Practice 300-410 IPv6 First Hop Security questions with full explanations on every answer.
Start practicing
IPv6 First Hop Security — choose a session length
Free · No account required
Click any question to see the full explanation and answer options, or start a focused practice session above.
A network engineer is troubleshooting an IPv6 neighbor discovery issue on a switch running IOS-XE. Hosts on VLAN 100 are intermittently losing connectivity to the default gateway. The switch is configured with IPv6 First Hop Security features including RA Guard and DHCPv6 Guard. The engineer notices that the switch is dropping valid Router Advertisements from the legitimate router. What is the most likely cause of this issue?
2An engineer is troubleshooting a network where IPv6 hosts cannot obtain IP addresses via DHCPv6. The switch is configured with DHCPv6 Guard to prevent rogue DHCP servers. The legitimate DHCPv6 server is connected to port GigabitEthernet1/0/1. The engineer sees that DHCPv6 Solicit messages from hosts reach the server, but the server's Advertise and Reply messages are not reaching the hosts. What is the most likely root cause?
3A network engineer is troubleshooting an issue where IPv6 traffic is being forwarded incorrectly on a switch. The switch is configured with IPv6 Source Guard on access ports. A legitimate host on port Fa0/1 with IPv6 address 2001:db8:1::10 is unable to send traffic to the default gateway. The engineer checks the IPv6 binding table and sees that the host's entry is missing. What is the most likely cause?
4An engineer is troubleshooting an IPv6 connectivity issue where hosts on VLAN 10 cannot reach the internet. The switch is configured with IPv6 First Hop Security features including RA Guard and DHCPv6 Guard. The legitimate router is connected to port Gi1/0/1. The engineer notices that the router is sending RAs, but hosts are not receiving them. The switch shows that RA Guard is dropping packets on port Gi1/0/1. What is the most likely misconfiguration?
5A network engineer is troubleshooting an issue where IPv6 hosts are unable to perform Duplicate Address Detection (DAD) successfully. The switch is configured with IPv6 First Hop Security features including ND Inspection and ND Suppress. The engineer notices that Neighbor Solicitation messages for DAD are being dropped by the switch. What is the most likely cause?
6An engineer is troubleshooting a network where IPv6 hosts on VLAN 20 are unable to communicate with each other. The switch is configured with IPv6 First Hop Security features including Private VLAN (PVLAN) and IPv6 Source Guard. The hosts are in the same VLAN but cannot ping each other. What is the most likely cause?
7A network engineer is troubleshooting an issue where IPv6 traffic from a host is being dropped by the switch. The switch has IPv6 Source Guard enabled. The host has a static IPv6 address 2001:db8:2::20. The engineer sees that the binding table does not contain an entry for this host. What should the engineer do to resolve the issue without disabling IPv6 Source Guard?
8An engineer is troubleshooting an issue where a rogue IPv6 router is sending false Router Advertisements on the network, causing hosts to use a malicious default gateway. The switch is configured with IPv6 First Hop Security features. The engineer wants to prevent this attack while allowing the legitimate router to send RAs. What is the correct configuration approach?
9A network engineer is troubleshooting an issue where IPv6 hosts are receiving multiple Router Advertisements from different routers, causing routing instability. The switch is configured with IPv6 First Hop Security features. The engineer wants to ensure that only the primary router's RAs are accepted by hosts. What is the most effective solution?
10A network engineer runs the following command on Router R1: R1# show ipv6 snooping policy Interface Policy Role State Gi0/0/0 GUARD_POLICY device-guard ACTIVE Gi0/0/1 GUARD_POLICY device-guard ACTIVE Gi0/0/2 (default) host ACTIVE Based on this output, which statement is correct?
11A network engineer runs the following command on Router R1: R1# show ipv6 nd raguard policy Interface Policy Role State Gi0/0/0 RA_GUARD router ACTIVE Gi0/0/1 RA_GUARD host ACTIVE Gi0/0/2 (default) host ACTIVE Based on this output, which statement is correct?
12A network engineer runs the following command on Router R1: R1# show ipv6 dhcp guard policy Interface Policy Role State Gi0/0/0 DHCP_GUARD server ACTIVE Gi0/0/1 DHCP_GUARD client ACTIVE Gi0/0/2 (default) client ACTIVE Based on this output, which statement is correct?
