Exam 300-410 topic 1 question 141 discussion

Actual exam question from Cisco's 300-410
Question #: 141
Topic #: 1

Which configuration feature should be used to block rogue router advertisements instead of using the IPv6 Router Advertisement Guard feature?

  • A. VACL blocking broadcast frames from nonauthorized hosts
  • B. PVLANs with promiscuous ports associated to route advertisements and isolated ports for nodes
  • C. PVLANs with community ports associated to route advertisements and isolated ports for nodes
  • D. IPv4 ACL blocking route advertisements from nonauthorized hosts
Suggested Answer: B 🗳️

Comments

Dirkd0344
Highly Voted 3 years, 4 months ago
The answer is not D, as this is regarding IPv6. The answer would be B. You would configure the switch with PVLANs, configure the switchport where you would expect to see RAs as a promiscuous port, and configure the client ports as isolated ports. With this configuration, if any rogue RAs came in on an isolated port, they would not be able to offer SLAAC addresses to any other client on the other isolated ports.
upvoted 16 times
dapardo
1 year ago
Nice explanation
upvoted 1 times
...
baid
3 years, 2 months ago
Thanks for your explanation. It's right.
upvoted 2 times
...
...
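The setup described in the comment above, written out as a Cisco IOS private VLAN configuration. This is an added example, not part of the original thread; the VLAN IDs (100, 101) and the interface names are assumptions chosen for illustration.

```cisco
! With VTP version 1 or 2, the switch must be in transparent mode
! before private VLANs can be configured.
vtp mode transparent
!
! Secondary VLAN: ports in an isolated VLAN can reach promiscuous
! ports only, never each other.
vlan 101
 private-vlan isolated
!
! Primary VLAN, associated with the isolated secondary VLAN.
vlan 100
 private-vlan primary
 private-vlan association 101
!
! Port facing the legitimate router: the only port whose RAs are
! delivered to the hosts. (Assumed interface name.)
interface GigabitEthernet1/0/1
 description Uplink to authorized IPv6 router
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101
!
! Host ports: an RA sent from one of these is forwarded only to the
! promiscuous port, so it never reaches another host. (Assumed range.)
interface range GigabitEthernet1/0/2 - 24
 description Client access ports
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
```

Check the result with `show vlan private-vlan` and `show interfaces GigabitEthernet1/0/2 switchport`. Hosts on isolated ports lose all direct Layer 2 reachability to each other, not only RAs, so this fits access segments where clients only need to reach the router.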
AonDuine
Most Recent 8 months, 2 weeks ago
Based on ChatGPT the correct answer is C. Although none of the options directly match the functionality of IPv6 Router Advertisement Guard, using PVLANs with community ports and isolated ports can help isolate traffic and control communication, making it more difficult for rogue RAs to reach unauthorized nodes. This setup is an indirect but potential method of mitigating rogue RAs without using RA Guard.
upvoted 1 times
...
[Removed]
9 months, 4 weeks ago
Selected Answer: B
B is correct
upvoted 1 times
...
kldoyle97
10 months, 3 weeks ago
Selected Answer: B
Private VLANs can be used as a security feature to partition ports into separate broadcast domains. Configure the port that will be receiving router advertisements as promiscuous because promiscuous ports can communicate with community and isolated private VLANs. If you configured the port that receives router advertisements in a community private VLAN, it wouldn't be able to forward traffic to isolated ports, only to other ports in its community VLAN.
upvoted 4 times
...
chris110
1 year, 8 months ago
Selected Answer: B
To block rogue router advertisements in an IPv6 network, you should use option B: B. PVLANs (Private VLANs) with promiscuous ports associated with route advertisements and isolated ports for nodes. Private VLANs help in segmenting traffic within a VLAN and provide isolation between devices within the same VLAN. In this context, you can configure a PVLAN such that the promiscuous port (connected to a trusted router) is allowed to send router advertisements, while the isolated ports (connected to end-user devices) are not allowed to send such advertisements. This way, you can prevent rogue router advertisements from unauthorized sources within the same VLAN.
upvoted 4 times
...
inteldarvid
1 year, 10 months ago
Selected Answer: B
B option: https://www.exam-answer.com/which-configuration-feature-blocks-rogue-router-advertisements-ipv6
upvoted 2 times
...
HungarianDish_111
1 year, 11 months ago
Selected Answer: B
https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2020/pdf/BRKSEC-3200.pdf
Mitigating Rogue RA: Host Isolation
Private VLANs (PVLAN) where nodes (isolated port) can only contact the official router (promiscuous port)
upvoted 3 times
...
[Removed]
2 years, 9 months ago
Ref: Advanced IPv6 Security Threats and Mitigation – Cisco
“LAN Security with First Hop Security (FHS) … Mitigating Rogue RA: Host Isolation
Prevent Node-Node Layer-2 communication by using:
  • Private VLANs (PVLAN) where nodes (isolated port) can only contact the official router (promiscuous port) …”
A. VACL blocking broadcast frames from nonauthorized hosts: Wrong answer.
B. PVLANs with promiscuous ports associated to route advertisements and isolated ports for nodes: Correct answer.
C. PVLANs with community ports associated to route advertisements and isolated ports for nodes: Wrong answer.
D. IPv4 ACL blocking route advertisements from nonauthorized hosts: Wrong answer.
upvoted 2 times
_PrettyStupid_
2 years, 6 months ago
Agreed with GreatDane, checked the session video from Cisco Live (min 09:25 to 11:40 approx.) https://www.youtube.com/watch?v=RCxC2gIV4jo
upvoted 1 times
...
...
kellyDD
2 years, 10 months ago
Promiscuous ports and isolated ports can communicate, right?
upvoted 1 times
...
thanh123
3 years ago
Selected Answer: B
Technically, you can use a VACL to block RAs, but there are some issues. I haven't tested this because GNS3 won't support VACL or private VLAN, and I don't have physical hardware either. So correct me if I'm wrong:
1. You can use an ACL to filter the IP or MAC of the rogue host that generates RAs. The downside of this is that if the rogue router changes its IP or MAC, you have to change the ACL as well, which does not scale very well.
2. If we choose to filter based on the Layer 2 destination MAC, which is multicast (IPv6 does not have broadcast), then there is a chance that you accidentally block the legitimate router's RAs, because there is no difference between a rogue router and a legitimate router that generates RAs.
With private VLAN, you just add the rogue router on an isolated port, the legitimate router with a promiscuous port, and everything will automatically work.
upvoted 1 times
...
bayolo10
3 years, 1 month ago
Answer should be A, https://www.geeksforgeeks.org/vlan-acl-vacl/
upvoted 2 times
pompedom
2 years, 11 months ago
It's A because PVlan limits the ability for isolated ports to communicate with other isolated ports at all, not only route advertisements.
upvoted 1 times
...
...
wts
3 years, 1 month ago
Selected Answer: D
Certain switch platforms can already implement some level of rogue RA filtering by the administrator configuring Access Control Lists (ACLs) that block RA ICMP messages that might be inbound on "user" ports. https://datatracker.ietf.org/doc/html/rfc6104#section-3.3
upvoted 1 times
...
steiger
3 years, 5 months ago
The answer should be D
upvoted 1 times
...