CCNA IPv6 First Hop Security Questions

1
Multi-Select · hard

An engineer is troubleshooting IPv6 connectivity issues on a switch that has IPv6 First Hop Security features enabled. Clients are unable to obtain a valid IPv6 address via SLAAC. Which TWO configuration changes could resolve this issue? (Choose TWO.)

A. Modify the RA Guard policy to permit Router Advertisements from the trusted router port.
B. Disable DHCPv6 snooping on the VLAN to allow RAs to be forwarded.
C. Enable IPv6 Source Guard on the client-facing interfaces.
D. Add the router's MAC address to the ND inspection allowed-list.
E. Configure a DHCPv6 pool on the switch to provide addresses to clients.
Answers: A, D

Correct. If RA Guard is blocking legitimate RAs, permitting the trusted port resolves the issue.

Why this answer

SLAAC relies on Router Advertisements (RAs) from a router. If RA Guard is blocking legitimate RAs, or if ND inspection is dropping them, clients cannot obtain addresses. Option A is correct: if RA Guard is blocking RAs from the legitimate router, adjusting the policy to permit that router's port will fix the issue.

Option D is correct: if ND inspection is enabled and the router's MAC is not in the allowed list, adding it will allow RAs to pass. Option B is incorrect: disabling DHCPv6 snooping would not help SLAAC, as SLAAC does not use DHCPv6. Option C is incorrect: enabling IPv6 Source Guard would not help; it filters source addresses, not RAs.

Option E is incorrect: configuring a DHCPv6 pool is for stateful DHCPv6, not SLAAC.

2
Multi-Select · hard

Which TWO configuration steps are required to enable IPv6 RA Guard on a Cisco switch interface? (Choose TWO.)

A. Create an RA Guard policy using the 'ipv6 nd raguard policy POLICY_NAME' command.
B. Apply the RA Guard policy to the interface with the 'ipv6 nd raguard attach-policy POLICY_NAME' command.
C. Enable IPv6 routing globally with 'ipv6 unicast-routing'.
D. Configure 'ipv6 nd raguard' directly on the interface without a policy.
E. Enable DHCPv6 Guard on the same interface to complement RA Guard.
Answers: A, B

The policy defines the role (router or host) and other parameters; it is a mandatory step.

Why this answer

RA Guard requires defining a policy that specifies the device role (router or host) and then applying that policy to the interface. Simply enabling 'ipv6 nd raguard' without a policy is not sufficient. The other options are either for different features or incorrect.

3
MCQ · medium

A network engineer configures IPv6 Source Guard on an interface:

    interface GigabitEthernet0/3
     ipv6 verify source

What is the immediate effect of this command?

A. The interface filters all incoming IPv6 traffic unless the source address is in the DHCP snooping binding table.
B. The interface allows all IPv6 traffic but logs violations.
C. The interface only filters Neighbor Discovery messages.
D. The interface requires a static binding to be configured first.
Answer: A

IPv6 Source Guard checks source IPv6 and MAC against the binding table; unmatched traffic is dropped.

Why this answer

IPv6 Source Guard with no additional parameters uses the DHCPv6 snooping binding table to validate source addresses. It filters traffic based on source IPv6 and MAC addresses.

4
MCQ · medium

A network engineer is troubleshooting an issue where IPv6 traffic is being forwarded incorrectly on a switch. The switch is configured with IPv6 Source Guard on access ports. A legitimate host on port Fa0/1 with IPv6 address 2001:db8:1::10 is unable to send traffic to the default gateway. The engineer checks the IPv6 binding table and sees that the host's entry is missing. What is the most likely cause?

A. The host is using a static IPv6 address, and ND snooping is not enabled on the VLAN, so the binding was never learned.
B. The host's MAC address is not in the MAC address table for VLAN 1.
C. The switch is running IPv6 First Hop Security in monitor mode, which logs violations but does not drop traffic.
D. The default gateway router is not sending Router Advertisements, so the host cannot form a default route.
Answer: A

Correct because IPv6 Source Guard relies on ND snooping to learn static addresses; without it, the host's traffic is dropped.

Why this answer

IPv6 Source Guard requires a valid binding entry (learned via DHCPv6 snooping or ND snooping) to permit traffic. If the host is using a static IPv6 address, ND snooping must be enabled to learn the binding; otherwise, traffic is dropped.

5
MCQ · hard

A network engineer enables IPv6 First Hop Security with 'ipv6 dhcp guard' on a switch port connected to a legitimate DHCPv6 server. Clients on other ports receive DHCPv6 replies, but the server's port is being err-disabled repeatedly. The engineer checks the logs and sees DHCPv6 server advertisements being dropped. What is the most likely cause?

A. The port is not configured as 'trusted' for DHCPv6 Guard, causing all server advertisements to be dropped.
B. The DHCPv6 server is sending messages with an invalid DUID.
C. DHCPv6 Guard only works with stateful DHCPv6, not stateless.
D. The switch is running an older IOS version that does not support DHCPv6 Guard.
Answer: A

DHCPv6 Guard requires explicit trust for server ports.

Why this answer

DHCPv6 Guard by default blocks all DHCPv6 server advertisements (Reply and Advertise messages) from untrusted ports. If the port connected to the legitimate DHCPv6 server is not explicitly configured as 'trusted', the switch will drop the server's messages and may err-disable the port due to violation. The edge case is that the default behavior for DHCPv6 Guard is to treat all ports as untrusted, so even a legitimate server must be manually trusted.

6
Multi-Select · hard

Which TWO statements about IPv6 First Hop Security (FHS) Source Guard are true? (Choose TWO.)

A. IPv6 Source Guard dynamically creates binding entries for all IPv6 addresses learned via ND.
B. IPv6 Source Guard uses the IPv6 binding table to permit or deny traffic based on source address.
C. IPv6 Source Guard filters traffic based on the destination IPv6 address in the packet.
D. IPv6 Source Guard can be enabled on a per-interface or per-VLAN basis.
E. IPv6 Source Guard only works with addresses learned via DHCPv6.
Answers: B, D

Correct. Source Guard checks the source IPv6 address and MAC against the binding table and drops unauthorized traffic.

Why this answer

IPv6 Source Guard filters traffic based on the source IPv6 address and MAC address, using the binding table. It can be used with both SLAAC and DHCPv6, but it does not create bindings itself—it relies on DHCPv6 snooping or ND snooping. Option B is correct because Source Guard uses the binding table to validate source addresses.

Option D is correct because Source Guard can be enabled per interface or per VLAN. Option A is incorrect because Source Guard does not create bindings; it uses bindings from DHCPv6 snooping or ND snooping. Option C is incorrect because Source Guard filters on source IP and MAC, not destination.

Option E is incorrect because Source Guard is not limited to DHCPv6-learned addresses; it can also use ND snooping entries.

7
Drag & Drop · hard

Drag and drop the steps to troubleshoot IPv6 First Hop Security adjacency or connectivity failures into the correct order, from first to last.

Why this order

Start by checking basic connectivity with ping. Then examine the neighbor cache for incomplete entries. Verify if IPv6 snooping is enabled and inspect the binding table.

Check RA Guard and DHCPv6 Guard policies that may drop packets. Finally, use debug ipv6 snooping to capture packet drops.

8
MCQ · medium

A network engineer is troubleshooting an issue where IPv6 traffic from a host is being dropped by the switch. The switch has IPv6 Source Guard enabled. The host has a static IPv6 address 2001:db8:2::20. The engineer sees that the binding table does not contain an entry for this host. What should the engineer do to resolve the issue without disabling IPv6 Source Guard?

A. Enable IPv6 ND snooping on the VLAN to allow the switch to learn the host's binding from Neighbor Discovery messages.
B. Configure the host to use DHCPv6 to obtain an address so that the binding is learned via DHCPv6 snooping.
C. Add a static binding entry for the host in the IPv6 binding table using the 'ipv6 neighbor' command.
D. Disable IPv6 Source Guard on the port connected to the host.
Answer: A

Correct because ND snooping creates bindings for static addresses, allowing IPv6 Source Guard to permit traffic.

Why this answer

For static IPv6 addresses, IPv6 Source Guard relies on ND snooping to learn the binding. If ND snooping is not enabled, the binding will not be created, and traffic will be dropped. The fix is to enable ND snooping on the VLAN.

9
MCQ · medium

A network engineer runs the following command on Router R1:

    R1# show ipv6 source-guard policy
    Interface   Policy      Role   State
    Gi0/0/0     SRC_GUARD   host   ACTIVE
    Gi0/0/1     SRC_GUARD   host   ACTIVE
    Gi0/0/2     (default)   host   ACTIVE

Based on this output, which statement is correct?

A. Only Gi0/0/0 and Gi0/0/1 have source guard enabled.
B. Source guard is enabled on all interfaces, preventing IPv6 address spoofing.
C. Source guard is disabled on Gi0/0/2 because it uses the default policy.
D. Role 'host' means the interface is a router port.
Answer: B

All interfaces show active state with source guard policy.

Why this answer

All interfaces are using the SRC_GUARD policy or default with role 'host', meaning source address validation is enforced on all interfaces. This prevents hosts from spoofing IPv6 addresses.

10
MCQ · medium

A network engineer runs the following command on Router R1:

    R1# show ipv6 dhcp interface Gi0/0/0
    Gi0/0/0 is in server mode
      Uses prefix 2001:DB8:1::/64
      Rapid-Commit is disabled
      Preference value: 0
      Information refresh option: 86400
      DNS server: 2001:DB8::1
      Domain name: example.com
      Active clients: 5
      Pool: DHCP_POOL

Based on this output, which statement is correct?