13A network engineer runs the following command on Router R1: R1# show ipv6 source-guard policy Interface Policy Role State Gi0/0/0 SRC_GUARD host ACTIVE Gi0/0/1 SRC_GUARD host ACTIVE Gi0/0/2 (default) host ACTIVE Based on this output, which statement is correct?
14A network engineer runs the following command on Router R1: R1# show ipv6 neighbors IPv6 Address Age Link-layer Addr State Interface 2001:DB8:1::1 0 aaaa.bbbb.cccc REACH Gi0/0/0 2001:DB8:1::2 10 aaaa.bbbb.cccd STALE Gi0/0/0 2001:DB8:1::3 - aaaa.bbbb.ccce DELAY Gi0/0/1 FE80::1 0 aaaa.bbbb.cccf REACH Gi0/0/0 Based on this output, which statement is correct?
15A network engineer runs the following command on Router R1: R1# show ipv6 dhcp binding Client: FE80::1 DUID: 0003000100AABBCCDDEE Username: unknown IA NA: IA ID 0x00010001, T1 302400, T2 483840 Address: 2001:DB8:1::100/128 Preferred lifetime 604800, valid lifetime 2592000 Expires at Sep 15 2024 12:00 PM (2592000 seconds) Based on this output, which statement is correct?
16A network engineer runs the following command on Router R1: R1# show ipv6 dhcp interface Gi0/0/0 Gi0/0/0 is in server mode Uses prefix 2001:DB8:1::/64 Rapid-Commit is disabled Preference value: 0 Information refresh option: 86400 DNS server: 2001:DB8::1 Domain name: example.com Active clients: 5 Pool: DHCP_POOL Based on this output, which statement is correct?
17A network engineer runs the following command on Router R1: R1# show ipv6 traffic IPv6 statistics: Rcvd: 1000 total, 800 unicast, 200 multicast Sent: 900 total, 700 unicast, 200 multicast Errors: 0 Dropped: 0 ND statistics: NS: 50 received, 40 sent NA: 30 received, 20 sent RS: 10 received, 5 sent RA: 2 received, 8 sent Redirect: 0 received, 0 sent Based on this output, which statement is correct?
18A network engineer runs the following command on Router R1: R1# show ipv6 snooping binding IPv6 Address MAC Address VLAN Interface State 2001:DB8:1::100 aaaa.bbbb.cccc 10 Gi0/0/0 ACTIVE 2001:DB8:1::101 aaaa.bbbb.cccd 10 Gi0/0/0 ACTIVE 2001:DB8:1::102 aaaa.bbbb.ccce 10 Gi0/0/1 ACTIVE 2001:DB8:1::103 aaaa.bbbb.cccf 10 Gi0/0/1 ACTIVE Based on this output, which statement is correct?
19Interface GigabitEthernet0/1 is configured as shown: interface GigabitEthernet0/1 ipv6 address 2001:db8:1::1/64 ipv6 nd raguard ipv6 nd prefix default no-autoconfig What is the effect of this configuration?
20Examine the following partial IPv6 DHCP guard configuration: ipv6 dhcp guard policy DHCP_GUARD device-role server match server access-list SERVER_ACL interface GigabitEthernet0/2 ipv6 dhcp guard policy DHCP_GUARD Which statement is true about this configuration?
21A network engineer configures IPv6 Source Guard on an interface: interface GigabitEthernet0/3 ipv6 verify source What is the immediate effect of this command?
22Consider the following partial configuration: ipv6 nd inspection policy ND_INSPECT device-role host trusted-port interface GigabitEthernet0/4 ipv6 nd inspection policy ND_INSPECT What is the effect of the 'trusted-port' command in this policy?
23An engineer applies the following configuration to an interface: interface GigabitEthernet0/5 ipv6 dhcp guard attach-policy DHCP_GUARD ipv6 snooping database file nvram:ipv6-snoop.db Which statement is true?
24Which configuration is missing to properly implement IPv6 First Hop Security on an access switch port that should only allow traffic from a single host with a static IPv6 address 2001:db8:1::10?
