300-410 IPv6 First Hop Security • Complete Question Bank
Complete 300-410 IPv6 First Hop Security question bank — all 0 questions with answers and detailed explanations.
A network engineer runs the following command on Router R1:
R1# show ipv6 snooping policy Interface Policy Role State
Gi0/0/0 GUARD_POLICY device-guard ACTIVE Gi0/0/1 GUARD_POLICY device-guard ACTIVE Gi0/0/2 (default) host ACTIVE
Based on this output, which statement is correct?
A network engineer runs the following command on Router R1:
R1# show ipv6 nd raguard policy Interface Policy Role State
Gi0/0/0 RA_GUARD router ACTIVE Gi0/0/1 RA_GUARD host ACTIVE Gi0/0/2 (default) host ACTIVE
Based on this output, which statement is correct?
A network engineer runs the following command on Router R1:
R1# show ipv6 dhcp guard policy Interface Policy Role State
Gi0/0/0 DHCP_GUARD server ACTIVE Gi0/0/1 DHCP_GUARD client ACTIVE Gi0/0/2 (default) client ACTIVE
Based on this output, which statement is correct?
A network engineer runs the following command on Router R1:
R1# show ipv6 source-guard policy Interface Policy Role State
Gi0/0/0 SRC_GUARD host ACTIVE Gi0/0/1 SRC_GUARD host ACTIVE Gi0/0/2 (default) host ACTIVE
Based on this output, which statement is correct?
A network engineer runs the following command on Router R1:
R1# show ipv6 neighbors
IPv6 Address Age Link-layer Addr State Interface 2001:DB8:1::1 0 aaaa.bbbb.cccc REACH Gi0/0/0 2001:DB8:1::2 10 aaaa.bbbb.cccd STALE Gi0/0/0 2001:DB8:1::3 - aaaa.bbbb.ccce DELAY Gi0/0/1 FE80::1 0 aaaa.bbbb.cccf REACH Gi0/0/0
Based on this output, which statement is correct?
A network engineer runs the following command on Router R1:
R1# show ipv6 dhcp binding
Client: FE80::1 DUID: 0003000100AABBCCDDEE
Username: unknown
IA NA: IA ID 0x00010001, T1 302400, T2 483840 Address: 2001:DB8:1::100/128 Preferred lifetime 604800, valid lifetime 2592000 Expires at Sep 15 2024 12:00 PM (2592000 seconds)
Based on this output, which statement is correct?
A network engineer runs the following command on Router R1:
R1# show ipv6 dhcp interface Gi0/0/0
Gi0/0/0 is in server mode Uses prefix 2001:DB8:1::/64 Rapid-Commit is disabled Preference value: 0 Information refresh option: 86400 DNS server: 2001:DB8::1 Domain name: example.com Active clients: 5 Pool: DHCP_POOL
Based on this output, which statement is correct?
A network engineer runs the following command on Router R1:
R1# show ipv6 traffic
IPv6 statistics: Rcvd: 1000 total, 800 unicast, 200 multicast Sent: 900 total, 700 unicast, 200 multicast Errors: 0 Dropped: 0 ND statistics: NS: 50 received, 40 sent NA: 30 received, 20 sent RS: 10 received, 5 sent RA: 2 received, 8 sent Redirect: 0 received, 0 sent
Based on this output, which statement is correct?
A network engineer runs the following command on Router R1:
R1# show ipv6 snooping binding
IPv6 Address MAC Address VLAN Interface State 2001:DB8:1::100 aaaa.bbbb.cccc 10 Gi0/0/0 ACTIVE 2001:DB8:1::101 aaaa.bbbb.cccd 10 Gi0/0/0 ACTIVE 2001:DB8:1::102 aaaa.bbbb.ccce 10 Gi0/0/1 ACTIVE 2001:DB8:1::103 aaaa.bbbb.cccf 10 Gi0/0/1 ACTIVE
Based on this output, which statement is correct?
