rate-limit management traffic?

Question 2 (medium, multiple choice)

An engineer is configuring management plane hardening on an IOS XR router. The requirement is to authenticate users against a central server and provide granular command authorization. Which protocol and feature should be used?

Question 3 (medium, multiple choice)

A service provider is deploying uRPF on customer-facing interfaces to prevent IP spoofing. The network has asymmetric routing due to multiple upstream connections. Which uRPF mode should be used?

Question 4 (hard, multiple choice)

During a DDoS attack, an SP uses Cisco Peakflow for detection and wants to drop attack traffic at the edge routers. They decide to use S/RTBH. Which action must be performed on the edge routers to trigger the black hole?

Question 5 (medium, multiple choice)

An SP wants to filter BGP prefixes received from a customer to prevent hijacking. Which two tools can be used together on the provider edge router to implement inbound prefix filtering?

Question 6 (hard, multiple choice)

An SP is implementing RPKI to validate BGP route origins. They have set up an RPKI cache and configured routers with the RPKI-to-Router (RTR) protocol. During validation, a route is received with an AS that does not match any ROA. What is the validation state?

Question 7 (easy, multiple choice)

A network engineer needs to perform maintenance on a BGP router without causing traffic loss. They plan to use BGP Graceful Shutdown (GSHUT). What does GSHUT do?

Question 8 (medium, multiple choice)

To prevent MPLS label spoofing in a Layer 3 VPN, which configuration should be applied on the PE-CE link?

Question 9 (medium, multiple choice)

A service provider is deploying a BNG for subscriber management. Which protocol is used to authenticate subscribers and assign IP addresses via the BNG?

Question 10 (hard, multiple choice)

An SP is implementing CGNAT to conserve IPv4 addresses. For legal compliance, they must log all NAT translations with timestamps and source/destination information. Which CGNAT feature should be enabled?

Question 11 (easy, multiple choice)

An SP uses DPI to classify traffic. What is the primary purpose of DPI in a service provider network?

Question 12 (medium, multiple choice)

An engineer is configuring NTP authentication on IOS XR routers to ensure secure time synchronization. What is required for NTP authentication to work?

Question 13 (easy, multi-select)

An SP wants to secure management access to IOS XR routers. Which two measures should be implemented? (Choose two.)

Question 14 (medium, multi-select)

An SP is implementing DDoS mitigation using BGP FlowSpec. Which three types of actions can be specified in a FlowSpec rule? (Choose three.)

Question 15 (hard, multi-select)

An SP is deploying BGP security features. Which three mechanisms can be used to prevent BGP route hijacking? (Choose three.)

Question 16 (medium, multiple choice)

A service provider wants to protect its core routers from CPU exhaustion caused by excessive ICMP traffic. Which control plane protection mechanism on IOS XR would be most appropriate to rate-limit ICMP packets destined to the router?

Question 17 (easy, multiple choice)

An SP engineer wants to restrict management access to their IOS XR routers. Which combination provides the most secure management plane hardening?

Question 18 (hard, multiple choice)

A service provider deploys uRPF on customer-facing interfaces to prevent IP spoofing. They have a multihomed customer with asymmetric routing. Which uRPF mode should be used to avoid dropping legitimate traffic?

Question 19 (medium, multiple choice)

During a DDoS attack, an SP wants to drop traffic destined to the victim IP at the network edge without affecting other traffic. Which technique should be used to achieve this by propagating a black-hole route from a trigger router to all edge routers?

Question 20 (easy, multiple choice)

A service provider uses BGP to exchange routes with customers. To prevent the customer from announcing prefixes they do not own (BGP hijacking), which tool should the provider apply on the customer-facing BGP session?

Question 21 (medium, multiple choice)

An SP is implementing RPKI to validate BGP origin AS. After configuring RPKI-to-Router (RTR) and setting BGP origin validation, a route is marked as 'invalid'. What action does BGP take by default for invalid routes?

Question 22 (hard, multiple choice)

A service provider wants to gracefully shut down a BGP session to a customer for maintenance without causing traffic loss. Which BGP feature should be used to signal the peer to reroute traffic before the session is brought down?

Question 23 (medium, multiple choice)

In an MPLS L3VPN, how can a service provider prevent a CE device from learning the MPLS label stack and potentially spoofing labels?

Question 24 (easy, multiple choice)

A service provider is deploying a BNG for subscriber management. Which protocol is typically used to authenticate subscribers and assign IP addresses in a PPPoE-based broadband network?

Question 25 (medium, multiple choice)

An SP implements Carrier-Grade NAT (CGNAT) to conserve IPv4 addresses. For legal compliance, what additional function must be enabled to log subscriber IP-port mappings?