A. The router is acting as a DHCPv6 client on Gi0/0/0.
B. The router is acting as a DHCPv6 server on Gi0/0/0 and has 5 active clients.
C. Rapid-Commit is enabled.
D. The interface is using SLAAC for address assignment.
Answer: B

Server mode with active clients indicates DHCPv6 server functionality.

Why this answer

The interface is configured as a DHCPv6 server with a prefix, DNS server, and domain name. It has 5 active clients. This means the router is providing DHCPv6 services on that interface.

11
MCQ · easy

What is the default value of the RA lifetime (Router Lifetime) in IPv6 Router Advertisements on Cisco IOS-XE?

A. 600 seconds
B. 1800 seconds
C. 3600 seconds
D. 0 seconds
Answer: B

Correct. The default Router Lifetime is 1800 seconds on Cisco IOS-XE.

Why this answer

The default Router Lifetime in RA messages on Cisco IOS-XE is 1800 seconds (30 minutes). This matches RFC 4861, which recommends a default of 3 times the default RA interval (600 seconds), that is, 1800 seconds.

12
MCQ · medium

A network engineer is troubleshooting an IPv6 neighbor discovery issue on a switch running IOS-XE. Hosts on VLAN 100 are intermittently losing connectivity to the default gateway. The switch is configured with IPv6 First Hop Security features including RA Guard and DHCPv6 Guard. The engineer notices that the switch is dropping valid Router Advertisements from the legitimate router. What is the most likely cause of this issue?

A. The RA Guard policy is configured with 'device-role router' on the port connected to the legitimate router, but the router's MAC address is not in the allowed list.
B. DHCPv6 Guard is blocking DHCPv6 Advertise messages from the router, preventing hosts from obtaining IPv6 addresses.
C. IPv6 Source Guard is dropping packets from the router because the router's IPv6 address is not in the binding table.
D. The switch has IPv6 unicast-routing enabled, causing it to send its own RAs and override the legitimate router.
Answer: A

Correct because RA Guard requires explicit authorization of routers; if the legitimate router's MAC is not allowed, its RAs are dropped.

Why this answer

RA Guard is configured to drop RAs from unauthorized routers. If the legitimate router's MAC address is not in the RA Guard policy's allowed list or the policy is misconfigured, valid RAs will be dropped, causing hosts to lose their default gateway.

13
MCQ · hard

An engineer is troubleshooting an issue where a rogue IPv6 router is sending false Router Advertisements on the network, causing hosts to use a malicious default gateway. The switch is configured with IPv6 First Hop Security features. The engineer wants to prevent this attack while allowing the legitimate router to send RAs. What is the correct configuration approach?

A. Configure RA Guard with a policy that sets the legitimate router's port as 'device-role router' and all other ports as 'device-role host', and apply the policy globally.
B. Enable DHCPv6 Guard on all ports to block any DHCPv6 server messages, which will also block RAs.
C. Use IPv6 Source Guard to filter traffic from the rogue router based on its IPv6 address.
D. Configure a static IPv6 neighbor entry for the legitimate router on the switch to override rogue RAs.
Answer: A

Correct because RA Guard will allow RAs only on ports configured as 'device-role router', blocking rogue RAs on host ports.

Why this answer

RA Guard is designed to prevent rogue RAs by allowing only authorized routers to send RAs. The correct approach is to configure RA Guard with a policy that trusts the legitimate router's port and drops RAs from all other ports.

14
MCQ · hard

An engineer configures IPv6 RA Guard on a switch port connected to a router running OSPFv3. Unexpectedly, OSPFv3 neighbor adjacencies fail to form on that link. Which is the most likely explanation?

A. RA Guard with device-role host drops all IPv6 traffic except Neighbor Discovery and DHCP, including OSPFv3 hellos.
B. OSPFv3 uses multicast address FF02::5 which is filtered by RA Guard by default.
C. RA Guard changes the MAC address of the router, causing OSPFv3 neighbor to be unreachable.
D. The router must send Router Advertisements for OSPFv3 to work, and RA Guard blocks them.
Answer: A

RA Guard host role restricts traffic to ND and DHCP only, blocking OSPFv3.

Why this answer

RA Guard drops Router Advertisement messages (ICMPv6 type 134), and the default RA Guard policy blocks all RAs. OSPFv3 hello packets, by contrast, are sent to the IPv6 multicast address FF02::5 and are not RAs. If the router sends RAs (even if not needed), the RAs are dropped or the port might be err-disabled, but RA filtering by itself does not affect OSPFv3 hellos.

The real edge case: RA Guard with 'device-role host' blocks all IPv6 traffic from the port except ND and DHCP, which can include OSPFv3 if the policy is too restrictive. The most common misconfiguration is that RA Guard is applied with 'device-role switch' which expects the port to be a switch, but if the port is actually a router, the router's OSPFv3 hellos are dropped because RA Guard treats the router as a host and drops non-ND traffic.

15
Multi-Select · hard

Which THREE statements about IPv6 Source Guard are true? (Choose THREE.)

A. It filters IPv6 traffic based on the source IPv6 address of incoming packets.
B. It relies on the IPv6 snooping binding table, which is populated by DHCPv6 snooping or ND Inspection.
C. It can be configured to allow traffic from specific prefixes using a static prefix list.
D. It filters both incoming and outgoing IPv6 traffic on a port.
E. It requires DHCPv6 snooping to be enabled on the VLAN to function.
Answers: A, B, C

IPv6 Source Guard checks the source address against the binding table and drops packets with invalid source addresses.

Why this answer

IPv6 Source Guard filters traffic based on the source address, using the binding table. It prevents spoofing, requires DHCPv6 snooping or ND Inspection to build the table, and can be configured with a static prefix list. The incorrect options misstate the filtering direction or necessity of DHCPv6.

16
MCQ · hard

An engineer configures IPv6 Source Guard on a switch port with 'ipv6 verify source' and also enables 'ipv6 snooping' globally. A legitimate host on that port is unable to send traffic, and the switch logs show that packets are being dropped due to source address validation failure. The host has a static IPv6 address and the engineer has configured a static binding using 'ipv6 neighbor binding' command. What is the most likely oversight?

A. The static binding must be associated with a valid ND entry; without an NA from the host, the binding remains incomplete.
B. The 'ipv6 verify source' command must include the 'allow-default' option to work with static addresses.
C. The switch port must be configured as 'trusted' for IPv6 snooping.
D. The host must use DHCPv6 to obtain an address for Source Guard to work.
Answer: A

Source Guard requires the binding to be in REACHABLE state, which requires ND activity.

Why this answer

IPv6 Source Guard with 'ipv6 verify source' uses the binding table to validate source addresses. Even with a static binding, the binding table entry must be in the 'REACHABLE' state for Source Guard to accept traffic. If the static binding is configured but the switch does not have a corresponding ND entry (because the host never sends an NS or the switch does not learn it), the binding remains in 'INCOMPLETE' state and Source Guard drops the traffic.

The edge case is that static bindings do not automatically populate the ND cache; the host must send an unsolicited NA or the switch must receive an RS to complete the binding.

17
MCQ · medium

A network engineer runs the following command to verify IPv6 device tracking:

    R1# show ipv6 device-tracking database
    Interface  MAC Address     VLAN  IPv6 Address  State   Age  Policy
    Fa0/0      0011.2233.4455  10    2001:db8::1   ACTIVE  10   TRUSTED
    Fa0/0      00aa.bbcc.ddee  10    2001:db8::2   ACTIVE  5    INSPECT
    Fa0/0      1111.2222.3333  10    2001:db8::3   VERIFY  0    -

What does this output indicate?

A. Device tracking shows two devices in ACTIVE state and one in VERIFY state, indicating ongoing ND verification for the third device.
B. All devices are in ACTIVE state, indicating stable tracking.
C. Device tracking is disabled, and the database is empty.
D. Device tracking only tracks IPv4 addresses.
Answer: A

The VERIFY state means the device is being validated before becoming active.

Why this answer

The show command displays the device tracking database, showing active and verifying states for devices on interface Fa0/0 with associated policies.

18
MCQ · medium

A network engineer runs the following command on Router R1:

    R1# show ipv6 traffic
    IPv6 statistics:
      Rcvd: 1000 total, 800 unicast, 200 multicast
      Sent: 900 total, 700 unicast, 200 multicast
      Errors: 0
      Dropped: 0
    ND statistics:
      NS: 50 received, 40 sent
      NA: 30 received, 20 sent
      RS: 10 received, 5 sent
      RA: 2 received, 8 sent
      Redirect: 0 received, 0 sent

Based on this output, which statement is correct?

A. The router is not sending any Router Advertisements.
B. The router is receiving more Neighbor Solicitations than it is sending, which is expected.
C. There is a high number of errors in IPv6 traffic.
D. The router is dropping many packets.
Answer: B

NS received (50) vs sent (40) is typical as the router responds to queries.

Why this answer

The ND statistics show that Router Advertisements (RAs) are being sent (8 sent) and received (2 received). This is normal for a router that is advertising itself. The numbers are balanced and indicate proper ND operation.

19
MCQ · easy

What is the default role of an interface in IPv6 Neighbor Discovery Inspection when no policy is explicitly applied?

A. Untrusted
B. Trusted
C. Server
D. Host
Answer: A

The default role is untrusted, so ND messages are inspected.

Why this answer

By default, all interfaces are considered untrusted for ND inspection, meaning they are subject to validation checks unless explicitly trusted.