25What is the default role of an interface in IPv6 Neighbor Discovery Inspection when no policy is explicitly applied?
26In IPv6 First Hop Security, what is the purpose of the 'device-role' command in a DHCP guard policy?
27Which RFC defines the IPv6 Neighbor Discovery Protocol that is the basis for many First Hop Security features?
28Which TWO commands can be used to verify the operation of IPv6 First Hop Security features such as RA Guard and DHCPv6 Guard on a Cisco IOS-XE switch? (Choose TWO.)
29Which TWO statements about IPv6 Neighbor Discovery (ND) Inspection are true? (Choose TWO.)
30Which TWO configuration steps are required to enable IPv6 RA Guard on a Cisco switch interface? (Choose TWO.)
31Which THREE symptoms indicate that IPv6 First Hop Security features are misconfigured or not functioning correctly? (Choose THREE.)
32Which THREE statements about IPv6 Source Guard are true? (Choose THREE.)
33A large enterprise network is experiencing intermittent IPv6 connectivity loss for hosts on VLAN 100. Router R1 has the following relevant configuration: interface GigabitEthernet0/0.100 encapsulation dot1Q 100 ipv6 address 2001:DB8:1:100::1/64 ipv6 nd raguard ipv6 nd prefix default ipv6 dhcp relay destination 2001:DB8:1:200::1 ! Router R2 shows: debug ipv6 dhcp relay output indicates that DHCPv6 requests from VLAN 100 are being relayed, but the server never receives the SOLICIT messages. What is the root cause?
34A network engineer notices that IPv6 hosts on a segment are not receiving Router Advertisements, even though Router R1 has IPv6 unicast-routing enabled and an IPv6 address on the interface. Router R1 has the following relevant configuration: interface GigabitEthernet0/0 ipv6 address 2001:DB8:1::1/64 ipv6 nd suppress-ra ! Router R2, connected to the same segment, shows: no IPv6 neighbors in the neighbor cache for R1's link-local address. What is the root cause?
35A network engineer is troubleshooting IPv6 connectivity issues on a multi-access segment where Router R1 and Router R2 are both acting as default routers. Hosts on the segment are not using R1 as a preferred router, even though R1 has a higher router preference. Router R1 has the following relevant configuration: interface GigabitEthernet0/0 ipv6 address 2001:DB8:1::1/64 ipv6 nd router-preference high ! Router R2 shows: debug ipv6 nd output indicates that R2 is sending RAs with default preference (medium). What is the root cause?
36A network engineer is troubleshooting IPv6 neighbor discovery issues on a VLAN. Router R1 is configured with IPv6 First Hop Security features. Hosts are unable to communicate with each other, even though they have valid IPv6 addresses. Router R1 has the following relevant configuration: interface Vlan100 ipv6 address 2001:DB8:1:100::1/64 ipv6 nd raguard ipv6 dhcp guard ipv6 source guard ! Router R2 shows: debug ipv6 nd output indicates that Neighbor Solicitations from hosts are being dropped. What is the root cause?
37A network engineer is troubleshooting IPv6 routing issues between two routers connected via a serial link. Router R1 and Router R2 are running OSPFv3. The OSPFv3 adjacency is not forming. Router R1 has the following relevant configuration: interface Serial0/0 ipv6 address 2001:DB8:1::1/64 ipv6 ospf 1 area 0 ! Router R2 shows: debug ipv6 ospf hello output indicates that R2 is receiving Hello packets from R1, but the neighbor state remains INIT. What is the root cause?
38A network engineer is troubleshooting IPv6 redistribution between EIGRP and OSPFv3 on Router R1. Routes from OSPFv3 are being redistributed into EIGRP, but they are not appearing in the EIGRP topology table. Router R1 has the following relevant configuration: router eigrp Test address-family ipv6 unicast redistribute ospf 1 metric 10000 100 255 1 1500 ! Router R2 shows: show ipv6 eigrp topology output does not include any OSPF-derived routes. What is the root cause?
