CCNA IPV6 Traffic Filter Questions

1
Multi-Select (hard)

Which TWO actions will prevent IPv6 traffic with a spoofed source address from being forwarded in a network where BGP is used for routing? (Choose TWO.)

A. Apply uRPF loose mode on the customer-facing interface.
B. Configure an inbound IPv6 ACL on the edge interface that denies traffic from reserved or internal source prefixes.
C. Use the 'ipv6 verify unicast source reachable-via any allow-default' command to allow traffic with default route.
D. Apply an outbound IPv6 ACL on the BGP neighbor interface to filter spoofed source addresses.
E. Disable BGP prefix filtering to allow all prefixes, then rely on uRPF only.
Answers: A, B

Correct. uRPF loose mode drops packets if the source address is not in the FIB, which helps prevent spoofing.

Why this answer

To prevent spoofed IPv6 traffic, you can use uRPF on edge interfaces to verify source addresses. Additionally, you can use BGP prefix filtering to ensure that only legitimate prefixes are advertised, reducing the chance of spoofed traffic being routed. Another method is to use an inbound IPv6 ACL on the edge interface to block traffic from private or reserved source addresses.

The question asks for two actions among the options.

2
MCQ (medium)

A network engineer runs the following command on Router R1:

    R1# show ipv6 interface gigabitethernet 0/0 | include uRPF
    IPv6 uRPF: loose mode

Based on this output, what is the operational state of uRPF on this interface?

A. uRPF is disabled
B. uRPF is enabled in strict mode
C. uRPF is enabled in loose mode
D. uRPF is enabled but only for IPv4
Answer: C

The output confirms loose mode uRPF.

Why this answer

The command 'show ipv6 interface gigabitethernet 0/0 | include uRPF' returns 'IPv6 uRPF: loose mode', which directly indicates that unicast Reverse Path Forwarding (uRPF) is enabled and operating in loose mode on this interface. Loose mode checks only that a source address exists in the routing table, without requiring that the incoming interface matches the best return path.

Exam trap

Cisco often tests the distinction between 'loose mode' and 'strict mode' by presenting output that clearly states the mode, but candidates may confuse 'loose' with 'disabled' or incorrectly assume that any uRPF output implies strict mode.

How to eliminate wrong answers

Option A is wrong because the output explicitly shows 'IPv6 uRPF: loose mode', which means uRPF is enabled, not disabled. Option B is wrong because the output specifies 'loose mode', not 'strict mode'; strict mode would require both a matching routing table entry and that the incoming interface is the best return path. Option D is wrong because the command is specific to IPv6 (as indicated by 'ipv6 interface'), and the output confirms IPv6 uRPF is active; uRPF for IPv4 is configured separately under the 'ip verify unicast source reachable-via' command.

3
MCQ (medium)

A network engineer runs the following command on Router R1:

    R1# show ipv6 interface gigabitethernet 0/0 | include uRPF
    IPv6 uRPF: strict mode (allow default route)

Based on this output, what is the uRPF configuration on this interface?

A. uRPF is disabled
B. uRPF is enabled in strict mode with allow-default
C. uRPF is enabled in loose mode
D. uRPF is enabled but only for multicast
Answer: B

The output confirms strict mode uRPF with the allow-default option.

Why this answer

The command output explicitly shows 'IPv6 uRPF: strict mode (allow default route)', which confirms that uRPF is enabled in strict mode with the allow-default option. This configuration validates that the source address of incoming packets must have a matching route in the FIB pointing back to the same interface, and the allow-default keyword permits the use of a default route as a valid reverse path, which is necessary in scenarios where a default route is the only route to the source.

Exam trap

Cisco often tests the distinction between strict and loose uRPF modes, and the trap here is that candidates may overlook the 'allow default route' phrase and incorrectly assume that strict mode always drops packets matching a default route, or they may confuse strict mode with loose mode when the output explicitly states 'strict'.

How to eliminate wrong answers

Option A is wrong because the output clearly shows 'IPv6 uRPF: strict mode', indicating uRPF is enabled, not disabled. Option C is wrong because the output specifies 'strict mode', not 'loose mode'; loose mode only requires a matching route in the FIB regardless of the incoming interface. Option D is wrong because uRPF is applied to all IPv6 unicast traffic, not only multicast; multicast uRPF is a separate feature and is not indicated in the output.

4
MCQ (medium)

A network engineer runs the following command to verify IPv6 uRPF on an interface:

    R1# show ipv6 interface GigabitEthernet0/0 | include verify|suppress
    IPv6 verify source: strict
    IPv6 verify source suppress: disabled

What does this output indicate?

A. Strict uRPF is enabled, and no suppression is configured, so all incoming packets are subject to strict verification.
B. Loose uRPF is enabled with suppression.
C. uRPF is disabled on this interface.
D. Suppression is enabled, so uRPF checks are bypassed.
Answer: A

Correct. Strict uRPF is active and no exceptions are configured.

Why this answer

The output shows strict uRPF is enabled and the suppress feature is disabled. Suppress allows uRPF to be bypassed for certain traffic (e.g., from known sources).

5
MCQ (hard)

An engineer configures uRPF loose mode on an interface that is part of an IPv6 network with multiple equal-cost paths to the same destination via different interfaces. The router receives traffic from a source that is reachable via one of the paths, but the traffic arrives on a different interface. The traffic is dropped. Which is the most likely explanation?

A. The source address is a link-local address (fe80::), which is not installed in the global routing table, causing uRPF loose mode to drop the packet.
B. The router has 'ipv6 uRPF strict' configured instead of loose, but the show command indicates loose.
C. The equal-cost paths cause the routing table to have multiple entries, and uRPF loose mode requires a single best path.
D. The interface has an IPv6 ACL that denies the traffic before uRPF is applied.
Answer: A

Correct. Link-local addresses are not in the routing table, so uRPF loose mode drops them.

Why this answer

uRPF loose mode checks that the source address has a routing table entry (via any interface); it does not require the incoming interface to match the reverse path. If the source address is not in the routing table at all, loose mode drops the packet. In this scenario the source is reachable via one of the paths, so its prefix should be in the routing table, and multiple equal-cost paths do not change that: the source address is still present, so the traffic should not be dropped.

Two corner cases remain. If the routing table has the source prefix but with a different prefix length (e.g., a more specific route), the check may fail. And if the source address is matched only by a default route, it is permitted when the router uses 'ipv6 uRPF loose allow-default' but dropped without 'allow-default'. The question says the source is reachable via one of the paths, so it is not a default route.

The most likely explanation is therefore that the router has 'ipv6 uRPF loose' configured but the source address is a link-local address, which is not in the routing table, causing the drop.

6
MCQ (hard)

A network engineer is troubleshooting an IPv6 connectivity issue on a router that is using a tunnel interface (IPv6 over IPv4). The engineer notices that traffic is not passing through the tunnel. The engineer checks the tunnel interface and finds an inbound IPv6 ACL that permits only certain IPv6 traffic. The engineer also sees that uRPF is enabled on the tunnel interface in strict mode. The tunnel source and destination are IPv4 addresses. The IPv6 traffic sourced from a network behind the tunnel is being dropped. What is the most likely cause?

A. The uRPF strict mode check fails because the router does not have a route to the source IPv6 network pointing to the tunnel interface.
B. The ACL is blocking the IPv6 traffic because the tunnel interface does not support ACLs.
C. The tunnel is not configured with the correct IPv4 source and destination.
D. The uRPF mode should be loose mode to allow traffic from any source.
Answer: A

Correct because uRPF on a tunnel requires a route to the source via the tunnel interface; without it, the packet is dropped.

Why this answer

The uRPF strict mode check requires that the source IPv6 address of incoming traffic on the tunnel interface must have a route in the routing table pointing back to that same interface. Since the IPv6 traffic is sourced from a network behind the tunnel, the router likely has a route to that source network via a different interface (e.g., the physical LAN interface) or no route at all, causing uRPF to drop the packets. This is the most likely cause because the tunnel interface is the inbound interface for the decapsulated IPv6 packets, and uRPF strict mode validates the source address against the Forwarding Information Base (FIB) entry pointing to the tunnel interface.

Exam trap

Cisco often tests the interaction between uRPF and tunnel interfaces, where candidates mistakenly think the ACL is the issue or that uRPF only checks for the existence of a route, ignoring the strict mode requirement that the route must point back to the same interface the packet arrived on.

How to eliminate wrong answers

Option B is wrong because tunnel interfaces do support ACLs; the ACL is applied inbound and can filter IPv6 traffic, but the question states the ACL permits only certain IPv6 traffic, so it is not the cause of the drop unless the traffic matches a deny entry, which is not indicated. Option C is wrong because the engineer already checked the tunnel interface and found the tunnel source and destination are IPv4 addresses, implying the tunnel is configured correctly; if they were incorrect, the tunnel would not come up or would not encapsulate/decapsulate properly, but the issue is specifically with IPv6 traffic being dropped after decapsulation. Option D is wrong because while loose mode would check only that a route exists to the source network (not necessarily via the inbound interface), the question states uRPF is enabled in strict mode, and changing to loose mode is a potential fix but not the most likely cause; the most likely cause is the strict mode check failing due to missing route via the tunnel interface.

7
MCQ (hard)

An engineer configures uRPF strict mode on an interface that is part of an IPv6 BGP multihoming setup with two upstream providers. The router receives BGP routes from both providers and has equal-cost paths to some destinations. Traffic from the router to those destinations is intermittently dropped. Which is the most likely explanation?

A. ECMP causes asymmetric routing where packets from the same source may arrive on different interfaces, violating uRPF strict mode's single-interface check.
B. BGP routes are not installed in the routing table, so uRPF has no entry to check.
C. The router has 'ipv6 cef' disabled, causing uRPF to fail.
D. The upstream providers are using different AS paths, causing BGP to not install equal-cost paths.
Answer: A

Correct. uRPF strict mode expects symmetric routing; ECMP breaks that assumption.

Why this answer

uRPF strict mode requires that the source address of incoming packets be reachable via the same interface on which the packet arrived. With equal-cost multipath (ECMP), traffic may arrive on a different interface than the one used for the return path (asymmetric routing). uRPF strict mode drops packets that arrive on an interface that is not the best reverse path. This is a classic edge case: ECMP can cause asymmetric flows, breaking uRPF strict mode.
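
The strict (rx), loose (any) and allow-default checks described in the explanations above, modelled in Python as an added example (not part of the original question bank and not Cisco's implementation). The FIB contents and interface assignments are constructed for illustration, and each route is assumed to point at a single interface.

```python
import ipaddress
from typing import NamedTuple, Optional


class Route(NamedTuple):
    prefix: ipaddress.IPv6Network
    interface: str


def route(prefix: str, interface: str) -> Route:
    return Route(ipaddress.IPv6Network(prefix), interface)


# Constructed FIB: two customer prefixes, each reachable via one interface.
FIB = [
    route("2001:db8:1::/48", "GigabitEthernet0/0"),
    route("2001:db8:2::/48", "GigabitEthernet0/1"),
]
# Same FIB plus a default route towards an upstream interface.
FIB_WITH_DEFAULT = FIB + [route("::/0", "GigabitEthernet0/2")]


def longest_match(fib, addr: ipaddress.IPv6Address) -> Optional[Route]:
    """Return the most specific route covering addr, or None."""
    matches = [r for r in fib if addr in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


def urpf_check(fib, source: str, in_interface: str, mode: str,
               allow_default: bool = False):
    """Model of the source check: mode 'rx' is strict, 'any' is loose.

    Returns (passed, reason).
    """
    if mode not in ("rx", "any"):
        raise ValueError("mode must be 'rx' (strict) or 'any' (loose)")
    best = longest_match(fib, ipaddress.IPv6Address(source))
    if best is None:
        return False, "no route to source"
    # A source covered only by ::/0 counts as routable only with allow-default.
    if best.prefix.prefixlen == 0 and not allow_default:
        return False, "only the default route matches"
    # Strict mode additionally requires the reverse path to use the
    # interface the packet arrived on; loose mode skips this test.
    if mode == "rx" and best.interface != in_interface:
        return False, "reverse path is via another interface"
    return True, "pass"


if __name__ == "__main__":
    cases = [
        (FIB, "2001:db8:1::10", "GigabitEthernet0/0", "rx", False),
        (FIB, "2001:db8:2::10", "GigabitEthernet0/0", "rx", False),
        (FIB, "2001:db8:2::10", "GigabitEthernet0/0", "any", False),
        (FIB, "2001:db8:4::1", "GigabitEthernet0/0", "any", False),
        (FIB_WITH_DEFAULT, "2001:db8:4::1", "GigabitEthernet0/2", "rx", False),
        (FIB_WITH_DEFAULT, "2001:db8:4::1", "GigabitEthernet0/2", "rx", True),
    ]
    for fib, src, ifname, mode, allow in cases:
        print(src, ifname, mode, allow, urpf_check(fib, src, ifname, mode, allow))
```
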

8
MCQ (medium)

A network engineer is troubleshooting an IPv6 connectivity issue on a router that is receiving routes via EIGRP for IPv6. The engineer notices that some routes are not being installed in the routing table, even though the EIGRP neighbor relationship is established. The engineer checks the interface configuration and finds an inbound IPv6 ACL that permits only certain EIGRP packets. The ACL permits EIGRP hello packets and updates, but not EIGRP queries or replies. What is the most likely cause of the missing routes?

A. The ACL is blocking EIGRP query and reply packets, which are necessary for the EIGRP process to install routes.
B. The EIGRP router ID is not configured.
C. The ACL is applied outbound, blocking the EIGRP updates from being sent.
D. The EIGRP for IPv6 is not enabled on the interface.
Answer: A

Correct because EIGRP queries and replies are used to ensure route consistency and convergence; blocking them can prevent route installation.

Why this answer

EIGRP for IPv6 uses multicast address FF02::A for all EIGRP packets, including hello, update, query, and reply. The ACL permits only hello and update packets, blocking query and reply packets. EIGRP requires query and reply packets for the Diffusing Update Algorithm (DUAL) to converge and install routes; without them, the router cannot complete the route installation process, even though the neighbor relationship is established.

Exam trap

Cisco often tests the misconception that only hello and update packets are needed for EIGRP route installation, but the trap here is that query and reply packets are essential for DUAL convergence and route installation, even when neighbors are up.

How to eliminate wrong answers

Option B is wrong because the EIGRP router ID is not required for EIGRP for IPv6; it uses a 32-bit router ID derived from an IPv4 address or manually configured, but its absence does not prevent route installation if neighbors are established. Option C is wrong because the engineer checked the interface configuration and found an inbound ACL, not outbound; an outbound ACL would affect sending updates, not receiving them, and the issue is with missing routes, not updates being sent. Option D is wrong because the neighbor relationship is established, which confirms that EIGRP for IPv6 is enabled on the interface; if it were not enabled, no neighbors would form.

9
MCQ (hard)

An OSPFv3 network has multiple areas. Area 0 includes R1 and R2. Area 1 includes R2 and R3. R2 is an ABR. R1 has an IPv6 ACL applied inbound on the interface to R2 that permits only OSPFv3 and denies all other traffic. R3 advertises a prefix 2001:db8:3::/48 into Area 1. R1's routing table shows the prefix but with a next-hop of R2. R1's uRPF is configured in strict mode on the interface to R2. Traffic from R1 to 2001:db8:3::1 is dropped. R1 shows 'show ipv6 cef 2001:db8:3::/48' points to R2's link-local address. What is the root cause?

A. The source address of the traffic from R1 is not in the FIB as reachable via the interface facing R2, causing uRPF strict mode to drop the packet.
B. The ACL on R1 blocks the return traffic from the destination, causing asymmetric routing.
C. R2's link-local address is not reachable due to OSPFv3 network type mismatch.
D. The prefix 2001:db8:3::/48 is not in the OSPFv3 database on R1 due to area filtering.
Answer: A

uRPF strict requires the source address to be reachable via the incoming interface. If the source is a directly connected subnet that is not in the FIB (e.g., due to filtering), the check fails.

Why this answer

uRPF strict mode checks that the source address of incoming packets is reachable via the same interface. For traffic sourced from R1's own subnet, the return route points to R2 via the same interface. However, if the source address is not in the FIB as reachable via that interface (e.g., because of a summary or default route), uRPF drops the packet.

In this case, the source address is likely a prefix that is not in the FIB or is reachable via a different interface.

10
MCQ (medium)

According to RFC 2460, what is the correct behavior when an IPv6 router receives a packet with a source address that is a multicast address?

A. The router forwards the packet normally.
B. The router drops the packet silently.
C. The router sends an ICMPv6 error message back to the source.
D. The router rewrites the source address to the link-local address of the interface.
Answer: B

Per RFC 2460, a packet with a multicast source address is invalid and must be discarded.

Why this answer

RFC 2460 specifies that multicast addresses must never be used as source addresses. Routers should drop such packets.

11
Multi-Select (hard)

Which THREE symptoms indicate that IPv6 unicast RPF is misconfigured or failing on an interface? (Choose THREE.)

A. Traffic from a valid source IP is being dropped on the interface.
B. The router logs 'IPv6 unicast RPF drop' messages.
C. The command 'ipv6 verify unicast source reachable-via any' is present in the running config.
D. High CPU utilization is observed due to RPF processing.
E. The 'show ipv6 interface' output shows an increasing 'RPF drops' counter.
Answers: A, B, E

uRPF drops packets when the source IP is not reachable via the incoming interface, even if the IP is valid.

Why this answer

uRPF drops packets if the source address is not reachable via the incoming interface. A syslog message about uRPF drops confirms this. The 'ipv6 verify unicast source reachable-via any' command is a configuration command, not a symptom.

High CPU due to RPF checks is not typical; RPF is done in hardware (CEF). An increase in the 'ipv6_input' drop counter for 'RPF' indicates drops.

12
Multi-Select (hard)

Which TWO statements about IPv6 unicast RPF (uRPF) behavior in Cisco IOS-XE are correct? (Choose TWO.)

A. Strict mode uRPF drops packets if the source address is not reachable via the incoming interface.
B. Loose mode uRPF drops packets if the source address is not present in the FIB at all.
C. The default uRPF mode on Cisco IOS-XE is strict mode.
D. IPv6 uRPF can be applied globally using the 'ipv6 unicast-rpf' command.
E. uRPF checks both source and destination addresses in the IPv6 header.
Answers: A, B

Correct. Strict mode requires the source prefix to be reachable via the exact incoming interface.

Why this answer

IPv6 uRPF verifies the source address of incoming packets against the FIB. Strict mode requires the source address to match the FIB entry for the incoming interface and the exact prefix. Loose mode only requires a matching FIB entry, ignoring the interface.

The default is loose mode. The 'ipv6 verify unicast source reachable-via any' command enables loose mode, while 'ipv6 verify unicast source reachable-via rx' enables strict mode. uRPF is applied per interface and does not check the destination address. It can drop packets with legitimate source addresses if asymmetric routing is present.

13
MCQ (hard)

A network engineer runs the following command on Router R1:

    R1# show ipv6 interface gigabitethernet 0/0
    GigabitEthernet0/0 is up, line protocol is up
      IPv6 is enabled, link-local address is FE80::1
      Global unicast address(es):
        2001:DB8:1:1::1, subnet is 2001:DB8:1:1::/64
      Joined group address(es):
        FF02::1
        FF02::2
      ICMP redirects are enabled
      ICMP unreachables are enabled
      ND DAD is enabled, number of DAD attempts: 1
      ND reachable time is 30000 milliseconds
      ND advertised reachable time is 0 milliseconds
      ND advertised retransmit interval is 1000 milliseconds
      ND router advertisements are sent every 200 seconds
      ND router advertisements live for 1800 seconds
      Hosts use stateless autoconfig for addresses.
      IPv6 uRPF: strict mode (drop invalid packets)
      Inbound access list: FILTER-IPv6

Based on this output, which two features are configured on this interface?

A. uRPF in strict mode and inbound IPv6 ACL
B. uRPF in loose mode and outbound IPv6 ACL
C. uRPF disabled and inbound IPv6 ACL
D. uRPF in strict mode and outbound IPv6 ACL
Answer: A

Both are clearly shown in the output.

Why this answer

The output shows 'IPv6 uRPF: strict mode (drop invalid packets)' and 'Inbound access list: FILTER-IPv6', confirming that unicast Reverse Path Forwarding in strict mode and an inbound IPv6 ACL are both configured on the interface. Strict uRPF verifies that the source address of incoming packets has a matching route in the FIB pointing back to the same interface, dropping packets that fail this check. The inbound ACL filters traffic before any routing decision, as indicated by the 'Inbound access list' line.

Exam trap

Cisco often tests the distinction between strict and loose uRPF modes, and the trap here is that candidates may overlook the 'Inbound access list' line and assume the ACL is outbound, or confuse the uRPF mode with the ACL direction.

How to eliminate wrong answers

Option B is wrong because the output explicitly states 'IPv6 uRPF: strict mode', not loose mode, and the ACL is applied inbound, not outbound. Option C is wrong because uRPF is not disabled; it is enabled in strict mode. Option D is wrong because while uRPF is correctly identified as strict mode, the ACL is applied inbound, not outbound.

14
MCQ (medium)

A network engineer runs the following command to verify IPv6 uRPF operation:

    R1# show ipv6 interface GigabitEthernet0/0 | include verify
    IPv6 verify source: strict

What does this output indicate?

A. Strict uRPF is enabled, so the router will drop packets if the source address is not in the routing table or if the best return path is not through the receiving interface.
B. Strict uRPF is enabled, but it only checks if the source address is in the routing table, regardless of interface.
C. Loose uRPF is enabled, which only checks if the source address is in the routing table.
D. uRPF is disabled on this interface.
Answer: A

Correct. Strict uRPF requires both a matching route and that the interface used to reach the source is the same as the receiving interface.

Why this answer

The output shows that strict uRPF (unicast Reverse Path Forwarding) is enabled on interface GigabitEthernet0/0. This means the router will check that the source address of incoming IPv6 packets is reachable via the same interface on which the packet arrived.

15
MCQ (medium)

A network engineer runs the following command to troubleshoot an IPv6 traffic filtering issue:

    R1# show ipv6 access-list FILTER
    IPv6 access list FILTER
        permit ipv6 2001:DB8:1::/48 any sequence 10
        deny ipv6 2001:DB8:2::/48 any sequence 20
        permit ipv6 any any sequence 30

What does this output indicate?

A. The access list will permit traffic from 2001:DB8:1::/48 and deny traffic from 2001:DB8:2::/48, but permit all other IPv6 traffic.
B. The access list will permit traffic from 2001:DB8:1::/48 and deny traffic from 2001:DB8:2::/48, and implicitly deny all other IPv6 traffic.
C. The access list will deny all traffic because of the deny statement.
D. The access list is invalid because IPv6 access lists require implicit deny at the end.
Answer: A

Correct. Sequence 10 permits the first prefix, sequence 20 denies the second, and sequence 30 permits everything else.

Why this answer

The output shows an IPv6 access-list named FILTER with three entries. The first permits traffic from 2001:DB8:1::/48 to any destination. The second denies traffic from 2001:DB8:2::/48. The third permits all other IPv6 traffic. This is a typical filtering configuration.

16
MCQ (easy)

A network engineer runs the following command on Router R1:

    R1# show ipv6 access-list FILTER-IPv6
    IPv6 access list FILTER-IPv6
        permit ipv6 2001:DB8:1::/48 any sequence 10
        deny ipv6 any any sequence 20

Based on this output, what is the effect of this access list when applied to an interface?

A. It permits all IPv6 traffic
B. It denies all IPv6 traffic from 2001:DB8:1::/48
C. It permits only IPv6 traffic from 2001:DB8:1::/48 and denies everything else
D. It permits all IPv6 traffic except from 2001:DB8:1::/48
Answer: C

Sequence 10 permits the prefix, sequence 20 denies all other traffic.

Why this answer

The access list FILTER-IPv6 has two entries: a permit statement for source 2001:DB8:1::/48 to any destination (sequence 10), followed by an explicit deny ipv6 any any (sequence 20). When applied to an interface, only traffic matching the permit entry is allowed; all other IPv6 traffic is denied by the deny entry at the end of the list. This results in permitting only traffic from the specified prefix and denying everything else.

Exam trap

Cisco often tests the implicit deny all at the end of an access list, and the trap here is that candidates may overlook the deny ipv6 any any entry (sequence 20) or assume it is not present, leading them to incorrectly think the ACL permits all traffic (Option A) or permits all except the specified prefix (Option D).

How to eliminate wrong answers

Option A is wrong because the access list includes an explicit deny ipv6 any any (sequence 20), which blocks all traffic not matching the permit statement, so it does not permit all IPv6 traffic. Option B is wrong because the permit statement allows traffic from 2001:DB8:1::/48, not deny it; the deny statement applies to all other traffic. Option D is wrong because the permit statement allows traffic from 2001:DB8:1::/48, not deny it, and the deny statement blocks all other traffic, so the effect is the opposite of what is described.
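
The first-match evaluation behind the two access-list questions above, as an added Python example (not part of the original question bank). It parses the 'show ipv6 access-list' output quoted in those questions and returns the action and sequence number that decides a packet; the test addresses are constructed, and only 'permit|deny ipv6 <source> <destination> sequence N' entries are handled.

```python
import ipaddress
import re

# Output as quoted in the two questions above.
SHOW_FILTER = """\
IPv6 access list FILTER
    permit ipv6 2001:DB8:1::/48 any sequence 10
    deny ipv6 2001:DB8:2::/48 any sequence 20
    permit ipv6 any any sequence 30
"""
SHOW_FILTER_IPV6 = """\
IPv6 access list FILTER-IPv6
    permit ipv6 2001:DB8:1::/48 any sequence 10
    deny ipv6 any any sequence 20
"""

HEADER = re.compile(r"^IPv6 access list (\S+)$")
ENTRY = re.compile(
    r"^(permit|deny)\s+ipv6\s+(\S+)\s+(\S+)\s+sequence\s+(\d+)$", re.I)
ANY = ipaddress.IPv6Network("::/0")


def _net(token):
    """Translate an ACL address token ('any' or a prefix) to a network."""
    return ANY if token.lower() == "any" else ipaddress.IPv6Network(token)


def parse_acl(text):
    """Return (name, entries) with entries ordered by sequence number."""
    lines = [line.strip() for line in text.strip().splitlines()]
    header = HEADER.match(lines[0])
    if not header:
        raise ValueError("missing 'IPv6 access list <name>' header")
    entries = []
    for line in lines[1:]:
        m = ENTRY.match(line)
        if not m:
            raise ValueError(f"unsupported entry: {line!r}")
        action, src, dst, seq = m.groups()
        entries.append((int(seq), action.lower(), _net(src), _net(dst)))
    entries.sort(key=lambda e: e[0])
    return header.group(1), entries


def evaluate(entries, source, destination):
    """First matching entry wins; return (action, sequence).

    If nothing matches, the implicit deny applies and sequence is None.
    The implicit neighbor-discovery permits that IOS places before the
    implicit deny are not modelled here.
    """
    src = ipaddress.IPv6Address(source)
    dst = ipaddress.IPv6Address(destination)
    for seq, action, src_net, dst_net in entries:
        if src in src_net and dst in dst_net:
            return action, seq
    return "deny", None


if __name__ == "__main__":
    dest = "2001:db8:ffff::1"  # constructed destination
    for text in (SHOW_FILTER, SHOW_FILTER_IPV6):
        name, entries = parse_acl(text)
        for src in ("2001:db8:1::5", "2001:db8:2::5", "2001:db8:3::5"):
            print(name, src, evaluate(entries, src, dest))
```
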

17
MCQ (easy)

What is the default uRPF mode when 'ipv6 verify unicast source reachable-via' is configured without any keyword?

A. Loose mode (any)
B. Strict mode (rx)
C. No uRPF is applied
D. Only default routes are allowed
Answer: B

Without keywords, the router uses strict uRPF, checking the source is reachable via the receiving interface.

Why this answer

If no keyword is specified, the default is strict mode (rx).

18
MCQ (hard)

An engineer configures IPv6 uRPF loose mode on an interface that connects to a DMVPN spoke. The spoke router uses NHRP to register with the hub and establishes a tunnel. Traffic from the spoke to destinations behind the hub is dropped. Which is the most likely explanation?

A. The spoke's tunnel IPv6 address is not in the global routing table because it is only known via NHRP, causing uRPF loose mode to drop packets sourced from that address.
B. The hub has uRPF strict mode configured, which breaks the DMVPN tunnel because of asymmetric routing.
C. The spoke's NHRP registration packets are filtered by the uRPF check because they use multicast destination.
D. The tunnel interface has an IPv6 ACL that denies traffic from the spoke's tunnel address, overriding uRPF.
Answer: A

Correct. uRPF loose mode requires that the source address be present in the routing table (any interface). If the address is only in NHRP cache, not in the routing table, packets are dropped.

Why this answer

In DMVPN Phase 2 or 3, spoke-to-spoke traffic may use direct tunnels. With uRPF loose mode, the router checks that the source address of incoming packets has a routing table entry (any interface). However, if the spoke's tunnel interface uses an IPv6 address that is not advertised via routing protocols (e.g., only NHRP), the source address may not be in the routing table, causing uRPF loose mode to drop the packet.

Additionally, asymmetric routing is common in DMVPN, and uRPF loose mode may still drop if the source address is not reachable at all.

19
Drag & Drop (hard)

Drag and drop the steps to troubleshoot IPv6 traffic filtering and uRPF adjacency or connectivity failures into the correct order, from first to last.


Why this order

Troubleshooting starts with checking the uRPF configuration on the interface, then verifying the routing table for the source prefix, checking for ACLs that might block traffic, examining uRPF drop counters, and finally using debug ipv6 packet to capture dropped packets.

20
Multi-Select (medium)

Which TWO commands can be used to verify IPv6 unicast RPF operation on an interface? (Choose TWO.)

A. show ipv6 interface
B. show ipv6 cef detail
C. show ipv6 access-list
D. show ipv6 route
E. show ipv6 traffic
Answers: A, B

Displays IPv6 interface configuration including uRPF status (e.g., 'ipv6 verify unicast source reachable-via any').

Why this answer

The show ipv6 interface command displays uRPF status per interface, and show ipv6 cef detail reveals CEF forwarding details including RPF checks. show ipv6 access-list is for ACLs, not uRPF; show ipv6 route does not show uRPF; show ipv6 traffic shows packet statistics, not per-interface uRPF status.

21
MCQ (hard)

What is the default metric for an IPv6 static route redistributed into OSPFv3?

A. 0
B. 1
C. 20
D. 10
Answer: C

OSPFv3 uses a default metric of 20 for redistributed routes.

Why this answer

The default metric for redistributed routes in OSPFv3 is 20, matching OSPFv2 behavior.

22
MCQ (easy)

A network engineer is troubleshooting an IPv6 routing issue where a router is not learning routes from an OSPFv3 neighbor. The engineer checks the interface and finds an inbound IPv6 ACL that permits only OSPFv3 packets with a specific area ID in the packet. The ACL is using the 'ospfv3' keyword to match packets. The engineer also notices that the OSPFv3 neighbor is in a different area. What is the most likely cause of the route learning failure?

A. The ACL is dropping OSPFv3 packets from the neighbor because they contain a different area ID than what the ACL permits.
B. The OSPFv3 process is not configured with the correct router ID.
C. The interface is not enabled for OSPFv3.
D. The ACL is applied outbound, blocking the OSPFv3 packets from being sent.
Answer: A

Correct because the ACL permits only packets with a specific area ID, and the neighbor is in a different area, so its packets are dropped.

Why this answer

The ACL uses the 'ospfv3' keyword to match OSPFv3 packets and permits only those with a specific area ID. Since the neighbor is in a different area, its OSPFv3 packets contain a different area ID in the OSPFv3 header, causing the ACL to deny them. This prevents the router from receiving Hello packets and establishing adjacency, so routes are not learned.

Exam trap

Cisco often tests the nuance that the 'ospfv3' ACL keyword can match not only the protocol but also the area ID field, and candidates mistakenly assume the ACL only matches the protocol type (OSPFv3) without considering the area ID filter.

How to eliminate wrong answers

Option B is wrong because an incorrect router ID would affect OSPFv3 operation (e.g., adjacency formation or LSA origination), but the scenario explicitly states the ACL is filtering based on area ID, not router ID. Option C is wrong because if the interface were not enabled for OSPFv3, the router would not even attempt to send or receive OSPFv3 packets, yet the ACL is actively filtering inbound packets, implying OSPFv3 is enabled. Option D is wrong because the engineer checked the interface and found an inbound ACL; applying it outbound would not affect incoming packets, and the issue is with receiving routes, not sending them.

23
MCQ (hard)

A large enterprise network uses OSPFv3 for IPv6 routing. Router R1 and R2 are connected via a multi-access Ethernet link. R1 is configured with 'ipv6 ospf network point-to-point' while R2 uses the default broadcast network type. R1 has an IPv6 ACL applied inbound on its interface that permits only OSPF (89) and denies all other traffic. R2 is unable to form a full OSPF adjacency with R1. R2 shows 'OSPFv3 adjacency state is EXSTART/EXCHANGE' and logs 'Bad LSReq'. What is the root cause?

A. R1's ACL blocks OSPFv3 multicast hello packets (FF02::5), preventing adjacency formation on the broadcast link.
B. R2's OSPFv3 process is configured with a different router-id, causing a DR election conflict.
C. The MTU mismatch between R1 and R2 causes OSPFv3 packet fragmentation, leading to LSReq errors.
D. R2 has a passive interface configured, preventing it from sending OSPFv3 hellos.
Answer: A

On a broadcast network, OSPFv3 sends hellos to FF02::5. R1's ACL permits only OSPF protocol, but the destination address is filtered because the ACL does not explicitly permit multicast. The network type mismatch exacerbates the issue as R1 expects unicast hellos.

Why this answer

The network type mismatch between R1 (point-to-point) and R2 (broadcast) causes different DR/BDR election behavior and LSDB synchronization issues. The ACL on R1 blocks the multicast traffic used for OSPFv3 hello packets (FF02::5) on broadcast networks, but point-to-point uses unicast. The 'Bad LSReq' indicates that the LS Request packets are being filtered or malformed due to the mismatch.

24
MCQhard

A network engineer runs the following command to debug IPv6 uRPF:

    R1# debug ipv6 verify
    IPv6 verify debugging is on
    *Mar 1 00:02:34.567: IPv6 verify: source 2001:DB8:4::1 on GigabitEthernet0/0
    *Mar 1 00:02:34.567: no route to source

What does this output indicate?

A.The packet will be dropped because uRPF cannot find a route to the source address.
B.The packet will be forwarded because uRPF only checks the destination.
C.The packet will be forwarded because the source is on the same interface.
D.The router will add a route to the source address.
AnswerA

Correct. uRPF requires a route to the source; if none exists, the packet is dropped.

Why this answer

The debug output shows that a packet with source address 2001:DB8:4::1 arrived on GigabitEthernet0/0, but the router has no route to that source address. With uRPF enabled, this packet will be dropped.

25
MCQhard

An enterprise uses VRF-lite with IPv6. VRF A on R1 leaks routes to VRF B using route-target import/export. R1 has an IPv6 ACL applied inbound on the interface in VRF A that permits only OSPFv3 and denies all other traffic. R1's VRF B has a static default route pointing to a next-hop in VRF A. Traffic from VRF B to the internet fails. On R1, 'ping vrf B 2001:db8:2::1' fails, but 'ping vrf A 2001:db8:2::1' succeeds. What is the root cause?

A.The ACL on the VRF A interface blocks data traffic from VRF B, which is forwarded via the leaked route.
B.Route leaking is not configured correctly; the route-target import/export is missing.
C.The static default route in VRF B has an incorrect next-hop address.
D.uRPF is enabled on the VRF A interface and drops traffic from VRF B due to source address mismatch.
AnswerA

Traffic from VRF B is forwarded into VRF A and hits the inbound ACL, which permits only OSPFv3.

Why this answer

The ACL in VRF A blocks all traffic except OSPFv3. When VRF B sends traffic to the leaked default route, the packet enters VRF A and is subject to the ACL. The ACL drops the data traffic because it is not OSPFv3.

The ping from VRF A works because the source is in VRF A and not filtered by the inbound ACL.

26
MCQmedium

A network engineer runs the following command on Router R1:

    R1# show ipv6 access-list PERMIT-ONLY
    IPv6 access list PERMIT-ONLY
        permit ipv6 2001:DB8:3::/48 any sequence 10

Based on this output, what is the effect of this access list when applied to an interface?

A.It permits all IPv6 traffic
B.It permits only IPv6 traffic from 2001:DB8:3::/48 and denies everything else
C.It denies all IPv6 traffic from 2001:DB8:3::/48
D.It permits all IPv6 traffic except from 2001:DB8:3::/48
AnswerB

The permit statement allows the prefix, and the implicit deny denies all other traffic.

Why this answer

Option B is correct because an IPv6 access list, like its IPv4 counterpart, has an implicit deny all at the end. The single permit entry for source 2001:DB8:3::/48 allows only traffic from that prefix; all other IPv6 traffic is denied by the implicit deny ipv6 any any rule.

Exam trap

Cisco often tests the implicit deny any any behavior in IPv6 ACLs, tricking candidates into thinking that a single permit entry allows all traffic or that the ACL only filters the specified prefix without affecting other traffic.

How to eliminate wrong answers

Option A is wrong because the access list does not permit all IPv6 traffic; it only permits traffic from 2001:DB8:3::/48, and the implicit deny blocks everything else. Option C is wrong because the permit action explicitly allows traffic from 2001:DB8:3::/48, not denies it. Option D is wrong because the access list permits only the specified prefix, not all traffic except that prefix; the implicit deny blocks all other traffic, and traffic from 2001:DB8:3::/48 is permitted, not denied.

27
MCQhard

A network engineer runs the following command to debug IPv6 traffic filtering:

    R1# debug ipv6 packet access-list FILTER detail
    IPv6 packet debugging is on for access list FILTER (detail)
    *Mar 1 00:01:23.456: IPv6: source 2001:DB8:2::1 (GigabitEthernet0/0)
    *Mar 1 00:01:23.456: dest 2001:DB8:3::1 (GigabitEthernet0/1)
    *Mar 1 00:01:23.456: traffic class 0, flowlabel 0, hlim 64, next header 6 (TCP)
    *Mar 1 00:01:23.456: denied by access-list FILTER

What does this output indicate?

A.The packet is denied because the source address 2001:DB8:2::1 matches the deny entry in the access list.
B.The packet is permitted because it is a TCP packet.
C.The packet is denied because of uRPF check failure.
D.The packet is permitted because the destination is not in the access list.
AnswerA

Correct. The debug clearly states the packet is denied by the access list, which has a deny for that source prefix.

Why this answer

The debug output shows an IPv6 packet from 2001:DB8:2::1 to 2001:DB8:3::1 being denied by access-list FILTER. This matches the deny statement for the 2001:DB8:2::/48 prefix.

28
Multi-Selecthard

Which THREE commands can be used to verify IPv6 traffic filtering and uRPF operation on a Cisco IOS-XE router? (Choose THREE.)

Select 3 answers
A.show ipv6 interface
B.show ipv6 access-list
C.show ipv6 route
D.show ipv6 traffic
E.show ipv6 neighbors
AnswersA, B, C

Correct. This command shows whether an IPv6 access-group or uRPF is applied on the interface, including packet statistics.

Why this answer

Verification commands for IPv6 filtering include 'show ipv6 interface' (displays access-group and uRPF status), 'show ipv6 access-list' (displays hit counts), and 'show ipv6 route' (checks FIB for uRPF). 'show ipv6 traffic' shows packet statistics but not filtering details. 'show ipv6 neighbors' shows ND cache, not filtering.

29
MCQeasy

A network engineer runs the following command on Router R1:

    R1# show ipv6 access-list DENY-REMOTE
    IPv6 access list DENY-REMOTE
        deny ipv6 2001:DB8:2::/48 any sequence 10
        permit ipv6 any any sequence 20

Based on this output, what is the effect of this access list when applied to an interface?

A.It permits all IPv6 traffic
B.It denies all IPv6 traffic from 2001:DB8:2::/48 and permits everything else
C.It permits only IPv6 traffic from 2001:DB8:2::/48
D.It denies all IPv6 traffic
AnswerB

Sequence 10 denies the prefix, sequence 20 permits all other traffic.

Why this answer

The access list DENY-REMOTE explicitly denies IPv6 traffic sourced from the prefix 2001:DB8:2::/48 (sequence 10) and then permits all other IPv6 traffic (sequence 20). When applied to an interface, this results in only traffic from that specific prefix being blocked, while all other IPv6 traffic is allowed. This matches option B.

Exam trap

Cisco often tests the concept that an ACL with an explicit permit any any at the end overrides the implicit deny, so candidates mistakenly think the ACL only denies or only permits based on the first line, ignoring the sequence of entries.

How to eliminate wrong answers

Option A is wrong because the access list does not permit all IPv6 traffic; it specifically denies traffic from 2001:DB8:2::/48. Option C is wrong because the access list denies, not permits, traffic from 2001:DB8:2::/48. Option D is wrong because the access list does not deny all IPv6 traffic; it only denies traffic from the specified prefix and permits everything else.

30
MCQhard

An enterprise uses EIGRP for IPv6 with route summarization. Router R1 has a summary route 2001:db8:1::/48 via Null0 redistributed into EIGRP. Router R2 receives this summary and has a more specific route 2001:db8:1:1::/64 learned via a different interface. R2's IPv6 uRPF is configured in strict mode on the interface facing R1. Traffic from a host behind R2 destined to 2001:db8:1:2::1 is being dropped. R2's 'ipv6 cef' output indicates the summary route points to R1, but uRPF checks fail. What is the root cause?

A.The summary route 2001:db8:1::/48 on R1 causes R2 to have a less specific route pointing to R1, making uRPF think the source address is not reachable via the incoming interface.
B.R2's uRPF is configured in loose mode, which requires a matching route in the FIB, but the summary route is not installed.
C.EIGRP redistribution of the summary route creates a routing loop, causing uRPF to fail.
D.The host behind R2 has an incorrect source address, causing uRPF to drop all traffic.
AnswerA

uRPF strict mode requires the source address to be reachable via the same interface. The summary route points to R1, but the source is directly connected, causing a mismatch.

Why this answer

uRPF strict mode checks that the source address of incoming packets is reachable via the same interface. For traffic sourced from R2's subnet (e.g., 2001:db8:1:1::/64), the return route via the summary points to R1, but the source is directly connected. This asymmetry causes uRPF to drop the packet because the source is not reachable via the incoming interface.

31
MCQmedium

A network engineer is troubleshooting a scenario where a router is dropping IPv6 packets that are destined for a server on a directly connected network. The engineer checks the interface and finds that uRPF is enabled in loose mode. The router has a default route pointing to an upstream router. The source address of the packets is 2001:db8:100::1, which is not in the routing table (the router has no route to that prefix). What is the most likely cause of the packet drops?

A.The uRPF loose mode check fails because there is no route to the source address in the routing table.
B.The uRPF loose mode check fails because the source address is not reachable via the same interface.
C.The router has an ACL that blocks traffic from that source.
D.The uRPF mode should be strict mode to allow the traffic.
AnswerA

Correct because loose mode requires at least one route to the source address in the FIB; if no route exists, the packet is dropped.

Why this answer

With uRPF loose mode enabled, the router checks whether a route to the source address exists in the routing table, but it does not verify that the incoming interface matches the reverse path. Since the source address 2001:db8:100::1 is not present in the routing table, the loose mode check fails and the packets are dropped. The presence of a default route does not help because uRPF requires an exact match for the source prefix, not a default route.

Exam trap

Cisco often tests the misconception that a default route satisfies uRPF loose mode, but in reality, uRPF requires a route to the specific source prefix, not a default route.

How to eliminate wrong answers

Option B is wrong because loose mode does not check that the source address is reachable via the same interface; that behavior is specific to strict mode. Option C is wrong because the question provides no evidence of an ACL, and the described behavior is consistent with uRPF dropping packets, not an ACL. Option D is wrong because strict mode would impose an additional interface check and would also fail if there is no route to the source; the issue here is the missing route, not the mode.

32
MCQeasy

What is the default hello interval for OSPFv3 on a broadcast network type in Cisco IOS-XE?

A.10 seconds
B.30 seconds
C.40 seconds
D.5 seconds
AnswerA

Default hello interval for OSPFv3 on broadcast networks is 10 seconds.

Why this answer

OSPFv3 uses the same default hello interval as OSPFv2: 10 seconds on broadcast and point-to-point networks.

33
MCQmedium

A network engineer runs the following command to verify IPv6 uRPF drops:

    R1# show ipv6 traffic | include verify
    0 verify source drops, 0 verify source suppressed drops

What does this output indicate?

A.No IPv6 packets have been dropped by uRPF checks.
B.uRPF is not configured on any interface.
C.uRPF is dropping all packets.
D.The router is not processing IPv6 traffic.
AnswerA

Correct. Zero drops indicate that all packets passed uRPF verification.

Why this answer

The output shows counters for uRPF drops. Both counters are zero, indicating no packets have been dropped due to uRPF verification.

34
MCQmedium

Consider the following configuration:

    ipv6 access-list FILTER
     permit ipv6 2001:db8:3::/48 any
     deny ipv6 any any
    interface GigabitEthernet0/5
     ipv6 traffic-filter FILTER in
     ipv6 verify unicast source reachable-via rx

A packet arrives on GigabitEthernet0/5 with source 2001:db8:3::100 and destination 2001:db8:4::1. The route for 2001:db8:3::/48 points out interface GigabitEthernet0/6. What happens?

A.The packet is permitted because the ACL matches and uRPF is not applied.
B.The packet is dropped by uRPF because strict mode requires the source to be reachable via the receiving interface.
C.The packet is dropped by the ACL because the deny statement blocks all traffic.
D.The packet is permitted because uRPF only checks destination addresses.
AnswerB

Strict uRPF (rx) fails because the return route uses a different interface.

Why this answer

The ACL permits the packet (source matches prefix). However, uRPF in strict mode (rx) checks that the source is reachable via the same interface the packet arrived on. Since the route points to a different interface, uRPF drops the packet.

35
MCQmedium

Which IPv6 access-list entry will deny traffic from any source to the destination prefix 2001:db8:1::/48?

A.deny ipv6 any 2001:db8:1::/48
B.deny ipv6 2001:db8:1::/48 any
C.deny ipv6 any host 2001:db8:1::1
D.deny ipv6 2001:db8:1::/48 2001:db8:1::/48
AnswerA

This correctly denies all IPv6 traffic from any source to the specified destination prefix.

Why this answer

The 'any' keyword matches any source, and the destination prefix is specified after the deny keyword.

36
MCQhard

An engineer applies an IPv6 ACL to filter traffic between two VLANs on a switch using a router-on-a-stick configuration. The ACL is applied inbound on the subinterface. Traffic from VLAN 10 to VLAN 20 is permitted, but return traffic from VLAN 20 to VLAN 10 is dropped. Which is the most likely explanation?

A.The ACL is applied only on the VLAN 10 subinterface, so return traffic from VLAN 20 is not filtered but the ACL on VLAN 10 drops it because the source address matches a deny entry.
B.The ACL on the VLAN 20 subinterface is missing a permit entry for the return traffic, or the ACL is applied outbound on VLAN 10, which does not affect incoming return traffic.
C.The router has 'ipv6 unicast-routing' disabled, preventing inter-VLAN routing.
D.The ACL uses 'deny ipv6 any any' which blocks all traffic, but the permit statement for VLAN 10 to VLAN 20 is placed after the deny, causing it to be ignored.
AnswerB

Correct. The return traffic must be permitted by the ACL on the VLAN 20 subinterface (inbound) or on the VLAN 10 subinterface (outbound). If missing, traffic is dropped.

Why this answer

In router-on-a-stick, each VLAN has a separate subinterface. If the ACL is applied inbound on the subinterface for VLAN 10, it filters traffic entering that subinterface from VLAN 10. Return traffic from VLAN 20 enters the subinterface for VLAN 20, not VLAN 10.

The ACL on the VLAN 10 subinterface does not affect traffic from VLAN 20. The issue is likely that the ACL on the VLAN 20 subinterface is missing or configured incorrectly, or the engineer applied the ACL only on one subinterface. The edge case: engineers often apply ACLs on only one side, forgetting that traffic is bidirectional and each subinterface needs its own ACL.

37
MCQhard

What is the default dead interval multiplier for OSPFv3?

A.3
B.4
C.5
D.2
AnswerB

The default dead interval multiplier is 4, resulting in a dead interval of 40 seconds on broadcast networks.

Why this answer

The dead interval is calculated as the hello interval multiplied by the dead interval multiplier, which defaults to 4.

39
MCQmedium

Consider the following configuration:

    ipv6 access-list BLOCK-ICMP
     deny icmp any any echo-request
     deny icmp any any echo-reply
     permit ipv6 any any
    interface GigabitEthernet0/2
     ipv6 traffic-filter BLOCK-ICMP in

Which statement is true?

A.The ACL blocks ICMP echo-request and echo-reply, but permits all other IPv6 traffic inbound.
B.The ACL blocks all ICMPv6 traffic because the deny statements are too broad.
C.The ACL must be applied outbound to filter echo-request.
D.The ACL is missing the 'log' keyword to be effective.
AnswerA

The deny statements match the specified ICMP types; the final permit allows everything else.

Why this answer

Option A is correct because the IPv6 ACL explicitly denies ICMPv6 echo-request and echo-reply messages (types 128 and 129) while the final permit ipv6 any any statement allows all other IPv6 traffic. The ipv6 traffic-filter command applied inbound on GigabitEthernet0/2 filters traffic as it enters the interface, so only the specified ICMP types are blocked, and all other IPv6 traffic is permitted.

Exam trap

Cisco often tests the misconception that an ACL applied inbound cannot block echo-reply because it is a response, but in IPv6, echo-reply is a separate ICMP type that can be filtered inbound on the interface where it arrives.

How to eliminate wrong answers

Option B is wrong because the ACL does not block all ICMPv6 traffic; it only denies two specific ICMPv6 message types (echo-request and echo-reply), and the permit ipv6 any any statement allows all other ICMPv6 types and all other IPv6 traffic. Option C is wrong because the ACL can filter echo-request and echo-reply when applied inbound; ICMP echo-request is typically sent from a source to a destination, so applying the ACL inbound on the destination interface will block the incoming echo-request, and echo-reply is also blocked inbound on the source interface if needed. Option D is wrong because the 'log' keyword is optional and not required for the ACL to be effective; the ACL will deny or permit traffic based on the configured entries without logging.

40
Multi-Selecthard

Which TWO configuration changes will prevent IPv6 traffic from being forwarded from a specific source prefix in a BGP environment without using a prefix list? (Choose TWO.)

Select 2 answers
A.Apply an inbound IPv6 access-list on the interface that denies traffic from the source prefix.
B.Configure a route map that matches the source prefix and sets a BGP community, then apply it inbound on the BGP neighbor to filter the prefix from being advertised.
C.Use the 'ipv6 route' command to install a discard route for the source prefix.
D.Apply an outbound IPv6 access-list on the interface to block traffic from the source prefix.
E.Configure uRPF strict mode on the interface to drop packets from the source prefix if the prefix is not in the FIB.
AnswersA, B

Correct. An IPv6 access-list applied inbound on an interface can filter traffic based on source prefix.

Why this answer

To block IPv6 traffic from a source prefix, you can use an inbound IPv6 access-list on the interface or leverage BGP path filtering with a route map that matches the source prefix and sets a community that is denied. Another method is to use a route policy to filter the prefix from being installed in the routing table, but that affects routing, not traffic filtering. The question asks for traffic filtering without a prefix list (but an access-list is allowed).

Using 'ipv6 access-list' and applying it inbound is valid. Also, using BGP community-based filtering can block traffic at the edge.

41
Drag & Dropmedium

Drag and drop the steps to verify and validate IPv6 traffic filtering and uRPF operational state into the correct order, from first to last.


Why this order

Validation begins with checking the uRPF configuration on the interface, then verifying the interface status, inspecting uRPF statistics, testing connectivity with ping, and finally confirming the routing table for expected routes.

42
MCQhard

A network engineer is troubleshooting an IPv6 multicast issue on a router. The router is receiving multicast traffic from a source, but the traffic is not being forwarded to downstream receivers. The engineer checks the interface and finds an inbound IPv6 ACL that permits only certain multicast groups. The ACL permits the group address FF1E::1, but the source address is 2001:db8:1::1. The engineer also notices that uRPF is enabled on the interface in strict mode. The router has a route to the source's network via a different interface. What is the most likely cause of the multicast forwarding failure?

A.The uRPF strict mode check fails because the route to the source's network points out a different interface than the one on which the multicast packet was received.
B.The ACL is blocking the multicast traffic because the source address is not permitted.
C.The multicast routing is not enabled globally.
D.The downstream receivers are not in the multicast group.
AnswerA

Correct because multicast uRPF requires the source address to be reachable via the receiving interface; otherwise, the packet is dropped to prevent spoofing.

Why this answer

The correct answer is A. With uRPF strict mode enabled, the router checks that the source address of the incoming packet is reachable via the same interface on which the packet was received. Since the route to 2001:db8:1::1 points out a different interface, the uRPF check fails and the packet is dropped before any multicast forwarding can occur.

This explains why the multicast traffic is not forwarded to downstream receivers despite the ACL permitting the group address.

Exam trap

The trap here is that candidates often focus on the ACL or multicast configuration and overlook the uRPF strict mode check, which silently drops packets before multicast forwarding logic is applied.

How to eliminate wrong answers

Option B is wrong because the ACL permits the group address FF1E::1, and IPv6 multicast ACLs filter on the destination (group) address, not the source address; the source address 2001:db8:1::1 is irrelevant to the ACL match. Option C is wrong because if multicast routing were not enabled globally, the router would not be receiving multicast traffic at all, and the engineer would likely see no multicast routes or PIM neighbors. Option D is wrong because the downstream receivers' membership in the multicast group is irrelevant to the forwarding failure; the issue is that the router drops the packet due to uRPF before it can even consult the multicast forwarding table.

43
MCQeasy

In IPv6, what is the default action for an access-list entry that does not specify a protocol?

A.The ACE defaults to 'permit ipv6'.
B.The ACE is invalid and ignored.
C.The ACE defaults to 'deny ipv6'.
D.The ACE matches all IPv6 traffic.
AnswerB

Cisco IOS requires a protocol in each IPv6 ACL entry; without it, the entry is invalid.

Why this answer

IPv6 ACLs require a protocol keyword (e.g., tcp, udp, icmp, ipv6). If omitted, the ACE is invalid and ignored.

44
MCQmedium

A network engineer runs the following command to verify IPv6 access-list hits:

    R1# show ipv6 access-list FILTER | include matches
    permit ipv6 2001:DB8:1::/48 any sequence 10 (10 matches)
    deny ipv6 2001:DB8:2::/48 any sequence 20 (5 matches)
    permit ipv6 any any sequence 30 (100 matches)

What does this output indicate?

A.5 packets from 2001:DB8:2::/48 have been denied, and 110 packets have been permitted.
B.All packets from 2001:DB8:2::/48 have been permitted.
C.The access list has been applied to an interface but not used.
D.The access list is invalid because of the order of entries.
AnswerA

Correct. 5 matches on the deny entry, and 10+100=110 matches on permit entries.

Why this answer

The output shows the number of packets matching each entry. Sequence 10 has 10 matches, sequence 20 has 5 matches (denied), and sequence 30 has 100 matches (permitted).

45
MCQhard

Which IPv6 traffic filter can be used to match traffic based on the Flow Label field?

A.IPv6 access-list with the 'flow-label' option
B.IPv6 prefix-list
C.IPv6 route-map with match ipv6 address
D.IPv6 uRPF
AnswerA

The 'flow-label' keyword allows matching the 20-bit Flow Label field in the IPv6 header.

Why this answer

IPv6 access-lists support matching on the flow label using the 'flow-label' keyword.

46
MCQhard

An engineer configures IPv6 uRPF strict mode on an interface of a router that participates in OSPFv3. The router starts dropping OSPFv3 Hello packets received on that interface, causing the OSPFv3 neighbor adjacency to fail. Which is the most likely explanation?

A.The OSPFv3 Hello packets have a source IPv6 address that is not in the routing table, causing uRPF strict mode to drop them.
B.The OSPFv3 Hello packets are multicast to ff02::5, and uRPF strict mode drops all multicast traffic by default.
C.The OSPFv3 Hello packets have a hop limit of 1, and uRPF strict mode requires a hop limit of at least 2.
D.The interface has IPv6 unicast-routing disabled, which prevents uRPF from functioning correctly.
AnswerA

Correct. OSPFv3 uses link-local source addresses, which are not globally routable and not present in the routing table, so uRPF strict mode drops them.

Why this answer

OSPFv3 uses link-local addresses (fe80::) for neighbor communication. uRPF strict mode checks that the source address of incoming packets is reachable via the incoming interface in the routing table. Link-local addresses are not typically installed in the global routing table, so uRPF strict mode drops them, breaking OSPFv3 adjacency.

47
MCQmedium

Which statement about IPv6 uRPF loose mode is true?

A.It requires the source address to be reachable via the same interface.
B.It only verifies that the source address exists in the FIB.
C.It drops packets with link-local source addresses.
D.It is enabled by default on all interfaces.
AnswerB

Loose mode checks for any route to the source address.

Why this answer

Loose mode only checks that the source address is present in the routing table, regardless of the incoming interface.

48
MCQmedium

Which statement correctly describes the behavior of IPv6 Unicast Reverse Path Forwarding (uRPF) in strict mode?

A.It verifies that the source address is in the routing table, but does not check the incoming interface.
B.It checks that the source address is reachable via the same interface and that the route is a connected route.
C.It verifies that the source address is reachable via the same interface and that the route points back to that interface.
D.It only checks that the source address is not a multicast or link-local address.
AnswerC

This is the definition of strict mode uRPF.

Why this answer

Strict mode uRPF checks that the source address of an incoming packet is reachable via the same interface it arrived on, and that the route points back to that interface.

49
MCQhard

A network engineer is troubleshooting a BGP IPv6 peering issue between two routers, R1 and R2, connected via a point-to-point link. The engineer notices that the BGP session is flapping with error 'BGP Notification sent: 3/2 (Update malformed)'. The engineer checks the IPv6 ACL applied to the interface on R1 and sees an inbound ACL that permits only TCP port 179 from the neighbor's link-local address. The BGP peering uses the global unicast addresses of the interfaces. What is the most likely cause of the BGP session failure?

A.The ACL is blocking TCP packets from the neighbor's global unicast address because it only permits traffic from the link-local address.
B.The BGP update is malformed because the neighbor does not have the correct route-map applied.
C.The ACL is missing a permit statement for ICMPv6 neighbor discovery messages.
D.The BGP session is using link-local addresses, but the ACL permits global addresses.
AnswerA

Correct because BGP uses TCP, and the ACL permits only traffic from the link-local address, but the BGP session is established using global addresses, causing the TCP handshake to fail.

Why this answer

The BGP session is flapping because the inbound ACL on R1 permits only TCP port 179 traffic sourced from the neighbor's link-local address, but the BGP peering is configured using global unicast addresses. Therefore, TCP packets from R2's global unicast address are dropped by the ACL, causing the BGP session to fail with a 'Notification sent: 3/2 (Update malformed)' error, as the TCP connection cannot be established or maintained.

Exam trap

Cisco often tests the misconception that ACLs for BGP peering should permit the neighbor's link-local address when using IPv6, but the trap here is that the BGP session is configured with global unicast addresses, so the ACL must permit the global unicast address, not the link-local address.

How to eliminate wrong answers

Option B is wrong because a malformed update error (code 3, subcode 2) is not caused by a missing route-map; route-maps affect route filtering or attribute manipulation, not the TCP transport or session establishment. Option C is wrong because ICMPv6 neighbor discovery messages (e.g., Neighbor Solicitation/Advertisement) are used for IPv6 address resolution and are not required for BGP session establishment over a point-to-point link; the ACL blocking TCP from the global address is the direct cause. Option D is wrong because the BGP session is using global unicast addresses, not link-local addresses, and the ACL permits traffic from the link-local address, which would not match the actual source address of the BGP packets.

50
Multi-Selectmedium

Which TWO configuration steps are required to implement IPv6 traffic filtering using a named ACL on a Cisco router? (Choose TWO.)

Select 2 answers
A.Create the ACL using the ipv6 access-list command.
B.Apply the ACL to the interface using the ipv6 traffic-filter command.
C.Create the ACL using the access-list command.
D.Apply the ACL to the interface using the ip access-group command.
E.Apply the ACL to the interface using the ipv6 access-group command.
AnswersA, B

Correct: 'ipv6 access-list NAME' enters IPv6 ACL configuration mode.

Why this answer

You must first create the ACL with 'ipv6 access-list' and then apply it to an interface with 'ipv6 traffic-filter'. The 'access-list' command is for IPv4, 'ip access-group' is for IPv4 ACL application, and 'ipv6 access-group' does not exist.

51
MCQhard

An engineer configures an IPv6 ACL to permit BGP traffic (TCP port 179) between two routers and deny all other traffic. The ACL is applied inbound on the interface facing the BGP neighbor. BGP session establishes, but the routers cannot exchange IPv6 routes. Which is the most likely explanation?

A.The ACL permits only TCP packets with destination port 179, but BGP updates are sent from source port 179 to an ephemeral destination port, so they are not matched and are dropped.
B.The ACL must also permit ICMPv6 for PMTUD, but the BGP session establishes, so PMTUD is not needed.
C.The ACL is applied outbound, not inbound, causing the BGP updates to be filtered.
D.The router has BGP authentication configured, which changes the TCP port number.
AnswerA

Correct. BGP uses source port 179 for outgoing updates; the destination port is ephemeral. The ACL must permit both directions or use 'tcp any any eq 179' for incoming updates, but for outgoing updates, the router needs to permit 'tcp any any' or specify the correct direction.

Why this answer

BGP uses TCP port 179. The ACL permits TCP port 179, which allows the BGP session to establish. However, BGP updates are sent over the same TCP connection, so they should be permitted.

The issue may be that the ACL also needs to permit the BGP keepalives and notifications, but they use the same port. A more subtle edge case: an ACL that permits only TCP port 179 may inadvertently block the ICMPv6 packets needed for PMTUD or neighbor discovery, but the BGP session establishes. The most likely explanation: the ACL is applied inbound and matches only destination port 179, while the BGP updates are sent from a source port of 179 (or ephemeral).

If the ACL permits only 'tcp any any eq 179', it matches packets with destination port 179. BGP updates are sent from the BGP router's source port 179 to the neighbor's ephemeral port, so the destination port is not 179. Thus, the updates are dropped.

52
Multi-Select hard

Which TWO statements about the interaction between IPv6 ACLs and uRPF are correct? (Choose TWO.)

Select 2 answers
A. When both uRPF and an inbound IPv6 ACL are configured on the same interface, uRPF is processed first.
B. An IPv6 ACL can be used to permit traffic that would otherwise be dropped by uRPF strict mode due to asymmetric routing.
C. uRPF can be configured to ignore IPv6 ACLs on the same interface.
D. An outbound IPv6 ACL can be used to filter traffic before uRPF checks.
E. If uRPF drops a packet, the inbound ACL is still evaluated for logging purposes.
Answers: A, B

Correct. uRPF checks occur before ACL processing in the input path.

Why this answer

IPv6 ACLs and uRPF can be applied together on the same interface. uRPF processes packets before inbound ACLs in the input path. If uRPF drops a packet, the ACL is not evaluated. Conversely, if uRPF passes the packet, the ACL then filters it.

ACLs can be used to permit traffic that uRPF would otherwise drop (e.g., for asymmetric routing), but that requires careful design. uRPF does not override ACLs; they work sequentially.

53
MCQ hard

An MPLS network uses LDP for label distribution with IPv6. Routers R1 and R2 are LDP peers. R1 has an IPv6 ACL applied inbound on the interface facing R2 that permits only TCP port 646 (LDP) and denies all other traffic. On R2, 'show mpls ldp neighbor' indicates the neighbor is up, but 'show mpls forwarding-table' shows no labels for IPv6 prefixes. R1's 'show mpls ldp bindings' shows labels for all prefixes. What is the root cause?

A. The ACL blocks UDP port 646, which is used for LDP label advertisement messages, preventing label distribution.
B. LDP session is established but the routers have mismatched label ranges, causing no label bindings.
C. IPv6 CEF is not enabled on R1, preventing label imposition.
D. R2 has an outbound ACL blocking LDP packets, causing asymmetric filtering.
Answer: A

LDP uses TCP for session but UDP for initial discovery and some label advertisements. Blocking UDP 646 stops label exchange.

Why this answer

LDP uses UDP for discovery (hello) and TCP for session. The ACL permits TCP 646, so the session is established. However, LDP also uses UDP for targeted hellos or link hellos, and the ACL blocks UDP 646, preventing proper label exchange.

The bindings exist but are not advertised because the UDP-based label advertisement is blocked.

54
MCQ medium

A network engineer is troubleshooting an IPv6 routing issue on a router that is receiving OSPFv3 routes from multiple neighbors. The engineer notices that some routes are missing from the routing table. The engineer checks the interface configuration and finds an inbound IPv6 ACL applied to the interface that permits only specific prefixes. The engineer also notices that the missing routes are from a neighbor that is sending routes with a prefix length of /48, while the ACL permits only /64 prefixes. What is the most likely cause of the missing routes?

A. The ACL is filtering the OSPFv3 routes based on prefix length, and the /48 routes are not permitted.
B. The OSPFv3 neighbor relationship is down due to a mismatched area ID.
C. The router has a route-map that is denying the /48 routes before they are installed.
D. The IPv6 ACL is applied outbound, blocking the routes from being sent.
Answer: A

Correct because the ACL permits only /64 prefixes, so /48 routes are dropped, preventing them from being installed in the routing table.

Why this answer

The inbound IPv6 ACL on the interface is filtering OSPFv3 routes based on prefix length. Since the ACL permits only /64 prefixes, any routes with a /48 prefix length are denied and not installed in the routing table. This is the most likely cause of the missing routes.

Exam trap

The trap here is that candidates may overlook that an inbound ACL on an interface can filter OSPFv3 route updates based on prefix length, assuming ACLs only filter data-plane traffic, not routing protocol updates.

How to eliminate wrong answers

Option B is wrong because a mismatched area ID would prevent the OSPFv3 neighbor relationship from forming entirely, not cause selective route filtering; the engineer already confirmed the router is receiving routes from multiple neighbors, so the neighbor relationship is up. Option C is wrong because the engineer specifically identified an ACL as the filtering mechanism, and there is no mention of a route-map; a route-map would be a separate configuration applied under the OSPFv3 process or redistribution, not on the interface. Option D is wrong because the engineer explicitly states the ACL is applied inbound, not outbound; an outbound ACL would affect routes being sent, not received.

55
MCQ medium

Examine this configuration:

    interface GigabitEthernet0/4
     ipv6 address 2001:db8:2::1/64
     ipv6 verify unicast source reachable-via any

What is the effect of the 'ipv6 verify unicast source reachable-via any' command?

A. The router performs strict uRPF: the source address must be reachable via the same interface the packet arrived on.
B. The router performs loose uRPF: the source address must be reachable via any route in the FIB.
C. The router drops all packets with source addresses not in the same subnet as the interface.
D. The command is invalid because 'ipv6 verify unicast' requires a route-map.
Answer: B

Loose mode only requires a route to the source, not necessarily via the receiving interface.

Why this answer

This enables uRPF (unicast Reverse Path Forwarding) in loose mode. It checks that the source address of incoming packets is reachable via any route in the FIB, but does not require the exact interface.

56
MCQ hard

An engineer configures an IPv6 ACL to filter OSPFv3 traffic on a router interface. The ACL includes a deny entry for OSPFv3 (protocol 89) followed by a permit ipv6 any any. However, OSPFv3 adjacencies still fail to form over that interface. Which is the most likely explanation?

A. The ACL is applied outbound, but OSPFv3 packets are generated locally and are not subject to outbound ACL filtering.
B. The ACL uses 'deny ospf' but OSPFv3 uses protocol 89, which is not matched by 'deny ospf' in IPv6 ACLs.
C. The ACL must include a permit entry for the link-local address of the neighbor, otherwise OSPFv3 packets are dropped.
D. The ACL is applied to the interface but the router has 'ipv6 ospf authentication' configured, which changes the packet format and bypasses ACL filtering.
Answer: A

Correct. Outbound ACLs do not filter locally generated packets, including OSPFv3 Hellos. The ACL must be applied inbound to filter incoming OSPFv3 packets.

Why this answer

OSPFv3 uses IPv6 multicast addresses ff02::5 (all OSPF routers) and ff02::6 (all DR/BDR routers). Even if an ACL permits OSPFv3 protocol, the multicast destination may be filtered by other mechanisms or the ACL may not be applied correctly. However, a common edge case is that the ACL is applied inbound and OSPFv3 packets are sourced from link-local addresses, which may not match the ACL source entry if not specified correctly.

But the key point: OSPFv3 uses protocol 89 in the IPv6 header, but the ACL must match the protocol number, not the next header field in IPv6. In IOS, the 'ipv6 access-list' uses 'deny ospf' to match OSPFv3, but if the engineer uses 'deny 89' incorrectly, it may not match. The most likely issue: the ACL is applied outbound instead of inbound, or the deny entry incorrectly matches the OSPFv3 packets before the permit.

57
MCQ medium

Review this configuration:

    route-map RMAP permit 10
     match ipv6 address prefix-list PREFIX
     set interface null0
    !
    ipv6 prefix-list PREFIX seq 5 permit 2001:db8:5::/48
    !
    interface GigabitEthernet0/6
     ipv6 verify unicast source reachable-via any allow-default

What is the purpose of the 'allow-default' keyword?

A. It allows uRPF to use the default route as a valid path for source reachability.
B. It allows the router to accept packets with source addresses from the default prefix.
C. It disables uRPF for packets matching the default route.
D. It is used to allow multicast traffic through uRPF.
Answer: A

Normally, loose uRPF ignores default routes; 'allow-default' includes them.

Why this answer

The 'allow-default' keyword permits packets whose source address is reachable via a default route. Without it, loose uRPF would drop packets with sources matching only a default route.

58
MCQ medium

Review the following configuration:

    ipv6 access-list FILTER
     permit tcp 2001:db8:1::/48 any eq 80
     permit tcp 2001:db8:1::/48 any eq 443
     deny ipv6 any any
    interface GigabitEthernet0/3
     ipv6 traffic-filter FILTER out

What is the effect of this configuration?

A. Only HTTP and HTTPS traffic from 2001:db8:1::/48 is permitted outbound; all other traffic is denied.
B. All traffic from 2001:db8:1::/48 is permitted because the ACL does not specify destination prefix.
C. The ACL is misconfigured because 'out' should be 'in' for source-based filtering.
D. The ACL permits all traffic because the deny statement is implicit.
Answer: A

The permit statements match source prefix and destination ports; the implicit deny blocks everything else.

Why this answer

Option A is correct because the IPv6 ACL named FILTER explicitly permits TCP traffic from source prefix 2001:db8:1::/48 to any destination on ports 80 (HTTP) and 443 (HTTPS), and then denies all other IPv6 traffic. Applied as an outbound traffic filter on GigabitEthernet0/3, this configuration restricts outbound traffic to only HTTP and HTTPS sessions originating from the specified prefix.

Exam trap

Cisco often tests the misconception that an ACL without a destination prefix permits all traffic from the source, but in reality, the permit statement still requires the specified protocol and ports to match, and the explicit deny blocks everything else.

How to eliminate wrong answers

Option B is wrong because the ACL does not permit all traffic from 2001:db8:1::/48; it only permits TCP traffic to ports 80 and 443, and the explicit deny ipv6 any any blocks all other traffic. Option C is wrong because applying the ACL outbound is valid for filtering traffic leaving the interface; the direction 'out' is appropriate when the source prefix is the local network, and there is no requirement to use 'in' for source-based filtering. Option D is wrong because the ACL includes an explicit deny ipv6 any any statement, so the implicit deny at the end of the ACL is redundant but does not permit all traffic; the explicit deny still blocks everything not matched by the permit statements.

59
MCQ hard

A dual-stack network uses BGP for IPv6 between AS 100 and AS 200. Router R1 (AS 100) has an inbound route-map that sets local preference to 200 for routes from R2 (AS 200). R1 also has an IPv6 ACL applied inbound that permits only BGP (TCP 179) and denies ICMPv6. R2 advertises a prefix 2001:db8:1::/48. R1's BGP table shows the prefix with local preference 200, but 'show ipv6 route' does not install it. R1 has uRPF strict mode on the interface facing R2. What is the root cause?

A. The ACL blocks ICMPv6, which is required for IPv6 neighbor discovery. Without ND, the next-hop address of the BGP route is unresolved, preventing route installation.
B. uRPF strict mode drops the BGP updates because the source address is not in the FIB.
C. The route-map sets local preference incorrectly, causing the route to be suppressed.
D. R1's BGP process has 'soft-reconfiguration inbound' enabled, causing the route to be hidden.
Answer: A

BGP uses TCP, but the next-hop must be reachable via ND. Blocking ICMPv6 prevents ND, so the route is not installed.

Why this answer

uRPF strict mode checks the source address of incoming packets. For BGP updates, the source is R2's IP. But the ACL denies ICMPv6, which is used for neighbor discovery (ND).

If ND fails, the next-hop address of the BGP route may be unreachable, causing the route to not be installed. Alternatively, uRPF may drop the BGP packets if the source is not reachable via that interface.

60
MCQ medium

A network engineer runs the following command on Router R1:

    R1# show ipv6 interface tunnel 0
    Tunnel0 is up, line protocol is up
      IPv6 is enabled, link-local address is FE80::1
      Global unicast address(es):
        2001:DB8:2::1, subnet is 2001:DB8:2::/64
      Joined group address(es):
        FF02::1
        FF02::2
      ICMP redirects are enabled
      ICMP unreachables are enabled
      ND DAD is enabled, number of DAD attempts: 1
      ND reachable time is 30000 milliseconds
      IPv6 uRPF: loose mode (allow default route)

Based on this output, what is the uRPF configuration on this interface?

A. uRPF is disabled
B. uRPF is enabled in strict mode
C. uRPF is enabled in loose mode
D. uRPF is enabled but only for IPv4
Answer: C

The output confirms loose mode uRPF.

Why this answer

The output explicitly shows 'IPv6 uRPF: loose mode (allow default route)', which confirms that unicast Reverse Path Forwarding (uRPF) is enabled in loose mode. In loose mode, the router checks that the source address of an incoming packet has a matching entry in the routing table, but it does not require the incoming interface to match the best return path. This is distinct from strict mode, which requires both a routing table entry and that the incoming interface is the same as the outgoing interface for the return route.

Exam trap

Cisco often tests the distinction between uRPF strict and loose modes by showing output that includes 'loose mode' or 'allow default route', and the trap here is that candidates may confuse 'loose mode' with 'disabled' or incorrectly assume that uRPF only applies to IPv4, ignoring the IPv6-specific output.

How to eliminate wrong answers

Option A is wrong because the output clearly states 'IPv6 uRPF: loose mode', which means uRPF is enabled, not disabled. Option B is wrong because the output specifies 'loose mode', not 'strict mode'; strict mode would require the incoming interface to match the best return path, which is not indicated here. Option D is wrong because the command 'show ipv6 interface tunnel 0' displays IPv6-specific information, and the output explicitly shows 'IPv6 uRPF: loose mode', confirming that uRPF is configured for IPv6, not only for IPv4.

61
MCQ hard

A network engineer runs the following command to debug IPv6 uRPF with detailed information:

    R1# debug ipv6 verify detail
    IPv6 verify debugging is on (detail)
    *Mar 1 00:03:45.678: IPv6 verify: source 2001:DB8:5::1 on GigabitEthernet0/0
    *Mar 1 00:03:45.678: route to source via GigabitEthernet0/1, not same as input interface

What does this output indicate?

A. The packet will be dropped because strict uRPF requires the return path to be through the same interface.
B. The packet will be forwarded because a route exists.
C. The packet will be forwarded because uRPF is loose.
D. The router will change the route to use GigabitEthernet0/0.
Answer: A

Correct. Strict uRPF checks that the best route to the source uses the same interface as the packet arrived on.

Why this answer

The debug output shows that a packet from source 2001:DB8:5::1 arrived on GigabitEthernet0/0, but the route to that source points out GigabitEthernet0/1. With strict uRPF, this packet will be dropped because the return path is not through the receiving interface.

62
MCQ medium

A network engineer runs the following command to verify IPv6 traffic filtering with logging:

    R1# show logging | include FILTER
    *Mar 1 00:04:56.789: %IPV6_ACL-6-ACCESSLOGDP: list FILTER denied tcp 2001:DB8:2::1(12345) -> 2001:DB8:3::1(80), 1 packet

What does this output indicate?

A. A TCP packet from 2001:DB8:2::1 to destination 2001:DB8:3::1 port 80 was denied by the access list.
B. A TCP packet was permitted by the access list.
C. The access list is not applied to any interface.
D. The packet was dropped due to uRPF.
Answer: A

Correct. The log clearly indicates the denied packet details.

Why this answer

The log message shows that a TCP packet from 2001:DB8:2::1 to 2001:DB8:3::1 was denied by the access-list FILTER. This is consistent with the deny entry for 2001:DB8:2::/48.

63
MCQ hard

An engineer configures IPv6 uRPF strict mode on an interface that is used for both IPv6 traffic and OSPFv3 routing. The router is an ABR with multiple areas. OSPFv3 adjacencies form correctly, but some IPv6 data traffic is dropped. The show ipv6 interface command shows uRPF is enabled. Which is the most likely explanation?

A. The router has a default route pointing to a different interface, and uRPF strict mode without 'allow-default' drops packets whose source address is reachable via the default route.
B. OSPFv3 adjacencies use link-local addresses, which are not checked by uRPF, but data traffic uses global addresses that are incorrectly filtered by the OSPFv3 process.
C. The router has 'ipv6 uRPF allow-default' configured, but the default route is not installed, causing all traffic to be dropped.
D. The interface has an IPv6 ACL that denies traffic from certain prefixes, overriding uRPF.
Answer: A

Correct. uRPF strict mode checks the specific route, not the default. If the source address is only matched by a default route via another interface, the packet is dropped.

Why this answer

uRPF strict mode checks the source address of incoming packets against the routing table. For a router that is an ABR, some routes may be learned via OSPFv3 inter-area or external routes. If the routing table has multiple paths, the reverse path may not be via the incoming interface.

Additionally, OSPFv3 uses link-local addresses for adjacencies, and these are not affected by the uRPF check. The edge case: uRPF strict mode can drop traffic that arrives on a different interface than the best reverse path, especially if the router has multiple interfaces in the same area or in different areas. However, a more subtle issue: if the router has a default route via another interface, uRPF strict mode without 'allow-default' will drop packets whose source address matches the default route, because the default route points to a different interface.

64
MCQ hard

An engineer configures an IPv6 ACL on a router interface to permit only specific ICMPv6 types (e.g., echo request and echo reply) and deny all other IPv6 traffic. After the ACL is applied inbound, IPv6 Neighbor Discovery (ND) stops working on the router and the interface loses IPv6 connectivity. Which is the most likely explanation?

A. The ACL denies ICMPv6 types 133-137, which are required for Neighbor Discovery, causing the router to fail to resolve neighbors.
B. The ACL must be applied outbound, not inbound, to allow ND packets to be sent.
C. The router needs to have 'ipv6 nd suppress' configured to bypass ACL filtering for ND packets.
D. The ACL should use 'permit ipv6 any any' before the deny statements to allow ND, but the engineer placed it after.
Answer: A

Correct. ND uses ICMPv6 types 133-137; denying them breaks IPv6 connectivity.

Why this answer

IPv6 Neighbor Discovery (ND) uses ICMPv6 types 133-137 (router solicitation, router advertisement, neighbor solicitation, neighbor advertisement, redirect). If the ACL denies all ICMPv6 types except echo, ND packets are dropped, preventing address resolution and neighbor reachability. This is a common misconfiguration: engineers forget that ND is essential for IPv6 operation and must be permitted.

65
MCQ hard

A DMVPN network uses IPv6 with EIGRP as the routing protocol. Spoke routers R2 and R3 are behind NAT and use mGRE tunnels. The hub R1 has an IPv6 ACL applied inbound on the tunnel interface that permits only EIGRP and denies all other IPv6 traffic. Spoke-to-spoke traffic fails even though direct tunnels are established. On R2, 'ping 2001:db8:3::1 source loopback0' fails, but 'ping 2001:db8:1::1' (hub) succeeds. What is the root cause?

A. R1's inbound ACL on the tunnel interface permits only EIGRP, dropping all other traffic including spoke-to-spoke data packets.
B. NAT traversal is broken for spoke-to-spoke traffic due to IPsec encryption issues.
C. EIGRP is not advertising spoke loopbacks to other spokes, causing no route.
D. The mGRE tunnel on R2 does not have a destination for R3, preventing direct communication.
Answer: A

Spoke-to-spoke traffic is forwarded through the hub if the routing table points to the hub. The ACL on the hub's tunnel interface filters this traffic.

Why this answer

The ACL on R1's tunnel interface blocks spoke-to-spoke traffic because it is not sourced from the hub. Even though the spokes have a direct tunnel, the traffic still traverses the hub's tunnel interface if the routing is not optimized. The ACL permits only EIGRP, so data traffic is dropped.

66
MCQ hard

A dual-stack network uses BGP for IPv6 between two ISPs. R1 (AS 100) receives a full BGP table from R2 (AS 200). R1 has an IPv6 ACL applied inbound on the interface to R2 that permits only BGP (TCP 179) and denies all other traffic. R1 also has uRPF configured in strict mode on the same interface. R1's BGP table has a route to 2001:db8:1::/48 with next-hop 2001:db8:2::2. R1's routing table shows the route, but traffic from R1 to 2001:db8:1::1 fails. On R1, 'show ipv6 cef 2001:db8:1::/48' points to 2001:db8:2::2 via the interface to R2. What is the root cause?

A. The ACL on R1 blocks the return traffic from the destination, which is not BGP, causing the ping to fail.
B. uRPF strict mode drops the outgoing traffic because the source address is not reachable via the interface.
C. The next-hop 2001:db8:2::2 is not reachable due to a missing ND entry.
D. BGP next-hop resolution fails because the next-hop is not in the FIB.
Answer: A

The ACL permits only BGP. Return traffic (ICMPv6 echo reply) is blocked, so the ping fails.

Why this answer

uRPF strict mode checks the source address of incoming packets, not outgoing ones. For traffic from R1 to the destination, the source is R1's own address. When the return traffic comes back, uRPF checks the source of the return packet.

But the issue is that the ACL blocks all traffic except BGP. When R1 sends data to the destination, the return traffic is blocked by the ACL because it is not BGP. The uRPF is not the issue; the ACL is blocking the return traffic.

67
Drag & Drop medium

Drag and drop the steps to configure uRPF in strict mode on an edge router into the correct order, from first to last.

Why this order

The correct order begins with entering global configuration mode, then configuring the interface, enabling IPv6 on the interface, applying uRPF strict mode, and finally verifying the configuration with a show command.

69
MCQ medium

Examine the following IPv6 ACL applied to an interface:

    ipv6 access-list FILTER
     permit ipv6 any any fragments
     deny ipv6 any any
    interface GigabitEthernet0/1
     ipv6 traffic-filter FILTER in

What is the effect of this configuration?

A. All IPv6 traffic is permitted because the permit statement matches any packet.
B. Only fragmented IPv6 packets are permitted; all other IPv6 traffic is denied.
C. The ACL is invalid because 'fragments' cannot be used with 'any any'.
D. The interface command is missing the 'ipv6 enable' prerequisite.
Answer: B

The first ACE permits only fragments; the second denies everything else, so only fragments pass.

Why this answer

Option B is correct because the ACL explicitly permits only fragmented IPv6 packets via the 'permit ipv6 any any fragments' statement, while the subsequent 'deny ipv6 any any' statement denies all other IPv6 traffic. Since ACLs are processed sequentially, the permit for fragments is evaluated first, allowing only fragmented packets; all non-fragmented packets are then denied by the second entry.

Exam trap

Cisco often tests the misconception that 'permit ipv6 any any' without the 'fragments' keyword matches all packets, but here the 'fragments' keyword narrows the match, causing candidates to overlook the sequential processing of ACL entries and incorrectly assume all traffic is permitted.

How to eliminate wrong answers

Option A is wrong because the permit statement includes the 'fragments' keyword, which restricts the match to only fragmented IPv6 packets, not all IPv6 traffic; thus, non-fragmented packets are denied by the subsequent deny statement. Option C is wrong because the 'fragments' keyword is fully valid with 'any any' in an IPv6 ACL; it simply limits the match to fragmented packets, and the ACL is syntactically correct. Option D is wrong because the 'ipv6 traffic-filter' command does not require the 'ipv6 enable' interface command as a prerequisite; IPv6 traffic filtering works independently as long as IPv6 is configured on the interface.

70
MCQ medium

A network engineer runs the following command on Router R1:

    R1# show ipv6 interface gigabitethernet 0/0
    GigabitEthernet0/0 is up, line protocol is up
      IPv6 is enabled, link-local address is FE80::1
      Global unicast address(es):
        2001:DB8:1:1::1, subnet is 2001:DB8:1:1::/64
      Joined group address(es):
        FF02::1
        FF02::2
      ICMP redirects are enabled
      ICMP unreachables are enabled
      ND DAD is enabled, number of DAD attempts: 1
      ND reachable time is 30000 milliseconds
      ND advertised reachable time is 0 milliseconds
      ND advertised retransmit interval is 1000 milliseconds
      ND router advertisements are sent every 200 seconds
      ND router advertisements live for 1800 seconds
      Hosts use stateless autoconfig for addresses.
      IPv6 uRPF: strict mode (drop invalid packets)

Based on this output, what is the operational state of uRPF on this interface?

A. uRPF is disabled
B. uRPF is enabled in strict mode
C. uRPF is enabled in loose mode
D. uRPF is enabled but only for multicast
Answer: B

The output confirms strict mode uRPF is active.

Why this answer

The output explicitly states 'IPv6 uRPF: strict mode (drop invalid packets)', which confirms that unicast Reverse Path Forwarding (uRPF) is enabled on the interface and operating in strict mode. In strict mode, the router verifies that the source address of an incoming packet matches a route in the FIB pointing back to the same interface; if not, the packet is dropped. This is a direct read of the operational state from the show command.

Exam trap

Cisco often tests the ability to read the exact operational state from the 'show ipv6 interface' output, where candidates may overlook the explicit 'strict mode' line and instead assume uRPF is disabled or confuse it with loose mode based on incomplete knowledge of the command syntax.

How to eliminate wrong answers

Option A is wrong because the output clearly shows 'IPv6 uRPF: strict mode', indicating uRPF is enabled, not disabled. Option C is wrong because the output specifies 'strict mode', not 'loose mode'; loose mode would only require a matching route in the FIB regardless of the incoming interface. Option D is wrong because uRPF operates on unicast traffic, not multicast; the output makes no mention of multicast filtering, and uRPF is not designed for multicast.

71
MCQmedium

A network engineer is troubleshooting a connectivity issue between two routers R1 and R2 connected via GigabitEthernet0/0. The engineer notices that R1 can ping its own IPv6 address 2001:db8:1::1/64, but cannot ping R2's interface address 2001:db8:1::2/64. The output of 'show ipv6 interface GigabitEthernet0/0' on R1 indicates that IPv6 is enabled and the interface is up/up. The engineer checks the access list applied to the interface and sees an inbound IPv6 ACL that permits only ICMPv6 echo requests from a specific source. What is the most likely cause of the ping failure?

A. The ACL is applied inbound on R1 and does not permit ICMPv6 echo replies from R2.
B. The ACL is applied outbound on R1 and blocks the echo request.
C. IPv6 unicast-routing is not enabled on R1.
D. The ACL is missing a permit statement for IPv6 neighbor discovery (ND) messages.
Answer: A

Correct because ICMPv6 echo replies are sourced from the destination address (R2) and must be permitted inbound on R1 for the ping to succeed.

Why this answer

The inbound ACL on R1 is blocking the ICMPv6 echo reply from R2, because the ACL only permits echo requests from a specific source, not replies. For a successful ping, both the echo request and echo reply must be permitted. The reply is sourced from R2's address, which is not matched by the permit statement.

72
MCQhard

A network engineer is troubleshooting a connectivity issue where a host on VLAN 10 cannot reach a server on VLAN 20. Both VLANs are on the same switch, which is running IPv6. The engineer checks the switch and finds that uRPF (unicast Reverse Path Forwarding) is enabled in strict mode on the VLAN 20 interface. The host's IPv6 address is 2001:db8:10::100/64, and the server's address is 2001:db8:20::200/64. The switch has a default route pointing to a next-hop router. The host sends traffic to the server, but the switch drops the packets. What is the most likely cause?

A. The uRPF strict mode check fails because the switch does not have a specific route to the host's subnet pointing back to the VLAN 10 interface.
B. The uRPF mode should be loose mode to allow traffic from any source as long as there is a route in the FIB.
C. The host's IPv6 address is not in the switch's neighbor cache.
D. The switch has an ACL that blocks traffic between VLANs.
Answer: A

Correct because uRPF strict mode requires a matching route in the FIB that points to the same interface on which the packet was received; a default route does not satisfy this requirement.

Why this answer

With uRPF strict mode enabled on the VLAN 20 interface, the switch checks that the source IP address of incoming packets (2001:db8:10::100) is reachable via the same interface on which the packet arrived. Since the switch only has a default route pointing to a next-hop router and no specific route for the 2001:db8:10::/64 subnet pointing back to the VLAN 10 interface, the FIB lookup for the source address fails the strict uRPF check, causing the switch to drop the packet.

Exam trap

Cisco often tests the distinction between strict and loose uRPF modes, and the trap here is that candidates assume a default route is sufficient for strict mode, not realizing that strict mode requires a specific route pointing back to the source's ingress interface.

How to eliminate wrong answers

Option B is wrong because loose mode only requires that a route exists in the FIB for the source address, not that it points back to the incoming interface; while that would allow the traffic, it is not the most likely cause given that strict mode is already enabled and failing. Option C is wrong because the neighbor cache is used for Layer 2 address resolution (NDP), not for uRPF validation; uRPF checks the FIB for a matching route, not the neighbor cache. Option D is wrong because the question states that uRPF is enabled and the symptom matches a uRPF failure; an ACL would produce a different drop reason (e.g., 'denied by ACL') and is not indicated as the cause.

73
Multi-Select · medium

A network engineer is troubleshooting IPv6 traffic filtering on a Cisco router. Which TWO statements about IPv6 ACLs are true? (Choose TWO.)

Select 2 answers
A. IPv6 ACLs are applied to interfaces using the ipv6 traffic-filter command.
B. IPv6 ACLs use wildcard masks similar to IPv4 ACLs.
C. The implicit deny at the end of an IPv6 ACL also blocks ICMPv6 neighbor discovery messages.
D. IPv6 ACLs automatically permit ICMPv6 neighbor discovery traffic by default.
E. IPv6 ACLs support the remark keyword for documentation.
Answers: A, C

Correct: The command is 'ipv6 traffic-filter' in interface configuration mode.

Why this answer

Option A is correct because the `ipv6 traffic-filter` command is the Cisco IOS command used to apply an IPv6 ACL to an interface for filtering inbound or outbound traffic. This is the direct IPv6 equivalent of the `ip access-group` command used for IPv4 ACLs, and it is the only valid method for applying IPv6 ACLs to filter traffic on a Cisco router interface.

Exam trap

The trap here is that candidates often assume IPv6 ACLs behave like IPv4 ACLs in supporting wildcard masks and remarks, or that they automatically permit essential control-plane traffic like ICMPv6 neighbor discovery, leading to incorrect selections of options B, D, or E.

74
MCQ · hard

An enterprise uses EIGRP for IPv6 with route redistribution from a static route. R1 has a static route 2001:db8:0::/32 via Null0 redistributed into EIGRP. R2 receives this route and has a more specific route 2001:db8:1::/32 via a different interface. R2 has an IPv6 ACL applied inbound on the interface facing R1 that permits only EIGRP and denies all other traffic. R2's uRPF is configured in loose mode. Traffic from R2 to 2001:db8:2::1 fails. R2 shows 'show ipv6 route' has both routes, but 'show ipv6 cef' shows the summary route for 2001:db8:2::1 pointing to R1. What is the root cause?

A. The summary route 2001:db8:0::/32 on R1 points to Null0, causing traffic to be dropped at R1.
B. The ACL on R2 blocks the return traffic from R1, causing asymmetric routing.
C. uRPF loose mode drops the packet because the source address is not in the FIB.
D. EIGRP redistribution of the static route creates a routing loop between R1 and R2.
Answer: A

R2 forwards traffic to R1 based on the summary route, but R1's static route to Null0 drops it. The ACL is irrelevant to this failure.

Why this answer

The ACL on R2 is applied inbound on the interface facing R1, so it filters only traffic arriving on that interface. Traffic from R2 to the destination is sent out that interface (because of the summary route), so it is outbound and the ACL does not affect it. uRPF loose mode only checks whether a route exists in the FIB, not the interface.

The real issue is that the summary route points to R1, but the destination is not reachable via R1 because R1's Null0 route drops the traffic. The ACL is a red herring; the root cause is the summary route causing blackholing.

75
MCQ · medium

A network engineer runs the following command on Router R1:

R1# show ipv6 interface gigabitethernet 0/0 | include uRPF
IPv6 uRPF: strict mode

Based on this output, which statement is true?

A. uRPF is disabled
B. uRPF is enabled in strict mode
C. uRPF is enabled in loose mode
D. uRPF is enabled but only for multicast
Answer: B

The output confirms strict mode uRPF.

Why this answer

The command output explicitly shows 'IPv6 uRPF: strict mode', which confirms that unicast Reverse Path Forwarding (uRPF) is enabled and operating in strict mode. In strict mode, the router verifies that the source address of an incoming packet matches a route in the FIB and that the incoming interface is the same as the outgoing interface for that route. This prevents spoofed traffic from entering the network.

Exam trap

Cisco often tests the distinction between strict and loose uRPF modes, and the trap here is that candidates might confuse the 'strict mode' output with 'loose mode' or assume uRPF is disabled when the output line is present.

How to eliminate wrong answers

Option A is wrong because the output clearly states 'strict mode', which indicates uRPF is enabled, not disabled. Option C is wrong because the output specifies 'strict mode', not 'loose mode'; loose mode only checks that a route exists for the source address, regardless of the incoming interface. Option D is wrong because uRPF applies to unicast traffic, not multicast; multicast uses Reverse Path Forwarding (RPF) as part of protocols like PIM, but uRPF is specifically for unicast source address verification.