20
MCQ · medium

A network engineer runs the following command to troubleshoot DHCPv6 guard:

    R1# debug ipv6 dhcp guard
    *Mar 1 00:03:45.678: IPv6-DHCP-Guard: R1, Fa0/0, DHCPv6 SOLICIT from fe80::3, client DUID 00010001abcd1234
    *Mar 1 00:03:45.678: IPv6-DHCP-Guard: R1, Fa0/0, DHCPv6 SOLICIT from fe80::3 is allowed by policy DHCP-POLICY
    *Mar 1 00:03:46.901: IPv6-DHCP-Guard: R1, Fa0/0, DHCPv6 ADVERTISE from fe80::4, server DUID 0001000156789012
    *Mar 1 00:03:46.901: IPv6-DHCP-Guard: R1, Fa0/0, DHCPv6 ADVERTISE from fe80::4 is blocked by policy DHCP-POLICY

What does this output indicate?

A. DHCPv6 guard is allowing client messages but blocking server messages from untrusted sources, preventing rogue DHCPv6 servers.
B. DHCPv6 guard is blocking all DHCPv6 messages, indicating a misconfiguration.
C. DHCPv6 guard is allowing all messages but logging them for analysis.
D. DHCPv6 guard is not configured; the debug output is from default DHCPv6 behavior.
Answer: A

The ADVERTISE from fe80::4 is blocked, which is typical for DHCPv6 guard on untrusted ports.

Why this answer

The debug shows DHCPv6 guard filtering DHCPv6 messages. Client SOLICIT is allowed, but server ADVERTISE from fe80::4 is blocked, indicating the source is not a trusted DHCPv6 server.

21
Drag & Drop · medium

Drag and drop the steps to verify and validate IPv6 First Hop Security operational state into the correct order, from first to last.

Why this order

Start by checking global IPv6 snooping status. Then display the binding table for learned entries. Verify interface-specific FHS policies.

Check the RA Guard policy counters for drops. Finally, validate the neighbor cache for correct MAC-to-IPv6 mappings.

22
MCQ · hard

An engineer is troubleshooting an IPv6 connectivity issue where hosts on VLAN 10 cannot reach the internet. The switch is configured with IPv6 First Hop Security features including RA Guard and DHCPv6 Guard. The legitimate router is connected to port Gi1/0/1. The engineer notices that the router is sending RAs, but hosts are not receiving them. The switch shows that RA Guard is dropping packets on port Gi1/0/1. What is the most likely misconfiguration?

A. The RA Guard policy is configured with 'device-role host' on port Gi1/0/1, which causes the switch to drop all RAs received on that port.
B. DHCPv6 Guard is configured on port Gi1/0/1, blocking the router's DHCPv6 server messages.
C. IPv6 Source Guard is enabled on the VLAN, and the router's IPv6 address is not in the binding table.
D. The switch has IPv6 unicast-routing enabled, and it is sending its own RAs, causing a conflict.
Answer: A

Correct because 'device-role host' tells the switch that only hosts are allowed on that port; RAs from a router will be dropped.

Why this answer

RA Guard drops RAs from devices that are not authorized as routers. If the legitimate router's MAC address is not included in the RA Guard policy's allowed list, or if the port is not configured with the correct device-role, the RAs will be dropped.

23
MCQ · medium

A network engineer runs the following command to troubleshoot an IPv6 First Hop Security issue:

    R1# debug ipv6 nd raguard
    *Mar 1 00:01:23.456: IPv6-ND-RA-Guard: R1, Fa0/0, RA received on port Fa0/0, src fe80::1, dst ff02::1
    *Mar 1 00:01:23.456: IPv6-ND-RA-Guard: R1, Fa0/0, RA from fe80::1 is allowed by policy TRUSTED
    *Mar 1 00:01:24.789: IPv6-ND-RA-Guard: R1, Fa0/0, RA received on port Fa0/0, src fe80::2, dst ff02::1
    *Mar 1 00:01:24.789: IPv6-ND-RA-Guard: R1, Fa0/0, RA from fe80::2 is blocked by policy UNTRUSTED

What does this output indicate?

A. RA Guard is configured with a policy that trusts fe80::1 and blocks fe80::2, preventing rogue RA attacks.
B. RA Guard is blocking all RAs regardless of source, indicating a misconfiguration.
C. RA Guard is allowing all RAs but logging them for analysis.
D. RA Guard is not configured; the debug output is from default IPv6 ND behavior.
Answer: A

The debug confirms that fe80::1 is allowed by policy TRUSTED and fe80::2 is blocked by policy UNTRUSTED, which is the expected behavior for RA Guard.

Why this answer

The debug output shows RA Guard filtering RAs based on device trust. RAs from trusted sources are allowed, while those from untrusted sources are blocked to prevent rogue RA attacks.

24
MCQ · medium

A network engineer runs the following command to verify IPv6 ND inspection policy:

    R1# show ipv6 nd inspection policy INSPECT
    Policy: INSPECT
    Status: Active
    Device role: node
    Trusted ports: none
    Untrusted ports: Fa0/0
    ND inspection: enabled
    Validation:
      - Source MAC address: verify
      - Destination MAC address: verify
      - IPv6 source address: verify
      - IPv6 destination address: verify
      - Nonce: disabled
      - Timestamp: disabled

What does this output indicate?

A. The policy INSPECT validates source and destination MAC and IPv6 addresses on untrusted port Fa0/0.
B. The policy INSPECT only validates source MAC addresses on trusted ports.
C. The policy INSPECT disables ND inspection and logs all ND messages.
D. The policy INSPECT is inactive and not applied to any interface.
Answer: A

All four validation checks are enabled, and the port is untrusted.

Why this answer

The show command displays the ND inspection policy. The policy INSPECT is active on untrusted port Fa0/0, with validation of MAC and IPv6 addresses enabled.

25
MCQ · hard

An engineer is troubleshooting a network where IPv6 hosts cannot obtain IP addresses via DHCPv6. The switch is configured with DHCPv6 Guard to prevent rogue DHCP servers. The legitimate DHCPv6 server is connected to port GigabitEthernet1/0/1. The engineer sees that DHCPv6 Solicit messages from hosts reach the server, but the server's Advertise and Reply messages are not reaching the hosts. What is the most likely root cause?

A. The DHCPv6 Guard policy is applied globally, and the port connected to the DHCP server is not configured as a trusted port for DHCPv6 server messages.
B. RA Guard is blocking the DHCPv6 server's Router Advertisements, causing hosts to not send Solicit messages.
C. IPv6 Source Guard is filtering the server's responses because the server's IPv6 address is not in the binding table.
D. The switch has DHCP snooping enabled for IPv4, which is interfering with IPv6 DHCPv6 operation.
Answer: A

Correct because DHCPv6 Guard by default blocks server messages on untrusted ports; the server port must be explicitly trusted.

Why this answer

DHCPv6 Guard on the switch port connected to the DHCP server will drop DHCPv6 server messages (Advertise, Reply) unless the port is configured as a trusted DHCPv6 server port. If the port is not trusted, the server's responses are dropped.

26
MCQ · hard

A network engineer runs the following command to troubleshoot IPv6 ND inspection:

    R1# debug ipv6 nd inspection
    *Mar 1 00:02:34.567: IPv6-ND-Inspection: R1, Fa0/0, NS from fe80::1 to ff02::1, target 2001:db8::1, options: SLLA 0011.2233.4455
    *Mar 1 00:02:34.567: IPv6-ND-Inspection: R1, Fa0/0, NS from fe80::1 to ff02::1, target 2001:db8::1, SLLA 0011.2233.4455 is allowed by policy INSPECT
    *Mar 1 00:02:35.890: IPv6-ND-Inspection: R1, Fa0/0, NA from fe80::2 to fe80::1, target 2001:db8::2, options: TLLA 00aa.bbcc.ddee
    *Mar 1 00:02:35.890: IPv6-ND-Inspection: R1, Fa0/0, NA from fe80::2 to fe80::1, target 2001:db8::2, TLLA 00aa.bbcc.ddee is blocked by policy INSPECT

What does this output indicate?

A. ND inspection is allowing NS messages but blocking NA messages from fe80::2, likely due to a MAC address mismatch or policy violation.
B. ND inspection is blocking all NS and NA messages, indicating a misconfiguration.
C. ND inspection is allowing all messages but logging them for analysis.
D. ND inspection is not configured; the debug output is from default ND behavior.
Answer: A

The NA is blocked, which could be due to the source MAC not matching the TLLA or policy rules.

Why this answer

The debug shows ND inspection processing NS and NA messages. The NS from fe80::1 is allowed, but the NA from fe80::2 is blocked, indicating a possible spoofing attempt or policy violation.

27
MCQ · hard

A large enterprise network is experiencing intermittent IPv6 connectivity loss for hosts on VLAN 100. Router R1 has the following relevant configuration:

    interface GigabitEthernet0/0.100
     encapsulation dot1Q 100
     ipv6 address 2001:DB8:1:100::1/64
     ipv6 nd raguard
     ipv6 nd prefix default
     ipv6 dhcp relay destination 2001:DB8:1:200::1
    !

Router R2 shows: debug ipv6 dhcp relay output indicates that DHCPv6 requests from VLAN 100 are being relayed, but the server never receives the SOLICIT messages. What is the root cause?

A. The 'ipv6 nd raguard' command on the interface filters DHCPv6 SOLICIT messages, preventing relay.
B. The DHCPv6 relay destination is in a different VRF, and the relay is not configured to use that VRF.
C. An IPv6 ACL applied to GigabitEthernet0/0.100 has an implicit deny that blocks the relayed DHCPv6 traffic.
D. The DHCPv6 server is not configured to accept relayed messages from this relay agent.
Answer: C

The implicit deny at the end of an IPv6 ACL can block DHCPv6 relay packets if no explicit permit statement exists for the relay destination.

