Question 249 of 500

Quick Answer

The answer is that the interface Gi0/1/1 is not configured as a trusted interface for RA guard. This is correct because IPv6 RA Guard protection is applied per interface based on a trust boundary; only interfaces explicitly trusted with the `ipv6 nd raguard trust` command are allowed to send legitimate Router Advertisements, while all other interfaces are treated as untrusted and have their RAs filtered. On the Cisco SCOR 350-701 exam, this concept tests your understanding of IPv6 first-hop security features, often appearing in troubleshooting scenarios where a device bypasses protection simply because its connecting port lacks the trust designation. A common trap is assuming RA Guard is enabled globally or by VLAN, but it is strictly interface-specific. Memory tip: “Trust the port, guard the rest”—if a port isn’t trusted, RA Guard blocks its RAs by default.

350-701 Practice Question: Secure Network Access, Visibility and Enforcement

This 350-701 practice question tests your understanding of secure network access, visibility and enforcement. The scenario asks you to isolate a root cause — eliminate options that address a different problem before choosing. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

Exhibit

Router# show device-tracking database
 Device-tracking database for Vlan 100:
  Device ID     MAC Address      Interface      VLAN     Last seen
  *             0050.7966.6800   Gi0/1/0        100      00:00:12
  *             aaaa.bbbb.cccc   Gi0/1/1        100      00:00:05

Refer to the exhibit. A network administrator is troubleshooting device tracking on a Cisco switch. The output shows two devices in VLAN 100. The switch is configured with IPv6 first-hop security features. The administrator notices that the device with MAC address aaaa.bbbb.cccc is not receiving RA guard protection. What is the most likely reason?

Clue words in this question

Noticing these words before you look at the options changes how you read each choice.

  • Clue: "first"

    Why it matters: Order matters here. You are being tested on which action comes before the others — not which action is generally useful.

  • Clue: "most likely"

    Why it matters: Probability qualifier — the question wants the most probable cause or outcome, not a guaranteed one. Eliminate low-probability options.

Question 1hardmultiple choice
Open the full VLAN trunking answer →

Exhibit

Router# show device-tracking database
 Device-tracking database for Vlan 100:
  Device ID     MAC Address      Interface      VLAN     Last seen
  *             0050.7966.6800   Gi0/1/0        100      00:00:12
  *             aaaa.bbbb.cccc   Gi0/1/1        100      00:00:05

Answer choices

Why each option matters

Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.

Correct answer & explanation

The interface Gi0/1/1 is not configured as a trusted interface for RA guard.

RA Guard protection is applied per interface based on trust configuration. The exhibit shows the device with MAC aaaa.bbbb.cccc is reachable via Gi0/1/1, but if that interface is not explicitly configured as trusted for RA Guard (e.g., using `ipv6 nd raguard trust`), the switch will not apply RA Guard filtering to RAs received on that port. This allows rogue RA messages from that device to bypass protection, making A the correct answer.

Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • The interface Gi0/1/1 is not configured as a trusted interface for RA guard.

    Why this is correct

    RA guard only applies to trusted interfaces.

    Clue confirmation

    The clue words "first", "most likely" in the question point toward this answer.

    Related concept

    Read the scenario before looking for a memorised answer.

  • The device is not in the same VLAN as the RA guard policy.

    Why it's wrong here

    Both devices are in VLAN 100.

  • The device tracking entry for aaaa.bbbb.cccc is invalid.

    Why it's wrong here

    The asterisk indicates a valid binding.

  • The device tracking table has reached its limit.

    Why it's wrong here

    The table shows only two entries.

Common exam traps

Common exam trap: answer the scenario, not the keyword

Cisco often tests the distinction between device tracking entries being present and the interface trust configuration being applied, leading candidates to incorrectly assume a valid tracking entry implies protection is active.

Trap categories for this question

  • Command / output trap

    The table shows only two entries.

Detailed technical explanation

How to think about this question

RA Guard (RFC 6105) relies on device tracking to identify hosts and then applies policy based on interface trust. When an interface is not trusted, the switch drops Router Advertisements received on that port, preventing rogue RAs from redirecting traffic. The trust command `ipv6 nd raguard trust` must be applied on the upstream router-facing port, not on host-facing ports. In this scenario, Gi0/1/1 is likely a host-facing port that should be untrusted, but the device is still sending RAs; the absence of trust on Gi0/1/1 means the switch does not enforce RA Guard on that interface, leaving the device unprotected.

KKey Concepts to Remember

  • Read the scenario before looking for a memorised answer.
  • Find the constraint that changes the correct option.
  • Eliminate answers that are true in general but not in this case.

TExam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Real-world example

How this comes up in practice

A help-desk technician troubleshoots why a newly connected PC cannot reach shared printers on the same floor. The cable is good, the switch port is active, but the PC is in VLAN 20 and the printers are in VLAN 10. The uplink trunk only allows VLAN 10. A trunk being up does not mean every VLAN crosses it.

What to study next

Got this wrong? Here's your next step.

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

Related practice questions

Related 350-701 practice-question pages

Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.

Practice this exam

Start a free 350-701 practice session

Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.

FAQ

Questions learners often ask

What does this 350-701 question test?

Secure Network Access, Visibility and Enforcement — This question tests Secure Network Access, Visibility and Enforcement — Read the scenario before looking for a memorised answer..

What is the correct answer to this question?

The correct answer is: The interface Gi0/1/1 is not configured as a trusted interface for RA guard. — RA Guard protection is applied per interface based on trust configuration. The exhibit shows the device with MAC aaaa.bbbb.cccc is reachable via Gi0/1/1, but if that interface is not explicitly configured as trusted for RA Guard (e.g., using `ipv6 nd raguard trust`), the switch will not apply RA Guard filtering to RAs received on that port. This allows rogue RA messages from that device to bypass protection, making A the correct answer.

What should I do if I get this 350-701 question wrong?

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

Are there clue words in this question I should notice?

Yes — watch for: "first", "most likely". Order matters here. You are being tested on which action comes before the others — not which action is generally useful.

What is the key concept behind this question?

Read the scenario before looking for a memorised answer.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →

How Courseiva writes practice questions · Editorial policy

Last reviewed: Jun 11, 2026

Question Discussion

Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.

Loading comments…

Sign in to join the discussion.

This 350-701 practice question is part of Courseiva's free Cisco certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the 350-701 exam.