Question 26 (hard, multiple choice)

A service provider uses BGP FlowSpec (RFC 8955) to mitigate DDoS attacks. Which component in the network is responsible for originating the FlowSpec rules and distributing them to routers?

Question 27 (easy, multiple choice)

To secure NTP in a service provider network, which feature should be enabled on IOS XR routers to prevent time synchronization with unauthorized NTP servers?

Question 28 (medium, multi-select)

A service provider is deploying uRPF on peering edges with multiple upstream providers and asymmetric routing. Which two statements are true about uRPF operation in this scenario? (Choose two.)

Question 29 (hard, multi-select)

A service provider is implementing BGP security using RPKI. Which three components are required for RPKI-based BGP origin validation? (Choose three.)

Question 30 (medium, multi-select)

A service provider wants to protect its core routers from control plane attacks. Which two mechanisms are effective in mitigating such attacks on IOS XR? (Choose two.)

Question 31 (medium, multiple choice)

A service provider is implementing control plane protection (CoPP) on an IOS XR router. Which protocol should be classified and rate-limited to prevent excessive control plane load due to routing updates?

Question 32 (medium, multiple choice)

An engineer is hardening the management plane of an IOS XR router. Which combination is the most secure for remote administration?

Question 33 (easy, multiple choice)

A service provider wants to prevent IP spoofing at the customer edge by verifying that the source IP address of incoming packets is reachable via the interface they arrive on. Which uRPF mode should be used?

Question 34 (hard, multiple choice)

During a DDoS attack, a service provider uses Cisco Peakflow to detect anomalous traffic and then triggers S/RTBH. What must be configured on the router to black hole attack traffic using a /32 null route?

Question 35 (medium, multiple choice)

A network operator wants to distribute traffic filtering rules to multiple routers dynamically during a DDoS attack. Which technology should be used?

Question 36 (easy, multiple choice)

Which feature is used to validate that a BGP route origin is authorized by the prefix owner?

Question 37 (medium, multiple choice)

A service provider is preparing for maintenance on a BGP-speaking router. To minimize packet loss, they want to signal to neighbors that the session is being shut down gracefully. Which BGP feature should be used?

Question 38 (hard, multiple choice)

In an MPLS L3VPN network, which security measure should be taken on PE-CE links to prevent MPLS label spoofing?

Question 39 (easy, multiple choice)

Which protocol is used by a BNG to authenticate and authorize subscribers?

Question 40 (medium, multiple choice)

A service provider implements CGNAT to conserve IPv4 addresses. Which feature is required to ensure that application-level protocols such as SIP or FTP function correctly?

Question 41 (hard, multiple choice)

Which IOS XR feature allows an administrator to grant specific commands to a user based on their role, using task groups?

Question 42 (easy, multiple choice)

What is the purpose of NTP authentication in a service provider network?

Question 43 (medium, multi-select)

A service provider wants to deploy DDoS mitigation using BGP FlowSpec. Which two actions can FlowSpec rules specify? (Choose two.)

Question 44 (hard, multi-select)

When implementing RPKI for BGP origin validation, which three states can a route be marked as? (Choose three.)

Question 45 (medium, multi-select)

A service provider is implementing security for BGP peering. Which two methods help prevent BGP route hijacking? (Choose two.)

Question 46 (medium, multiple choice)

A service provider is configuring Control Plane Policing (CoPP) on IOS XR routers to protect the control plane. The engineer wants to rate-limit ICMP traffic destined to the router to 1 Mbps, while allowing BGP and OSPF traffic with higher limits. Which type of CoPP classification should be used for the ICMP traffic?

Question 47 (medium, multiple choice)

An SP engineer is hardening management plane access on IOS XR routers. They want to enforce role-based access control using task groups. Which AAA protocol is required to support attribute-based authorization on IOS XR?

Question 48 (hard, multiple choice)

An engineer is implementing Unicast Reverse Path Forwarding (uRPF) on a provider edge (PE) router to mitigate IP spoofing. The customer-facing interface has a single static default route. Which uRPF mode should be used to provide anti-spoofing without causing false drops?

Question 49 (easy, multiple choice)

A service provider wants to mitigate DDoS attacks by blackholing traffic destined to a victim IP address. They plan to use Remotely Triggered Black Hole (RTBH) filtering. What BGP community is commonly used to trigger the blackhole route?

Question 50 (medium, multiple choice)

An SP is deploying BGP FlowSpec (RFC 8955) to distribute traffic filtering rules. Which component is responsible for disseminating FlowSpec rules to routers in the network?

Question 51 (medium, multiple choice)

A service provider wants to prevent BGP hijacking by validating the origin AS of received routes. They deploy RPKI with Route Origin Authorizations (ROAs). When a router receives a prefix with an origin AS that matches the ROA, what is the BGP Origin Validation state?