Why this answer

The issue is that the DHCPv6 relay agent is configured with 'ipv6 nd raguard' which filters Router Advertisement messages but does not affect DHCPv6 relay. However, the relay destination is unreachable due to a missing route or ACL. The correct answer identifies that an implicit deny in an IPv6 ACL applied to the relay interface is blocking the relayed traffic, a common oversight when combining First Hop Security features with ACLs.

28
Multi-Select · hard

Which THREE commands can be used to verify IPv6 First Hop Security (FHS) bindings or operations? (Choose THREE.)

A. show ipv6 neighbors
B. show ipv6 dhcp snooping binding
C. show ipv6 route
D. show ipv6 source-guard
E. show ipv6 traffic
Answers: A, B, D

Correct. This command displays the IPv6 neighbor discovery cache, which includes bindings used by FHS features like ND inspection.

Why this answer

Various show commands are used to verify FHS features. 'show ipv6 neighbors' displays the ND cache, which includes bindings learned via ND snooping. 'show ipv6 dhcp snooping binding' displays DHCPv6 snooping bindings. 'show ipv6 source-guard' shows Source Guard policy and statistics. Option A is correct: 'show ipv6 neighbors' shows ND entries that FHS uses. Option B is correct: 'show ipv6 dhcp snooping binding' shows DHCPv6 bindings used by Source Guard.

Option D is correct: 'show ipv6 source-guard' displays Source Guard configuration and drops. Option C is incorrect: 'show ipv6 route' shows routing table, not FHS bindings. Option E is incorrect: 'show ipv6 traffic' shows packet statistics, not FHS-specific bindings.

29
MCQ · hard

A network engineer is troubleshooting IPv6 routing issues between two routers connected via a serial link. Router R1 and Router R2 are running OSPFv3. The OSPFv3 adjacency is not forming. Router R1 has the following relevant configuration:

    interface Serial0/0
     ipv6 address 2001:DB8:1::1/64
     ipv6 ospf 1 area 0
    !

Router R2 shows: debug ipv6 ospf hello output indicates that R2 is receiving Hello packets from R1, but the neighbor state remains INIT. What is the root cause?

A. The OSPFv3 process ID does not match between R1 and R2.
B. The serial interface has a mismatched network type, such as point-to-multipoint, which prevents adjacency formation on a point-to-point link.
C. The IPv6 address on the serial interface is not in the same subnet as R2's address.
D. The OSPFv3 hello interval is set to a non-default value that is not supported on serial links.
Answer: B

A network type mismatch can cause Hello packets to be ignored or not processed correctly, leading to INIT state.

Why this answer

On point-to-point serial links, OSPFv3 uses link-local addresses for neighbor discovery. If the link-local address is not properly formed or if there is a mismatch in the OSPFv3 network type, the adjacency may not progress. The correct answer identifies that the serial interface is configured with a non-default network type (e.g., point-to-multipoint) that requires additional configuration, causing the INIT state to persist.

30
Drag & Dropmedium

Drag and drop the steps to configure IPv6 RA Guard on a switch into the correct order, from first to last.

Why this order

First, globally enable IPv6 snooping. Then define an RA Guard policy with the trusted or untrusted role. Apply the policy to the desired interface.

Verify the configuration with show commands. Finally, test the RA Guard operation by sending RAs from unauthorized ports.

31
MCQmedium

A network engineer runs the following command to verify DHCPv6 guard policy:

    R1# show ipv6 dhcp guard policy DHCP-POLICY
    Policy: DHCP-POLICY
    Status: Active
    Device role: dhcp-client
    Trusted ports: none
    Untrusted ports: Fa0/0
    DHCPv6 guard: enabled
    DHCPv6 guard action: block
    DHCPv6 server validation: enabled
    DHCPv6 server list: 2001:db8::10

What does this output indicate?

A.The policy blocks DHCPv6 server messages on Fa0/0 except from server 2001:db8::10.
B.The policy allows all DHCPv6 messages on Fa0/0 without any filtering.
C.The policy only applies to DHCPv6 client messages and ignores server messages.
D.The policy is inactive and not applied to any interface.
AnswerA

The action is block, and server validation is enabled with a specific server list.

Why this answer

The show command displays the DHCPv6 guard policy. The policy blocks DHCPv6 server messages on untrusted port Fa0/0, except from the listed server 2001:db8::10.

32
MCQmedium

A network engineer is troubleshooting an issue where IPv6 hosts are receiving multiple Router Advertisements from different routers, causing routing instability. The switch is configured with IPv6 First Hop Security features. The engineer wants to ensure that only the primary router's RAs are accepted by hosts. What is the most effective solution?

A.Configure RA Guard with a policy that includes the primary router's MAC address in the allowed list and apply it to all ports.
B.Enable DHCPv6 Guard to block DHCPv6 messages from the secondary router.
C.Use IPv6 Source Guard to filter traffic from the secondary router.
D.Configure the switch to act as a router and send its own RAs with a higher priority to override the secondary router.
AnswerA

Correct because RA Guard will drop RAs from any router not in the allowed list, preventing multiple routers from sending RAs.

Why this answer

RA Guard can be used to allow only authorized routers to send RAs. By configuring an RA Guard policy that permits only the primary router's MAC address, RAs from other routers will be dropped, ensuring stability.

33
Multi-Selecthard

Which TWO statements about IPv6 First Hop Security (FHS) RA Guard are true? (Choose TWO.)

Select 2 answers
A.The default RA Guard policy action is to block Router Advertisements from unauthorized ports.
B.RA Guard validates the source MAC address of Router Advertisements against the IPv6 source address.
C.The default RA Guard policy action is to log Router Advertisements from unauthorized ports.
D.RA Guard can be applied on a per-interface or per-VLAN basis using a policy map.
E.RA Guard is typically enabled on trunk ports to protect against rogue RAs from other VLANs.
AnswersA, D

Correct. The default action for an RA Guard policy is 'block', which drops unauthorized RAs.

Why this answer

RA Guard is a feature that blocks unauthorized Router Advertisement messages. It relies on policy enforcement based on port and VLAN, not on source MAC or a trust boundary per se. The default policy action is 'block', and the feature can be applied globally or per interface.

Option A is correct because the default action is to block RAs from unauthorized ports. Option D is correct because RA Guard operates on Layer 2 interfaces and can be applied to a range of VLANs. Option B is incorrect because the feature does not validate source MAC; it checks the router preference and hop limit.

Option C is incorrect because the default policy action is 'block', not 'log'. Option E is incorrect because RA Guard is typically applied on access ports, not trunk ports, and trunk ports often carry multiple VLANs where RA Guard might interfere with legitimate routers.

34
MCQmedium

In IPv6 FHS, what is the default action for 'RA Guard' when a rogue RA is detected on a switch port?

A.Forward the RA to the CPU for inspection
B.Drop the RA and generate a syslog message
C.Shut down the port
D.Send a notification to the network management system
AnswerB

Correct. The default action is to drop the RA and log the event.

Why this answer

The default action for RA Guard on Cisco IOS-XE is to 'drop' the offending RA message and optionally log the event. This is configured via the 'ipv6 nd raguard' command.

35
MCQmedium

Consider the following partial configuration:

    ipv6 nd inspection policy ND_INSPECT
     device-role host
     trusted-port
    interface GigabitEthernet0/4
     ipv6 nd inspection policy ND_INSPECT

What is the effect of the 'trusted-port' command in this policy?

A.The interface is trusted, so Neighbor Discovery messages are not inspected.
B.The interface only allows Neighbor Advertisements from trusted sources.
C.The interface drops all Neighbor Discovery messages.
D.The interface requires a valid binding for each ND message.
AnswerA

Trusted ports bypass ND inspection checks.

Why this answer

The 'trusted-port' command marks the interface as trusted for Neighbor Discovery inspection, meaning ND messages are not validated. This is often used on ports connecting to other routers or switches.

36
MCQhard

A network engineer configures 'ipv6 snooping' globally on a switch and applies 'ipv6 verify source' on a port connected to a router running OSPFv3. The router's OSPFv3 neighborship with another router across the switch fails. The switch logs show that OSPFv3 packets are being dropped. The engineer checks the binding table and sees no entries for the router's link-local address. What is the most likely reason?

A.Source Guard does not learn link-local addresses via ND snooping, so OSPFv3 packets are dropped.
B.OSPFv3 uses multicast addresses that are blocked by Source Guard.
C.The router must be configured as a static binding for its link-local address.
D.The switch must have 'ipv6 snooping' enabled on the VLAN, not globally.
AnswerA

Link-local addresses are not populated in the binding table by default.

Why this answer

IPv6 Snooping and Source Guard typically rely on ND snooping to populate the binding table. However, OSPFv3 uses link-local addresses for communication, and link-local addresses are not learned via ND snooping because they are derived from the interface MAC address and are not advertised in NAs. The switch does not create binding entries for link-local addresses unless explicitly configured.

Therefore, Source Guard drops OSPFv3 packets because the source link-local address is not in the binding table. The edge case is that IPv6 First Hop Security features often overlook link-local addresses, causing routing protocol failures.

37
MCQmedium

A network engineer runs the following command to verify IPv6 First Hop Security operation:

    R1# show ipv6 nd raguard policy TRUSTED
    Policy: TRUSTED
    Status: Active
    Device role: host
    Trusted ports: Fa0/1
    Untrusted ports: none
    RA Guard: enabled
    RA Guard policy: allow
    ND inspection: enabled
    ND inspection policy: INSPECT

What does this output indicate?