39A network engineer is troubleshooting IPv6 BGP path selection on Router R1. Router R1 is receiving a prefix from two different BGP peers, but it is not selecting the expected best path. Router R1 has the following relevant configuration: router bgp 65000 address-family ipv6 unicast neighbor 2001:DB8:1::2 route-map SET_LOCAL_PREF in neighbor 2001:DB8:2::2 route-map SET_MED in ! route-map SET_LOCAL_PREF permit 10 set local-preference 200 ! route-map SET_MED permit 10 set metric 50 ! Router R2 shows: show bgp ipv6 unicast 2001:DB8:3::/64 output indicates that the path from 2001:DB8:1::2 has local preference 200, but the path from 2001:DB8:2::2 is selected. What is the root cause?
40A network engineer is troubleshooting IPv6 DMVPN phase 2 spoke-to-spoke tunnel failures. Spoke routers are able to communicate with the hub, but direct spoke-to-spoke traffic is not working. Router R1 (spoke) has the following relevant configuration: interface Tunnel0 ipv6 address 2001:DB8:1::1/64 tunnel source GigabitEthernet0/0 tunnel mode gre multipoint ipv6 nhrp network-id 1 ipv6 nhrp nhs 2001:DB8:1::2 ipv6 nhrp map multicast dynamic ! Router R2 (hub) shows: show ipv6 nhrp brief output indicates that both spokes are registered. What is the root cause?
41A network engineer is troubleshooting IPv6 MPLS LDP neighbor discovery on a link between Router R1 and Router R2. The LDP session is not forming. Router R1 has the following relevant configuration: interface GigabitEthernet0/0 ipv6 address 2001:DB8:1::1/64 mpls ip mpls ldp discovery transport-address interface ! Router R2 shows: debug mpls ldp discovery output indicates that R2 is receiving Hello packets from R1, but the LDP session remains in INIT state. What is the root cause?
42A network engineer runs the following command to troubleshoot an IPv6 First Hop Security issue: R1# debug ipv6 nd raguard *Mar 1 00:01:23.456: IPv6-ND-RA-Guard: R1, Fa0/0, RA received on port Fa0/0, src fe80::1, dst ff02::1 *Mar 1 00:01:23.456: IPv6-ND-RA-Guard: R1, Fa0/0, RA from fe80::1 is allowed by policy TRUSTED *Mar 1 00:01:24.789: IPv6-ND-RA-Guard: R1, Fa0/0, RA received on port Fa0/0, src fe80::2, dst ff02::1 *Mar 1 00:01:24.789: IPv6-ND-RA-Guard: R1, Fa0/0, RA from fe80::2 is blocked by policy UNTRUSTED What does this output indicate?
43A network engineer runs the following command to verify IPv6 First Hop Security operation: R1# show ipv6 nd raguard policy TRUSTED Policy: TRUSTED Status: Active Device role: host Trusted ports: Fa0/1 Untrusted ports: none RA Guard: enabled RA Guard policy: allow ND inspection: enabled ND inspection policy: INSPECT What does this output indicate?
44A network engineer runs the following command to troubleshoot IPv6 ND inspection: R1# debug ipv6 nd inspection *Mar 1 00:02:34.567: IPv6-ND-Inspection: R1, Fa0/0, NS from fe80::1 to ff02::1, target 2001:db8::1, options: SLLA 0011.2233.4455 *Mar 1 00:02:34.567: IPv6-ND-Inspection: R1, Fa0/0, NS from fe80::1 to ff02::1, target 2001:db8::1, SLLA 0011.2233.4455 is allowed by policy INSPECT *Mar 1 00:02:35.890: IPv6-ND-Inspection: R1, Fa0/0, NA from fe80::2 to fe80::1, target 2001:db8::2, options: TLLA 00aa.bbcc.ddee *Mar 1 00:02:35.890: IPv6-ND-Inspection: R1, Fa0/0, NA from fe80::2 to fe80::1, target 2001:db8::2, TLLA 00aa.bbcc.ddee is blocked by policy INSPECT What does this output indicate?
45A network engineer runs the following command to verify IPv6 ND inspection policy: R1# show ipv6 nd inspection policy INSPECT Policy: INSPECT Status: Active Device role: node Trusted ports: none Untrusted ports: Fa0/0 ND inspection: enabled Validation: - Source MAC address: verify - Destination MAC address: verify - IPv6 source address: verify - IPv6 destination address: verify - Nonce: disabled - Timestamp: disabled What does this output indicate?
