Question 876 of 2,152
IPv6 Traffic Filtering and uRPFhardMultiple ChoiceObjective-mapped

300-410 IPv6 Traffic Filtering and uRPF Practice Question

This 300-410 practice question tests your understanding of ipv6 traffic filtering and urpf. Read the scenario carefully and evaluate each option against the stated constraints before committing to an answer. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

A network engineer runs the following command to debug IPv6 traffic filtering:

R1# debug ipv6 packet access-list FILTER detail

IPv6 packet debugging is on for access list FILTER (detail)

*Mar 1 00:01:23.456: IPv6: source 2001:DB8:2::1 (GigabitEthernet0/0)
*Mar 1 00:01:23.456:   dest 2001:DB8:3::1 (GigabitEthernet0/1)
*Mar 1 00:01:23.456:   traffic class 0, flowlabel 0, hlim 64, next header 6 (TCP)
*Mar 1 00:01:23.456:   denied by access-list FILTER

What does this output indicate?

Answer choices

Why each option matters

Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.

Correct answer & explanation

The packet is denied because the source address 2001:DB8:2::1 matches the deny entry in the access list.

The debug output explicitly states 'denied by access-list FILTER', confirming that the packet was dropped due to a match against a deny entry in the named IPv6 access list. The source address 2001:DB8:2::1 is shown as the matching source, and since the debug includes 'detail', it provides the exact reason for denial. Access lists process entries sequentially, and the first match (permit or deny) determines the action; here, the source matched a deny statement.

Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • The packet is denied because the source address 2001:DB8:2::1 matches the deny entry in the access list.

    Why this is correct

    Correct. The debug clearly states the packet is denied by the access list, which has a deny for that source prefix.

    Related concept

    Read the scenario before looking for a memorised answer.

  • The packet is permitted because it is a TCP packet.

    Why it's wrong here

    Incorrect. The debug shows it is denied regardless of protocol.

  • The packet is denied because of uRPF check failure.

    Why it's wrong here

    Incorrect. The debug explicitly says 'denied by access-list FILTER', not uRPF.

  • The packet is permitted because the destination is not in the access list.

    Why it's wrong here

    Incorrect. The access list filters based on source; the packet is denied.

Common exam traps

Common exam trap: answer the scenario, not the keyword

Cisco often tests the misconception that a packet is permitted by default if the destination is not explicitly listed in the access list, but the implicit deny at the end of every IPv6 access list means any unmatched packet is denied, and the debug output here explicitly shows a deny due to a match on the source address.

Trap categories for this question

  • Command / output trap

    Incorrect. The debug shows it is denied regardless of protocol.

Detailed technical explanation

How to think about this question

The 'debug ipv6 packet access-list FILTER detail' command enables detailed logging of IPv6 packets that match the specified access list, showing both permitted and denied packets. Under the hood, Cisco IOS processes IPv6 access lists using a sequential match logic similar to IPv4, where each entry is evaluated in order until a match is found; if no match occurs, an implicit deny all is applied at the end. In real-world scenarios, this debug is invaluable for troubleshooting traffic drops caused by misconfigured ACLs, especially when combined with 'show access-list' to verify hit counts.

KKey Concepts to Remember

  • Read the scenario before looking for a memorised answer.
  • Find the constraint that changes the correct option.
  • Eliminate answers that are true in general but not in this case.

TExam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Real-world example

How this comes up in practice

A security administrator must allow nursing staff to reach a patient records server while blocking access from the guest Wi-Fi VLAN. After applying an extended ACL, traffic is still blocked from nursing workstations. The ACL was applied outbound instead of inbound on the wrong interface. Questions like this test ACL direction and placement rules.

Visual reference

Source Router + ACL permit 10.0.0.0/8 deny any Server 10.0.0.5 ✓ 192.168.1.1 ✗ dropped ACLs evaluate top-down; first match wins — implicit deny all at end

What to study next

Got this wrong? Here's your next step.

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

Related practice questions

Related 300-410 practice-question pages

Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.

Practice this exam

Start a free 300-410 practice session

Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.

FAQ

Questions learners often ask

What does this 300-410 question test?

IPv6 Traffic Filtering and uRPF — This question tests IPv6 Traffic Filtering and uRPF — Read the scenario before looking for a memorised answer..

What is the correct answer to this question?

The correct answer is: The packet is denied because the source address 2001:DB8:2::1 matches the deny entry in the access list. — The debug output explicitly states 'denied by access-list FILTER', confirming that the packet was dropped due to a match against a deny entry in the named IPv6 access list. The source address 2001:DB8:2::1 is shown as the matching source, and since the debug includes 'detail', it provides the exact reason for denial. Access lists process entries sequentially, and the first match (permit or deny) determines the action; here, the source matched a deny statement.

What should I do if I get this 300-410 question wrong?

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

What is the key concept behind this question?

Read the scenario before looking for a memorised answer.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →

How Courseiva writes practice questions · Editorial policy

Keep practising

More 300-410 practice questions

Last reviewed: Jul 4, 2026

Question Discussion

Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.

Loading comments…

Sign in to join the discussion.

This 300-410 practice question is part of Courseiva's free Cisco certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the 300-410 exam.