CiscoCisco
300-410 · Question #23
300-410 Question #23: Real Exam Question with Answer & Explanation
The correct answer is A: It does not offer protection in environments where IPv6 traffic is tunneled. IPv6 RA Guard is designed to protect against rogue Router Advertisements (RAs) but is ineffective in tunnel environments because the original RA packets are encapsulated and cannot be inspected.
Infrastructure Security
Question
Which statement about IPv6 RA Guard is true?
Options
- AIt does not offer protection in environments where IPv6 traffic is tunneled
- BIt cannot be configured on a switch port interface in the ingress direction.
- CPackets that are dropped by IPv6 RA Guard cannot be spanned.
- DIt is not supported in hardware when TCAM is programmed.
Explanation
IPv6 RA Guard is designed to protect against rogue Router Advertisements (RAs) but is ineffective in tunnel environments because the original RA packets are encapsulated and cannot be inspected.
Common mistakes.
- B. IPv6 RA Guard is specifically designed to be configured on switch port interfaces, usually in the ingress direction, to filter incoming RA messages.
- C. Packets dropped by IPv6 RA Guard can generally still be spanned (mirrored) for analysis using features like SPAN (Switched Port Analyzer) if the spanning occurs before the drop.
- D. IPv6 RA Guard is supported in hardware on many modern Cisco switches, utilizing TCAM for efficient packet filtering and forwarding decisions.
Concept tested. IPv6 RA Guard limitations in tunneled environments
Topics
#IPv6 Security#RA Guard#Layer 2 Protection#Network Tunneling
Community Discussion
No community discussion yet for this question.