First-Hop Security (FHS) is a set of features to optimize IPv6 link operation, and help with scale in large L2 domains. Which of the following are valid First-Hop Security features supported by Cisco? (Choose three.)
First-Hop Security (FHS) features are designed to optimize IPv6 link operation and enhance security within large L2 domains. The valid FHS features supported by Cisco include IPv6 RA Guard, which helps in guarding against rogue Router Advertisements; IPv6 Source Guard, which mitigates risks by ensuring that IPv6 source addresses conform to a binding table; and DHCPv6 Guard, which protects against rogue DHCPv6 servers. While other options may provide related functions, these three are among the key FHS features developed and supported by Cisco for securing IPv6 networks.
The question is asking about L2 domains; that's why B isn't qualified.
The question says that FHS features improve large-scale L2 domains. It does eventually just ask about IPv6 FHS features, and IPv6 Source Guard is actually one of them. Low quality question, but for sure a good one to get you thinking.
A,B,C,D!!! RA Guard, DHCPv6 Guard, Source Guard, IPv6 ND snooping = device-tracking https://www.ciscolive.com/c/dam/r/ciscolive/us/docs/2019/pdf/BRKSEC-3200.pdf https://networklessons.com/cisco/ccie-routing-switching-written/ipv6-first-hop-security-features https://www.cisco.com/c/en/us/td/docs/routers/7600/ios/15S/configuration/guide/7600_15_0s_book/IPv6_Security.html
I agree fully, also https://networklessons.com/ipv6/ipv6-first-hop-security-features adds "Source guard" as a FHS feature.
Source Guard is also part of the FHS features; however, it needs IPv6 Snooping to be enabled... I would not know why you should not pick that one as well, but I guess it's safe to use the given answer here... So A, C, and D seem to be correct.
A == correct; B == correct; C == correct; D == incorrect, Cisco term == "DHCPv6 snooping" https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst_pon/software/configuration_guide/olt_ntw/b-gpon-config-olt-network/m-gpon-olt-nw-dhcpv6-snooping.pdf E. Not correct. Can be used in addition to FHS features, but are not adding security on their own (https://networklessons.com/ipv6/ipv6-source-guard). Still I think the FHS requires DHCPv6 or ND inspection to work well, but on their own they do not add security. So my best guess == A + B + C
"IPv6 FHS features enable a better IPv6 link security and management over the layer 2 links. These are the features supported: • IPv6 Snooping • IPv6 Router Advertisement Guard • IPv6 - Destination Guard • Binding Table Recovery • DHCPv6 Guard • IPv6 Source Guard • IPv6 Prefix Guard • Data Gleaning" However: "The configuration of IPv6 Snooping is a prerequisite for IPv6 Source Guard." - therefore skip B https://www.cisco.com/c/en/us/td/docs/routers/7600/ios/15S/configuration/guide/7600_15_0s_book/IPv6_Security.pdf
A, C, D : Correct: https://www.cisco.com/c/en/us/td/docs/dcn/nx-os/nexus9000/102x/configuration/Security/cisco-nexus-9000-nx-os-security-configuration-guide-102x/m-configuring-ipv6-first-hop-security.html
I think A, B, and C are correct, because "The IPv6 Snooping Policy feature is deprecated and the Switch Integrated Security Feature (SISF)-based device tracking feature replaces it and offers the same capabilities." https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9300/software/release/17-1/configuration_guide/sec/b_171_sec_9300_cg/configuring_ipv6_first_hop_security.html#:~:text=The%20IPv6%20Snooping%20Policy%20feature%20is%20deprecated%20and%20the%20Switch%20Integrated%20Security%20Feature%20(SISF)%2Dbased%20device%20tracking%20feature%20replaces%20it%20and%20offers%20the%20same%20capabilities.
Given answer is correct "https://www.cisco.com/c/en/us/td/docs/routers/7600/ios/15S/configuration/guide/7600_15_0s_book/IPv6_Security.html"