352-001 · Question #714
Company ABC uses IPv4-only. Recently, they started deploying new endpoint devices. For operational reasons, IPv6 cannot be disabled on these new endpoint devices. Which security measure prevents the n
The correct answer is B. Router Advertisement Guard. Router Advertisement Guard blocks unauthorized IPv6 Router Advertisement messages on switch ports, preventing hosts from learning IPv6 prefixes from rogue sources without touching the endpoints.
Question
Company ABC uses IPv4-only. Recently, they started deploying new endpoint devices. For operational reasons, IPv6 cannot be disabled on these new endpoint devices. Which security measure prevents the new endpoint from learning an IPv6 prefix from an attacker?
Options
- ASecure Neighbor Discovery
- BRouter Advertisement Guard
- CPrefix Guard
- DSource Guard and Prefix Guard
How the community answered
(50 responses)- A6% (3)
- B76% (38)
- C14% (7)
- D4% (2)
Why each option
Router Advertisement Guard blocks unauthorized IPv6 Router Advertisement messages on switch ports, preventing hosts from learning IPv6 prefixes from rogue sources without touching the endpoints.
Secure Neighbor Discovery (SEND) uses cryptographic certificates to authenticate NDP messages, but it requires PKI infrastructure and client-side support on every endpoint, making it impractical for simply blocking rogue RA messages in this scenario.
RA Guard is an IPv6 first-hop security feature implemented on Layer 2 switches that inspects and drops IPv6 Router Advertisement messages arriving on ports not designated as router-facing. Since endpoints learn their IPv6 prefix and default gateway from RA messages, blocking rogue RAs at the switch level prevents an attacker from injecting fake prefixes into the segment. This targeted control operates transparently to the endpoint devices, which is critical when IPv6 cannot be disabled on them.
Prefix Guard is not a standalone standard IPv6 security feature - it is a component within DHCPv6 Guard and related mechanisms, and it does not independently prevent endpoints from learning prefixes from rogue Router Advertisements.
Source Guard filters traffic based on validated source IP and MAC bindings from DHCP snooping tables and does not address the threat of rogue Router Advertisement messages assigning unauthorized IPv6 prefixes to endpoints.
Concept tested: IPv6 RA Guard blocking rogue Router Advertisements
Source: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6_fhsec/configuration/xe-16/ip6f-xe-16-book/ip6-ra-guard.html
Topics
Community Discussion
No community discussion yet for this question.