350-501 · topic practice

Security and Services practice questions

Practise Cisco SPCOR / CCNP Service Provider Core 350-501 Security and Services practice questions — original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed byJohnson Ajibi· MSc IT Security
20 questionsDomain: Security and Services

What the exam tests

What to know about Security and Services

Security and Services questions test whether you can apply the concept in context, not just recognise a definition.

How the topic appears in realistic exam-style scenarios.

Which detail in the question changes the correct answer.

How to eliminate plausible but wrong options.

How to connect the question back to the wider exam objective.

Watch out for

Common Security and Services exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

Security and Services questions

20 questions · select your answer, then reveal the explanation

Question 1easymultiple choice
Review the full routing breakdown →

A service provider wants to protect its routers from CPU overload caused by excessive traffic to the control plane. Which mechanism should be configured on IOS XR routers to classify and rate-limit management traffic?

Question 2mediummultiple choice
Review the full routing breakdown →

An engineer is configuring management plane hardening on an IOS XR router. The requirement is to authenticate users against a central server and provide granular command authorization. Which protocol and feature should be used?

Question 3mediummultiple choice
Review the full routing breakdown →

A service provider is deploying uRPF on customer-facing interfaces to prevent IP spoofing. The network has asymmetric routing due to multiple upstream connections. Which uRPF mode should be used?

Question 4hardmultiple choice
Review the full routing breakdown →

During a DDoS attack, an SP uses Cisco Peakflow for detection and wants to drop attack traffic at the edge routers. They decide to use S/RTBH. Which action must be performed on the edge routers to trigger the black hole?

Question 5mediummultiple choice
Open the full BGP breakdown →

An SP wants to filter BGP prefixes received from a customer to prevent hijacking. Which two tools can be used together on the provider edge router to implement inbound prefix filtering?

Question 6hardmultiple choice
Open the full BGP breakdown →

An SP is implementing RPKI to validate BGP route origins. They have set up an RPKI cache and configured routers with the RPKI-to-Router (RTR) protocol. During validation, a route is received with an AS that does not match any ROA. What is the validation state?

Question 7easymultiple choice
Open the full BGP breakdown →

A network engineer needs to perform maintenance on a BGP router without causing traffic loss. They plan to use BGP Graceful Shutdown (GSHUT). What does GSHUT do?

Question 8mediummultiple choice
Read the full MPLS explanation →

To prevent MPLS label spoofing in a Layer 3 VPN, which configuration should be applied on the PE-CE link?

A service provider is deploying a BNG for subscriber management. Which protocol is used to authenticate subscribers and assign IP addresses via the BNG?

Question 10hardmultiple choice
Read the full NAT/PAT explanation →

An SP is implementing CGNAT to conserve IPv4 addresses. For legal compliance, they must log all NAT translations with timestamps and source/destination information. Which CGNAT feature should be enabled?

An SP uses DPI to classify traffic. What is the primary purpose of DPI in a service provider network?

Question 12mediummultiple choice
Review the full routing breakdown →

An engineer is configuring NTP authentication on IOS XR routers to ensure secure time synchronization. What is required for NTP authentication to work?

Question 13easymulti select
Review the full routing breakdown →

An SP wants to secure management access to IOS XR routers. Which two measures should be implemented? (Choose two.)

Question 14mediummulti select
Open the full BGP breakdown →

An SP is implementing DDoS mitigation using BGP FlowSpec. Which three types of actions can be specified in a FlowSpec rule? (Choose three.)

Question 15hardmulti select
Open the full BGP breakdown →

An SP is deploying BGP security features. Which three mechanisms can be used to prevent BGP route hijacking? (Choose three.)

Question 16mediummultiple choice
Review the full routing breakdown →

A service provider wants to protect its core routers from CPU exhaustion caused by excessive ICMP traffic. Which control plane protection mechanism on IOS XR would be most appropriate to rate-limit ICMP packets destined to the router?

Question 17easymultiple choice
Review the full routing breakdown →

An SP engineers want to restrict management access to their IOS XR routers. Which combination provides the most secure management plane hardening?

Question 18hardmultiple choice
Review the full routing breakdown →

A service provider deploys uRPF on customer-facing interfaces to prevent IP spoofing. They have a multihomed customer with asymmetric routing. Which uRPF mode should be used to avoid dropping legitimate traffic?

Question 19mediummultiple choice
Review the full routing breakdown →

During a DDoS attack, an SP wants to drop traffic destined to the victim IP at the network edge without affecting other traffic. Which technique should be used to achieve this by propagating a black-hole route from a trigger router to all edge routers?

Question 20easymultiple choice
Open the full BGP breakdown →

A service provider uses BGP to exchange routes with customers. To prevent the customer from announcing prefixes they do not own (BGP hijacking), which tool should the provider apply on the customer-facing BGP session?

Free account

Track your progress over time

Create a free account to save your results and see which topics improve across sessions.

Focused Security and Services sessions

Start a Security and Services only practice session

Every question in these sessions is drawn from the Security and Services domain — nothing else.

Related practice questions

Related 350-501 topic practice pages

Move into related areas when this topic feels solid.

Frequently asked questions

What does the 350-501 exam test about Security and Services?
Security and Services questions test whether you can apply the concept in context, not just recognise a definition.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Security and Services questions in a focused session?
Yes — the session launcher on this page draws every question from the Security and Services domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other 350-501 topics?
Use the topic links above to move to related areas, or go back to the 350-501 question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the 350-501 exam covers. They are not copied from any real exam or dump site.