Sample questions
Cisco CCNP ENARSI 300-410 practice questions
Drag and drop the steps to negotiate an IKEv2 IPsec site-to-site tunnel into the correct order, from first to last.
Drag and drop the steps to troubleshoot an IPsec site-to-site VPN adjacency failure into the correct order, from first to last.
Drag and drop the steps to verify and validate the operational state of an IPsec site-to-site VPN into the correct order, from first to last.
Drag and drop the steps to configure a GRE tunnel for IPv6 over IPv4 into the correct order, from first to last.
Drag and drop the steps to troubleshoot IPv6 over IPv4 tunnel adjacency or connectivity failures into the correct order, from first to last.
Drag and drop the steps to verify and validate the operational state of an IPv6 tunneling technique into the correct order, from first to last.
Drag and drop the steps to configure SSH access with local AAA on a Cisco router into the correct order, from first to last.
Drag and drop the steps to troubleshoot Device Access Control adjacency or connectivity failures into the correct order, from first to last.
Drag and drop the steps to verify and validate Device Access Control operational state into the correct order, from first to last.
Drag and drop the steps to troubleshoot IPv4 ACL adjacency or connectivity failures into the correct order, from first to last.
Drag and drop the steps to apply and verify an extended IPv4 ACL on a router interface into the correct order, from first to last.
Drag and drop the steps to verify and validate the operational state of IPv4 ACLs into the correct order, from first to last.
A network engineer is troubleshooting a connectivity issue between two routers R1 and R2 connected via GigabitEthernet0/0. The engineer notices that R1 can ping its own IPv6 address 2001:db8:1::1/64, but cannot ping R2's interface address 2001:db8:1::2/64. The output of 'show ipv6 interface GigabitEthernet0/0' on R1 indicates that IPv6 is enabled and the interface is up/up. The engineer checks the access list applied to the interface and sees an inbound IPv6 ACL that permits only ICMPv6 echo requests from a specific source. What is the most likely cause of the ping failure?
Trap 1: The ACL is applied outbound on R1 and blocks the echo request.
Incorrect because the ACL is applied inbound, not outbound.
Trap 2: IPv6 unicast-routing is not enabled on R1.
Incorrect because R1 can ping its own address, indicating IPv6 is operational; unicast-routing is not required for direct link pings.
Trap 3: The ACL is missing a permit statement for IPv6 neighbor discovery…
Incorrect because ND messages are needed for address resolution, but the symptom is a ping failure after ND has likely succeeded (R1 can ping its own address, implying layer 2 is up).
- A
The ACL is applied inbound on R1 and does not permit ICMPv6 echo replies from R2.
Correct because ICMPv6 echo replies are sourced from the destination address (R2) and must be permitted inbound on R1 for the ping to succeed.
- B
The ACL is applied outbound on R1 and blocks the echo request.
Why wrong: Incorrect because the ACL is applied inbound, not outbound.
- C
IPv6 unicast-routing is not enabled on R1.
Why wrong: Incorrect because R1 can ping its own address, indicating IPv6 is operational; unicast-routing is not required for direct link pings.
- D
The ACL is missing a permit statement for IPv6 neighbor discovery (ND) messages.
Why wrong: Incorrect because ND messages are needed for address resolution, but the symptom is a ping failure after ND has likely succeeded (R1 can ping its own address, implying layer 2 is up).
Examine this configuration:
interface GigabitEthernet0/4
 ipv6 address 2001:db8:2::1/64
 ipv6 verify unicast source reachable-via any
What is the effect of the 'ipv6 verify unicast source reachable-via any' command?
Trap 1: The router performs strict uRPF: the source address must be…
The 'any' keyword indicates loose mode, not strict.
Trap 2: The router drops all packets with source addresses not in the same…
Loose mode does not require the source to be in the same subnet; it only checks for a route.
Trap 3: The command is invalid because 'ipv6 verify unicast' requires a…
The command is valid; the 'reachable-via any' option is a standard uRPF configuration.
- A
The router performs strict uRPF: the source address must be reachable via the same interface the packet arrived on.
Why wrong: The 'any' keyword indicates loose mode, not strict.
- B
The router performs loose uRPF: the source address must be reachable via any route in the FIB.