A.The policy TRUSTED allows RAs on Fa0/1 and performs ND inspection using policy INSPECT.
B.The policy TRUSTED blocks all RAs on Fa0/1 and disables ND inspection.
C.The policy TRUSTED only applies to untrusted ports and has no effect on Fa0/1.
D.The policy TRUSTED is inactive and not applied to any interface.
AnswerA

The output shows RA Guard is enabled with allow action, and ND inspection is enabled with policy INSPECT on the trusted port.

Why this answer

The show command displays the RA Guard policy configuration. The policy TRUSTED is active, applied to port Fa0/1 as trusted, with RA Guard allowing RAs and ND inspection enabled.

38
MCQhard

A network engineer is troubleshooting IPv6 redistribution between EIGRP and OSPFv3 on Router R1. Routes from OSPFv3 are being redistributed into EIGRP, but they are not appearing in the EIGRP topology table. Router R1 has the following relevant configuration:

    router eigrp Test
     address-family ipv6 unicast
      redistribute ospf 1 metric 10000 100 255 1 1500
    !

Router R2 shows: show ipv6 eigrp topology output does not include any OSPF-derived routes. What is the root cause?

A.The EIGRP metric values are too high, causing the routes to be considered unreachable.
B.The OSPFv3 process ID in the redistribute command does not match the actual OSPFv3 process ID running on the router.
C.The routes from OSPFv3 are external, and EIGRP does not redistribute external OSPF routes by default.
D.The EIGRP address-family is not configured with a router ID, preventing redistribution.
AnswerB

If the process ID is wrong, the redistribution command does not match any OSPFv3 process, and no routes are redistributed.

Why this answer

The 'redistribute ospf 1' command under EIGRP IPv6 address-family requires that the OSPFv3 process is correctly specified and that the metrics are appropriate. However, a common issue is that the OSPFv3 process is not running or that the routes are not in the OSPFv3 database. The correct answer identifies that the OSPFv3 process ID is missing or incorrect, causing redistribution to fail silently.

39
MCQhard

A network engineer is troubleshooting an issue where IPv6 hosts are unable to perform Duplicate Address Detection (DAD) successfully. The switch is configured with IPv6 First Hop Security features including ND Inspection and ND Suppress. The engineer notices that Neighbor Solicitation messages for DAD are being dropped by the switch. What is the most likely cause?

A.ND Inspection is configured to drop Neighbor Solicitations with an unspecified source address (::) because it has no binding for that address.
B.RA Guard is configured to drop all multicast traffic, including Neighbor Solicitations.
C.DHCPv6 Guard is blocking the DAD messages because they are considered DHCPv6 traffic.
D.IPv6 Source Guard is dropping the DAD messages because the source address :: is not in the binding table.
AnswerA

Correct because ND Inspection typically requires a valid binding for the source address; DAD uses :: as source, which is not in the binding table, causing drops.

Why this answer

ND Suppress is a feature that suppresses Neighbor Advertisements for addresses that are in the binding table. However, if ND Inspection is misconfigured, it may drop Neighbor Solicitations that are part of DAD because the source address is the unspecified address (::) and the switch may not have a binding for it.

40
MCQmedium

An engineer is troubleshooting a network where IPv6 hosts on VLAN 20 are unable to communicate with each other. The switch is configured with IPv6 First Hop Security features including Private VLAN (PVLAN) and IPv6 Source Guard. The hosts are in the same VLAN but cannot ping each other. What is the most likely cause?

A.The switch has Private VLAN configured on VLAN 20, and the hosts are on isolated ports, which prevents direct communication.
B.IPv6 Source Guard is blocking inter-host traffic because the hosts' bindings are not in the binding table.
C.RA Guard is blocking Neighbor Advertisements between hosts.
D.DHCPv6 Guard is blocking DHCPv6 messages between hosts.
AnswerA

Correct because PVLAN isolates traffic between hosts on isolated ports within the same VLAN.

Why this answer

Private VLAN (PVLAN) isolates ports within the same VLAN, preventing communication between hosts unless they are in the same community or are promiscuous ports. If the switch has PVLAN configured, hosts on isolated ports cannot communicate directly.

41
MCQmedium

What is the default value of the Router Advertisement (RA) interval in IPv6 First Hop Security (FHS) when using the 'ipv6 nd ra-interval' command on an IOS-XE interface?

A.100 seconds
B.200 seconds
C.600 seconds
D.300 seconds
AnswerB

Correct. The default RA interval on Cisco IOS-XE is 200 seconds.

Why this answer

The default RA interval on Cisco IOS-XE is 200 seconds, as per RFC 4861, but Cisco defaults to a lower value for faster convergence. The default is actually 600 seconds for the maximum RA interval, but the 'ipv6 nd ra-interval' command defaults to 200 seconds when not specified.

42
MCQhard

What is the default value of the 'limit' parameter in the 'ipv6 nd prefix' command for the number of prefixes advertised in RA messages?

A.8
B.16
C.32
D.64
AnswerB

Correct. The default limit is 16 prefixes.

Why this answer

The default limit for the number of IPv6 prefixes advertised in RA messages on Cisco IOS-XE is 16. This is a Cisco-specific default, not defined in RFC 4861.

43
MCQmedium

A network engineer runs the following command on Router R1:

    R1# show ipv6 snooping binding
    IPv6 Address      MAC Address      VLAN  Interface  State
    2001:DB8:1::100   aaaa.bbbb.cccc   10    Gi0/0/0    ACTIVE
    2001:DB8:1::101   aaaa.bbbb.cccd   10    Gi0/0/0    ACTIVE
    2001:DB8:1::102   aaaa.bbbb.ccce   10    Gi0/0/1    ACTIVE
    2001:DB8:1::103   aaaa.bbbb.cccf   10    Gi0/0/1    ACTIVE

Based on this output, which statement is correct?

A.All entries are in the ACTIVE state, meaning they are valid bindings.
B.The binding for 2001:DB8:1::103 is invalid.
C.The table shows only IPv6 addresses from SLAAC.
D.There are no entries for VLAN 10.
AnswerA

ACTIVE state indicates the binding is valid and being used.

Why this answer

The snooping binding table shows the IPv6 addresses and corresponding MAC addresses for devices on VLAN 10. All entries are ACTIVE, meaning they have been validated. This is used for source guard and other first-hop security features.

44
MCQmedium

Examine the following partial IPv6 DHCP guard configuration:

    ipv6 dhcp guard policy DHCP_GUARD
     device-role server
     match server access-list SERVER_ACL
    interface GigabitEthernet0/2
     ipv6 dhcp guard policy DHCP_GUARD

Which statement is true about this configuration?

A.The interface will allow DHCP server messages only from sources matching SERVER_ACL.
B.The interface will block all DHCP server messages.
C.The interface will allow all DHCP client messages.
D.The interface will drop all DHCP messages.
AnswerA

The 'match server' clause restricts which servers are trusted, and the policy is applied to the interface.

Why this answer

DHCP guard policy with device-role server allows DHCP server messages only if they match the access-list. The interface applies the policy to filter DHCP messages.

45
MCQmedium

Interface GigabitEthernet0/1 is configured as shown:

    interface GigabitEthernet0/1
     ipv6 address 2001:db8:1::1/64
     ipv6 nd raguard
     ipv6 nd prefix default no-autoconfig

What is the effect of this configuration?

A.The interface drops all incoming Router Advertisements from other routers.
B.The interface sends RAs with the autonomous flag set to allow SLAAC.
C.The interface only allows RAs from a specific authorized router.
D.The interface drops all Neighbor Solicitations.
AnswerA

The 'ipv6 nd raguard' command blocks RAs received on this interface, enforcing first-hop security.

Why this answer

The 'ipv6 nd raguard' command enables Router Advertisement guard on the interface, which filters RAs. The 'ipv6 nd prefix default no-autoconfig' suppresses the autonomous address configuration flag in RAs, preventing hosts from using SLAAC.

46
MCQmedium

A network engineer runs the following command to troubleshoot IPv6 source guard:

    R1# debug ipv6 source-guard
    *Mar 1 00:04:56.789: IPv6-Source-Guard: R1, Fa0/0, IPv6 packet from 2001:db8::5, src MAC 0011.2233.4455, dst 2001:db8::1
    *Mar 1 00:04:56.789: IPv6-Source-Guard: R1, Fa0/0, Binding lookup: 2001:db8::5 not found in binding table
    *Mar 1 00:04:56.789: IPv6-Source-Guard: R1, Fa0/0, Packet dropped: source 2001:db8::5 not allowed

What does this output indicate?

A.IPv6 source guard is dropping packets from sources not in the binding table, preventing spoofing.
B.IPv6 source guard is allowing the packet because the source MAC matches.
C.IPv6 source guard is not configured; the debug output is from default IPv6 forwarding.
D.IPv6 source guard is learning the binding from the packet and will allow future packets.
AnswerA

The packet is dropped because the source address is not found in the binding table.

Why this answer

The debug shows IPv6 source guard dropping a packet because the source address 2001:db8::5 is not in the binding table, indicating an unauthorized source.

47
Multi-Selectmedium

Which THREE symptoms indicate that IPv6 First Hop Security features are misconfigured or not functioning correctly? (Choose THREE.)

Select 3 answers
A.IPv6 hosts on a segment are unable to obtain a global unicast address via SLAAC, even though a legitimate router is present.
B.A newly connected switch causes existing hosts to lose IPv6 connectivity to the default gateway.
C.Hosts on a VLAN receive Router Advertisements but do not update their default gateway.
D.IPv6 pings between two hosts on the same VLAN succeed, but pings to the router fail.
E.The switch logs show frequent 'IPv6 address collision' messages.
AnswersA, B, C

This could be due to RA Guard blocking the router's Router Advertisements, preventing SLAAC.

