Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

300-410 IPv6 First Hop Security • Complete Question Bank

300-410 IPv6 First Hop Security — All Questions With Answers

Complete 300-410 IPv6 First Hop Security question bank — all 76 questions with answers and detailed explanations.

76 Questions • Free • No signup
Question 1 • medium • multiple choice

A network engineer is troubleshooting an IPv6 neighbor discovery issue on a switch running IOS-XE. Hosts on VLAN 100 are intermittently losing connectivity to the default gateway. The switch is configured with IPv6 First Hop Security features including RA Guard and DHCPv6 Guard. The engineer notices that the switch is dropping valid Router Advertisements from the legitimate router. What is the most likely cause of this issue?

Question 2 • hard • multiple choice

An engineer is troubleshooting a network where IPv6 hosts cannot obtain IP addresses via DHCPv6. The switch is configured with DHCPv6 Guard to prevent rogue DHCP servers. The legitimate DHCPv6 server is connected to port GigabitEthernet1/0/1. The engineer sees that DHCPv6 Solicit messages from hosts reach the server, but the server's Advertise and Reply messages are not reaching the hosts. What is the most likely root cause?

Question 3 • medium • multiple choice

A network engineer is troubleshooting an issue where IPv6 traffic is being forwarded incorrectly on a switch. The switch is configured with IPv6 Source Guard on access ports. A legitimate host on port Fa0/1 with IPv6 address 2001:db8:1::10 is unable to send traffic to the default gateway. The engineer checks the IPv6 binding table and sees that the host's entry is missing. What is the most likely cause?

Question 4 • hard • multiple choice

An engineer is troubleshooting an IPv6 connectivity issue where hosts on VLAN 10 cannot reach the internet. The switch is configured with IPv6 First Hop Security features including RA Guard and DHCPv6 Guard. The legitimate router is connected to port Gi1/0/1. The engineer notices that the router is sending RAs, but hosts are not receiving them. The switch shows that RA Guard is dropping packets on port Gi1/0/1. What is the most likely misconfiguration?

Question 5 • hard • multiple choice

A network engineer is troubleshooting an issue where IPv6 hosts are unable to perform Duplicate Address Detection (DAD) successfully. The switch is configured with IPv6 First Hop Security features including ND Inspection and ND Suppress. The engineer notices that Neighbor Solicitation messages for DAD are being dropped by the switch. What is the most likely cause?

Question 6 • medium • multiple choice

An engineer is troubleshooting a network where IPv6 hosts on VLAN 20 are unable to communicate with each other. The switch is configured with IPv6 First Hop Security features including Private VLAN (PVLAN) and IPv6 Source Guard. The hosts are in the same VLAN but cannot ping each other. What is the most likely cause?

Question 7 • medium • multiple choice

A network engineer is troubleshooting an issue where IPv6 traffic from a host is being dropped by the switch. The switch has IPv6 Source Guard enabled. The host has a static IPv6 address 2001:db8:2::20. The engineer sees that the binding table does not contain an entry for this host. What should the engineer do to resolve the issue without disabling IPv6 Source Guard?

Question 8 • hard • multiple choice

An engineer is troubleshooting an issue where a rogue IPv6 router is sending false Router Advertisements on the network, causing hosts to use a malicious default gateway. The switch is configured with IPv6 First Hop Security features. The engineer wants to prevent this attack while allowing the legitimate router to send RAs. What is the correct configuration approach?

Question 9 • medium • multiple choice

A network engineer is troubleshooting an issue where IPv6 hosts are receiving multiple Router Advertisements from different routers, causing routing instability. The switch is configured with IPv6 First Hop Security features. The engineer wants to ensure that only the primary router's RAs are accepted by hosts. What is the most effective solution?

Question 10 • medium • multiple choice

A network engineer runs the following command on Router R1:

R1# show ipv6 snooping policy
Interface                      Policy                      Role            State
Gi0/0/0                        GUARD_POLICY                device-guard    ACTIVE
Gi0/0/1                        GUARD_POLICY                device-guard    ACTIVE
Gi0/0/2                        (default)                   host            ACTIVE

Based on this output, which statement is correct?