Loose mode only requires a route to the source, not necessarily via the receiving interface.
- C
The router drops all packets with source addresses not in the same subnet as the interface.
Why wrong: Loose mode does not require the source to be in the same subnet; it only checks for a route.
- D
The command is invalid because 'ipv6 verify unicast' requires a route-map.
Why wrong: The command is valid; the 'reachable-via any' option is a standard uRPF configuration.
Consider the following configuration:
ipv6 access-list FILTER
 permit ipv6 2001:db8:3::/48 any
 deny ipv6 any any
interface GigabitEthernet0/5
 ipv6 traffic-filter FILTER in
 ipv6 verify unicast source reachable-via rx
A packet arrives on GigabitEthernet0/5 with source 2001:db8:3::100 and destination 2001:db8:4::1. The route for 2001:db8:3::/48 points out interface GigabitEthernet0/6. What happens?
Trap 1: The packet is permitted because the ACL matches and uRPF is not…
uRPF is applied; both ACL and uRPF must pass.
Trap 2: The packet is dropped by the ACL because the deny statement blocks…
The permit statement matches the source prefix, so the ACL permits the packet.
Trap 3: The packet is permitted because uRPF only checks destination…
uRPF checks the source address, not the destination.
- A
The packet is permitted because the ACL matches and uRPF is not applied.
Why wrong: uRPF is applied; both ACL and uRPF must pass.
- B
The packet is dropped by uRPF because strict mode requires the source to be reachable via the receiving interface.
Strict uRPF (rx) fails because the return route uses a different interface.
- C
The packet is dropped by the ACL because the deny statement blocks all traffic.
Why wrong: The permit statement matches the source prefix, so the ACL permits the packet.
- D
The packet is permitted because uRPF only checks destination addresses.
Why wrong: uRPF checks the source address, not the destination.
Review this configuration:
route-map RMAP permit 10
 match ipv6 address prefix-list PREFIX
 set interface null0
!
ipv6 prefix-list PREFIX seq 5 permit 2001:db8:5::/48
!
interface GigabitEthernet0/6
 ipv6 verify unicast source reachable-via any allow-default
What is the purpose of the 'allow-default' keyword?
Trap 1: It allows the router to accept packets with source addresses from…
The default route is ::/0, not a specific prefix; the keyword affects how uRPF treats default routes.
Trap 2: It disables uRPF for packets matching the default route.
It does the opposite: it enables uRPF to consider the default route as valid.
Trap 3: It is used to allow multicast traffic through uRPF.
The 'allow-default' keyword is specific to default route handling, not multicast.
- A
It allows uRPF to use the default route as a valid path for source reachability.
Normally, loose uRPF ignores default routes; 'allow-default' includes them.
- B
It allows the router to accept packets with source addresses from the default prefix.
Why wrong: The default route is ::/0, not a specific prefix; the keyword affects how uRPF treats default routes.
- C
It disables uRPF for packets matching the default route.
Why wrong: It does the opposite: it enables uRPF to consider the default route as valid.
- D
It is used to allow multicast traffic through uRPF.
Why wrong: The 'allow-default' keyword is specific to default route handling, not multicast.
In IPv6, what is the default action for an access-list entry that does not specify a protocol?
Trap 1: The ACE defaults to 'permit ipv6'.
There is no default protocol; the ACE must explicitly specify a protocol.
Trap 2: The ACE defaults to 'deny ipv6'.
No default protocol is assumed; the entry is simply invalid.
Trap 3: The ACE matches all IPv6 traffic.
Only the 'ipv6' keyword matches all IPv6 traffic; omitting the protocol makes the entry invalid.
- A
The ACE defaults to 'permit ipv6'.
Why wrong: There is no default protocol; the ACE must explicitly specify a protocol.
- B
The ACE is invalid and ignored.
Cisco IOS requires a protocol in each IPv6 ACL entry; without it, the entry is invalid.
- C
The ACE defaults to 'deny ipv6'.
Why wrong: No default protocol is assumed; the entry is simply invalid.
- D
The ACE matches all IPv6 traffic.
Why wrong: Only the 'ipv6' keyword matches all IPv6 traffic; omitting the protocol makes the entry invalid.
