300-410 · topic practice

IPv6 First Hop Security practice questions

Practise Cisco CCNP ENARSI 300-410 IPv6 First Hop Security practice questions — original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed byJohnson Ajibi· MSc IT Security
20 questionsDomain: IPv6 First Hop Security

What the exam tests

What to know about IPv6 First Hop Security

IPv6 questions usually test address types (link-local, global unicast, ULA), autoconfiguration (SLAAC), Neighbor Discovery Protocol and the differences from IPv4.

IPv6 address types and their scopes (link-local, global unicast, multicast, ULA).

SLAAC vs DHCPv6 vs stateful assignment.

Neighbor Discovery Protocol replacing ARP.

IPv6 routing differences and dual-stack coexistence.

Watch out for

Common IPv6 First Hop Security exam traps

  • Link-local addresses are not routable beyond the local link.
  • SLAAC uses EUI-64 or random interface IDs — not a DHCP server.
  • NDP uses ICMPv6, not ARP.
  • An IPv6 prefix is /64 for most host subnets, not /24.

Practice set

IPv6 First Hop Security questions

20 questions · select your answer, then reveal the explanation

Question 1mediummultiple choice
Open the full VLAN trunking answer →

A network engineer is troubleshooting an IPv6 neighbor discovery issue on a switch running IOS-XE. Hosts on VLAN 100 are intermittently losing connectivity to the default gateway. The switch is configured with IPv6 First Hop Security features including RA Guard and DHCPv6 Guard. The engineer notices that the switch is dropping valid Router Advertisements from the legitimate router. What is the most likely cause of this issue?

Question 2hardmultiple choice
Read the full DHCP explanation →

An engineer is troubleshooting a network where IPv6 hosts cannot obtain IP addresses via DHCPv6. The switch is configured with DHCPv6 Guard to prevent rogue DHCP servers. The legitimate DHCPv6 server is connected to port GigabitEthernet1/0/1. The engineer sees that DHCPv6 Solicit messages from hosts reach the server, but the server's Advertise and Reply messages are not reaching the hosts. What is the most likely root cause?

Question 3mediummultiple choice
Study the full IPv6 explanation →

A network engineer is troubleshooting an issue where IPv6 traffic is being forwarded incorrectly on a switch. The switch is configured with IPv6 Source Guard on access ports. A legitimate host on port Fa0/1 with IPv6 address 2001:db8:1::10 is unable to send traffic to the default gateway. The engineer checks the IPv6 binding table and sees that the host's entry is missing. What is the most likely cause?

Question 4hardmultiple choice
Open the full VLAN trunking answer →

An engineer is troubleshooting an IPv6 connectivity issue where hosts on VLAN 10 cannot reach the internet. The switch is configured with IPv6 First Hop Security features including RA Guard and DHCPv6 Guard. The legitimate router is connected to port Gi1/0/1. The engineer notices that the router is sending RAs, but hosts are not receiving them. The switch shows that RA Guard is dropping packets on port Gi1/0/1. What is the most likely misconfiguration?

Question 5hardmultiple choice
Study the full IPv6 explanation →

A network engineer is troubleshooting an issue where IPv6 hosts are unable to perform Duplicate Address Detection (DAD) successfully. The switch is configured with IPv6 First Hop Security features including ND Inspection and ND Suppress. The engineer notices that Neighbor Solicitation messages for DAD are being dropped by the switch. What is the most likely cause?

Question 6mediummultiple choice
Open the full VLAN trunking answer →

An engineer is troubleshooting a network where IPv6 hosts on VLAN 20 are unable to communicate with each other. The switch is configured with IPv6 First Hop Security features including Private VLAN (PVLAN) and IPv6 Source Guard. The hosts are in the same VLAN but cannot ping each other. What is the most likely cause?

Question 7mediummultiple choice
Study the full IPv6 explanation →

A network engineer is troubleshooting an issue where IPv6 traffic from a host is being dropped by the switch. The switch has IPv6 Source Guard enabled. The host has a static IPv6 address 2001:db8:2::20. The engineer sees that the binding table does not contain an entry for this host. What should the engineer do to resolve the issue without disabling IPv6 Source Guard?

Question 8hardmultiple choice
Study the full IPv6 explanation →

An engineer is troubleshooting an issue where a rogue IPv6 router is sending false Router Advertisements on the network, causing hosts to use a malicious default gateway. The switch is configured with IPv6 First Hop Security features. The engineer wants to prevent this attack while allowing the legitimate router to send RAs. What is the correct configuration approach?

Question 9mediummultiple choice
Study the full IPv6 explanation →

A network engineer is troubleshooting an issue where IPv6 hosts are receiving multiple Router Advertisements from different routers, causing routing instability. The switch is configured with IPv6 First Hop Security features. The engineer wants to ensure that only the primary router's RAs are accepted by hosts. What is the most effective solution?

Question 10mediummultiple choice
Study the full IPv6 explanation →

A network engineer runs the following command on Router R1:

R1# show ipv6 snooping policy
Interface                      Policy                      Role            State

Gi0/0/0 GUARD_POLICY device-guard ACTIVE Gi0/0/1 GUARD_POLICY device-guard ACTIVE Gi0/0/2 (default) host ACTIVE

Based on this output, which statement is correct?