Question 11 • medium • multiple choice

A network engineer runs the following command on Router R1:

R1# show ipv6 nd raguard policy
Interface                      Policy                      Role            State
Gi0/0/0                        RA_GUARD                    router          ACTIVE
Gi0/0/1                        RA_GUARD                    host            ACTIVE
Gi0/0/2                        (default)                   host            ACTIVE

Based on this output, which statement is correct?

Question 12 • medium • multiple choice

A network engineer runs the following command on Router R1:

R1# show ipv6 dhcp guard policy
Interface                      Policy                      Role            State
Gi0/0/0                        DHCP_GUARD                  server          ACTIVE
Gi0/0/1                        DHCP_GUARD                  client          ACTIVE
Gi0/0/2                        (default)                   client          ACTIVE

Based on this output, which statement is correct?

Question 13 • medium • multiple choice

A network engineer runs the following command on Router R1:

R1# show ipv6 source-guard policy
Interface                      Policy                      Role            State
Gi0/0/0                        SRC_GUARD                   host            ACTIVE
Gi0/0/1                        SRC_GUARD                   host            ACTIVE
Gi0/0/2                        (default)                   host            ACTIVE

Based on this output, which statement is correct?

Question 14 • medium • multiple choice

A network engineer runs the following command on Router R1:

R1# show ipv6 neighbors

IPv6 Address      Age  Link-layer Addr  State  Interface
2001:DB8:1::1     0    aaaa.bbbb.cccc   REACH  Gi0/0/0
2001:DB8:1::2     10   aaaa.bbbb.cccd   STALE  Gi0/0/0
2001:DB8:1::3     -    aaaa.bbbb.ccce   DELAY  Gi0/0/1
FE80::1           0    aaaa.bbbb.cccf   REACH  Gi0/0/0

Based on this output, which statement is correct?

Question 15 • medium • multiple choice

A network engineer runs the following command on Router R1:

R1# show ipv6 dhcp binding

Client: FE80::1
  DUID: 0003000100AABBCCDDEE
  Username: unknown
  IA NA: IA ID 0x00010001, T1 302400, T2 483840
    Address: 2001:DB8:1::100/128
            Preferred lifetime 604800, valid lifetime 2592000
            Expires at Sep 15 2024 12:00 PM (2592000 seconds)

Based on this output, which statement is correct?

Question 16 • medium • multiple choice

A network engineer runs the following command on Router R1:

R1# show ipv6 dhcp interface Gi0/0/0

Gi0/0/0 is in server mode
  Uses prefix 2001:DB8:1::/64
  Rapid-Commit is disabled
  Preference value: 0
  Information refresh option: 86400
  DNS server: 2001:DB8::1
  Domain name: example.com
  Active clients: 5
  Pool: DHCP_POOL

Based on this output, which statement is correct?

Question 17 • medium • multiple choice

A network engineer runs the following command on Router R1:

R1# show ipv6 traffic

IPv6 statistics:
  Rcvd: 1000 total, 800 unicast, 200 multicast
  Sent: 900 total, 700 unicast, 200 multicast
  Errors: 0
  Dropped: 0
ND statistics:
  NS: 50 received, 40 sent
  NA: 30 received, 20 sent
  RS: 10 received, 5 sent
  RA: 2 received, 8 sent
  Redirect: 0 received, 0 sent

Based on this output, which statement is correct?

Question 18 • medium • multiple choice

A network engineer runs the following command on Router R1:

R1# show ipv6 snooping binding

IPv6 Address      MAC Address      VLAN  Interface  State
2001:DB8:1::100   aaaa.bbbb.cccc   10    Gi0/0/0    ACTIVE
2001:DB8:1::101   aaaa.bbbb.cccd   10    Gi0/0/0    ACTIVE
2001:DB8:1::102   aaaa.bbbb.ccce   10    Gi0/0/1    ACTIVE
2001:DB8:1::103   aaaa.bbbb.cccf   10    Gi0/0/1    ACTIVE

Based on this output, which statement is correct?

