CCNA Spcor Security Services Questions

75 questions · Spcor Security Services topic · All types, answers revealed

1
MCQmedium

A service provider is preparing for maintenance on a BGP-speaking router. To minimize packet loss, they want to signal to neighbors that the session is being shut down gracefully. Which BGP feature should be used?

A.BGP Route Refresh
B.BGP Multipath
C.BGP GSHUT
D.BGP Fast External Failover
AnswerC

GSHUT community signals graceful shutdown.

Why this answer

BGP Graceful Shutdown (RFC 8326) tags the routes on the session being maintained with the well-known GRACEFUL_SHUTDOWN community (65535:0). A peer that implements it matches that community in its inbound policy and sets LOCAL_PREF to 0, so traffic drains to alternate paths before the session is torn down. Both sides need the policy; the community alone has no effect on a router that does not act on it.

2
MCQmedium

A service provider wants to prevent BGP hijacking of its customer prefixes. The SP implements RPKI with BGP Origin Validation. When a route is received for a prefix that is not covered by any ROA, what is the validation state?

A.Invalid
B.Valid
C.Unknown
D.Not-found
AnswerD

Not-found means no ROA is present for that prefix.

Why this answer

In RPKI, if no ROA covers the prefix, the state is 'not-found'. If a covering ROA lists the origin AS and the prefix is no longer than that ROA's maxLength, the state is 'valid'; if a ROA covers the prefix but the origin AS (or the prefix length) conflicts with every covering ROA, the state is 'invalid'.

3
MCQhard

An engineer is configuring BGP prefix filtering on a provider edge router to prevent BGP hijacking. They want to allow only customer prefixes that are registered in the RIR database. What is the most effective method to automate this filtering?

A.RPKI Origin Validation using RTR
B.AS_PATH filtering based on customer AS
C.Manual prefix-lists based on IRR data
D.BGP community tagging with customer AS
AnswerA

RPKI provides automated validation of prefix origin using ROAs.

Why this answer

RPKI Origin Validation uses cryptographically signed ROAs, and the RTR protocol pushes the resulting VRPs to the router automatically as ROAs change. IRR-based prefix-lists can be generated with tooling, but they are installed as static configuration that drifts between regenerations, and IRR data is not cryptographically attested. AS_PATH filters and communities do not tie a prefix to its legitimate origin at all.

4
MCQeasy

A service provider wants to protect its routers from CPU overload caused by excessive traffic to the control plane. Which mechanism should be configured on IOS XR routers to classify and rate-limit management traffic?

A.uRPF strict mode
B.BGP Flowspec
C.MPLS TTL propagation
D.CoPP (Control Plane Policing)
AnswerD

CoPP protects the control plane by classifying punted traffic and rate-limiting each class.

Why this answer

Control Plane Policing (CoPP) classifies traffic destined to the route processor and polices it so that a flood cannot starve routing protocols or management sessions. On IOS XR the built-in mechanism that does this is LPTS (Local Packet Transport Services), which applies a per-flow-type policer to punted packets (tunable with `lpts pifib hardware police`); Management Plane Protection additionally restricts which interfaces accept management traffic. uRPF, FlowSpec and TTL propagation are data-plane features.

5
Multi-Selectmedium

A service provider wants to deploy DDoS mitigation using BGP FlowSpec. Which two actions can FlowSpec rules specify? (Choose two.)

Select 2 answers
A.Advertise a static route
B.Log traffic
C.Redirect to a nexthop
D.Set BGP community
E.Rate-limit traffic
AnswersC, E

FlowSpec can redirect traffic to a specific nexthop for scrubbing.

Why this answer

FlowSpec actions are carried as extended communities: traffic-rate (police to a rate; a rate of 0 drops), traffic-action (sample/terminal), redirect (to a VRF via route-target, or redirect-to-IP next hop), and traffic-marking (rewrite DSCP). Among the options, redirecting to a next hop and rate-limiting are FlowSpec actions; advertising a static route, logging and setting a BGP community are not.

6
MCQhard

An MPLS L3VPN service provider wants to prevent label spoofing attacks where a customer could inject MPLS labels to bypass ACLs. Which configuration practice should be implemented on PE-CE links?

A.Disable MPLS on PE-CE links
B.Enable MPLS TTL propagation to detect spoofing
C.Enable MPLS on PE-CE links with TTL propagation disabled
D.Use explicit null labels on PE-CE links
AnswerA

Disabling MPLS on PE-CE links prevents customers from sending labeled packets.

Why this answer

If MPLS is not enabled on the PE-CE interface, labeled packets arriving from the CE are not forwarded, so a customer cannot craft a label stack that lands in another VRF or in the core. Disabling TTL propagation is a separate measure: it hides the core hops from customer traceroutes but does not stop spoofed labels.

7
MCQeasy

An SP is implementing Carrier-Grade NAT (CGNAT) to conserve IPv4 addresses. Which feature must be enabled to support applications that embed IP addresses in the payload, such as SIP or FTP?

B.Port forwarding
C.ALG (Application Layer Gateway)
D.NAT traversal
AnswerC

ALG handles payload inspection for protocols that embed IP addresses.

Why this answer

Application Layer Gateway (ALG) is required to inspect and modify payloads for protocols like SIP and FTP that carry IP addresses in the data stream.

8
MCQmedium

An engineer is configuring management plane hardening on an IOS XR router. The requirement is to authenticate users against a central server and provide granular command authorization. Which protocol and feature should be used?

A.SSH with local username/password
B.TACACS+ with AAA and task groups
C.SNMPv3 with ACLs
D.RADIUS with local authentication
AnswerB

TACACS+ provides granular command authorization, and task groups enable role-based access.

Why this answer

TACACS+ provides separate authentication, authorization, and accounting, and is commonly used with AAA for centralized management. Role-based access is achieved via task groups in IOS XR.

9
MCQhard

An SP is implementing BGP FlowSpec to mitigate DDoS. The FlowSpec rule should match traffic with destination port 80 and DSCP value 0. Which FlowSpec component is used to specify the destination port?

A.Type 5: Destination Port
B.Type 6: Source Port
C.Type 7: ICMP Type
D.Type 1: Destination Prefix
AnswerA

The destination port component matches the destination Layer 4 port.

Why this answer

RFC 8955 numbers the match components: type 1 destination prefix, type 2 source prefix, type 3 IP protocol, type 4 port (either direction), type 5 destination port, type 6 source port, type 7 ICMP type, type 8 ICMP code, type 9 TCP flags, type 10 packet length, type 11 DSCP, type 12 fragment. Destination port 80 is therefore a type 5 component and DSCP 0 a type 11 component; components are encoded in ascending type order.

10
MCQmedium

An SP is implementing RPKI to validate BGP origin AS. After configuring RPKI-to-Router (RTR) and setting BGP origin validation, a route is marked as 'invalid'. What action does BGP default take for invalid routes?

A.The route is installed with a lower local preference
B.The route is not installed in the routing table unless it is the only path
C.The route is treated as valid but with a lower preference
D.The route is dropped and not considered for best path selection
AnswerB

Invalid routes stay in the BGP table but lose to any valid or not-found path; they are not silently dropped.

Why this answer

By default, origin validation does not discard invalid routes: the router keeps them in the BGP table, and when validity is used in best-path selection they rank below valid and not-found paths, so they only win when nothing better exists. On IOS XR the `bgp bestpath origin-as allow invalid` option controls whether an invalid path is even eligible for best path; rejecting invalid routes outright requires an explicit route-policy that drops them.

11
MCQeasy

Which protocol is used by a BNG to authenticate and authorize subscribers?

B.DIAMETER
C.LDAP
AnswerA

RADIUS is the standard for subscriber authentication in BNG.

Why this answer

BNG uses RADIUS for AAA (authentication, authorization, and accounting) of subscribers. RADIUS exchanges messages with a backend server to validate credentials and assign policies.

12
MCQmedium

A service provider is deploying a Broadband Network Gateway (BNG) for subscriber management. Which protocol is used by the BNG to authenticate subscribers via a RADIUS server?

A.LDAP
B.Diameter
AnswerD

RADIUS is used for subscriber authentication, authorization, and accounting.

Why this answer

The BNG acts as a RADIUS client and uses RADIUS protocol to send authentication requests (Access-Request) for PPPoE or IPoE sessions.

13
MCQhard

In an MPLS L3VPN network, which security measure should be taken on PE-CE links to prevent MPLS label spoofing?

A.Enable MPLS OAM
B.Use BGP prefix filtering
C.Enable TTL propagation
D.Disable MPLS on the PE-CE link
AnswerD

This prevents customer from injecting labeled packets.

Why this answer

Disabling MPLS on the PE-CE link ensures that the customer cannot send labeled packets into the MPLS core, preventing label spoofing. Additionally, disabling TTL propagation can hide the core topology but does not prevent spoofing.

14
MCQmedium

A network operator wants to distribute traffic filtering rules to multiple routers dynamically during a DDoS attack. Which technology should be used?

A.uRPF
B.S/RTBH
C.BGP FlowSpec
D.ACLs
AnswerC

FlowSpec distributes fine-grained filtering rules via BGP.

Why this answer

BGP FlowSpec (RFC 8955) allows encoding of flow specifications (e.g., source/dest IP, ports, protocol) and distributing them via BGP to routers, which then apply traffic filtering actions (e.g., drop, rate-limit) dynamically.

15
MCQhard

An SP engineer is configuring BGP Graceful Shutdown (GSHUT) for maintenance on a router. What does the GSHUT community do to the BGP best path selection process?

A.It prepends the AS path
B.It removes the route from the BGP table
C.It increases the MED value by 100
D.It sets the local preference to 0
AnswerD

The GSHUT community causes the receiving router to set local preference to 0, making the route least preferred.

Why this answer

BGP GSHUT (RFC 8326) marks the routes with the well-known community GRACEFUL_SHUTDOWN, 65535:0 (0xFFFF0000). The community itself changes nothing; the peer's inbound policy matches it and sets LOCAL_PREF to 0 (the value the RFC recommends) so that any other path wins and traffic drains before the session is shut down.

16
Multi-Selectmedium

A service provider is hardening management plane access on IOS XR routers. Which TWO measures should be implemented to secure management access? (Choose two)

Select 2 answers
A.Use SNMPv2c for monitoring
B.Enable Telnet for remote access
C.Disable password encryption
D.Implement AAA with TACACS+
E.Enable SSH only
AnswersD, E

TACACS+ provides granular authorization and accounting.

Why this answer

Enabling SSH only and using AAA with TACACS+ are key management plane hardening steps. SNMPv3 with encryption is also important but not listed as an option.

17
MCQmedium

An SP is deploying Deep Packet Inspection (DPI) to classify traffic for QoS and security. Which DPI technique is used to identify applications regardless of port numbers?

A.IP address filtering
B.Port-based classification
C.Signature-based pattern matching
D.NetFlow analysis
AnswerC

Signature matching identifies application-specific patterns in payload.

Why this answer

DPI inspects packet payloads using signatures, pattern matching, or behavioral analysis to identify applications, even if they use non-standard ports.

18
Multi-Selecteasy

An SP wants to secure management access to IOS XR routers. Which two measures should be implemented? (Choose two.)

Select 2 answers
A.Implement AAA with TACACS+
B.Enable Telnet for remote access
C.Use SNMPv2c for monitoring
D.Use SSH for remote access
E.Disable all logging
AnswersA, D

TACACS+ provides secure authentication and authorization.

Why this answer

SSH provides encrypted remote access, and AAA with TACACS+ provides centralized authentication and authorization. SNMPv3 is also secure but not a management access method per se; the question asks for access measures.

19
MCQmedium

An SP implements Carrier-Grade NAT (CGNAT) to conserve IPv4 addresses. For legal compliance, what additional function must be enabled to log subscriber IP-port mappings?

A.Port allocation algorithm (deterministic or random)
B.Application Layer Gateway (ALG) support
C.Deep Packet Inspection (DPI)
D.NAT logging (syslog or other)
AnswerD

Logging records subscriber IP, public IP, port, and timestamps.

Why this answer

CGNAT logging records the subscriber's private address, the public address and port (or port block) assigned, and timestamps, which is what a lawful request to attribute an observed public IP:port to a subscriber requires. ALG support handles payload rewriting for protocols such as SIP and FTP; port allocation is part of NAT operation (a deterministic or port-block scheme reduces log volume but is not itself the log); DPI classifies traffic.

20
MCQeasy

A service provider uses BGP to exchange routes with customers. To prevent the customer from announcing prefixes they do not own (BGP hijacking), which tool should the provider apply on the customer-facing BGP session?

A.BGP Graceful Shutdown
B.Prefix-list and route-map to filter incoming updates
C.RPKI Origin Validation only
D.Set BGP community to tag customer routes
AnswerB

This explicitly permits only customer-owned prefixes.

Why this answer

Prefix-lists and route-maps are used to filter incoming BGP advertisements based on prefix and attributes. RPKI validates origin but requires ROA; BGP GSHUT is for maintenance; communities are for tagging.

21
MCQeasy

A service provider wants to mitigate DDoS attacks by blackholing traffic destined to a victim IP address. They plan to use Remotely Triggered Black Hole (RTBH) filtering. What BGP community is commonly used to trigger the blackhole route?

A.Community 65535:666 (BLACKHOLE)
B.Community 100
C.Community no-export
D.Community local-AS
AnswerA

The BLACKHOLE community 65535:666 (RFC 7999) is the standard trigger for RTBH null routing.

Why this answer

RTBH works by having a trigger router advertise a host route (/32 for IPv4, /128 for IPv6) for the victim with a next hop of a discard address (for example 192.0.2.1) that every edge router statically routes to Null0. The route is tagged with a community the edge routers match in policy, commonly the well-known BLACKHOLE community 65535:666 from RFC 7999 or a locally defined value, and is usually carried with NO_EXPORT so it does not leak outside the AS.

22
Multi-Selecthard

A service provider is implementing RPKI to validate BGP routes. Which THREE components are necessary for a complete RPKI deployment on routers? (Choose three)

Select 3 answers
A.RPKI cache server (Relying Party)
B.Route Origin Authorization (ROA)
C.Prefix-list for filtering
D.BGP path manipulation using local preference
E.BGP Origin Validation feature on routers
AnswersA, B, E

The cache server fetches and validates ROAs from RIRs.

Why this answer

RPKI requires ROAs (created by RIRs), a local cache server (like RPKI validator), and RTR protocol to download VRP to routers. BGP Origin Validation is a router feature that uses the VRP.

23
MCQeasy

An engineer is configuring BGP Graceful Shutdown (GSHUT) for maintenance on a router. Which BGP attribute is set to trigger the graceful shutdown behavior?

A.MED to maximum
B.Community GRACEFUL_SHUTDOWN
C.AS_PATH prepend
D.Local preference to 0
AnswerB

The well-known community GRACEFUL_SHUTDOWN (65535:0) triggers graceful shutdown.

Why this answer

BGP GSHUT uses a specific community (GRACEFUL_SHUTDOWN, value 65535:0) to signal peers that the session is being gracefully shut down, causing them to depreference the routes.

24
MCQmedium

A service provider is deploying a BNG for subscriber management. Which protocol is used to authenticate subscribers and assign IP addresses via the BNG?

A.PPPoE only
B.LDAP
AnswerD

RADIUS is the standard for subscriber authentication in BNG deployments.

Why this answer

BNG typically uses RADIUS for authentication, authorization, and accounting of subscribers. DHCP server functionality on BNG assigns IP addresses, but authentication is via RADIUS.

25
MCQmedium

A service provider wants to prevent BGP hijacking by validating the origin AS of received routes. They deploy RPKI with Route Origin Authorizations (ROAs). When a router receives a prefix with an origin AS that matches the ROA, what is the BGP Origin Validation state?

A.Invalid
B.Unknown
C.Not-found
D.Valid
AnswerD

A matching ROA results in 'valid' state.

Why this answer

If the prefix and origin AS match a ROA exactly, the validation state is 'valid'. If no ROA is found, it's 'not-found'. If there is a mismatch, it's 'invalid'.

26
MCQmedium

A service provider is configuring Control Plane Policing (CoPP) on IOS XR routers to protect the control plane. The engineer wants to rate-limit ICMP traffic destined to the router to 1 Mbps, while allowing BGP and OSPF traffic with higher limits. Which type of CoPP classification should be used for the ICMP traffic?

A.Critical class
B.Management class
C.Normal priority class
D.Control-plane class
AnswerD

ICMP traffic to the router is classified under the 'control-plane' class in this question's CoPP model.

Why this answer

CoPP separates punted traffic into classes with different policers: routing protocol sessions such as BGP and OSPF go in the critical class with generous limits, while ICMP destined to the router is policed more aggressively in the control-plane class. On an IOS XR router this separation is implemented by LPTS, which polices each flow type (for example ICMP-local) independently and can be tuned with `lpts pifib hardware police`.

27
MCQmedium

Which MPLS security best practice helps prevent label spoofing attacks where an attacker injects MPLS packets with a forged label stack to bypass ACLs?

A.Disabling TTL propagation on PE-CE interfaces
B.Enabling MPLS on all interfaces including CE-facing
C.Enabling TTL propagation on all PE routers
D.Using IP explicit null labels on all LSPs
AnswerA

Disabling TTL propagation hides the MPLS hops from the customer; among the options it is the only hardening measure.

Why this answer

None of the options is a direct anti-spoofing control. Enabling MPLS on CE-facing interfaces (B) is exactly what allows a customer to inject labeled packets; TTL propagation (C) and explicit null (D) expose more of the core. Disabling TTL propagation denies the customer information about the label-switched path, which is reconnaissance an attacker needs before forging labels. The real control against label spoofing is to leave MPLS disabled on PE-CE links so labeled packets from the CE are dropped, combined with ingress filtering.

28
MCQhard

An SP is implementing RPKI to validate BGP route origins. They have set up an RPKI cache and configured routers with the RPKI-to-Router (RTR) protocol. During validation, a route is received for a prefix that no ROA covers. What is the validation state?

A.Valid
B.Not-found
C.Unknown
D.Invalid
AnswerB

No ROA found for the prefix results in 'not-found'.

Why this answer

If no ROA covers the prefix, the state is 'not-found'. 'Invalid' means a ROA covers the prefix but its origin AS (or maxLength) does not match the route. 'Valid' means a covering ROA lists that origin AS and the prefix is within the maxLength.

29
MCQmedium

An SP engineer is hardening management plane access on IOS XR routers. They want to enforce role-based access control using task groups. Which AAA protocol is required to support attribute-based authorization on IOS XR?

A.Kerberos
D.LDAP
AnswerB

TACACS+ provides granular command authorization and is used with IOS XR task groups.

Why this answer

TACACS+ supports per-command authorization and attribute-value pairs for role-based access, while RADIUS has limited authorization capabilities. IOS XR uses TACACS+ for task group-based authorization.

30
MCQmedium

An engineer is configuring NTP authentication on IOS XR routers to ensure secure time synchronization. What is required for NTP authentication to work?

A.SNMPv3 for secure time exchange
B.A pre-shared key configured on both NTP client and server
C.A digital certificate from a CA
D.An ACL permitting NTP traffic
AnswerB

The key must be shared and trusted.

Why this answer

NTP authentication uses a shared key (MD5 or SHA) configured on both client and server. The key must match for the client to accept time updates.

31
Multi-Selecteasy

A network engineer is configuring management plane security on IOS XR. Which TWO of the following are recommended practices? (Choose two.)

Select 2 answers
A.Use SNMPv3 with authentication and encryption
B.Use SNMPv2c with read-only community strings
C.Disable all remote access and use console only
D.Enable Telnet for remote access
E.Enable SSH for remote access
AnswersA, E

SNMPv3 provides secure network management.

Why this answer

SSH provides encrypted remote access, and SNMPv3 with encryption and authentication secures monitoring. Telnet and SNMPv2c are insecure. Disabling all access is not practical.

32
Multi-Selecthard

An SP is deploying BGP security features. Which three mechanisms can be used to prevent BGP route hijacking? (Choose three.)

Select 3 answers
A.Prefix-lists to filter customer routes
B.RPKI with BGP Origin Validation
C.AS-path prepending
D.Route-maps to match and set attributes
E.BGP communities to tag routes
AnswersA, B, D

Prefix-lists restrict which prefixes are accepted.

Why this answer

RPKI validates origin AS, prefix-list filters prefixes, and route-maps can apply additional filters. BGP communities are used for tagging, not direct hijacking prevention. AS-path prepending is for path selection, not hijacking.

33
MCQmedium

To prevent MPLS label spoofing in a Layer 3 VPN, which configuration should be applied on the PE-CE link?

A.Enable MPLS TTL propagation
B.Configure uRPF on the PE-CE link
C.Use BGP FlowSpec to filter labels
D.Disable MPLS on the PE-CE link
AnswerD

This ensures the customer does not receive MPLS labels, preventing spoofing.

Why this answer

Disabling MPLS on PE-CE links (by not enabling MPLS on the interface) prevents the customer from seeing or injecting MPLS labels, thus preventing label spoofing. TTL propagation is used for traceroute but not a primary anti-spoofing measure.

34
MCQeasy

A service provider router running IOS XR is configured with Control Plane Policing (CoPP) to protect the route processor. Which type of traffic is most commonly rate-limited using CoPP in the control plane?

A.BGP update messages
B.Multicast data forwarding
C.MPLS label imposition
D.Layer 2 data plane traffic
AnswerA

BGP updates are control plane traffic that CoPP can rate-limit.

Why this answer

CoPP on IOS XR is used to classify and rate-limit control plane traffic such as routing protocols (BGP, OSPF, IS-IS) and management traffic (SSH, SNMP). Among the options, BGP updates are control plane traffic that can be rate-limited to protect the CPU.

35
MCQmedium

A service provider is implementing control plane protection (CoPP) on an IOS XR router. Which protocol should be classified and rate-limited to prevent excessive control plane load due to routing updates?

AnswerB

BGP updates are control plane traffic that must be rate-limited via CoPP.

Why this answer

BGP updates are sent to the control plane; without CoPP, a flood of BGP updates can overwhelm the router. CoPP classifies BGP traffic and rate-limits it to protect the control plane.

36
MCQeasy

To secure NTP in a service provider network, which feature should be enabled on IOS XR routers to prevent time synchronization with unauthorized NTP servers?

A.NTP authentication with MD5 keys
B.NTP symmetric active mode
C.NTP broadcast client mode
D.NTP access group with read-only community
AnswerA

Authentication verifies the identity of the NTP server.

Why this answer

NTP authentication ensures that the router only synchronizes with trusted servers that have the correct key. Access lists can also limit, but authentication provides cryptographic verification. NTP broadcast mode is less secure; symmetric mode is for peer-to-peer.

37
Multi-Selecthard

When implementing RPKI for BGP origin validation, which three states can a route be marked as? (Choose three.)

Select 3 answers
A.Invalid
B.Trusted
C.Not-found
D.Unknown
E.Valid
AnswersA, C, E

Route origin conflicts with a ROA.

Why this answer

RPKI validation results in three states: valid (matches a ROA), invalid (conflicts with a ROA), and not-found (no ROA exists). These states are used to influence BGP decision.
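
Worked example (added here; not part of the original question set). The Python below implements the RFC 6811 origin-validation decision that questions 2, 10, 25, 28 and 37 describe, over a constructed set of VRPs, and then applies validity to a best-path choice between a hijacked path with a tempting LOCAL_PREF and the legitimate one. The VRPs, AS numbers and the assumption that invalid paths are ineligible unless explicitly allowed are illustrative, not taken from a real registry or a specific platform default.

```python
"""RPKI Route Origin Validation (RFC 6811) over a constructed VRP set, plus
the validity-aware best-path choice described in the RPKI questions."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class VRP:
    """One Validated ROA Payload as an RTR cache delivers it."""
    prefix: str
    max_length: int
    asn: int  # 0 = AS0 ROA: nobody may originate this prefix (RFC 7607)


# Constructed VRPs for the example; not real registry data.
VRPS = [
    VRP("192.0.2.0/24", 24, 64496),
    VRP("198.51.100.0/24", 26, 64497),   # allows /24 .. /26 from AS64497
    VRP("203.0.113.0/24", 24, 0),        # AS0: any origin is invalid
]

# Ranking when validity participates in best path: valid > not-found > invalid
RANK = {"valid": 0, "not-found": 1, "invalid": 2}


def validate_origin(prefix: str, origin_asn: int, vrps=VRPS) -> str:
    """Return 'valid', 'invalid' or 'not-found' per RFC 6811 section 2."""
    route = ipaddress.ip_network(prefix, strict=False)
    covering = []
    for v in vrps:
        net = ipaddress.ip_network(v.prefix)
        if net.version == route.version and route.subnet_of(net):
            covering.append(v)
    if not covering:
        return "not-found"          # no ROA says anything about this prefix
    for v in covering:
        # AS0 never matches; a prefix longer than maxLength does not match either
        if v.asn != 0 and v.asn == origin_asn and route.prefixlen <= v.max_length:
            return "valid"
    return "invalid"                # covered by a ROA, but origin or length conflicts


def select_best(paths, allow_invalid=False, vrps=VRPS):
    """Pick the best of several paths for one prefix using validity first, then
    LOCAL_PREF. Invalid paths are ineligible unless allow_invalid is set
    (assumption modelling IOS XR 'bgp bestpath origin-as allow invalid').
    Returns (peer, state) or None when nothing is eligible."""
    candidates = []
    for p in paths:
        state = validate_origin(p["prefix"], p["origin_asn"], vrps)
        if state == "invalid" and not allow_invalid:
            continue
        candidates.append((RANK[state], -p["local_pref"], p["peer"], state))
    if not candidates:
        return None
    candidates.sort()
    _, _, peer, state = candidates[0]
    return peer, state


# Constructed paths: a hijack with a higher LOCAL_PREF versus the real origin.
PATHS = [
    {"prefix": "192.0.2.0/24", "origin_asn": 64500, "local_pref": 200, "peer": "peer-x"},
    {"prefix": "192.0.2.0/24", "origin_asn": 64496, "local_pref": 100, "peer": "customer"},
]

if __name__ == "__main__":
    for p in PATHS:
        print(p["peer"], validate_origin(p["prefix"], p["origin_asn"]))
    print(select_best(PATHS))
```

Two things the questions gloss over are visible here: a route becomes invalid either because the origin AS is wrong or because it is more specific than the ROA's maxLength, and an invalid path is chosen only when it is the sole candidate and invalid paths have been allowed.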

38
MCQmedium

An SP is deploying BGP FlowSpec (RFC 8955) to distribute traffic filtering rules. Which component is responsible for disseminating FlowSpec rules to routers in the network?

B.MP-BGP
C.PIM
D.LDP
AnswerB

MP-BGP carries FlowSpec NLRI in address family IPv4/IPv6 FlowSpec.

Why this answer

BGP FlowSpec uses a separate BGP address family (AFI 1, SAFI 133) to carry flow specifications. The rules are encoded as BGP NLRIs and distributed via BGP sessions.

39
MCQmedium

A service provider is deploying uRPF on customer-facing interfaces to prevent IP spoofing. The network has asymmetric routing due to multiple upstream connections. Which uRPF mode should be used?

A.Strict mode
B.uRPF with allow-default
C.uRPF is not recommended for asymmetric routing
D.Loose mode
AnswerD

Loose mode allows asymmetric routing while still providing anti-spoofing.

Why this answer

Strict mode requires the source address to be reachable via the incoming interface, which fails with asymmetric routing. Loose mode only checks that the source address exists in the routing table, making it suitable for asymmetric paths.

40
MCQhard

During a DDoS attack, an SP uses Cisco Peakflow for detection and wants to drop attack traffic at the edge routers. They decide to use S/RTBH. Which action must be performed on the edge routers to trigger the black hole?

A.Use BGP Flowspec to create a rule that drops traffic to the victim
B.Advertise the victim's IP via BGP with a blackhole community to edge routers
C.Configure a static null route and redistribute into IGP
D.Deploy IDMS traffic scrubbing inline
AnswerB

This is the standard RTBH mechanism: a trigger router announces the victim's host route with a community that the edge routers match and null-route.

Why this answer

Remotely Triggered Black Hole filtering advertises a /32 (or /128) route for the victim from a trigger router with its next hop set to a discard address (for example 192.0.2.1) that every edge router statically routes to Null0, and with a blackhole community (the well-known BLACKHOLE 65535:666 from RFC 7999 or a local value) that edge policy matches; NO_EXPORT is added so the route stays within the AS. Source-based RTBH (S/RTBH) uses the same announcement for the attacking source addresses together with loose-mode uRPF on the edges, so packets from those sources are dropped instead of all packets to the victim. FlowSpec (A) is an alternative, finer-grained technique rather than the RTBH trigger.

41
MCQeasy

SP engineers want to restrict management access to their IOS XR routers. Which combination provides the most secure management plane hardening?

A.SSH with AAA via TACACS+ and role-based access using task groups
B.Telnet with local passwords and SNMPv2c read-only
C.HTTP with AAA via RADIUS
D.SSH with local authentication only
AnswerA

This provides encryption, centralized authentication, and authorization.

Why this answer

SSH provides encrypted access, TACACS+ centralizes AAA with encryption, and IOS XR task groups allow fine-grained RBAC. Telnet and SNMPv2c are insecure; SNMPv3 is required for security.

42
MCQhard

Which IOS XR feature allows an administrator to grant specific commands to a user based on their role, using task groups?

A.SNMPv3
B.IP access lists
C.Role-based access control (RBAC) with task groups
D.AAA with RADIUS
AnswerC

Task groups are the RBAC mechanism in IOS XR.

Why this answer

IOS XR uses task groups (e.g., cisco-support, cisco-config) to define sets of commands or operations. Users are assigned to task groups to control access to specific router functions.

43
MCQhard

A service provider deploys uRPF on customer-facing interfaces to prevent IP spoofing. They have a multihomed customer with asymmetric routing. Which uRPF mode should be used to avoid dropping legitimate traffic?

A.Loose mode
B.Strict mode
C.No uRPF
D.Strict mode with allow-default option
AnswerA

Loose mode only requires a route to the source, allowing asymmetric paths.

Why this answer

Strict uRPF checks that the source IP matches the best route in the FIB and that the incoming interface matches the outgoing interface for that route. Loose uRPF only checks that a route to the source exists in the FIB, which accommodates asymmetric routing.

44
MCQmedium

An SP network engineer is hardening management plane access on IOS XR routers. They require authentication, authorization, and accounting (AAA) with per-command authorization and role-based access control. Which combination should be used?

A.SSH with local authentication and privilege levels
B.SSH with TACACS+ authentication and authorization, and task groups for role-based access
C.Telnet with RADIUS authentication and authorization
D.SNMPv3 with RADIUS authentication
AnswerB

SSH ensures encryption, TACACS+ provides per-command authorization, and task groups enable RBAC.

Why this answer

For per-command authorization and role-based access, TACACS+ is preferred over RADIUS. IOS XR uses task groups to define roles. SSH provides encrypted management access.

45
MCQhard

An SP is implementing CGNAT to conserve IPv4 addresses. For legal compliance, they must log all NAT translations with timestamps and source/destination information. Which CGNAT feature should be enabled?

A.Destination NAT
B.Port block allocation
C.ALG support
D.NAT logging
AnswerD

NAT logging records translations for compliance purposes.

Why this answer

CGNAT logging is required for compliance; it logs translation events including port allocation. ALG support handles application protocols but not logging. Port allocation is part of NAT, but logging is the specific feature for compliance.
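
Worked example (added here; not part of the original question set). The Python below models the port-block allocation and logging that questions 19 and 45 refer to: one log line per allocated block instead of one per translation, and the reverse lookup from (public IP, port, timestamp) back to a subscriber that a lawful request requires. The pool, block size, addresses and timestamps are constructed for illustration, and the allocator never reuses a freed block.

```python
"""CGNAT port-block allocation with per-block logging, and the reverse lookup
an abuse desk performs from (public IP, port, time) back to a subscriber."""
from dataclasses import dataclass, field
from typing import List, Optional

BLOCK_SIZE = 512          # ports per allocated block (assumed value)
PORT_FLOOR = 1024         # well-known ports are never handed out


@dataclass
class LogEntry:
    start_ts: int
    end_ts: Optional[int]     # None while the block is still in use
    private_ip: str
    public_ip: str
    port_lo: int
    port_hi: int


def format_log(e: LogEntry) -> str:
    """Syslog-style line: one per block, not one per session."""
    state = "ALLOC" if e.end_ts is None else "FREE"
    return (f"{e.start_ts} NAT-{state} src={e.private_ip} pub={e.public_ip} "
            f"ports={e.port_lo}-{e.port_hi}")


@dataclass
class CGNAT:
    public_pool: List[str]
    log: List[LogEntry] = field(default_factory=list)
    next_block: dict = field(default_factory=dict)   # public_ip -> next free port

    def allocate(self, private_ip: str, ts: int) -> LogEntry:
        """Hand a subscriber one contiguous port block on the first public
        address that still has room, and log that block exactly once."""
        for pub in self.public_pool:
            lo = self.next_block.get(pub, PORT_FLOOR)
            if lo + BLOCK_SIZE - 1 <= 65535:
                self.next_block[pub] = lo + BLOCK_SIZE
                entry = LogEntry(ts, None, private_ip, pub, lo, lo + BLOCK_SIZE - 1)
                self.log.append(entry)
                return entry
        raise RuntimeError("public pool exhausted")

    def release(self, entry: LogEntry, ts: int) -> None:
        """Close the block; the entry stays in the log for later attribution."""
        entry.end_ts = ts

    def who_used(self, public_ip: str, port: int, ts: int) -> Optional[str]:
        """Answer a lawful request: which subscriber held public_ip:port at ts?"""
        for e in self.log:
            if (e.public_ip == public_ip and e.port_lo <= port <= e.port_hi
                    and e.start_ts <= ts and (e.end_ts is None or ts <= e.end_ts)):
                return e.private_ip
        return None


if __name__ == "__main__":
    nat = CGNAT(["203.0.113.1"])
    a = nat.allocate("100.64.0.10", ts=1000)
    b = nat.allocate("100.64.0.11", ts=1005)
    print(format_log(a))
    print(nat.who_used("203.0.113.1", 1600, 1200))
```

Without block allocation the log would need an entry for every TCP/UDP session, which is the volume problem that makes operators skip logging; with it, the lookup still resolves because the timestamps bound when each block belonged to whom.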

46
Multi-Selectmedium

An SP is deploying DDoS mitigation using BGP FlowSpec. Which THREE types of actions can be encoded in a FlowSpec rule? (Choose three.)

Select 3 answers
A.Set a BGP community
B.Drop traffic
C.Encrypt traffic with IPsec
D.Redirect traffic to a VRF
E.Rate-limit traffic
AnswersB, D, E

FlowSpec can drop packets.

Why this answer

FlowSpec rules can include traffic rate-limiting, redirecting to a VRF (e.g., for scrubbing), and dropping traffic. Setting a BGP community is not a FlowSpec action; community is for routing policy. IPsec encryption is not a FlowSpec action.

47
Multi-Selecthard

An SP engineer is configuring NTP authentication on IOS XR routers in the management plane. Which TWO statements about NTP authentication are correct? (Choose two.)

Select 2 answers
A.NTP authentication is only supported on IOS XR, not on classic IOS
B.NTP authentication uses pre-shared keys to authenticate time sources
C.Only one NTP authentication key can be configured on a router
D.NTP authentication encrypts the NTP packets to ensure confidentiality
E.The NTP client must have the key configured and marked as trusted
AnswersB, E

A key is configured and used to authenticate NTP packets.

Why this answer

NTP authentication uses a symmetric key (MD5, or SHA-based on newer releases) to compute a MAC over each NTP packet. The client must have the key configured and marked trusted before it accepts time from a server using that key ID. Multiple keys can be configured, which is how key rollover is done. NTP authentication provides integrity and source authentication only; packets are not encrypted, so timestamps remain visible on the wire.
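
Worked example (added here; not part of the original question set). The Python below shows the RFC 5905 symmetric-key MAC that questions 30, 36 and 47 describe: key-id followed by MD5 over key||packet, appended to a minimal NTPv4 client packet, and the client-side check that refuses an untrusted key ID or a modified packet. The keys, key IDs and the transmit timestamp are constructed for illustration; only the MD5 form is shown, not the SHA-based variants.

```python
"""NTP symmetric-key authentication (RFC 5905 section 7.3 / appendix A):
the MAC is key-id || MD5(key || packet). It proves the packet came from a
holder of the key; nothing is encrypted."""
import hashlib
import hmac
import struct

# Constructed keys, as 'ntp authentication-key <id> md5 <key>' would hold them.
KEYS = {1: b"correct-horse", 2: b"stale-key"}
TRUSTED = {1}          # 'ntp trusted-key 1': key 2 exists but is not trusted

NTP_HEADER_LEN = 48
MAC_LEN = 4 + 16       # key id + MD5 digest


def build_client_packet(tx_timestamp: int = 0) -> bytes:
    """Minimal NTPv4 client request: LI=0, VN=4, Mode=3, then zeroed
    stratum/poll/precision, root delay, root dispersion, reference id and the
    reference/origin/receive timestamps, then the (assumed) transmit timestamp."""
    li_vn_mode = (0 << 6) | (4 << 3) | 3         # 0x23
    return struct.pack("!BBBb", li_vn_mode, 0, 0, 0) + bytes(36) + struct.pack("!Q", tx_timestamp)


def sign(packet: bytes, key_id: int, keys=KEYS) -> bytes:
    """Append the 20-byte MAC: 4-byte key id, 16-byte MD5 over key||packet."""
    digest = hashlib.md5(keys[key_id] + packet).digest()
    return packet + struct.pack("!I", key_id) + digest


def verify(message: bytes, keys=KEYS, trusted=TRUSTED):
    """Return (ok, reason). This is what a client with 'ntp authenticate'
    does before accepting time from a server."""
    if len(message) < NTP_HEADER_LEN + MAC_LEN:
        return False, "no MAC present"
    packet, key_id_raw, digest = message[:-MAC_LEN], message[-MAC_LEN:-16], message[-16:]
    key_id = struct.unpack("!I", key_id_raw)[0]
    if key_id not in trusted or key_id not in keys:
        return False, f"key {key_id} is not a trusted key"
    expected = hashlib.md5(keys[key_id] + packet).digest()
    if not hmac.compare_digest(expected, digest):
        return False, "MAC mismatch: packet modified or wrong key"
    return True, "authenticated"


if __name__ == "__main__":
    msg = sign(build_client_packet(0x1234), key_id=1)
    print(len(msg), verify(msg))
    print(verify(sign(build_client_packet(0x1234), key_id=2)))
```

The first 48 bytes of the signed message are the plaintext packet, which is the point of question 47's option D: the MAC detects tampering and an unknown key, but anyone on the path can read the timestamps.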

48
Multi-Selecthard

A service provider is implementing BGP security using RPKI. Which three components are required for RPKI-based BGP origin validation? (Choose three.)

Select 3 answers
A.Route Origin Authorization (ROA)
B.BGPsec path validation
C.Relying Party (cache server)
D.IS-IS routing protocol
E.RPKI-to-Router (RTR) protocol
AnswersA, C, E

ROA authorizes an AS to originate a prefix.

Why this answer

RPKI requires: 1) ROA (Route Origin Authorization) created by the prefix holder; 2) Relying Party (cache server) that fetches and validates ROAs; 3) RTR protocol to download the VRP (Validated ROA Payload) to routers. BGPsec is a separate standard for path validation. IS-IS is not involved.

49
MCQmedium

In an MPLS L3VPN, how can a service provider prevent a CE device from learning the MPLS label stack and potentially spoofing labels?

A.Disable MPLS on the PE-CE interface
B.Use LDP authentication between PE and CE
C.Configure MPLS VPN route-target filtering
D.Enable TTL propagation on the PE-CE link
AnswerA

This prevents the CE from seeing MPLS labels.

Why this answer

Disabling MPLS on the PE-CE link ensures the CE does not receive labeled packets. TTL propagation is for traceroute, not for preventing label exposure. LDP authentication secures label distribution but does not prevent CE from receiving labels if MPLS is enabled.

50
MCQeasy

A service provider wants to prevent IP spoofing at the customer edge by verifying that the source IP address of incoming packets is reachable via the interface they arrive on. Which uRPF mode should be used?

A.Strict mode
B.ACL-based filtering
C.Reverse path filtering disabled
D.Loose mode
AnswerA

Strict mode verifies source IP reachability via the same interface.

Why this answer

Strict mode checks that the source IP is in the FIB and that the best return route is through the same interface. Loose mode only checks that the source IP is in the FIB. Strict mode is used at customer edges where traffic should come from a specific interface.
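
Worked example (added here; not part of the original question set). The Python below implements the strict and loose uRPF checks from questions 39, 43 and 50 over a constructed FIB, including the asymmetric case where the return path to a source leaves through a different upstream, the ECMP case for a multihomed customer, and the allow-default option. Interface names and prefixes are invented for the example.

```python
"""Unicast RPF strict vs loose checks over a constructed FIB, including the
asymmetric-routing case and the allow-default option."""
import ipaddress

# Constructed FIB: prefix -> set of egress interfaces (a set models ECMP).
FIB = {
    "0.0.0.0/0":       {"Upstream1", "Upstream2"},
    "203.0.113.0/24":  {"Cust-A"},                # single-homed customer
    "198.51.100.0/24": {"Cust-B1", "Cust-B2"},    # multihomed customer, ECMP
    "192.0.2.0/24":    {"Upstream1"},             # best return path is Upstream1 only
}


def lookup(src: str, fib=FIB):
    """Longest-prefix match; returns (network, egress set) or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, ifaces in fib.items():
        net = ipaddress.ip_network(prefix)
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, ifaces)
    return best


def urpf_strict(src: str, ingress: str, allow_default=False, fib=FIB) -> bool:
    """Pass only if the best route back to src leaves through the ingress
    interface. Without allow-default, a match on 0.0.0.0/0 is not a valid
    reverse path, so strict mode on a default-carrying edge drops everything
    that is not covered by a more specific route."""
    hit = lookup(src, fib)
    if hit is None:
        return False
    net, egress = hit
    if net.prefixlen == 0 and not allow_default:
        return False
    return ingress in egress


def urpf_loose(src: str, allow_default=False, fib=FIB) -> bool:
    """Pass if any route to src exists, on any interface, so asymmetric paths
    survive; only unrouted (bogon / unallocated) sources are dropped."""
    hit = lookup(src, fib)
    if hit is None:
        return False
    net, _ = hit
    return allow_default or net.prefixlen != 0


if __name__ == "__main__":
    # Asymmetric return path: a packet from 192.0.2.10 arrives on Upstream2
    print("strict:", urpf_strict("192.0.2.10", "Upstream2"))
    print("loose :", urpf_loose("192.0.2.10"))
```

The asymmetric case is the one that decides the mode: strict mode drops the legitimate packet from 192.0.2.10 on Upstream2 because the FIB points back through Upstream1, while loose mode still drops a source that matches nothing but the default route.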

51
MCQeasy

A service provider is deploying a BNG for subscriber management. Which protocol is typically used to authenticate subscribers and assign IP addresses in a PPPoE-based broadband network?

C.IPoE
AnswerB

RADIUS is widely used for subscriber AAA in BNG.

Why this answer

RADIUS is the standard protocol for authentication, authorization, and accounting (AAA) in BNG environments. DHCP assigns IP addresses, but authentication is via RADIUS. TACACS+ is for device administration; IPoE uses DHCP but not typically for authentication.

52
MCQhard

A service provider uses BGP FlowSpec (RFC 8955) to mitigate DDoS attacks. Which component in the network is responsible for originating the FlowSpec rules and distributing them to routers?

A.A FlowSpec controller (e.g., router with policy or SDN controller)
B.The trigger router used for RTBH
C.The victim's CE router
D.An anomaly detection system like Cisco Peakflow
AnswerA

The controller originates FlowSpec NLRI and distributes via BGP.

Why this answer

In FlowSpec, a controller (or a router acting as controller) originates the FlowSpec NLRI and distributes it to edge routers via BGP. Edge routers apply the actions (e.g., drop, rate-limit). The trigger router is for RTBH; detection system may trigger but does not distribute FlowSpec.
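
Worked example (added here; not part of the original question set). The Python below encodes and decodes the FlowSpec NLRI from questions 5, 9, 14, 38, 46 and 52 as RFC 8955 puts it on the wire: match components in ascending type order (destination prefix, IP protocol, destination port 80, DSCP 0) and the traffic-rate action extended community, where a rate of zero means drop. The rule, AS number and rate are constructed for illustration; only IPv4 prefixes and 1- or 2-byte numeric values are handled.

```python
"""BGP FlowSpec (RFC 8955) on the wire: NLRI match components in ascending
type order, and the traffic-rate action extended community."""
import ipaddress
import struct

# Component types from RFC 8955 section 4.2
DEST_PREFIX, SRC_PREFIX, IP_PROTO, PORT, DEST_PORT, SRC_PORT = 1, 2, 3, 4, 5, 6
ICMP_TYPE, ICMP_CODE, TCP_FLAGS, PKT_LEN, DSCP, FRAGMENT = 7, 8, 9, 10, 11, 12
PREFIX_TYPES = (DEST_PREFIX, SRC_PREFIX)


def _prefix_component(ctype: int, prefix: str) -> bytes:
    net = ipaddress.IPv4Network(prefix)
    nbytes = (net.prefixlen + 7) // 8          # only the significant octets
    return bytes([ctype, net.prefixlen]) + net.network_address.packed[:nbytes]


def _numeric_component(ctype: int, values) -> bytes:
    """Operator list meaning 'value in values'. Operator byte layout:
    e(bit7) a(bit6) len(bits5-4) 0 lt gt eq; successive operators with a=0 are
    OR'ed; e=1 marks the last one. 1- and 2-byte values only."""
    out = bytearray([ctype])
    for i, v in enumerate(values):
        end = 0x80 if i == len(values) - 1 else 0x00
        if v < 0x100:
            out += bytes([end | 0x01, v])                      # len=00, eq
        else:
            out += bytes([end | 0x11]) + struct.pack("!H", v)  # len=01, eq
    return bytes(out)


def encode_nlri(components: dict) -> bytes:
    """components maps type -> prefix string or list of ints. The length
    prefix is one byte below 240, else two bytes with the top nibble 0xF."""
    body = b""
    for ctype in sorted(components):            # RFC 8955 4.1: ascending order
        v = components[ctype]
        body += (_prefix_component(ctype, v) if ctype in PREFIX_TYPES
                 else _numeric_component(ctype, v))
    if len(body) < 240:
        return bytes([len(body)]) + body
    return struct.pack("!H", 0xF000 | len(body)) + body


def decode_nlri(data: bytes) -> dict:
    if data[0] < 0xF0:
        length, pos = data[0], 1
    else:
        length, pos = struct.unpack("!H", data[:2])[0] & 0x0FFF, 2
    end, out = pos + length, {}
    while pos < end:
        ctype = data[pos]
        pos += 1
        if ctype in PREFIX_TYPES:
            plen = data[pos]
            nbytes = (plen + 7) // 8
            raw = data[pos + 1:pos + 1 + nbytes].ljust(4, b"\x00")
            out[ctype] = f"{ipaddress.IPv4Address(raw)}/{plen}"
            pos += 1 + nbytes
        else:
            values = []
            while True:
                op = data[pos]
                vlen = 1 << ((op >> 4) & 0x3)
                values.append(int.from_bytes(data[pos + 1:pos + 1 + vlen], "big"))
                pos += 1 + vlen
                if op & 0x80:                   # end-of-list bit
                    break
            out[ctype] = values
    return out


def traffic_rate(asn: int, bytes_per_second: float) -> bytes:
    """traffic-rate extended community (type 0x80, sub-type 0x06): 2-byte AS
    then an IEEE-754 float rate in bytes per second. A rate of 0 means drop."""
    return struct.pack("!BBHf", 0x80, 0x06, asn, bytes_per_second)


# Constructed rule: TCP to 192.0.2.0/24 port 80 with DSCP 0, policed to 1 Mbps.
RULE = {DEST_PREFIX: "192.0.2.0/24", IP_PROTO: [6], DEST_PORT: [80], DSCP: [0]}

if __name__ == "__main__":
    print(encode_nlri(RULE).hex())
    print(traffic_rate(64496, 1_000_000 / 8).hex())
```

The encoded rule reads directly as the component numbering from question 9: 01 (destination prefix) 18 c0 00 02, 03 (protocol) 81 06, 05 (destination port) 81 50, 0b (DSCP) 81 00. The action is not in the NLRI at all; it travels as an extended community on the same BGP UPDATE, which is why a controller can carry a match and its action in one announcement.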

53
MCQhard

A service provider wants to gracefully shut down a BGP session to a customer for maintenance without causing traffic loss. Which BGP feature should be used to signal the peer to reroute traffic before the session is brought down?

A.BGP TTL Security
B.BGP Route Refresh
C.BGP Graceful Shutdown (GSHUT)
D.BGP Fast External Failover
AnswerC

GSHUT advertises routes with a low local preference to drain traffic.

Why this answer

BGP Graceful Shutdown (GSHUT) uses a well-known community or attribute to inform peers that the session is going down, allowing them to reroute traffic. BFD detects failures fast but does not signal; TTL propagation is for MPLS; route refresh is for soft reconfiguration.

54
MCQeasy

A network engineer needs to perform maintenance on a BGP router without causing traffic loss. They plan to use BGP Graceful Shutdown (GSHUT). What does GSHUT do?

A.It immediately terminates all BGP sessions
B.It uses BGP fast external failover to speed up convergence
C.It sets the local preference to a lower value to withdraw routes gracefully
D.It increases the MED to deprefer routes
AnswerC

Lower local preference makes routes less preferred, causing traffic to shift before shutdown.

Why this answer

BGP GSHUT adjusts the local preference of routes to make them less preferred, gracefully draining traffic before the session is shut down. This avoids packet loss.

55
Multi-Selectmedium

A service provider is implementing security for BGP peering. Which two methods help prevent BGP route hijacking? (Choose two.)

Select 2 answers
A.BGP next-hop-self
B.BGP multipath
C.RPKI origin validation
D.BGP prefix filtering
E.BGP GSHUT
AnswersC, D

Validates that the origin AS is authorized.

Why this answer

Prefix filtering (with prefix-lists and route-maps) ensures only expected prefixes are accepted from peers. RPKI validation provides cryptographic verification of origin AS. Both prevent hijacking.

56
MCQmedium

During a DDoS attack, an SP wants to drop traffic destined to the victim IP at the network edge without affecting other traffic. Which technique should be used to achieve this by propagating a black-hole route from a trigger router to all edge routers?

A.S/RTBH (Remotely Triggered Black Hole) using BGP community
B.Cisco Peakflow to reroute traffic
C.BGP FlowSpec to distribute filtering rules
D.IDMS to scrub traffic
AnswerA

S/RTBH advertises a /32 route with a blackhole community to trigger null routing.

Why this answer

S/RTBH uses BGP to advertise a /32 route with a specific community to trigger routers to install a null route. This drops traffic to the victim IP at the edge. FlowSpec is more flexible but not specifically for RTBH; Peakflow detects anomalies; IDMS scrubs traffic.

57
MCQeasy

An engineer wants to secure NTP on IOS XR routers. Which configuration is required to prevent unauthorized time synchronization?

A.NTP broadcast mode
B.NTP access group with ACL
C.NTP version 4 only
D.NTP authentication with a key
AnswerD

NTP authentication validates the source using a shared key.

Why this answer

NTP authentication using a key ensures that only trusted NTP servers can update the router's clock, preventing spoofing attacks.

58
MCQeasy

Which feature is used to validate that a BGP route origin is authorized by the prefix owner?

A.BGP prefix filtering
B.BGP community filtering
C.BGP GSHUT
D.RPKI Origin Validation
AnswerD

RPKI validates origin AS using ROAs.

Why this answer

RPKI BGP Origin Validation uses ROAs to validate the origin AS. Routes are marked as valid, invalid, or not-found based on ROA records.

59
MCQmedium

A service provider wants to protect its core routers from CPU exhaustion caused by excessive ICMP traffic. Which control plane protection mechanism on IOS XR would be most appropriate to rate-limit ICMP packets destined to the router?

A.Enable MPLS traffic engineering to reroute ICMP
B.Use BGP prefix filtering to block ICMP routes
C.Implement CoPP by creating a class-map for ICMP and applying a police rate under a control-plane policy-map
D.Configure an ACL to deny ICMP on all interfaces
AnswerC

CoPP allows granular classification and rate-limiting of control plane traffic.

Why this answer

CoPP (Control Plane Policing) on IOS XR uses class maps and policy maps to classify and rate-limit control plane traffic, including ICMP. ACL-based policing is less granular, and neither MPLS TE nor BGP prefix filtering applies.

60
Multi-Selectmedium

A service provider wants to protect its core routers from control plane attacks. Which two mechanisms are effective in mitigating such attacks on IOS XR? (Choose two.)

Select 2 answers
A.MPLS TTL propagation
B.Unicast Reverse Path Forwarding (uRPF)
C.Control Plane Policing (CoPP)
D.BGP prefix filtering
E.NTP authentication
AnswersB, C

uRPF drops packets with spoofed source IPs, reducing attack traffic.

Why this answer

CoPP polices control plane traffic. uRPF prevents spoofed source IPs, which are often used in attacks. BGP prefix filtering is for routing updates, not control plane attacks. MPLS TTL propagation is for traceroute. NTP authentication secures time sync.

61
MCQmedium

A service provider wants to prevent IP spoofing attacks from customer edge devices connected to a PE router. The customer prefixes are known and asymmetric routing is not present. Which uRPF mode should be configured on the PE-CE interface?

A.No uRPF needed because BGP prefix filtering prevents spoofing
B.Strict mode uRPF
C.VRF-aware uRPF
D.Loose mode uRPF
AnswerB

Strict mode verifies the source IP is reachable via the incoming interface, ideal for PE-CE links with symmetric routing.

Why this answer

Strict mode uRPF checks that the source IP address is reachable via the same interface the packet arrived on, and that the route points back to that interface. This is suitable when symmetric routing is guaranteed, as on PE-CE links in L3VPN.

62
Multi-Selectmedium

An SP is implementing DDoS mitigation using BGP FlowSpec. Which three types of actions can be specified in a FlowSpec rule? (Choose three.)

Select 3 answers
A.Drop (discard)
B.Sample (copy to analyzer)
C.Mark DSCP
D.Traffic-rate (rate-limit)
E.Redirect to a next-hop
AnswersA, D, E

Drop is a standard action to discard traffic.

Why this answer

BGP FlowSpec can specify actions like traffic-rate (rate-limiting), redirect (to a next-hop or VRF), and drop (discard). Marking DSCP is not typical; sample is used for traffic analysis but not a standard action in FlowSpec.

63
MCQmedium

A service provider is using Cisco Peakflow for DDoS detection. Peakflow identifies anomalies based on network traffic telemetry. Which data collection method does Peakflow primarily use?

A.NetFlow/IPFIX
C.SNMP polling
D.Packet capture
AnswerA

Peakflow relies on flow data for anomaly detection.

Why this answer

Peakflow uses NetFlow (or IPFIX) data exported from routers to analyze traffic patterns and detect anomalies.

64
Multi-Selecteasy

Which TWO protocols are supported by a BNG (Broadband Network Gateway) for subscriber session establishment? (Choose two)

Select 2 answers
A.PPPoE
B.IPoE (DHCP)
D.L2TP
E.PPPoA
AnswersA, B

PPPoE is a common protocol for DSL broadband.

Why this answer

BNG supports PPPoE and IPoE (DHCP) for subscriber access. PPPoA runs over ATM (Asynchronous Transfer Mode) and is not typically used in modern BNG deployments.

65
MCQhard

An SP detects a volumetric DDoS attack targeting a customer network. The SP uses Cisco's S/RTBH technique to drop attack traffic. Which action is performed by the edge routers upon receiving a BGP route with a specific community?

A.The edge router applies a BGP FlowSpec rule to rate-limit the traffic
B.The edge router forwards the attack traffic to a scrubbing center
C.The edge router installs a /32 route pointing to a discard interface
D.The edge router sends ICMP unreachable messages to the attacker
AnswerC

The /32 route with next-hop Null0 causes traffic to be dropped.

Why this answer

S/RTBH works by advertising a /32 prefix (the victim's IP) with a special BGP community (e.g., NO_EXPORT) and a next-hop of the discard interface (e.g., Null0). Edge routers install the route pointing to Null0, dropping traffic to that IP.

66
MCQeasy

What is the purpose of NTP authentication in a service provider network?

A.To encrypt NTP traffic
B.To rate-limit NTP packets
C.To synchronize time across devices
D.To verify the identity of the NTP server
AnswerD

Authentication uses keys to verify that the server is legitimate.

Why this answer

NTP authentication ensures that time synchronization messages are from a trusted source, preventing spoofed NTP packets that could cause time changes affecting logs, protocols, and security.

67
MCQhard

An engineer is implementing Unicast Reverse Path Forwarding (uRPF) on a provider edge (PE) router to mitigate IP spoofing. The customer-facing interface has a single static default route. Which uRPF mode should be used to provide anti-spoofing without causing false drops?

A.VRF mode
B.Strict mode
C.Feasible mode
D.Loose mode
AnswerD

Loose mode only checks that a route exists (including default) to the source, preventing spoofing with minimal false drops.

Why this answer

With a single default route, strict uRPF would fail because the reverse path check expects a specific route back to the source. Loose uRPF only checks if a route exists (including default) to the source, making it suitable.

68
Multi-Selectmedium

A service provider is deploying uRPF on peering edges with multiple upstream providers and asymmetric routing. Which two statements are true about uRPF operation in this scenario? (Choose two.)

Select 2 answers
A.Loose mode may drop traffic if no route to the source exists in the FIB
B.uRPF requires CEF to be disabled
C.Loose mode requires a default route to function
D.uRPF can be applied in both IPv4 and IPv6
E.Strict mode is preferred for asymmetric routing environments
AnswersA, D

Loose mode drops only if there is no route at all.

Why this answer

Loose uRPF only checks that a route to the source exists, suitable for asymmetric routing. Strict uRPF requires the incoming interface to match the best return route, which can drop legitimate traffic with asymmetric routing. Default routes do not affect loose mode.

69
Multi-Selectmedium

A service provider is implementing BGP security measures to prevent route hijacking. Which TWO mechanisms directly validate the origin AS of BGP prefixes? (Choose two.)

Select 1 answer
A.BGP prefix lists
B.BGP route-maps with AS path matching
C.BGP community-based filtering
D.RPKI Origin Validation using ROAs
E.BGPSec (BGP Security)
AnswersD

RPKI validates the origin AS of a prefix.

Why this answer

RPKI Origin Validation uses ROAs to validate the origin AS. BGP prefix lists and route-maps filter based on prefix, not AS origin. BGPSec validates AS path, but RPKI is the primary origin validation. BGP community filtering does not validate origin.

70
MCQmedium

An SP wants to filter BGP prefixes received from a customer to prevent hijacking. Which two tools can be used together on the provider edge router to implement inbound prefix filtering?

A.Prefix-list and route-map
B.Distribute-list and ACL
C.RPKI and BGP community
D.AS-path access-list and community-list
AnswerA

This combination allows matching prefixes and applying actions like permit/deny.

Why this answer

Prefix-lists and route-maps are commonly used together to match and filter BGP prefixes. Prefix-lists define the prefixes, and route-maps apply them in BGP neighbor statements.

71
MCQmedium

A service provider implements CGNAT to conserve IPv4 addresses. Which feature is required to ensure that application-level protocols such as SIP or FTP function correctly?

A.Port block allocation
B.ALG support
C.Logging
D.Session limits
AnswerB

ALGs handle protocol-specific translations like SIP, FTP.

Why this answer

Many application protocols embed IP addresses in the payload. ALGs (Application Level Gateways) inspect and modify these payloads to ensure proper translation. Without ALGs, these protocols may break.

72
MCQeasy

A BNG (Broadband Network Gateway) is used for subscriber management. Which protocol is typically used between the BNG and the subscriber's modem (CPE) for authentication and IP address assignment in a PPPoE environment?

B.RADIUS directly to CPE
C.L2TP
D.PPPoE with PPP authentication and IPCP
AnswerD

PPPoE uses PPP for authentication and IPCP for IP address assignment.

Why this answer

In a PPPoE environment, the BNG acts as the access concentrator. Authentication is performed using PAP or CHAP, and IP address assignment is done via IPCP (IP Control Protocol). The BNG may also use RADIUS for centralized authentication, but between the BNG and the CPE, PPPoE uses PPP for authentication and IPCP for IP address assignment.

73
MCQeasy

An SP uses DPI to classify traffic. What is the primary purpose of DPI in a service provider network?

A.To block all traffic from a specific IP
B.To identify applications regardless of port
C.To classify traffic based on port numbers only
D.To encrypt traffic
AnswerB

DPI can identify applications even if they use non-standard ports.

Why this answer

DPI inspects packet payloads to identify application-layer protocols (e.g., HTTP, BitTorrent), enabling traffic shaping, QoS, or security policies.

74
MCQhard

During a DDoS attack, a service provider uses Cisco Peakflow to detect anomalous traffic and then triggers S/RTBH. What must be configured on the router to black hole attack traffic using a /32 null route?

A.QoS policy to rate-limit attack traffic
B.An inbound ACL blocking the attack source IPs
C.A static route to Null0 for the victim IP and a BGP community to trigger blackholing
D.PBR to redirect traffic to a scrubbing center
AnswerC

This is the standard S/RTBH mechanism.

Why this answer

S/RTBH relies on BGP to propagate a /32 route with a specific community (commonly no-export) pointing to a null interface (e.g., Null0). The trigger router installs a static route to Null0 for the victim /32 and advertises it via BGP.

75
MCQmedium

An engineer is hardening the management plane of an IOS XR router. Which combination is the most secure for remote administration?

A.SSH with TACACS+ authentication and authorization
B.HTTP with local authentication
C.Telnet with local authentication
D.SSH with RADIUS authentication
AnswerA

SSH encryption, plus TACACS+ full-payload encryption and granular command authorization.

Why this answer

SSH provides encrypted remote access, and TACACS+ offers granular AAA control with encryption of all traffic, making it more secure than RADIUS (which encrypts only the password) or local authentication.