Interface GigabitEthernet0/1 is configured as shown: interface GigabitEthernet0/1
ipv6 address 2001:db8:1::1/64 ipv6 nd raguard ipv6 nd prefix default no-autoconfig
What is the effect of this configuration?
Examine the following partial IPv6 DHCP guard configuration:
ipv6 dhcp guard policy DHCP_GUARD device-role server match server access-list SERVER_ACL
interface GigabitEthernet0/2
ipv6 dhcp guard policy DHCP_GUARD
Which statement is true about this configuration?
A network engineer configures IPv6 Source Guard on an interface:
interface GigabitEthernet0/3
ipv6 verify source
What is the immediate effect of this command?
Consider the following partial configuration:
ipv6 nd inspection policy ND_INSPECT device-role host trusted-port
interface GigabitEthernet0/4
ipv6 nd inspection policy ND_INSPECT
What is the effect of the 'trusted-port' command in this policy?
An engineer applies the following configuration to an interface:
interface GigabitEthernet0/5
ipv6 dhcp guard attach-policy DHCP_GUARD ipv6 snooping database file nvram:ipv6-snoop.db
Which statement is true?
A large enterprise network is experiencing intermittent IPv6 connectivity loss for hosts on VLAN 100. Router R1 has the following relevant configuration:
interface GigabitEthernet0/0.100 encapsulation dot1Q 100
ipv6 address 2001:DB8:1:100::1/64 ipv6 nd raguard ipv6 nd prefix default ipv6 dhcp relay destination 2001:DB8:1:200::1 !
Router R2 shows: debug ipv6 dhcp relay output indicates that DHCPv6 requests from VLAN 100 are being relayed, but the server never receives the SOLICIT messages. What is the root cause?
A network engineer notices that IPv6 hosts on a segment are not receiving Router Advertisements, even though Router R1 has IPv6 unicast-routing enabled and an IPv6 address on the interface. Router R1 has the following relevant configuration:
interface GigabitEthernet0/0
ipv6 address 2001:DB8:1::1/64 ipv6 nd suppress-ra !
Router R2, connected to the same segment, shows: no IPv6 neighbors in the neighbor cache for R1's link-local address. What is the root cause?
A network engineer is troubleshooting IPv6 connectivity issues on a multi-access segment where Router R1 and Router R2 are both acting as default routers. Hosts on the segment are not using R1 as a preferred router, even though R1 has a higher router preference. Router R1 has the following relevant configuration:
interface GigabitEthernet0/0
ipv6 address 2001:DB8:1::1/64 ipv6 nd router-preference high !
Router R2 shows: debug ipv6 nd output indicates that R2 is sending RAs with default preference (medium). What is the root cause?
A network engineer is troubleshooting IPv6 neighbor discovery issues on a VLAN. Router R1 is configured with IPv6 First Hop Security features. Hosts are unable to communicate with each other, even though they have valid IPv6 addresses. Router R1 has the following relevant configuration:
interface Vlan100
ipv6 address 2001:DB8:1:100::1/64 ipv6 nd raguard ipv6 dhcp guard ipv6 source guard !
Router R2 shows: debug ipv6 nd output indicates that Neighbor Solicitations from hosts are being dropped. What is the root cause?
A network engineer is troubleshooting IPv6 routing issues between two routers connected via a serial link. Router R1 and Router R2 are running OSPFv3. The OSPFv3 adjacency is not forming. Router R1 has the following relevant configuration:
interface Serial0/0
ipv6 address 2001:DB8:1::1/64 ipv6 ospf 1 area 0 !
Router R2 shows: debug ipv6 ospf hello output indicates that R2 is receiving Hello packets from R1, but the neighbor state remains INIT. What is the root cause?