Question 19 • medium • multiple choice

Interface GigabitEthernet0/1 is configured as shown:

interface GigabitEthernet0/1
 ipv6 address 2001:db8:1::1/64
 ipv6 nd raguard
 ipv6 nd prefix default no-autoconfig

What is the effect of this configuration?

Question 20 • medium • multiple choice

Examine the following partial IPv6 DHCP guard configuration:

ipv6 dhcp guard policy DHCP_GUARD
 device-role server
 match server access-list SERVER_ACL

interface GigabitEthernet0/2
 ipv6 dhcp guard policy DHCP_GUARD

Which statement is true about this configuration?

Question 21 • medium • multiple choice

A network engineer configures IPv6 Source Guard on an interface:

interface GigabitEthernet0/3
 ipv6 verify source

What is the immediate effect of this command?

Question 22 • medium • multiple choice

Consider the following partial configuration:

ipv6 nd inspection policy ND_INSPECT
 device-role host
 trusted-port

interface GigabitEthernet0/4
 ipv6 nd inspection policy ND_INSPECT

What is the effect of the 'trusted-port' command in this policy?

Question 23 • medium • multiple choice

An engineer applies the following configuration to an interface:

interface GigabitEthernet0/5
 ipv6 dhcp guard attach-policy DHCP_GUARD
 ipv6 snooping database file nvram:ipv6-snoop.db

Which statement is true?

Question 24 • medium • multiple choice

Which configuration is missing to properly implement IPv6 First Hop Security on an access switch port that should only allow traffic from a single host with a static IPv6 address 2001:db8:1::10?

Question 25 • easy • multiple choice

What is the default role of an interface in IPv6 Neighbor Discovery Inspection when no policy is explicitly applied?

Question 26 • medium • multiple choice

In IPv6 First Hop Security, what is the purpose of the 'device-role' command in a DHCP guard policy?

Question 27 • easy • multiple choice

Which RFC defines the IPv6 Neighbor Discovery Protocol that is the basis for many First Hop Security features?

Question 28 • medium • multi select

Which TWO commands can be used to verify the operation of IPv6 First Hop Security features such as RA Guard and DHCPv6 Guard on a Cisco IOS-XE switch? (Choose TWO.)

Question 29 • medium • multi select

Which TWO statements about IPv6 Neighbor Discovery (ND) Inspection are true? (Choose TWO.)

Question 30 • hard • multi select

Which TWO configuration steps are required to enable IPv6 RA Guard on a Cisco switch interface? (Choose TWO.)

Question 31 • medium • multi select

Which THREE symptoms indicate that IPv6 First Hop Security features are misconfigured or not functioning correctly? (Choose THREE.)

Question 32 • hard • multi select

Which THREE statements about IPv6 Source Guard are true? (Choose THREE.)

Question 33 • hard • multiple choice

A large enterprise network is experiencing intermittent IPv6 connectivity loss for hosts on VLAN 100. Router R1 has the following relevant configuration:

interface GigabitEthernet0/0.100
 encapsulation dot1Q 100
 ipv6 address 2001:DB8:1:100::1/64
 ipv6 nd raguard
 ipv6 nd prefix default
 ipv6 dhcp relay destination 2001:DB8:1:200::1
!

Router R2 shows: debug ipv6 dhcp relay output indicates that DHCPv6 requests from VLAN 100 are being relayed, but the server never receives the SOLICIT messages. What is the root cause?

Question 34 • hard • multiple choice

A network engineer notices that IPv6 hosts on a segment are not receiving Router Advertisements, even though Router R1 has IPv6 unicast-routing enabled and an IPv6 address on the interface. Router R1 has the following relevant configuration:

interface GigabitEthernet0/0
 ipv6 address 2001:DB8:1::1/64
 ipv6 nd suppress-ra
!