Why this answer

These three symptoms are direct indicators of FHS issues: devices failing to obtain addresses suggests DHCPv6 Guard blocking, connectivity loss after a new switch suggests ND Inspection or Source Guard issues, and RA Guard misconfiguration can cause hosts to ignore RAs. The other options are not specific to FHS or are normal behavior.

48
MCQmedium

A network engineer runs the following command on Router R1:

    R1# show ipv6 nd raguard policy
    Interface  Policy     Role    State
    Gi0/0/0    RA_GUARD   router  ACTIVE
    Gi0/0/1    RA_GUARD   host    ACTIVE
    Gi0/0/2    (default)  host    ACTIVE

Based on this output, which statement is correct?

A.Interface Gi0/0/0 is allowed to send Router Advertisements.
B.Interface Gi0/0/1 is allowed to send Router Advertisements.
C.Interface Gi0/0/2 is allowed to send Router Advertisements.
D.All interfaces are blocked from sending Router Advertisements.
AnswerA

Role 'router' under RA guard permits sending RAs.

Why this answer

The output shows that Gi0/0/0 is configured with role 'router' under the RA_GUARD policy, meaning it is trusted to send Router Advertisements. Gi0/0/1 and Gi0/0/2 have role 'host', meaning they are not allowed to send RAs. The default policy on Gi0/0/2 still blocks RAs from that interface.

49
MCQhard

What is the default value of the 'hold-down' timer in IPv6 FHS's ND Snooping feature on Cisco IOS-XE?

A.5 seconds
B.10 seconds
C.15 seconds
D.20 seconds
AnswerB

Correct. The default hold-down timer is 10 seconds.

Why this answer

The hold-down timer in ND Snooping is used to suppress further ND messages after a DAD attempt. The default value is 10 seconds on Cisco IOS-XE, as per the implementation guide.

50
MCQeasy

Which RFC defines the IPv6 Neighbor Discovery Protocol that is the basis for many First Hop Security features?

A.RFC 4861
B.RFC 2460
C.RFC 4291
D.RFC 4443
AnswerA

RFC 4861 is the standard for IPv6 Neighbor Discovery.

Why this answer

RFC 4861 defines the Neighbor Discovery Protocol for IPv6, which includes Neighbor Solicitations, Advertisements, Router Solicitations, and Advertisements.

51
MCQhard

A network engineer is troubleshooting IPv6 BGP path selection on Router R1. Router R1 is receiving a prefix from two different BGP peers, but it is not selecting the expected best path. Router R1 has the following relevant configuration:

    router bgp 65000
     address-family ipv6 unicast
      neighbor 2001:DB8:1::2 route-map SET_LOCAL_PREF in
      neighbor 2001:DB8:2::2 route-map SET_MED in
    !
    route-map SET_LOCAL_PREF permit 10
     set local-preference 200
    !
    route-map SET_MED permit 10
     set metric 50
    !

Router R2 shows: show bgp ipv6 unicast 2001:DB8:3::/64 output indicates that the path from 2001:DB8:1::2 has local preference 200, but the path from 2001:DB8:2::2 is selected. What is the root cause?

A.The route-map SET_LOCAL_PREF is applied outbound instead of inbound, so it does not affect the received prefix.
B.The MED value of 50 is lower than the default, causing it to be preferred over local preference.
C.The prefix is not being advertised by the neighbor with the higher local preference route-map.
D.The BGP table has a route from an iBGP peer with a lower IGP metric to the next-hop, overriding the local preference.
AnswerA

If the route-map is applied outbound, it modifies routes sent to the neighbor, not received from it, so the local preference is not set.

Why this answer

BGP path selection first compares local preference; the path with higher local preference should win. If the path with lower local preference is selected, there may be an issue with the route-map application or the neighbor configuration. The correct answer identifies that the route-map SET_LOCAL_PREF is not applied inbound to the correct neighbor, or the neighbor is not sending the prefix, causing the path with lower local preference to be the only path available.

52
Multi-Selecthard

Which TWO statements about IPv6 First Hop Security (FHS) Device Tracking are true? (Choose TWO.)

Select 2 answers
A.Device Tracking uses Neighbor Discovery (ND) probes to determine if a host is still reachable.
B.Device Tracking relies on DHCPv6 lease expiration to remove stale bindings.
C.Device Tracking creates binding entries for hosts that are discovered via ND.
D.Device Tracking can be enabled on a per-interface basis using the 'ipv6 device-track' command.
E.Device Tracking only supports IPv6 hosts.
AnswersA, D

Correct. Device Tracking sends ND probes to verify host reachability and updates the binding table accordingly.

Why this answer

Device Tracking monitors the presence of IPv6 hosts by tracking their reachability. It can be used to update the binding table when a host goes offline. Option A is correct: Device Tracking uses ND and ARP probes to verify host reachability.

Option D is correct: it can be enabled per interface or globally. Option B is incorrect: Device Tracking does not use DHCPv6 lease times; it uses probes. Option C is incorrect: it does not create bindings; it updates existing ones.

Option E is incorrect: Device Tracking is used for both IPv4 and IPv6 hosts.

53
MCQhard

A network engineer notices that IPv6 hosts on a segment are not receiving Router Advertisements, even though Router R1 has IPv6 unicast-routing enabled and an IPv6 address on the interface. Router R1 has the following relevant configuration:

    interface GigabitEthernet0/0
     ipv6 address 2001:DB8:1::1/64
     ipv6 nd suppress-ra
    !

Router R2, connected to the same segment, shows: no IPv6 neighbors in the neighbor cache for R1's link-local address. What is the root cause?

A.The interface is in a down state due to a Layer 1 issue, preventing RA generation.
B.The 'ipv6 nd suppress-ra' command is configured, which prevents Router Advertisements from being sent.
C.Router R2 has IPv6 routing disabled, so it cannot process RAs from R1.
D.The IPv6 address on R1 is not in the same subnet as the hosts, causing RA filtering.
AnswerB

This command suppresses all RAs, so hosts cannot autoconfigure or learn the default router.

Why this answer

The 'ipv6 nd suppress-ra' command suppresses Router Advertisements, which prevents hosts from learning the prefix and default route. This is a common misconfiguration when an administrator intends to use DHCPv6 for address assignment but forgets that hosts still need RAs for default gateway discovery. The correct answer identifies this suppression as the root cause.

54
MCQmedium

An engineer applies the following configuration to an interface:

    interface GigabitEthernet0/5
     ipv6 dhcp guard attach-policy DHCP_GUARD
     ipv6 snooping database file nvram:ipv6-snoop.db

Which statement is true?

A.The DHCP guard policy is applied to the interface, and the snooping database is stored in NVRAM.
B.The DHCP guard policy is applied only if the snooping database is present.
C.The interface will not forward any DHCP messages until the database is populated.
D.The snooping database is used to validate DHCP server messages.
AnswerA

Both commands are independent; the guard policy filters DHCP, and the database stores bindings.

Why this answer

The 'ipv6 snooping database file' command configures the location for the IPv6 snooping binding database, but it is not directly tied to the DHCP guard policy. The attach-policy applies the guard.

55
MCQhard

An engineer enables 'ipv6 destination guard' on a switch to prevent IPv6 address spoofing. After configuration, a legitimate host on a port is unable to receive traffic from the network, although it can send traffic. The host has a global unicast address. The switch logs show that destination guard is dropping packets destined to that host. What is the most likely cause?

A.The host uses IPv6 privacy extensions and changes its address frequently, but the binding table only has the original address.
B.Destination Guard blocks all global unicast addresses by default.
C.The switch port is not configured as 'trusted' for destination guard.
D.The host is using a link-local address, which destination guard does not support.
AnswerA

Destination Guard relies on static bindings; privacy addresses are not learned.

Why this answer

IPv6 Destination Guard validates destination addresses against the binding table. If the host's address is not in the binding table (e.g., because the host did not send an NA or the binding timed out), the switch drops packets destined to that address. The edge case is that Destination Guard requires the binding to be in 'REACHABLE' state.

If the host is silent for a long time, the binding may become 'STALE' and eventually 'DELAY' or 'PROBE', but Destination Guard still accepts traffic as long as the binding exists. However, if the binding is removed due to a timeout or if the host's address was never learned (e.g., the host uses privacy extensions and changes its address frequently), Destination Guard will drop traffic. The most likely oversight is that the host uses temporary addresses (privacy extensions) that are not registered in the binding table because the switch only learns the initial address from the first NA.

56
Multi-Selectmedium

Which TWO commands can be used to verify the operation of IPv6 First Hop Security features such as RA Guard and DHCPv6 Guard on a Cisco IOS-XE switch? (Choose TWO.)

Select 2 answers
A.show ipv6 snooping
B.show ipv6 dhcp guard
C.show ipv6 nd raguard
D.show ipv6 dhcp binding
E.show ipv6 source guard
AnswersA, B

This command displays the operational status of IPv6 snooping features, including RA Guard and DHCPv6 Guard, and is a primary verification tool.

Why this answer

The correct commands directly display the operational state and statistics of IPv6 FHS features. 'show ipv6 snooping' provides a summary of all snooping features, and 'show ipv6 dhcp guard' shows the DHCPv6 Guard policy and its application. The incorrect options are either for different features or do not exist.

57
MCQhard

An engineer configures 'ipv6 verify source' with 'allow-default' on a switch port connected to a router that uses a default route via a static route. The router's traffic is being dropped by Source Guard. The engineer sees that the router's source address is in the binding table. What is the most likely cause?

