Exam 300-410 topic 1 question 316 discussion

the question is asking about L2 domains that's why B isn't qualified

Another of those questions..... In this case as Hungarian Dish is saying we need the first FOUR! IPv6 FHS is composed of the following IPv6 security features: IPv6 Snooping, IPv6 Neighbor DiscoveryInspection IPv6 Router Advertisement Guard , IPv6 DHCP Guard, IPv6 Source Guard, IPv6 Prefix Guard, IPv6 Destination Guard. Link based on the manual regarding configs of C9300 switches (brand new) https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9300/software/release/17-13/configuration_guide/sec/b_1713_sec_9300_cg/configuring_ipv6_first_hop_security.pdf

ACD are more suitable i think B is out because IPv6 Source Guard requires IPv6 snooping on Layer 2 anyway. look at question 158

A == correct B == correct c == correct d == incorrect Cisco term == "DHCPv6 snooping" https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst_pon/software/configuration_guide/olt_ntw/b-gpon-config-olt-network/m-gpon-olt-nw-dhcpv6-snooping.pdf E. Not correct Can be used in addition to FHS features, but are not adding security on their own(https://networklessons.com/ipv6/ipv6-source-guard) Still i think the FHS requires DHCPv6 or ND inspection to work well, but at their own they do not add security. SO my best guess == A + B + C

"IPv6 FHS features enable a better IPv6 link security and management over the layer 2 links. These are the features supported: • IPv6 Snooping • IPv6 Router Advertisement Guard • IPv6 - Destination Guard • Binding Table Recovery • DHCPv6 Guard • IPv6 Source Guard • IPv6 Prefix Guard • Data Gleaning" However: "The configuration of IPv6 Snooping is a prerequisite for IPv6 Source Guard." - therefore skip B https://www.cisco.com/c/en/us/td/docs/routers/7600/ios/15S/configuration/guide/7600_15_0s_book/IPv6_Security.pdf

A, C, D : Correct: https://www.cisco.com/c/en/us/td/docs/dcn/nx-os/nexus9000/102x/configuration/Security/cisco-nexus-9000-nx-os-security-configuration-guide-102x/m-configuring-ipv6-first-hop-security.html

I think A, B, and C are correct.Because "The IPv6 Snooping Policy feature is deprecated and the Switch Integrated Security Feature (SISF)-based device tracking feature replaces it and offers the same capabilities." https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9300/software/release/17-1/configuration_guide/sec/b_171_sec_9300_cg/configuring_ipv6_first_hop_security.html#:~:text=The%20IPv6%20Snooping%20Policy%20feature%20is%20deprecated%20and%20the%20Switch%20Integrated%20Security%20Feature%20(SISF)%2Dbased%20device%20tracking%20feature%20replaces%20it%20and%20offers%20the%20same%20capabilities.

A,B,C,D!!! RA Guard, DHCPv6 Guard, Source Guard, IPv6 ND snooping = device-tracking https://www.ciscolive.com/c/dam/r/ciscolive/us/docs/2019/pdf/BRKSEC-3200.pdf https://networklessons.com/cisco/ccie-routing-switching-written/ipv6-first-hop-security-features https://www.cisco.com/c/en/us/td/docs/routers/7600/ios/15S/configuration/guide/7600_15_0s_book/IPv6_Security.html

Source Guard is also part of the FHS features, however, it needs IPv6 Snooping to be enabled... I would not know why you should not pick that one as well, but i guess it's save to use the given answer here... So A, C, and D seem to be correct.

Given answer is correct "https://www.cisco.com/c/en/us/td/docs/routers/7600/ios/15S/configuration/guide/7600_15_0s_book/IPv6_Security.html"