What is the default uRPF mode when 'ipv6 verify unicast source reachable-via' is configured without any keyword?
Trap 1: Loose mode (any)
Loose mode requires the 'any' keyword; the default is strict.
Trap 2: No uRPF is applied
The command itself enables uRPF; the default mode is strict.
Trap 3: Only default routes are allowed
That would be 'allow-default', which is not the default.
- A
Loose mode (any)
Why wrong: Loose mode requires the 'any' keyword; the default is strict.
- B
Strict mode (rx)
Without keywords, the router uses strict uRPF, checking the source is reachable via the receiving interface.
- C
No uRPF is applied
Why wrong: The command itself enables uRPF; the default mode is strict.
- D
Only default routes are allowed
Why wrong: That would be 'allow-default', which is not the default.
According to RFC 2460, what is the correct behavior when an IPv6 router receives a packet with a source address that is a multicast address?
Trap 1: The router forwards the packet normally.
IPv6 does not allow multicast source addresses.
Trap 2: The router sends an ICMPv6 error message back to the source.
No ICMP error is generated for invalid source addresses; the packet is simply dropped.
Trap 3: The router rewrites the source address to the link-local address of…
Routers do not modify source addresses; they drop invalid packets.
- A
The router forwards the packet normally.
Why wrong: IPv6 does not allow multicast source addresses.
- B
The router drops the packet silently.
Per RFC 2460, a packet with a multicast source address is invalid and must be discarded.
- C
The router sends an ICMPv6 error message back to the source.
Why wrong: No ICMP error is generated for invalid source addresses; the packet is simply dropped.
- D
The router rewrites the source address to the link-local address of the interface.
Why wrong: Routers do not modify source addresses; they drop invalid packets.
Which TWO commands can be used to verify IPv6 unicast RPF operation on an interface? (Choose TWO.)
Trap 1: show ipv6 access-list
Displays IPv6 ACLs, not uRPF verification.
Trap 2: show ipv6 route
Shows the IPv6 routing table, not uRPF status.
Trap 3: show ipv6 traffic
Shows IPv6 traffic statistics, not per-interface uRPF state.
- A
show ipv6 interface
Displays IPv6 interface configuration including uRPF status (e.g., 'ipv6 verify unicast source reachable-via any').
- B
show ipv6 cef detail
Shows CEF FIB entries with RPF information (e.g., 'RPF: Yes' or 'RPF: No').
- C
show ipv6 access-list
Why wrong: Displays IPv6 ACLs, not uRPF verification.
- D
show ipv6 route
Why wrong: Shows the IPv6 routing table, not uRPF status.
- E
show ipv6 traffic
Why wrong: Shows IPv6 traffic statistics, not per-interface uRPF state.
Which THREE symptoms indicate that IPv6 unicast RPF is misconfigured or failing on an interface? (Choose THREE.)
Trap 1: The command 'ipv6 verify unicast source reachable-via any' is…
This is a configuration command, not a symptom of misconfiguration.
Trap 2: High CPU utilization is observed due to RPF processing.
uRPF is typically performed in hardware (CEF) and does not cause high CPU.
- A
Traffic from a valid source IP is being dropped on the interface.
uRPF drops packets when the source IP is not reachable via the incoming interface, even if the IP is valid.
- B
The router logs 'IPv6 unicast RPF drop' messages.
Syslog messages can indicate uRPF drops when logging is enabled.
- C
The command 'ipv6 verify unicast source reachable-via any' is present in the running config.
Why wrong: This is a configuration command, not a symptom of misconfiguration.
- D
High CPU utilization is observed due to RPF processing.
Why wrong: uRPF is typically performed in hardware (CEF) and does not cause high CPU.
- E
The 'show ipv6 interface' output shows an increasing 'RPF drops' counter.
The 'show ipv6 interface' command displays a counter for uRPF drops, indicating drops are occurring.
Which TWO configuration steps are required to implement IPv6 traffic filtering using a named ACL on a Cisco router? (Choose TWO.)
Trap 1: Create the ACL using the access-list command.
The 'access-list' command is for IPv4, not IPv6.
Trap 2: Apply the ACL to the interface using the ip access-group command.
The 'ip access-group' command is for IPv4 ACLs.