46A network engineer runs the following command to troubleshoot DHCPv6 guard: R1# debug ipv6 dhcp guard *Mar 1 00:03:45.678: IPv6-DHCP-Guard: R1, Fa0/0, DHCPv6 SOLICIT from fe80::3, client DUID 00010001abcd1234 *Mar 1 00:03:45.678: IPv6-DHCP-Guard: R1, Fa0/0, DHCPv6 SOLICIT from fe80::3 is allowed by policy DHCP-POLICY *Mar 1 00:03:46.901: IPv6-DHCP-Guard: R1, Fa0/0, DHCPv6 ADVERTISE from fe80::4, server DUID 0001000156789012 *Mar 1 00:03:46.901: IPv6-DHCP-Guard: R1, Fa0/0, DHCPv6 ADVERTISE from fe80::4 is blocked by policy DHCP-POLICY What does this output indicate?
47A network engineer runs the following command to verify DHCPv6 guard policy: R1# show ipv6 dhcp guard policy DHCP-POLICY Policy: DHCP-POLICY Status: Active Device role: dhcp-client Trusted ports: none Untrusted ports: Fa0/0 DHCPv6 guard: enabled DHCPv6 guard action: block DHCPv6 server validation: enabled DHCPv6 server list: 2001:db8::10 What does this output indicate?
48A network engineer runs the following command to troubleshoot IPv6 source guard: R1# debug ipv6 source-guard *Mar 1 00:04:56.789: IPv6-Source-Guard: R1, Fa0/0, IPv6 packet from 2001:db8::5, src MAC 0011.2233.4455, dst 2001:db8::1 *Mar 1 00:04:56.789: IPv6-Source-Guard: R1, Fa0/0, Binding lookup: 2001:db8::5 not found in binding table *Mar 1 00:04:56.789: IPv6-Source-Guard: R1, Fa0/0, Packet dropped: source 2001:db8::5 not allowed What does this output indicate?
49A network engineer runs the following command to verify IPv6 binding table: R1# show ipv6 neighbors binding IPv6 Address Age Link-layer Addr State Interface VLAN Policy 2001:db8::1 10 0011.2233.4455 REACH Fa0/1 10 TRUSTED 2001:db8::2 5 00aa.bbcc.ddee STALE Fa0/0 10 INSPECT 2001:db8::3 0 1111.2222.3333 INCOMP Fa0/0 10 - What does this output indicate?
50A network engineer runs the following command to verify IPv6 device tracking: R1# show ipv6 device-tracking database Interface MAC Address VLAN IPv6 Address State Age Policy Fa0/0 0011.2233.4455 10 2001:db8::1 ACTIVE 10 TRUSTED Fa0/0 00aa.bbcc.ddee 10 2001:db8::2 ACTIVE 5 INSPECT Fa0/0 1111.2222.3333 10 2001:db8::3 VERIFY 0 - What does this output indicate?
51What is the default value of the Router Advertisement (RA) interval in IPv6 First Hop Security (FHS) when using the 'ipv6 nd ra-interval' command on an IOS-XE interface?
52What is the default value of the RA lifetime (Router Lifetime) in IPv6 Router Advertisements on Cisco IOS-XE?
53In IPv6 First Hop Security, which feature is used to prevent duplicate address detection (DAD) attacks by snooping Neighbor Discovery (ND) messages?
54What is the default value of the 'hold-down' timer in IPv6 FHS's ND Snooping feature on Cisco IOS-XE?
55Which IPv6 FHS feature uses a 'device tracking' database to maintain reachability information for hosts?
56In IPv6 FHS, what is the default action for 'RA Guard' when a rogue RA is detected on a switch port?
57What is the default value of the 'limit' parameter in the 'ipv6 nd prefix' command for the number of prefixes advertised in RA messages?
58In IPv6 FHS, which protocol is used to secure Neighbor Discovery messages with cryptographic authentication?
59What is the default value of the 'reachable time' in IPv6 Neighbor Discovery (ND) on Cisco IOS-XE?