Question 11mediummultiple choice
Study the full IPv6 explanation →

A network engineer runs the following command on Router R1:

R1# show ipv6 nd raguard policy
Interface                      Policy                      Role            State

Gi0/0/0 RA_GUARD router ACTIVE Gi0/0/1 RA_GUARD host ACTIVE Gi0/0/2 (default) host ACTIVE

Based on this output, which statement is correct?

Question 12mediummultiple choice
Read the full DHCP explanation →

A network engineer runs the following command on Router R1:

R1# show ipv6 dhcp guard policy
Interface                      Policy                      Role            State

Gi0/0/0 DHCP_GUARD server ACTIVE Gi0/0/1 DHCP_GUARD client ACTIVE Gi0/0/2 (default) client ACTIVE

Based on this output, which statement is correct?

Question 13mediummultiple choice
Study the full IPv6 explanation →

A network engineer runs the following command on Router R1:

R1# show ipv6 source-guard policy
Interface                      Policy                      Role            State

Gi0/0/0 SRC_GUARD host ACTIVE Gi0/0/1 SRC_GUARD host ACTIVE Gi0/0/2 (default) host ACTIVE

Based on this output, which statement is correct?

Question 14mediummultiple choice
Study the full IPv6 explanation →

A network engineer runs the following command on Router R1:

R1# show ipv6 neighbors

IPv6 Address Age Link-layer Addr State Interface 2001:DB8:1::1 0 aaaa.bbbb.cccc REACH Gi0/0/0 2001:DB8:1::2 10 aaaa.bbbb.cccd STALE Gi0/0/0 2001:DB8:1::3 - aaaa.bbbb.ccce DELAY Gi0/0/1 FE80::1 0 aaaa.bbbb.cccf REACH Gi0/0/0

Based on this output, which statement is correct?

Question 15mediummultiple choice
Read the full DHCP explanation →

A network engineer runs the following command on Router R1:

R1# show ipv6 dhcp binding

Client: FE80::1 DUID: 0003000100AABBCCDDEE

Username: unknown

IA NA: IA ID 0x00010001, T1 302400, T2 483840 Address: 2001:DB8:1::100/128 Preferred lifetime 604800, valid lifetime 2592000 Expires at Sep 15 2024 12:00 PM (2592000 seconds)

Based on this output, which statement is correct?

Question 16mediummultiple choice
Read the full DHCP explanation →

A network engineer runs the following command on Router R1:

R1# show ipv6 dhcp interface Gi0/0/0

Gi0/0/0 is in server mode Uses prefix 2001:DB8:1::/64 Rapid-Commit is disabled Preference value: 0 Information refresh option: 86400 DNS server: 2001:DB8::1 Domain name: example.com Active clients: 5 Pool: DHCP_POOL

Based on this output, which statement is correct?

Question 17mediummultiple choice
Study the full IPv6 explanation →

A network engineer runs the following command on Router R1:

R1# show ipv6 traffic

IPv6 statistics: Rcvd: 1000 total, 800 unicast, 200 multicast Sent: 900 total, 700 unicast, 200 multicast Errors: 0 Dropped: 0 ND statistics: NS: 50 received, 40 sent NA: 30 received, 20 sent RS: 10 received, 5 sent RA: 2 received, 8 sent Redirect: 0 received, 0 sent

Based on this output, which statement is correct?

Question 18mediummultiple choice
Open the full VLAN trunking answer →

A network engineer runs the following command on Router R1:

R1# show ipv6 snooping binding

IPv6 Address MAC Address VLAN Interface State 2001:DB8:1::100 aaaa.bbbb.cccc 10 Gi0/0/0 ACTIVE 2001:DB8:1::101 aaaa.bbbb.cccd 10 Gi0/0/0 ACTIVE 2001:DB8:1::102 aaaa.bbbb.ccce 10 Gi0/0/1 ACTIVE 2001:DB8:1::103 aaaa.bbbb.cccf 10 Gi0/0/1 ACTIVE

Based on this output, which statement is correct?

Question 19mediummultiple choice
Study the full IPv6 explanation →
Interface GigabitEthernet0/1 is configured as shown:

interface GigabitEthernet0/1

ipv6 address 2001:db8:1::1/64 ipv6 nd raguard ipv6 nd prefix default no-autoconfig

What is the effect of this configuration?

Question 20mediummultiple choice
Read the full DHCP explanation →

Examine the following partial IPv6 DHCP guard configuration:

ipv6 dhcp guard policy DHCP_GUARD device-role server match server access-list SERVER_ACL

interface GigabitEthernet0/2

ipv6 dhcp guard policy DHCP_GUARD

Which statement is true about this configuration?

Free account

Track your progress over time

Create a free account to save your results and see which topics improve across sessions.

Focused IPv6 First Hop Security sessions

Start a IPv6 First Hop Security only practice session

Every question in these sessions is drawn from the IPv6 First Hop Security domain — nothing else.

Related practice questions

Related 300-410 topic practice pages

Move into related areas when this topic feels solid.

Frequently asked questions

What does the 300-410 exam test about IPv6 First Hop Security?
IPv6 questions usually test address types (link-local, global unicast, ULA), autoconfiguration (SLAAC), Neighbor Discovery Protocol and the differences from IPv4.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just IPv6 First Hop Security questions in a focused session?
Yes — the session launcher on this page draws every question from the IPv6 First Hop Security domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other 300-410 topics?
Use the topic links above to move to related areas, or go back to the 300-410 question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the 300-410 exam covers. They are not copied from any real exam or dump site.