Trap 3: Apply the ACL to the interface using the ipv6 access-group command.
There is no 'ipv6 access-group' command; the correct command is 'ipv6 traffic-filter'.
- A
Create the ACL using the ipv6 access-list command.
Correct: 'ipv6 access-list NAME' enters IPv6 ACL configuration mode.
- B
Apply the ACL to the interface using the ipv6 traffic-filter command.
Correct: 'ipv6 traffic-filter NAME in' or 'out' applies the ACL.
- C
Create the ACL using the access-list command.
Why wrong: The 'access-list' command is for IPv4, not IPv6.
- D
Apply the ACL to the interface using the ip access-group command.
Why wrong: The 'ip access-group' command is for IPv4 ACLs.
- E
Apply the ACL to the interface using the ipv6 access-group command.
Why wrong: There is no 'ipv6 access-group' command; the correct command is 'ipv6 traffic-filter'.
Which THREE statements about IPv6 unicast RPF (uRPF) are true? (Choose THREE.)
Trap 1: IPv6 uRPF checks the destination address of incoming packets.
uRPF checks the source address, not the destination.
Trap 2: IPv6 uRPF is used to filter multicast traffic.
uRPF is for unicast traffic only; multicast uses different mechanisms (e.g., RPF for multicast routing).
- A
IPv6 uRPF uses the Forwarding Information Base (FIB) to verify source address reachability.
Correct: uRPF checks the FIB to see if the source address is reachable via the incoming interface.
- B
IPv6 uRPF can be configured in strict mode or loose mode.
Correct: Strict mode requires the source to be reachable via the exact incoming interface; loose mode only requires a route to the source.
- C
IPv6 uRPF is configured on a per-interface basis.
Correct: The 'ipv6 verify unicast source reachable-via' command is applied per interface.
- D
IPv6 uRPF checks the destination address of incoming packets.
Why wrong: uRPF checks the source address, not the destination.
- E
IPv6 uRPF is used to filter multicast traffic.
Why wrong: uRPF is for unicast traffic only; multicast uses different mechanisms (e.g., RPF for multicast routing).
A large enterprise network uses OSPFv3 for IPv6 routing. Routers R1 and R2 are connected via a multi-access Ethernet link. R1 is configured with 'ipv6 ospf network point-to-point' while R2 uses the default broadcast network type. R1 has an IPv6 ACL applied inbound on its interface that permits only OSPF (89) and denies all other traffic. R2 is unable to form a full OSPF adjacency with R1. R2 shows 'OSPFv3 adjacency state is EXSTART/EXCHANGE' and logs 'Bad LSReq'. What is the root cause?
Trap 1: R2's OSPFv3 process is configured with a different router-id,…
Router-id mismatch would not cause 'Bad LSReq' specifically; it would affect neighbor state earlier.
Trap 2: The MTU mismatch between R1 and R2 causes OSPFv3 packet…
MTU mismatch typically causes 'Bad LSA' or adjacency stuck in EXSTART, not specifically 'Bad LSReq'.
Trap 3: R2 has a passive interface configured, preventing it from sending…
A passive interface would prevent neighbor discovery entirely, not cause EXSTART/EXCHANGE state.
- A
R1's ACL blocks OSPFv3 multicast hello packets (FF02::5), preventing adjacency formation on the broadcast link.
On a broadcast network, OSPFv3 sends hellos to FF02::5. R1's ACL permits only OSPF protocol, but the destination address is filtered because the ACL does not explicitly permit multicast. The network type mismatch exacerbates the issue as R1 expects unicast hellos.
- B
R2's OSPFv3 process is configured with a different router-id, causing a DR election conflict.
Why wrong: Router-id mismatch would not cause 'Bad LSReq' specifically; it would affect neighbor state earlier.
- C
The MTU mismatch between R1 and R2 causes OSPFv3 packet fragmentation, leading to LSReq errors.
Why wrong: MTU mismatch typically causes 'Bad LSA' or adjacency stuck in EXSTART, not specifically 'Bad LSReq'.
- D
R2 has a passive interface configured, preventing it from sending OSPFv3 hellos.
Why wrong: A passive interface would prevent neighbor discovery entirely, not cause EXSTART/EXCHANGE state.