A network engineer is troubleshooting IPv6 redistribution between EIGRP and OSPFv3 on Router R1. Routes from OSPFv3 are being redistributed into EIGRP, but they are not appearing in the EIGRP topology table. Router R1 has the following relevant configuration:
router eigrp Test
address-family ipv6 unicast redistribute ospf 1 metric 10000 100 255 1 1500 !
Router R2 shows: show ipv6 eigrp topology output does not include any OSPF-derived routes. What is the root cause?
A network engineer is troubleshooting IPv6 BGP path selection on Router R1. Router R1 is receiving a prefix from two different BGP peers, but it is not selecting the expected best path. Router R1 has the following relevant configuration:
router bgp 65000
address-family ipv6 unicast
neighbor 2001:DB8:1::2 route-map SET_LOCAL_PREF in neighbor 2001:DB8:2::2 route-map SET_MED in
! route-map SET_LOCAL_PREF permit 10 set local-preference 200 ! route-map SET_MED permit 10 set metric 50 !
Router R2 shows: show bgp ipv6 unicast 2001:DB8:3::/64 output indicates that the path from 2001:DB8:1::2 has local preference 200, but the path from 2001:DB8:2::2 is selected. What is the root cause?
A network engineer is troubleshooting IPv6 DMVPN phase 2 spoke-to-spoke tunnel failures. Spoke routers are able to communicate with the hub, but direct spoke-to-spoke traffic is not working. Router R1 (spoke) has the following relevant configuration:
interface Tunnel0
ipv6 address 2001:DB8:1::1/64 tunnel source GigabitEthernet0/0 tunnel mode gre multipoint ipv6 nhrp network-id 1 ipv6 nhrp nhs 2001:DB8:1::2 ipv6 nhrp map multicast dynamic !
Router R2 (hub) shows: show ipv6 nhrp brief output indicates that both spokes are registered. What is the root cause?
A network engineer is troubleshooting IPv6 MPLS LDP neighbor discovery on a link between Router R1 and Router R2. The LDP session is not forming. Router R1 has the following relevant configuration:
interface GigabitEthernet0/0
ipv6 address 2001:DB8:1::1/64 mpls ip mpls ldp discovery transport-address interface !
Router R2 shows: debug mpls ldp discovery output indicates that R2 is receiving Hello packets from R1, but the LDP session remains in INIT state. What is the root cause?
A network engineer runs the following command to troubleshoot an IPv6 First Hop Security issue:
R1# debug ipv6 nd raguard *Mar 1 00:01:23.456: IPv6-ND-RA-Guard: R1, Fa0/0, RA received on port Fa0/0, src fe80::1, dst ff02::1 *Mar 1 00:01:23.456: IPv6-ND-RA-Guard: R1, Fa0/0, RA from fe80::1 is allowed by policy TRUSTED *Mar 1 00:01:24.789: IPv6-ND-RA-Guard: R1, Fa0/0, RA received on port Fa0/0, src fe80::2, dst ff02::1 *Mar 1 00:01:24.789: IPv6-ND-RA-Guard: R1, Fa0/0, RA from fe80::2 is blocked by policy UNTRUSTED
What does this output indicate?
A network engineer runs the following command to verify IPv6 First Hop Security operation:
R1# show ipv6 nd raguard policy TRUSTED
Policy: TRUSTED Status: Active Device role: host Trusted ports: Fa0/1 Untrusted ports: none RA Guard: enabled RA Guard policy: allow ND inspection: enabled ND inspection policy: INSPECT
What does this output indicate?