60Drag and drop the steps to configure IPv6 RA Guard on a switch into the correct order, from first to last.
61Drag and drop the steps to troubleshoot IPv6 First Hop Security adjacency or connectivity failures into the correct order, from first to last.
62Drag and drop the steps to verify and validate IPv6 First Hop Security operational state into the correct order, from first to last.
63Which TWO statements about IPv6 First Hop Security (FHS) RA Guard are true? (Choose TWO.)
64Which TWO statements about IPv6 First Hop Security (FHS) Source Guard are true? (Choose TWO.)
65An engineer is troubleshooting IPv6 connectivity issues on a switch that has IPv6 First Hop Security features enabled. Clients are unable to obtain a valid IPv6 address via SLAAC. Which TWO configuration changes could resolve this issue? (Choose TWO.)
66Which THREE commands can be used to verify IPv6 First Hop Security (FHS) bindings or operations? (Choose THREE.)
67Which TWO statements about IPv6 First Hop Security (FHS) Device Tracking are true? (Choose TWO.)
68An engineer configures IPv6 RA Guard on a switch port connected to a router running OSPFv3. Unexpectedly, OSPFv3 neighbor adjacencies fail to form on that link. Which is the most likely explanation?
69A network engineer enables IPv6 First Hop Security with 'ipv6 dhcp guard' on a switch port connected to a legitimate DHCPv6 server. Clients on other ports receive DHCPv6 replies, but the server's port is being err-disabled repeatedly. The engineer checks the logs and sees DHCPv6 server advertisements being dropped. What is the most likely cause?
70An engineer configures IPv6 Source Guard on a switch port with 'ipv6 verify source' and also enables 'ipv6 snooping' globally. A legitimate host on that port is unable to send traffic, and the switch logs show that packets are being dropped due to source address validation failure. The host has a static IPv6 address and the engineer has configured a static binding using 'ipv6 neighbor binding' command. What is the most likely oversight?
71A network administrator configures 'ipv6 nd raguard' on a switch port connected to a router. The router is sending Router Advertisements with a non-zero Router Lifetime. The switch logs indicate that RAs are being dropped, and the port goes into err-disable state. The engineer checks the RA Guard policy and sees that the default policy is applied. What is the most likely reason for the drops?
72An engineer enables 'ipv6 destination guard' on a switch to prevent IPv6 address spoofing. After configuration, a legitimate host on a port is unable to receive traffic from the network, although it can send traffic. The host has a global unicast address. The switch logs show that destination guard is dropping packets destined to that host. What is the most likely cause?
73A network engineer configures 'ipv6 snooping' globally on a switch and applies 'ipv6 verify source' on a port connected to a router running OSPFv3. The router's OSPFv3 neighborship with another router across the switch fails. The switch logs show that OSPFv3 packets are being dropped. The engineer checks the binding table and sees no entries for the router's link-local address. What is the most likely reason?
74An engineer configures 'ipv6 nd suppress' on a switch port to prevent the switch from sending Router Advertisements. However, after this configuration, hosts on that port cannot obtain IPv6 addresses via SLAAC, even though a router on another port is sending RAs. What is the most likely explanation?
75A network administrator configures 'ipv6 dhcp guard' on a switch and sets the policy to 'allow only' for a specific DHCPv6 server. However, clients are still receiving DHCPv6 replies from a rogue server on the same VLAN. The engineer verifies that the rogue server's port is not trusted. What is the most likely reason the rogue server's advertisements are not being blocked?
76An engineer configures 'ipv6 verify source' with 'allow-default' on a switch port connected to a router that uses a default route via a static route. The router's traffic is being dropped by Source Guard. The engineer sees that the router's source address is in the binding table. What is the most likely cause?
The IPv6 First Hop Security domain covers the key concepts tested in this area of the 300-410 exam blueprint published by Cisco. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all 300-410 domains — no account required.
The Courseiva 300-410 question bank contains 76 questions in the IPv6 First Hop Security domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the IPv6 First Hop Security domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
Save your results, see per-domain analytics, and get readiness scores — free, for every certification.
Sign Up FreeFree forever · Every certification included