A.The 'allow-default' option only permits traffic with source address matching the default route entry, not all traffic.
B.The router's source address is a link-local address, which is not supported by Source Guard.
C.The 'allow-default' option requires the router to send an NA for the default route.
D.The switch port must be configured as 'trusted' for Source Guard to work with routers.
AnswerA

It allows traffic from the default prefix, not all sources.

Why this answer

The 'allow-default' option in 'ipv6 verify source' allows traffic with a source address that matches the default route (::/0) in the binding table. However, this option only works if the binding table has an entry for the default prefix (::/0). If the router's traffic is being dropped, it might be because the router is using a global unicast source address that is not the default route.

The edge case is that 'allow-default' is often misunderstood: it does not allow all traffic; it only allows traffic whose source address matches a binding entry for the default route. If the router's source address is a specific global address, that address must be in the binding table individually. The engineer likely thought 'allow-default' would permit all traffic, but it only permits traffic from the default prefix.

58
MCQmedium

A network engineer runs the following command on Router R1:

    R1# show ipv6 dhcp guard policy
    Interface  Policy      Role    State
    Gi0/0/0    DHCP_GUARD  server  ACTIVE
    Gi0/0/1    DHCP_GUARD  client  ACTIVE
    Gi0/0/2    (default)   client  ACTIVE

Based on this output, which statement is correct?

A.Interface Gi0/0/0 is trusted to send DHCPv6 replies.
B.Interface Gi0/0/1 is trusted to send DHCPv6 replies.
C.Interface Gi0/0/2 is trusted to send DHCPv6 replies.
D.All interfaces are blocked from sending DHCPv6 replies.
AnswerA

Role 'server' allows sending DHCP replies.

Why this answer

The output shows Gi0/0/0 is configured as a DHCP server (trusted to send DHCP replies), while Gi0/0/1 and Gi0/0/2 are clients (not trusted to send DHCP replies). This is typical for DHCP guard to prevent rogue DHCP servers.

59
MCQhard

A network engineer is troubleshooting IPv6 neighbor discovery issues on a VLAN. Router R1 is configured with IPv6 First Hop Security features. Hosts are unable to communicate with each other, even though they have valid IPv6 addresses. Router R1 has the following relevant configuration:

    interface Vlan100
     ipv6 address 2001:DB8:1:100::1/64
     ipv6 nd raguard
     ipv6 dhcp guard
     ipv6 source guard
    !

Router R2 shows: debug ipv6 nd output indicates that Neighbor Solicitations from hosts are being dropped. What is the root cause?

A.RA Guard is blocking Neighbor Solicitations because they are mistaken for RAs.
B.DHCP Guard is dropping Neighbor Solicitations because they contain DHCP options.
C.IPv6 Source Guard is dropping Neighbor Solicitations because the source address is not in the binding table.
D.The VLAN interface is not in a state to forward ND messages due to a spanning tree issue.
AnswerC

Source Guard validates source addresses against the binding table; if the host is not bound, the NS is dropped.

Why this answer

The combination of RA Guard, DHCP Guard, and Source Guard can create complex filtering. In this scenario, IPv6 Source Guard is likely dropping Neighbor Solicitations because the hosts' IPv6 addresses are not in the binding table. This is a common issue when DHCPv6 is not used or when static bindings are missing, causing legitimate ND traffic to be filtered.

60
MCQmedium

A network engineer runs the following command to verify IPv6 binding table:

    R1# show ipv6 neighbors binding
    IPv6 Address  Age  Link-layer Addr  State   Interface  VLAN  Policy
    2001:db8::1   10   0011.2233.4455   REACH   Fa0/1      10    TRUSTED
    2001:db8::2   5    00aa.bbcc.ddee   STALE   Fa0/0      10    INSPECT
    2001:db8::3   0    1111.2222.3333   INCOMP  Fa0/0      10    -

What does this output indicate?

A.The binding table shows three entries: one reachable on trusted port, one stale on untrusted port, and one incomplete, indicating active ND learning.
B.The binding table is empty, indicating no ND activity.
C.The binding table shows all entries as reachable, indicating stable neighbor relationships.
D.The binding table is only for DHCPv6-learned addresses.
AnswerA

The output correctly shows the state and policy for each entry.

Why this answer

The show command displays the IPv6 binding table with entries learned via ND. The table shows reachable, stale, and incomplete entries with associated policies.

61
MCQmedium

A network engineer runs the following command on Router R1:

    R1# show ipv6 snooping policy
    Interface  Policy        Role          State
    Gi0/0/0    GUARD_POLICY  device-guard  ACTIVE
    Gi0/0/1    GUARD_POLICY  device-guard  ACTIVE
    Gi0/0/2    (default)     host          ACTIVE

Based on this output, which statement is correct?

A.Interface Gi0/0/2 is protected by the GUARD_POLICY policy.
B.Interface Gi0/0/2 is not protected by the custom guard policy and may be vulnerable to spoofing attacks.
C.All interfaces are equally protected by the same policy.
D.The role 'host' means Gi0/0/2 is acting as a device-guard.
AnswerB

The default policy provides minimal protection; the custom GUARD_POLICY is not applied to Gi0/0/2.

Why this answer

The output shows that interface Gi0/0/2 is using the default policy with role 'host', while Gi0/0/0 and Gi0/0/1 are configured with a specific policy named GUARD_POLICY and role 'device-guard'. This indicates that Gi0/0/2 is not protected by the custom guard policy, which could allow rogue DHCPv6 or ND messages on that interface.

62
MCQhard

An engineer configures 'ipv6 nd suppress' on a switch port to prevent the switch from sending Router Advertisements. However, after this configuration, hosts on that port cannot obtain IPv6 addresses via SLAAC, even though a router on another port is sending RAs. What is the most likely explanation?

A.The 'ipv6 nd suppress' command blocks all RA traffic on the port, including RAs forwarded from other ports.
B.The router's RAs are being filtered by an ACL on the switch.
C.The hosts must be configured to use DHCPv6 instead of SLAAC.
D.The switch port is in a different VLAN than the router.
AnswerA

Suppress prevents any RA from being sent or forwarded on that port.

Why this answer

The 'ipv6 nd suppress' command on a switch port prevents the switch from sending RAs, but it does not forward RAs from other routers. In fact, on some platforms, 'ipv6 nd suppress' also blocks the forwarding of RAs received on other ports to that port, because the switch treats the port as a host port. This is an edge case where the command is misunderstood: it suppresses all RA traffic on that port, both outgoing and incoming (forwarded).

The hosts never receive the router's RAs.

63
MCQhard

A network engineer is troubleshooting IPv6 connectivity issues on a multi-access segment where Router R1 and Router R2 are both acting as default routers. Hosts on the segment are not using R1 as a preferred router, even though R1 has a higher router preference. Router R1 has the following relevant configuration:

    interface GigabitEthernet0/0
     ipv6 address 2001:DB8:1::1/64
     ipv6 nd router-preference high
    !

Router R2 shows: 'debug ipv6 nd' output indicates that R2 is sending RAs with default preference (medium). What is the root cause?

A.Router R1's RA interval is set too high, causing hosts to prefer R2's more frequent RAs.
B.An IPv6 ACL applied to the interface is blocking Router Advertisements from R1.
C.Router R2 is configured with 'ipv6 nd router-preference high' as well, overriding R1's preference.
D.Hosts are configured to ignore router preference due to a security policy.
AnswerB

An ACL with an implicit deny can block RAs, even if the router is configured to send them with high preference.

Why this answer

The 'ipv6 nd router-preference high' command sets the preference in RAs, but if the host's operating system or implementation does not support RFC 4191 (Default Router Preferences), it may ignore the preference field. However, the more common issue is that R1's RAs are being suppressed or filtered. The correct answer identifies that R1 has an IPv6 ACL blocking outgoing RAs, a subtle interaction between First Hop Security and ACLs.

64
MCQmedium

In IPv6 First Hop Security, what is the purpose of the 'device-role' command in a DHCP guard policy?

A.It specifies whether the interface is a server, client, or relay for DHCP filtering.
B.It sets the trust level for ND inspection.
C.It defines the VLAN membership for the interface.
D.It enables IPv6 routing on the interface.
AnswerA

The role dictates the expected DHCP message types on that interface.

Why this answer

The 'device-role' command defines whether the interface is a DHCP server, client, or relay. This determines which DHCP messages are allowed.

65
MCQhard

A network engineer is troubleshooting IPv6 MPLS LDP neighbor discovery on a link between Router R1 and Router R2. The LDP session is not forming. Router R1 has the following relevant configuration:

    interface GigabitEthernet0/0
     ipv6 address 2001:DB8:1::1/64
     mpls ip
     mpls ldp discovery transport-address interface
    !

Router R2 shows: 'debug mpls ldp discovery' output indicates that R2 is receiving Hello packets from R1, but the LDP session remains in INIT state. What is the root cause?

A.The 'mpls ldp discovery transport-address interface' command on R1 causes the transport address to be the link-local address, which is not routable.
B.The MPLS LDP label distribution is disabled on the interface, preventing session establishment.
C.The LDP hello interval is mismatched between R1 and R2, causing the session to fail.
D.Router R2 has a firewall blocking TCP port 646, preventing the LDP session.
AnswerA

Link-local addresses are not routable, so R2 cannot establish a TCP session to R1's transport address.

Why this answer

LDP uses transport addresses for session establishment. If the transport address is not reachable or if there is a mismatch in the LDP hello parameters, the session may not form. The correct answer identifies that the transport address on R1 is set to the interface address, but R2 expects a different transport address (e.g., loopback), causing a mismatch that prevents the TCP session from establishing.