Question 52 (easy, multiple choice)

An engineer is configuring BGP Graceful Shutdown (GSHUT) for maintenance on a router. Which BGP attribute is set to trigger the graceful shutdown behavior?

Question 53 (hard, multiple choice)

An MPLS L3VPN service provider wants to prevent label spoofing attacks where a customer could inject MPLS labels to bypass ACLs. Which configuration practice should be implemented on PE-CE links?

Question 54 (medium, multiple choice)

A service provider is deploying a Broadband Network Gateway (BNG) for subscriber management. Which protocol is used by the BNG to authenticate subscribers via a RADIUS server?

Question 55 (easy, multiple choice)

An SP is implementing Carrier-Grade NAT (CGNAT) to conserve IPv4 addresses. Which feature must be enabled to support applications that embed IP addresses in the payload, such as SIP or FTP?

Question 56 (hard, multiple choice)

An engineer is configuring BGP prefix filtering on a provider edge router to prevent BGP hijacking. They want to allow only customer prefixes that are registered in the RIR database. What is the most effective method to automate this filtering?

Question 57 (medium, multiple choice)

An SP is deploying Deep Packet Inspection (DPI) to classify traffic for QoS and security. Which DPI technique is used to identify applications regardless of port numbers?

Question 58 (easy, multiple choice)

An engineer wants to secure NTP on IOS XR routers. Which configuration is required to prevent unauthorized time synchronization?

Question 59 (medium, multiple choice)

A service provider is using Cisco Peakflow for DDoS detection. Peakflow identifies anomalies based on network traffic telemetry. Which data collection method does Peakflow primarily use?

Question 60 (hard, multiple choice)

An SP is implementing BGP FlowSpec to mitigate DDoS. The FlowSpec rule should match traffic with destination port 80 and DSCP value 0. Which FlowSpec component is used to specify the destination port?

Question 61 (medium, multi-select)

A service provider is hardening management plane access on IOS XR routers. Which TWO measures should be implemented to secure management access? (Choose two)

Question 62 (easy, multi-select)

Which TWO protocols are supported by a BNG (Broadband Network Gateway) for subscriber session establishment? (Choose two)

Question 63 (hard, multi-select)

A service provider is implementing RPKI to validate BGP routes. Which THREE components are necessary for a complete RPKI deployment on routers? (Choose three)

Question 64 (easy, multiple choice)

A service provider router running IOS XR is configured with Control Plane Policing (CoPP) to protect the route processor. Which type of traffic is most commonly rate-limited using CoPP in the control plane?

Question 65 (medium, multiple choice)

An SP network engineer is hardening management plane access on IOS XR routers. They require authentication, authorization, and accounting (AAA) with per-command authorization and role-based access control. Which combination should be used?

Question 66 (medium, multiple choice)

A service provider wants to prevent IP spoofing attacks from customer edge devices connected to a PE router. The customer prefixes are known and asymmetric routing is not present. Which uRPF mode should be configured on the PE-CE interface?

Question 67 (hard, multiple choice)

An SP detects a volumetric DDoS attack targeting a customer network. The SP uses Cisco's S/RTBH technique to drop attack traffic. Which action is performed by the edge routers upon receiving a BGP route with a specific community?

Question 68 (medium, multiple choice)

A service provider wants to prevent BGP hijacking of its customer prefixes. The SP implements RPKI with BGP Origin Validation. When a route is received with an origin AS that does not match any ROA, what is the validation state?

Question 69 (hard, multiple choice)

An SP engineer is configuring BGP Graceful Shutdown (GSHUT) for maintenance on a router. What does the GSHUT community do to the BGP best path selection process?

Question 70 (medium, multiple choice)

Which MPLS security best practice helps prevent label spoofing attacks where an attacker injects MPLS packets with a forged label stack to bypass ACLs?

Question 71 (easy, multiple choice)

A BNG (Broadband Network Gateway) is used for subscriber management. Which protocol is typically used between the BNG and the subscriber's modem (CPE) for authentication and IP address assignment in a PPPoE environment?

Question 72 (easy, multi-select)

A network engineer is configuring management plane security on IOS XR. Which TWO of the following are recommended practices? (Choose two.)

Question 73 (medium, multi-select)

A service provider is implementing BGP security measures to prevent route hijacking. Which TWO mechanisms directly validate the origin AS of BGP prefixes? (Choose two.)

Question 74 (medium, multi-select)

An SP is deploying DDoS mitigation using BGP FlowSpec. Which THREE types of actions can be encoded in a FlowSpec rule? (Choose three.)

Question 75 (hard, multi-select)

An SP engineer is configuring NTP authentication on IOS XR routers in the management plane. Which TWO statements about NTP authentication are correct? (Choose two.)