Router R2, connected to the same segment, shows: no IPv6 neighbors in the neighbor cache for R1's link-local address. What is the root cause?

Question 35 • hard • multiple choice

A network engineer is troubleshooting IPv6 connectivity issues on a multi-access segment where Router R1 and Router R2 are both acting as default routers. Hosts on the segment are not using R1 as a preferred router, even though R1 has a higher router preference. Router R1 has the following relevant configuration:

interface GigabitEthernet0/0
 ipv6 address 2001:DB8:1::1/64
 ipv6 nd router-preference high
!

Router R2 shows: debug ipv6 nd output indicates that R2 is sending RAs with default preference (medium). What is the root cause?

Question 36 • hard • multiple choice

A network engineer is troubleshooting IPv6 neighbor discovery issues on a VLAN. Router R1 is configured with IPv6 First Hop Security features. Hosts are unable to communicate with each other, even though they have valid IPv6 addresses. Router R1 has the following relevant configuration:

interface Vlan100
 ipv6 address 2001:DB8:1:100::1/64
 ipv6 nd raguard
 ipv6 dhcp guard
 ipv6 source guard
!

Router R2 shows: debug ipv6 nd output indicates that Neighbor Solicitations from hosts are being dropped. What is the root cause?

Question 37 • hard • multiple choice

A network engineer is troubleshooting IPv6 routing issues between two routers connected via a serial link. Router R1 and Router R2 are running OSPFv3. The OSPFv3 adjacency is not forming. Router R1 has the following relevant configuration:

interface Serial0/0
 ipv6 address 2001:DB8:1::1/64
 ipv6 ospf 1 area 0
!

Router R2 shows: debug ipv6 ospf hello output indicates that R2 is receiving Hello packets from R1, but the neighbor state remains INIT. What is the root cause?

Question 38 • hard • multiple choice

A network engineer is troubleshooting IPv6 redistribution between EIGRP and OSPFv3 on Router R1. Routes from OSPFv3 are being redistributed into EIGRP, but they are not appearing in the EIGRP topology table. Router R1 has the following relevant configuration:

router eigrp Test
 address-family ipv6 unicast
  redistribute ospf 1 metric 10000 100 255 1 1500
!

Router R2 shows: show ipv6 eigrp topology output does not include any OSPF-derived routes. What is the root cause?

Question 39 • hard • multiple choice

A network engineer is troubleshooting IPv6 BGP path selection on Router R1. Router R1 is receiving a prefix from two different BGP peers, but it is not selecting the expected best path. Router R1 has the following relevant configuration:

router bgp 65000
 address-family ipv6 unicast
  neighbor 2001:DB8:1::2 route-map SET_LOCAL_PREF in
  neighbor 2001:DB8:2::2 route-map SET_MED in
!
route-map SET_LOCAL_PREF permit 10
 set local-preference 200
!
route-map SET_MED permit 10
 set metric 50
!

Router R2 shows: show bgp ipv6 unicast 2001:DB8:3::/64 output indicates that the path from 2001:DB8:1::2 has local preference 200, but the path from 2001:DB8:2::2 is selected. What is the root cause?

Question 40 • hard • multiple choice

A network engineer is troubleshooting IPv6 DMVPN phase 2 spoke-to-spoke tunnel failures. Spoke routers are able to communicate with the hub, but direct spoke-to-spoke traffic is not working. Router R1 (spoke) has the following relevant configuration:

interface Tunnel0
 ipv6 address 2001:DB8:1::1/64
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 ipv6 nhrp network-id 1
 ipv6 nhrp nhs 2001:DB8:1::2
 ipv6 nhrp map multicast dynamic
!

Router R2 (hub) shows: show ipv6 nhrp brief output indicates that both spokes are registered. What is the root cause?

Question 41 • hard • multiple choice

A network engineer is troubleshooting IPv6 MPLS LDP neighbor discovery on a link between Router R1 and Router R2. The LDP session is not forming. Router R1 has the following relevant configuration:

interface GigabitEthernet0/0
 ipv6 address 2001:DB8:1::1/64
 mpls ip
 mpls ldp discovery transport-address interface
!

