Question 1,991 of 2,152
IPv6 Traffic Filtering and uRPFhardMultiple ChoiceObjective-mapped

Traffic to BGP Route Fails: ACL Blocks Non-BGP Return Packets

This 300-410 practice question tests your understanding of ipv6 traffic filtering and urpf. The scenario asks you to isolate a root cause — eliminate options that address a different problem before choosing. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

A dual-stack network uses BGP for IPv6 between two ISPs. R1 (AS 100) receives a full BGP table from R2 (AS 200). R1 has an IPv6 ACL applied inbound on the interface to R2 that permits only BGP (TCP 179) and denies all other traffic. R1 also has uRPF configured in strict mode on the same interface. R1's BGP table has a route to 2001:db8:1::/48 with next-hop 2001:db8:2::2. R1's routing table shows the route, but traffic from R1 to 2001:db8:1::1 fails. R1 shows 'show ipv6 cef 2001:db8:1::/48' points to 2001:db8:2::2 via the interface to R2. What is the root cause?

Quick Answer

The answer is the inbound IPv6 ACL blocking non-BGP return traffic, not uRPF. When R1 sends traffic to 2001:db8:1::1, the destination sends back ICMP echo replies, but the ACL applied inbound on R1’s interface to R2 permits only TCP port 179, so these return packets are dropped. Strict mode uRPF checks the source address of incoming packets against the FIB, but here the return traffic’s source (2001:db8:1::1) is reachable via the BGP-learned route, so uRPF would pass it—the ACL is the sole culprit. On the CCNP ENARSI 300-410 exam, this tests your ability to distinguish ACL filtering from uRPF behavior, a common trap where candidates blame reverse path forwarding instead of the access list. Remember: an inbound ACL filters what enters the interface, so even legitimate return traffic from a BGP-learned destination is blocked unless explicitly permitted. Memory tip: “ACL first, uRPF second—if the ACL drops it, uRPF never sees it.”

Answer choices

Why each option matters

Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.

Correct answer & explanation

The ACL on R1 blocks the return traffic from the destination, which is not BGP, causing the ping to fail.

The IPv6 ACL on R1 permits only BGP (TCP port 179) inbound from R2. When R1 sends a ping to 2001:db8:1::1, the return ICMPv6 echo-reply traffic from the destination (via R2) is not BGP and is therefore denied by the inbound ACL, causing the ping to fail. The BGP table and routing table are correct, but the ACL blocks the non-BGP return traffic.

Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • The ACL on R1 blocks the return traffic from the destination, which is not BGP, causing the ping to fail.

    Why this is correct

    The ACL permits only BGP. Return traffic (ICMPv6 echo reply) is blocked, so the ping fails.

    Related concept

    Read the scenario before looking for a memorised answer.

  • uRPF strict mode drops the outgoing traffic because the source address is not reachable via the interface.

    Why it's wrong here

    uRPF checks incoming traffic, not outgoing.

  • The next-hop 2001:db8:2::2 is not reachable due to a missing ND entry.

    Why it's wrong here

    If ND were missing, the route would not be installed in CEF.

  • BGP next-hop resolution fails because the next-hop is not in the FIB.

    Why it's wrong here

    The route is installed, so next-hop resolution succeeded.

Common exam traps

Common exam trap: answer the scenario, not the keyword

Cisco often tests the directional nature of ACLs—candidates assume an inbound ACL only affects traffic initiated from the remote side, forgetting that return traffic for locally initiated sessions is also subject to the inbound ACL.

Detailed technical explanation

How to think about this question

Inbound ACLs on a router filter traffic entering the interface, including return traffic from a remote destination. Even though the outbound ping packet is permitted (no outbound ACL), the return ICMPv6 echo-reply must traverse the inbound ACL on R1's interface to R2. Since the ACL only permits TCP port 179, ICMPv6 is denied. This is a common misconfiguration where engineers forget that ACLs are directional and that return traffic must also be permitted.

KKey Concepts to Remember

  • Read the scenario before looking for a memorised answer.
  • Find the constraint that changes the correct option.
  • Eliminate answers that are true in general but not in this case.

TExam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Real-world example

How this comes up in practice

A security administrator must allow nursing staff to reach a patient records server while blocking access from the guest Wi-Fi VLAN. After applying an extended ACL, traffic is still blocked from nursing workstations. The ACL was applied outbound instead of inbound on the wrong interface. Questions like this test ACL direction and placement rules.

Visual reference

Source Router + ACL permit 10.0.0.0/8 deny any Server 10.0.0.5 ✓ 192.168.1.1 ✗ dropped ACLs evaluate top-down; first match wins — implicit deny all at end

What to study next

Got this wrong? Here's your next step.

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

Related practice questions

Related 300-410 practice-question pages

Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.

Practice this exam

Start a free 300-410 practice session

Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.

FAQ

Questions learners often ask

What does this 300-410 question test?

IPv6 Traffic Filtering and uRPF — This question tests IPv6 Traffic Filtering and uRPF — Read the scenario before looking for a memorised answer..

What is the correct answer to this question?

The correct answer is: The ACL on R1 blocks the return traffic from the destination, which is not BGP, causing the ping to fail. — The IPv6 ACL on R1 permits only BGP (TCP port 179) inbound from R2. When R1 sends a ping to 2001:db8:1::1, the return ICMPv6 echo-reply traffic from the destination (via R2) is not BGP and is therefore denied by the inbound ACL, causing the ping to fail. The BGP table and routing table are correct, but the ACL blocks the non-BGP return traffic.

What should I do if I get this 300-410 question wrong?

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

What is the key concept behind this question?

Read the scenario before looking for a memorised answer.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →

How Courseiva writes practice questions · Editorial policy

Keep practising

More 300-410 practice questions

Last reviewed: Jul 4, 2026

Question Discussion

Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.

Loading comments…

Sign in to join the discussion.

This 300-410 practice question is part of Courseiva's free Cisco certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the 300-410 exam.