66
MCQhard

What is the default value of the 'reachable time' in IPv6 Neighbor Discovery (ND) on Cisco IOS-XE?

A.0 milliseconds (unspecified)
B.30,000 milliseconds
C.60,000 milliseconds
D.10,000 milliseconds
AnswerA

Correct. The default reachable time in the 'ipv6 nd reachable-time' command is 0, meaning no override is sent in RAs.

Why this answer

The default reachable time in ND is 30,000 milliseconds (30 seconds) as per RFC 4861, but Cisco IOS-XE uses a default of 0 (unspecified) in RA messages, meaning hosts use their own default (typically 30 seconds). However, the default for the 'ipv6 nd reachable-time' command is 0, indicating no override.

67
MCQhard

A network administrator configures 'ipv6 dhcp guard' on a switch and sets the policy to 'allow only' for a specific DHCPv6 server. However, clients are still receiving DHCPv6 replies from a rogue server on the same VLAN. The engineer verifies that the rogue server's port is not trusted. What is the most likely reason the rogue server's advertisements are not being blocked?

A.IPv6 snooping is not enabled globally, so DHCPv6 Guard cannot inspect DHCPv6 messages.
B.The rogue server is using a different UDP port for DHCPv6.
C.The 'allow only' policy only works for DHCPv6 requests, not replies.
D.The rogue server is on a trunk port, and DHCPv6 Guard does not apply to trunk ports.
AnswerA

DHCPv6 Guard depends on IPv6 snooping for packet inspection.

Why this answer

DHCPv6 Guard works by intercepting DHCPv6 server messages (Advertise and Reply) and checking them against the policy. However, if the switch does not have 'ipv6 snooping' enabled globally, DHCPv6 Guard may not be able to inspect the packets because it relies on the snooping database. The edge case is that DHCPv6 Guard requires IPv6 snooping to be enabled to function properly; without it, the guard may not be applied or may not filter correctly.

Many engineers forget to enable 'ipv6 snooping' globally.

68
MCQmedium

Which configuration is missing to properly implement IPv6 First Hop Security on an access switch port that should only allow traffic from a single host with a static IPv6 address 2001:db8:1::10?

A.The interface needs 'ipv6 verify source' and a static binding entry 'ipv6 source binding 2001:db8:1::10 interface GigabitEthernet0/6'.
B.The interface needs 'ipv6 nd raguard' to block RAs.
C.The interface needs 'ipv6 dhcp guard' to block DHCP messages.
D.The interface needs 'ipv6 nd inspection' to validate ND messages.
AnswerA

IPv6 Source Guard with a static binding ensures only that source address is allowed.

Why this answer

To restrict traffic to a single host, you need IPv6 Source Guard with a static binding or a PACL. The missing piece is often the static binding or the source guard configuration.

69
MCQmedium

A network engineer runs the following command on Router R1:

    R1# show ipv6 neighbors
    IPv6 Address   Age  Link-layer Addr  State  Interface
    2001:DB8:1::1  0    aaaa.bbbb.cccc   REACH  Gi0/0/0
    2001:DB8:1::2  10   aaaa.bbbb.cccd   STALE  Gi0/0/0
    2001:DB8:1::3  -    aaaa.bbbb.ccce   DELAY  Gi0/0/1
    FE80::1        0    aaaa.bbbb.cccf   REACH  Gi0/0/0

Based on this output, which statement is correct?

A.All neighbors are in a stable state.
B.The neighbor 2001:DB8:1::3 is in DELAY state, meaning a Neighbor Solicitation will be sent soon.
C.The neighbor 2001:DB8:1::2 is unreachable.
D.The link-local address FE80::1 is not valid.
AnswerB

DELAY state means a NS is pending after a delay timer.

Why this answer

The neighbor table shows IPv6 neighbors with different states. The entry for 2001:DB8:1::3 has no age (indicated by '-') and is in DELAY state, which means it is waiting for a Neighbor Solicitation to be sent. This could indicate a potential issue with neighbor reachability or a spoofing attempt if the MAC address is unexpected.

70
MCQhard

A network administrator configures 'ipv6 nd raguard' on a switch port connected to a router. The router is sending Router Advertisements with a non-zero Router Lifetime. The switch logs indicate that RAs are being dropped, and the port goes into err-disable state. The engineer checks the RA Guard policy and sees that the default policy is applied. What is the most likely reason for the drops?

A.The RA has a hop-limit less than 255, which RA Guard treats as invalid and drops.
B.The RA Guard policy is configured to block all RAs regardless of source.
C.The router is using a multicast MAC address that is not allowed by RA Guard.
D.The switch port is in access mode, and RA Guard only works on trunk ports.
AnswerA

RA Guard expects hop-limit of 255 for locally generated RAs.

Why this answer

RA Guard by default uses a policy that blocks RAs from all ports except those explicitly configured as 'trusted'. Even if the router is legitimate, the port must be trusted. However, the edge case here is that the default RA Guard policy also checks the 'hop-limit' field in the RA.

If the router sends RAs with a hop-limit other than 255 (the default for locally generated packets), RA Guard will drop them. This can happen if the router is multiple hops away or if the RA is forwarded (e.g., via a tunnel). The most common misconfiguration is that the router's RA has a hop-limit less than 255, which is considered invalid by RA Guard.

71
MCQmedium

In IPv6 FHS, which protocol is used to secure Neighbor Discovery messages with cryptographic authentication?

A.IPsec
B.SEND
C.SSL/TLS
D.MACsec
AnswerB

Correct. SEND (Secure Neighbor Discovery) uses CGAs and RSA signatures to authenticate ND messages.

Why this answer

Secure Neighbor Discovery (SEND) is defined in RFC 3971 and uses Cryptographically Generated Addresses (CGAs) to authenticate ND messages. It is an IPv6 FHS mechanism to prevent ND spoofing.

72
MCQeasy

Which IPv6 FHS feature uses a 'device tracking' database to maintain reachability information for hosts?

A.RA Guard
B.DHCPv6 Guard
C.Device Tracking
D.PACL
AnswerC

Correct. Device Tracking maintains a database of IPv6 addresses and their reachability.

Why this answer

Device Tracking is an IPv6 FHS feature that maintains a database of IPv6 addresses and their reachability status on a per-interface basis. It is used by other FHS features like ND Snooping and Source Guard.

73
Multi-Selectmedium

Which TWO statements about IPv6 Neighbor Discovery (ND) Inspection are true? (Choose TWO.)

Select 2 answers
A.It validates Neighbor Solicitation and Neighbor Advertisement messages against the IPv6 snooping binding table.
B.It can be configured to rate-limit ND packets on a per-interface basis.
C.It prevents rogue DHCPv6 servers from assigning malicious addresses.
D.It uses a prefix list to determine which source addresses are allowed.
E.It is enabled globally and cannot be applied on a per-interface basis.
AnswersA, B

ND Inspection checks NS and NA messages against the binding table to prevent spoofing attacks.

Why this answer

ND Inspection is a security feature that validates ND messages against a binding table. It drops invalid messages and can rate-limit ND packets. The other statements are incorrect: ND Inspection does not protect against DHCPv6 attacks, and it does not use a prefix list by default.

74
MCQmedium

A network engineer runs the following command on Router R1:

    R1# show ipv6 dhcp binding
    Client: FE80::1
      DUID: 0003000100AABBCCDDEE
      Username: unknown
      IA NA: IA ID 0x00010001, T1 302400, T2 483840
        Address: 2001:DB8:1::100/128
                Preferred lifetime 604800, valid lifetime 2592000
                Expires at Sep 15 2024 12:00 PM (2592000 seconds)

Based on this output, which statement is correct?

A.The client has been assigned an IPv6 address via DHCPv6.
B.The client is using SLAAC instead of DHCPv6.
C.The client's lease has expired.
D.The client is not authorized.
AnswerA

The binding shows an IA NA with an assigned address.

Why this answer

The output shows a DHCPv6 binding for a client with link-local address FE80::1, DUID, and an assigned IPv6 address 2001:DB8:1::100/128 with valid lifetime. This indicates that DHCPv6 is functioning and the client has a valid lease.

75
MCQhard

A network engineer is troubleshooting IPv6 DMVPN phase 2 spoke-to-spoke tunnel failures. Spoke routers are able to communicate with the hub, but direct spoke-to-spoke traffic is not working. Router R1 (spoke) has the following relevant configuration:

    interface Tunnel0
     ipv6 address 2001:DB8:1::1/64
     tunnel source GigabitEthernet0/0
     tunnel mode gre multipoint
     ipv6 nhrp network-id 1
     ipv6 nhrp nhs 2001:DB8:1::2
     ipv6 nhrp map multicast dynamic
    !

Router R2 (hub) shows: 'show ipv6 nhrp brief' output indicates that both spokes are registered. What is the root cause?

A.The tunnel mode is multipoint, but the spokes need to be configured with 'tunnel mode gre ip' for direct communication.
B.The hub is missing the 'ipv6 nhrp redirect' command, and the spokes are missing 'ipv6 nhrp shortcut'.
C.The spokes have different NHRP network IDs, preventing registration.
D.The IPv6 addresses on the tunnel interfaces are in different subnets.
AnswerB

Without redirect and shortcut, spokes do not learn each other's NHRP mappings and send traffic through the hub.

Why this answer

In DMVPN phase 2, spoke-to-spoke tunnels require that NHRP redirect and shortcut are enabled. Without these, spokes send traffic through the hub. The correct answer identifies that the hub is not configured with 'ipv6 nhrp redirect' and spokes are not configured with 'ipv6 nhrp shortcut', preventing dynamic spoke-to-spoke tunnel establishment.