Router R2 shows: debug mpls ldp discovery output indicates that R2 is receiving Hello packets from R1, but the LDP session remains in INIT state. What is the root cause?

Question 42 • medium • multiple choice

A network engineer runs the following command to troubleshoot an IPv6 First Hop Security issue:

R1# debug ipv6 nd raguard

*Mar  1 00:01:23.456: IPv6-ND-RA-Guard: R1, Fa0/0, RA received on port Fa0/0, src fe80::1, dst ff02::1
*Mar  1 00:01:23.456: IPv6-ND-RA-Guard: R1, Fa0/0, RA from fe80::1 is allowed by policy TRUSTED
*Mar  1 00:01:24.789: IPv6-ND-RA-Guard: R1, Fa0/0, RA received on port Fa0/0, src fe80::2, dst ff02::1
*Mar  1 00:01:24.789: IPv6-ND-RA-Guard: R1, Fa0/0, RA from fe80::2 is blocked by policy UNTRUSTED

What does this output indicate?

Question 43 • medium • multiple choice

A network engineer runs the following command to verify IPv6 First Hop Security operation:

R1# show ipv6 nd raguard policy TRUSTED

Policy: TRUSTED
Status: Active
Device role: host
Trusted ports: Fa0/1
Untrusted ports: none
RA Guard: enabled
RA Guard policy: allow
ND inspection: enabled
ND inspection policy: INSPECT

What does this output indicate?

Question 44 • hard • multiple choice

A network engineer runs the following command to troubleshoot IPv6 ND inspection:

R1# debug ipv6 nd inspection

*Mar  1 00:02:34.567: IPv6-ND-Inspection: R1, Fa0/0, NS from fe80::1 to ff02::1, target 2001:db8::1, options: SLLA 0011.2233.4455
*Mar  1 00:02:34.567: IPv6-ND-Inspection: R1, Fa0/0, NS from fe80::1 to ff02::1, target 2001:db8::1, SLLA 0011.2233.4455 is allowed by policy INSPECT
*Mar  1 00:02:35.890: IPv6-ND-Inspection: R1, Fa0/0, NA from fe80::2 to fe80::1, target 2001:db8::2, options: TLLA 00aa.bbcc.ddee
*Mar  1 00:02:35.890: IPv6-ND-Inspection: R1, Fa0/0, NA from fe80::2 to fe80::1, target 2001:db8::2, TLLA 00aa.bbcc.ddee is blocked by policy INSPECT

What does this output indicate?

Question 45 • medium • multiple choice

A network engineer runs the following command to verify IPv6 ND inspection policy:

R1# show ipv6 nd inspection policy INSPECT

Policy: INSPECT
Status: Active
Device role: node
Trusted ports: none
Untrusted ports: Fa0/0
ND inspection: enabled
Validation:
  - Source MAC address: verify
  - Destination MAC address: verify
  - IPv6 source address: verify
  - IPv6 destination address: verify
  - Nonce: disabled
  - Timestamp: disabled

What does this output indicate?

Question 46 • medium • multiple choice

A network engineer runs the following command to troubleshoot DHCPv6 guard:

R1# debug ipv6 dhcp guard

*Mar  1 00:03:45.678: IPv6-DHCP-Guard: R1, Fa0/0, DHCPv6 SOLICIT from fe80::3, client DUID 00010001abcd1234
*Mar  1 00:03:45.678: IPv6-DHCP-Guard: R1, Fa0/0, DHCPv6 SOLICIT from fe80::3 is allowed by policy DHCP-POLICY
*Mar  1 00:03:46.901: IPv6-DHCP-Guard: R1, Fa0/0, DHCPv6 ADVERTISE from fe80::4, server DUID 0001000156789012
*Mar  1 00:03:46.901: IPv6-DHCP-Guard: R1, Fa0/0, DHCPv6 ADVERTISE from fe80::4 is blocked by policy DHCP-POLICY

What does this output indicate?

