Cisco

352-001 Question #423: Real Exam Question with Answer & Explanation

The correct answer is C: Rogue DHCPv6 servers cannot assign IPv6 addresses to clients. DHCPv6 Guard is a first-hop security feature that blocks DHCPv6 server messages on untrusted ports, preventing rogue servers from assigning addresses.

Question

Which statement about DHCPv6 Guard features design is true?

Options

  • A. A certificate must be installed on the DHCPv6 server and relay agent.
  • B. DHCPv6 client requests can be rate-limited to protect the control plane.
  • C. Rogue DHCPv6 servers cannot assign IPv6 addresses to clients.
  • D. DHCPv6 client requests can be filtered to protect the data plane.

Explanation

DHCPv6 Guard is a first-hop security feature that blocks DHCPv6 server messages on untrusted ports, preventing rogue servers from assigning addresses.

Common mistakes.

  • A. DHCPv6 Guard is a port-based filtering mechanism and requires no certificate infrastructure on either the server or relay agent.
  • B. Rate-limiting client requests is a function of control-plane policing (CoPP), not DHCPv6 Guard, which focuses on filtering server-originated messages.
  • D. DHCPv6 Guard operates on control-plane messaging (DHCPv6 signaling), not on the data plane, and it filters server responses rather than client requests.

Concept tested. DHCPv6 Guard rogue server prevention on untrusted ports

Reference. https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6_fhsec/configuration/xe-16/ip6f-xe-16-book/ip6-dhcpv6-guard.html
