What are two characteristics of IPv6 Source Guard? (Choose two.)
IPv6 Source Guard is an interface feature designed to validate the source of IPv6 traffic at Layer 2. It requires the configuration of IPv6 snooping on Layer 2 access or trunk ports to build and maintain a binding table of legitimate IPv6 addresses, allowing it to filter out traffic from unknown sources. Additionally, it necessitates that the 'validate prefix' feature be enabled by default within the Source Guard policy to perform validation checks, ensuring the source traffic is coming from a recognized and authorized address.
This is how I see it: For source guard to operate, binding table entries need to exist. So, A or D are required.
A) static binding -> yes, or use ipv6 snooping #security-level glean to populate the binding table
B) to protect against DDOS -> yes, but not just for service providers (it's rather prefix guard)
C) can be configured with validate address or validate prefix (not explicitly needed)
D) snooping on L2 access or trunk -> yes, or create static bindings
E) not source guard itself, but the snooping feature glean recovers missing binding table entries
A. requires the user to configure a static binding: IPv6 Source Guard relies on DHCP and ND protocols. A static binding can be configured in the snooping table, but it's not required. Wrong answer.
B. used in service provider deployments to protect DDoS attacks: Something like Cisco Guard XT. Wrong answer.
C. requires that validate prefix be enabled: This is the IPv6 Prefix Guard configuration: it enables IPv6 Source Guard to perform the IPv6 Prefix-Guard operation. Correct answer.
D. requires IPv6 snooping on Layer 2 access or trunk ports: Wrong answer.
E. recovers missing binding table entries: This is the IPv6 First-Hop Security Binding Table Recovery Mechanism. Correct answer.
I will follow this explanation for this question
According to the Official Cert Guide (page 887): IPv6 Source Guard is a Layer 2 snooping interface feature for validating the source of IPv6 traffic. If the traffic arriving on an interface is from an unknown source (that is not in the binding table), IPv6 Source Guard can block it and drop it. For traffic to be from a known source and allowed, the source must be in the binding table. The source is either learned using ND inspection or IPv6 address gleaning and therefore relies on IPv6 snooping being configured first on Layer 2 access or trunk ports and VLANs. In addition, Source Guard requires validate prefix to be enabled (which it is by default) in the Source Guard policy. So, the correct answers are C and D.
C) Requires validate prefix to be enabled (which it is by default) in the Source Guard policy.
D) Requires IPv6 snooping being configured first on Layer 2 access or trunk ports and VLANs.
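As an added illustration (not from the cert guide or any post in this thread), the IOS/IOS-XE configuration below wires together the pieces the thread argues about: a snooping policy that populates the binding table from DHCPv6/ND, a static binding as the alternative way to get an entry, and a source-guard policy with both validate checks enabled on the same access port. The VLAN, interface names, policy names and the host address are assumed values.

```cisco
! Assumed: Catalyst switch using the legacy SISF (ipv6 snooping) commands,
! access VLAN 10, host ports Gi1/0/1 and Gi1/0/5.
!
! 1. Snooping policy: gleans DHCPv6/ND traffic on the port to learn
!    address-to-port bindings and keep them tracked (refreshed/aged).
ipv6 snooping policy SNOOP-ACCESS
 security-level glean
 device-role node
 tracking enable
!
! 2. Source-guard policy: enable both checks explicitly instead of relying
!    on platform defaults (the thread disagrees about what is on by default).
!    validate prefix additionally needs the prefix table, which is learned
!    from RAs or DHCP-PD, so it is only useful where those are seen.
ipv6 source-guard policy SG-ACCESS
 validate address
 validate prefix
!
! 3. Attach both policies to the access port: snooping feeds the binding
!    table, source guard filters ingress packets against it.
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 ipv6 snooping attach-policy SNOOP-ACCESS
 ipv6 source-guard attach-policy SG-ACCESS
!
! 4. Alternative/complement for a statically addressed host (server, printer)
!    that never produces a DHCPv6 or ND event the switch can glean:
!    install the binding by hand, then guard that port the same way.
ipv6 neighbor binding vlan 10 2001:DB8:10::50 interface GigabitEthernet1/0/5
interface GigabitEthernet1/0/5
 switchport mode access
 switchport access vlan 10
 ipv6 source-guard attach-policy SG-ACCESS
!
! 5. Verify that the entries and policies exist before trusting the filter:
!    show ipv6 neighbor binding
!    show ipv6 snooping policies
!    show ipv6 source-guard policy SG-ACCESS
```

Traffic from an address missing from the binding table on Gi1/0/1 or Gi1/0/5 is dropped by the automatically generated PACL, so check the binding output first when a legitimate host loses connectivity after the policy is attached.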
From ENARSI course:
B | Protect against DoS attacks - not only with Service Providers, but of course they can use it.
D | IPv6 Snooping is a prerequisite for IPv6 to work.
Not A: The user REQUIRES is wrong. It is possible for the admin to configure a static binding. But usually it is learned with DHCPv6 or ND.
I actually agree here, the "requires" is wrong. Anyway, I think if you look at this question, the "requires" in answer D is also wrong. A better way of saying it: "needs a binding table entry, that could be statically configured", "needs a binding table entry, that can be dynamically configured using snooping on L2 access or trunk". Concluding, I still think A and D is best; B could be accurate, but I don't work for any provider, they could rely on different technologies also to filter inbound traffic on correct source.
Answer is Correct! IPv6 Source Guard is a "Data-plane" filter --> it automatically creates an IPv6 PACL to filter sources. This automatic PACL is used ingress on a port. And it uses one or more sources:
- IPv6 snooping;
- DHCPv6 or NDP RA/RS msgs;
- Static entries.
A static entry is required for an attached device that has static IPv6 addresses configured (router/printer/server).
IPv6 Source Guard is a feature that enhances network security by ensuring that the source IPv6 addresses in incoming packets are valid and legitimate. It helps prevent spoofing attacks and unauthorized address usage. Among the options you've provided, the following are the two correct characteristics of IPv6 Source Guard:
A. Requires the user to configure a static binding. This is correct. IPv6 Source Guard can work in conjunction with IPv6 snooping to create a binding table of legitimate IPv6 addresses associated with specific Layer 2 ports. The administrator can manually configure static bindings to explicitly define which IPv6 addresses are allowed to originate from specific ports.
D. Requires IPv6 snooping on Layer 2 access or trunk ports. This is correct. IPv6 Source Guard relies on IPv6 snooping to build and maintain a binding table that correlates IPv6 addresses with their corresponding Layer 2 ports. By snooping on Layer 2 traffic, the switch can learn and enforce valid bindings between IPv6 addresses and physical interfaces.
The other options (B, C, and E) are not accurate characteristics of IPv6 Source Guard.
A and D
Answer is CE
The correct answer is CD.
A) static binding -> is one of the ways to install an entry in the binding table. This is NOT a characteristic of IPv6 SA Guard.
C) from textbook -> Source Guard requires validate prefix to be enabled (which it is by default) in the Source Guard policy.
CE is the best answer. Explanation: IPv6 Source Guard uses the IPv6 First-Hop Security Binding Table to drop traffic from unknown sources or bogus IPv6 addresses not in the binding table. The switch also tries to recover from lost address information, querying the DHCPv6 server or using IPv6 neighbor discovery to verify the source IPv6 address after dropping the offending packet(s). Reference: https://blog.ipspace.net/2013/07/first-hop-ipv6-security-features-in.html
IPv6 Source Guard uses the IPv6 First-Hop Security Binding Table to drop traffic from unknown sources or bogus IPv6 addresses not in the binding table. The switch also tries to recover from lost address information, querying the DHCPv6 server or using IPv6 neighbor discovery to verify the source IPv6 address after dropping the offending packet(s). Reference: https://blog.ipspace.net/2013/07/first-hop-ipv6-security-features-in.html
Although IPv6 Source Guard looks at information in the binding table and IPv6 snooping can fill this table, IPv6 snooping is not a must to run IPv6 Source Guard. We can use other methods to fill the binding table, like static binding or ND inspection -> Answer 'requires IPv6 snooping on Layer 2 access or trunk ports' is not correct.
IPv6 Source Guard is used to mitigate attacks from hosts connected to untrusted access interfaces on the switch -> Answer 'used in service provider deployments to protect DDoS attacks' is not correct.
Answer 'requires the user to configure a static binding' is not correct, as we can use the IPv6 Snooping feature to populate the IPv6 binding table.
I mean C & E
It is C and E
Answer is CE
IPv6 source guard is an interface between the populated binding table and data traffic filtering, and the binding table must be populated with IPv6 prefixes for IPv6 source guard to work. IPv6 Source Guard and IPv6 Prefix Guard are Layer 2 snooping features that validate the source of IPv6 traffic. https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6_fhsec/configuration/xe-3s/ip6f-xe-3s-book/ip6-src-guard.html
Cisco doc says: "When traffic is denied, the IPv6 address glean feature is notified so that it can try to recover the traffic by querying the DHCP server or by using IPv6 ND."
Confirmed in Cisco docs.
The correct answer is: C E
It's not E. Source Guard only looks at information found in the binding table, and it doesn’t fill the binding table. You need another feature like ND inspection or IPv6 snooping to do this.