Question 47 • medium • multiple choice

A network engineer runs the following command to verify DHCPv6 guard policy:

R1# show ipv6 dhcp guard policy DHCP-POLICY

Policy: DHCP-POLICY
Status: Active
Device role: dhcp-client
Trusted ports: none
Untrusted ports: Fa0/0
DHCPv6 guard: enabled
DHCPv6 guard action: block
DHCPv6 server validation: enabled
DHCPv6 server list: 2001:db8::10

What does this output indicate?

Question 48 • medium • multiple choice

A network engineer runs the following command to troubleshoot IPv6 source guard:

R1# debug ipv6 source-guard

*Mar  1 00:04:56.789: IPv6-Source-Guard: R1, Fa0/0, IPv6 packet from 2001:db8::5, src MAC 0011.2233.4455, dst 2001:db8::1
*Mar  1 00:04:56.789: IPv6-Source-Guard: R1, Fa0/0, Binding lookup: 2001:db8::5 not found in binding table
*Mar  1 00:04:56.789: IPv6-Source-Guard: R1, Fa0/0, Packet dropped: source 2001:db8::5 not allowed

What does this output indicate?

Question 49 • medium • multiple choice

A network engineer runs the following command to verify IPv6 binding table:

R1# show ipv6 neighbors binding

IPv6 Address   Age  Link-layer Addr  State   Interface  VLAN  Policy
2001:db8::1    10   0011.2233.4455   REACH   Fa0/1      10    TRUSTED
2001:db8::2    5    00aa.bbcc.ddee   STALE   Fa0/0      10    INSPECT
2001:db8::3    0    1111.2222.3333   INCOMP  Fa0/0      10    -

What does this output indicate?

Question 50 • medium • multiple choice

A network engineer runs the following command to verify IPv6 device tracking:

R1# show ipv6 device-tracking database

  Interface  MAC Address       VLAN  IPv6 Address                    State         Age  Policy
  Fa0/0      0011.2233.4455    10    2001:db8::1                     ACTIVE        10   TRUSTED
  Fa0/0      00aa.bbcc.ddee    10    2001:db8::2                     ACTIVE        5    INSPECT
  Fa0/0      1111.2222.3333    10    2001:db8::3                     VERIFY        0    -

What does this output indicate?

Question 51 • medium • multiple choice

What is the default value of the Router Advertisement (RA) interval in IPv6 First Hop Security (FHS) when using the 'ipv6 nd ra-interval' command on an IOS-XE interface?

Question 52 • easy • multiple choice

What is the default value of the RA lifetime (Router Lifetime) in IPv6 Router Advertisements on Cisco IOS-XE?

Question 53 • medium • multiple choice

In IPv6 First Hop Security, which feature is used to prevent duplicate address detection (DAD) attacks by snooping Neighbor Discovery (ND) messages?

Question 54 • hard • multiple choice

What is the default value of the 'hold-down' timer in IPv6 FHS's ND Snooping feature on Cisco IOS-XE?

Question 55 • easy • multiple choice

Which IPv6 FHS feature uses a 'device tracking' database to maintain reachability information for hosts?

Question 56 • medium • multiple choice

In IPv6 FHS, what is the default action for 'RA Guard' when a rogue RA is detected on a switch port?

Question 57 • hard • multiple choice

What is the default value of the 'limit' parameter in the 'ipv6 nd prefix' command for the number of prefixes advertised in RA messages?

Question 58 • medium • multiple choice

In IPv6 FHS, which protocol is used to secure Neighbor Discovery messages with cryptographic authentication?

Question 59 • hard • multiple choice

What is the default value of the 'reachable time' in IPv6 Neighbor Discovery (ND) on Cisco IOS-XE?

Question 60 • medium • drag order

Drag and drop the steps to configure IPv6 RA Guard on a switch into the correct order, from first to last.

Question 61 • hard • drag order

Drag and drop the steps to troubleshoot IPv6 First Hop Security adjacency or connectivity failures into the correct order, from first to last.

