The answer is that the interface Gi0/1/1 is not configured as a trusted interface for RA guard. This is correct because IPv6 RA Guard protection is applied per interface based on a trust boundary; only interfaces explicitly trusted with the `ipv6 nd raguard trust` command are allowed to send legitimate Router Advertisements, while all other interfaces are treated as untrusted and have their RAs filtered. On the Cisco SCOR 350-701 exam, this concept tests your understanding of IPv6 first-hop security features, often appearing in troubleshooting scenarios where a device bypasses protection simply because its connecting port lacks the trust designation. A common trap is assuming RA Guard is enabled globally or by VLAN, but it is strictly interface-specific. Memory tip: “Trust the port, guard the rest”—if a port isn’t trusted, RA Guard blocks its RAs by default.
350-701 Practice Question: Secure Network Access, Visibility and Enforcement
This 350-701 practice question tests your understanding of secure network access, visibility and enforcement. The scenario asks you to isolate a root cause — eliminate options that address a different problem before choosing. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.
Exhibit
Router# show device-tracking database
Device-tracking database for Vlan 100:
Device ID MAC Address Interface VLAN Last seen
* 0050.7966.6800 Gi0/1/0 100 00:00:12
* aaaa.bbbb.cccc Gi0/1/1 100 00:00:05
Refer to the exhibit. A network administrator is troubleshooting device tracking on a Cisco switch. The output shows two devices in VLAN 100. The switch is configured with IPv6 first-hop security features. The administrator notices that the device with MAC address aaaa.bbbb.cccc is not receiving RA guard protection. What is the most likely reason?
Clue words in this question
Noticing these words before you look at the options changes how you read each choice.
Clue: "first"
Why it matters: Order matters here. You are being tested on which action comes before the others — not which action is generally useful.
Clue: "most likely"
Why it matters: Probability qualifier — the question wants the most probable cause or outcome, not a guaranteed one. Eliminate low-probability options.
Router# show device-tracking database
Device-tracking database for Vlan 100:
Device ID MAC Address Interface VLAN Last seen
* 0050.7966.6800 Gi0/1/0 100 00:00:12
* aaaa.bbbb.cccc Gi0/1/1 100 00:00:05
A
The interface Gi0/1/1 is not configured as a trusted interface for RA guard.
RA guard only applies to trusted interfaces.
B
The device is not in the same VLAN as the RA guard policy.
Why wrong: Both devices are in VLAN 100.
C
The device tracking entry for aaaa.bbbb.cccc is invalid.
Why wrong: The asterisk indicates a valid binding.
Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.
Correct answer & explanation
✓
The interface Gi0/1/1 is not configured as a trusted interface for RA guard.
RA Guard protection is applied per interface based on trust configuration. The exhibit shows the device with MAC aaaa.bbbb.cccc is reachable via Gi0/1/1, but if that interface is not explicitly configured as trusted for RA Guard (e.g., using `ipv6 nd raguard trust`), the switch will not apply RA Guard filtering to RAs received on that port. This allows rogue RA messages from that device to bypass protection, making A the correct answer.
Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.
Answer analysis
Option-by-option breakdown
For each option: why learners choose it and why it is or isn't the right answer here.
✓
The interface Gi0/1/1 is not configured as a trusted interface for RA guard.
Why this is correct
RA guard only applies to trusted interfaces.
Clue confirmation
The clue words "first", "most likely" in the question point toward this answer.
Related concept
Read the scenario before looking for a memorised answer.
✗
The device is not in the same VLAN as the RA guard policy.
The device tracking entry for aaaa.bbbb.cccc is invalid.
Why it's wrong here
The asterisk indicates a valid binding.
✗
The device tracking table has reached its limit.
Why it's wrong here
The table shows only two entries.
Common exam traps
Common exam trap: answer the scenario, not the keyword
Cisco often tests the distinction between device tracking entries being present and the interface trust configuration being applied, leading candidates to incorrectly assume a valid tracking entry implies protection is active.
Trap categories for this question
Command / output trap
The table shows only two entries.
Detailed technical explanation
How to think about this question
RA Guard (RFC 6105) relies on device tracking to identify hosts and then applies policy based on interface trust. When an interface is not trusted, the switch drops Router Advertisements received on that port, preventing rogue RAs from redirecting traffic. The trust command `ipv6 nd raguard trust` must be applied on the upstream router-facing port, not on host-facing ports. In this scenario, Gi0/1/1 is likely a host-facing port that should be untrusted, but the device is still sending RAs; the absence of trust on Gi0/1/1 means the switch does not enforce RA Guard on that interface, leaving the device unprotected.
KKey Concepts to Remember
Read the scenario before looking for a memorised answer.
Find the constraint that changes the correct option.
Eliminate answers that are true in general but not in this case.
TExam Day Tips
→Watch for words such as best, first, most likely and least administrative effort.
→Review why wrong options are wrong, not only why the correct option is correct.
Key takeaway
Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.
Real-world example
How this comes up in practice
A help-desk technician troubleshoots why a newly connected PC cannot reach shared printers on the same floor. The cable is good, the switch port is active, but the PC is in VLAN 20 and the printers are in VLAN 10. The uplink trunk only allows VLAN 10. A trunk being up does not mean every VLAN crosses it.
What to study next
Got this wrong? Here's your next step.
Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.
Secure Network Access, Visibility and Enforcement — This question tests Secure Network Access, Visibility and Enforcement — Read the scenario before looking for a memorised answer..
What is the correct answer to this question?
The correct answer is: The interface Gi0/1/1 is not configured as a trusted interface for RA guard. — RA Guard protection is applied per interface based on trust configuration. The exhibit shows the device with MAC aaaa.bbbb.cccc is reachable via Gi0/1/1, but if that interface is not explicitly configured as trusted for RA Guard (e.g., using `ipv6 nd raguard trust`), the switch will not apply RA Guard filtering to RAs received on that port. This allows rogue RA messages from that device to bypass protection, making A the correct answer.
What should I do if I get this 350-701 question wrong?
Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.
Are there clue words in this question I should notice?
Yes — watch for: "first", "most likely". Order matters here. You are being tested on which action comes before the others — not which action is generally useful.
What is the key concept behind this question?
Read the scenario before looking for a memorised answer.
About these practice questions
Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →
Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.
This 350-701 practice question is part of Courseiva's free Cisco certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the 350-701 exam.
Question Discussion
Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.
Sign in to join the discussion.