A network engineer runs the following command to troubleshoot IPv6 ND inspection:
R1# debug ipv6 nd inspection *Mar 1 00:02:34.567: IPv6-ND-Inspection: R1, Fa0/0, NS from fe80::1 to ff02::1, target 2001:db8::1, options: SLLA 0011.2233.4455 *Mar 1 00:02:34.567: IPv6-ND-Inspection: R1, Fa0/0, NS from fe80::1 to ff02::1, target 2001:db8::1, SLLA 0011.2233.4455 is allowed by policy INSPECT *Mar 1 00:02:35.890: IPv6-ND-Inspection: R1, Fa0/0, NA from fe80::2 to fe80::1, target 2001:db8::2, options: TLLA 00aa.bbcc.ddee *Mar 1 00:02:35.890: IPv6-ND-Inspection: R1, Fa0/0, NA from fe80::2 to fe80::1, target 2001:db8::2, TLLA 00aa.bbcc.ddee is blocked by policy INSPECT
What does this output indicate?
A network engineer runs the following command to verify IPv6 ND inspection policy:
R1# show ipv6 nd inspection policy INSPECT
Policy: INSPECT Status: Active Device role: node Trusted ports: none Untrusted ports: Fa0/0 ND inspection: enabled Validation: - Source MAC address: verify - Destination MAC address: verify - IPv6 source address: verify - IPv6 destination address: verify - Nonce: disabled - Timestamp: disabled
What does this output indicate?
A network engineer runs the following command to troubleshoot DHCPv6 guard:
R1# debug ipv6 dhcp guard *Mar 1 00:03:45.678: IPv6-DHCP-Guard: R1, Fa0/0, DHCPv6 SOLICIT from fe80::3, client DUID 00010001abcd1234 *Mar 1 00:03:45.678: IPv6-DHCP-Guard: R1, Fa0/0, DHCPv6 SOLICIT from fe80::3 is allowed by policy DHCP-POLICY *Mar 1 00:03:46.901: IPv6-DHCP-Guard: R1, Fa0/0, DHCPv6 ADVERTISE from fe80::4, server DUID 0001000156789012 *Mar 1 00:03:46.901: IPv6-DHCP-Guard: R1, Fa0/0, DHCPv6 ADVERTISE from fe80::4 is blocked by policy DHCP-POLICY
What does this output indicate?
A network engineer runs the following command to verify DHCPv6 guard policy:
R1# show ipv6 dhcp guard policy DHCP-POLICY
Policy: DHCP-POLICY Status: Active Device role: dhcp-client Trusted ports: none Untrusted ports: Fa0/0 DHCPv6 guard: enabled DHCPv6 guard action: block DHCPv6 server validation: enabled DHCPv6 server list: 2001:db8::10
What does this output indicate?
A network engineer runs the following command to troubleshoot IPv6 source guard:
R1# debug ipv6 source-guard *Mar 1 00:04:56.789: IPv6-Source-Guard: R1, Fa0/0, IPv6 packet from 2001:db8::5, src MAC 0011.2233.4455, dst 2001:db8::1 *Mar 1 00:04:56.789: IPv6-Source-Guard: R1, Fa0/0, Binding lookup: 2001:db8::5 not found in binding table *Mar 1 00:04:56.789: IPv6-Source-Guard: R1, Fa0/0, Packet dropped: source 2001:db8::5 not allowed
What does this output indicate?
A network engineer runs the following command to verify IPv6 binding table:
R1# show ipv6 neighbors binding
IPv6 Address Age Link-layer Addr State Interface VLAN Policy 2001:db8::1 10 0011.2233.4455 REACH Fa0/1 10 TRUSTED 2001:db8::2 5 00aa.bbcc.ddee STALE Fa0/0 10 INSPECT 2001:db8::3 0 1111.2222.3333 INCOMP Fa0/0 10 -
What does this output indicate?
A network engineer runs the following command to verify IPv6 device tracking:
R1# show ipv6 device-tracking database Interface MAC Address VLAN IPv6 Address State Age Policy
Fa0/0 0011.2233.4455 10 2001:db8::1 ACTIVE 10 TRUSTED Fa0/0 00aa.bbcc.ddee 10 2001:db8::2 ACTIVE 5 INSPECT Fa0/0 1111.2222.3333 10 2001:db8::3 VERIFY 0 -
What does this output indicate?