Question 62 • medium • drag order

Drag and drop the steps to verify and validate IPv6 First Hop Security operational state into the correct order, from first to last.

Question 63 • hard • multi select

Which TWO statements about IPv6 First Hop Security (FHS) RA Guard are true? (Choose TWO.)

Question 64 • hard • multi select

Which TWO statements about IPv6 First Hop Security (FHS) Source Guard are true? (Choose TWO.)

Question 65 • hard • multi select

An engineer is troubleshooting IPv6 connectivity issues on a switch that has IPv6 First Hop Security features enabled. Clients are unable to obtain a valid IPv6 address via SLAAC. Which TWO configuration changes could resolve this issue? (Choose TWO.)

Question 66 • hard • multi select

Which THREE commands can be used to verify IPv6 First Hop Security (FHS) bindings or operations? (Choose THREE.)

Question 67 • hard • multi select

Which TWO statements about IPv6 First Hop Security (FHS) Device Tracking are true? (Choose TWO.)

Question 68 • hard • multiple choice

An engineer configures IPv6 RA Guard on a switch port connected to a router running OSPFv3. Unexpectedly, OSPFv3 neighbor adjacencies fail to form on that link. Which is the most likely explanation?

Question 69 • hard • multiple choice

A network engineer enables IPv6 First Hop Security with 'ipv6 dhcp guard' on a switch port connected to a legitimate DHCPv6 server. Clients on other ports receive DHCPv6 replies, but the server's port is being err-disabled repeatedly. The engineer checks the logs and sees DHCPv6 server advertisements being dropped. What is the most likely cause?

Question 70 • hard • multiple choice

An engineer configures IPv6 Source Guard on a switch port with 'ipv6 verify source' and also enables 'ipv6 snooping' globally. A legitimate host on that port is unable to send traffic, and the switch logs show that packets are being dropped due to source address validation failure. The host has a static IPv6 address and the engineer has configured a static binding using 'ipv6 neighbor binding' command. What is the most likely oversight?

Question 71 • hard • multiple choice

A network administrator configures 'ipv6 nd raguard' on a switch port connected to a router. The router is sending Router Advertisements with a non-zero Router Lifetime. The switch logs indicate that RAs are being dropped, and the port goes into err-disable state. The engineer checks the RA Guard policy and sees that the default policy is applied. What is the most likely reason for the drops?

Question 72 • hard • multiple choice

An engineer enables 'ipv6 destination guard' on a switch to prevent IPv6 address spoofing. After configuration, a legitimate host on a port is unable to receive traffic from the network, although it can send traffic. The host has a global unicast address. The switch logs show that destination guard is dropping packets destined to that host. What is the most likely cause?

Question 73 • hard • multiple choice

A network engineer configures 'ipv6 snooping' globally on a switch and applies 'ipv6 verify source' on a port connected to a router running OSPFv3. The router's OSPFv3 neighborship with another router across the switch fails. The switch logs show that OSPFv3 packets are being dropped. The engineer checks the binding table and sees no entries for the router's link-local address. What is the most likely reason?

Question 74 • hard • multiple choice

An engineer configures 'ipv6 nd suppress' on a switch port to prevent the switch from sending Router Advertisements. However, after this configuration, hosts on that port cannot obtain IPv6 addresses via SLAAC, even though a router on another port is sending RAs. What is the most likely explanation?

Question 75 • hard • multiple choice

A network administrator configures 'ipv6 dhcp guard' on a switch and sets the policy to 'allow only' for a specific DHCPv6 server. However, clients are still receiving DHCPv6 replies from a rogue server on the same VLAN. The engineer verifies that the rogue server's port is not trusted. What is the most likely reason the rogue server's advertisements are not being blocked?

Question 76 • hard • multiple choice

An engineer configures 'ipv6 verify source' with 'allow-default' on a switch port connected to a router that uses a default route via a static route. The router's traffic is being dropped by Source Guard. The engineer sees that the router's source address is in the binding table. What is the most likely cause?
