Which statement about IPv6 RA Guard is true?
Correct answer: A.
Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6_fhsec/configuration/xe-16/ip6f-xe-16-book/ip6-ra-guard.pdf
IPv6 Router Advertisement (RA) Guard is a feature used to protect against rogue router advertisements (RAs) in IPv6 networks. It is designed to prevent an attacker from sending false RAs and spoofing the IPv6 default gateway, which could lead to traffic being redirected to a malicious node.
Here is a detailed explanation of each answer choice:
A. It does not offer protection in environments where IPv6 traffic is tunneled. This statement is true. IPv6 RA Guard only protects against rogue RAs on directly connected links, and it does not provide protection when IPv6 traffic is tunneled through a network. In tunneling scenarios, additional security mechanisms such as IPsec or virtual private networks (VPNs) may be necessary to ensure the integrity of the traffic.
B. It cannot be configured on a switch port interface in the ingress direction. This statement is false. IPv6 RA Guard can be configured on a switch port interface in both the ingress and egress directions. In the ingress direction, it checks incoming RAs for validity, while in the egress direction, it filters outgoing RAs to ensure that only authorized devices are allowed to send them.
C. Packets that are dropped by IPv6 RA Guard cannot be spanned. This statement is true. When IPv6 RA Guard drops a packet, it does not generate a log message or span the packet to a monitoring device. This is because the feature is designed to drop packets silently, without alerting the attacker.
D. It is not supported in hardware when TCAM is programmed. This statement is false. IPv6 RA Guard is supported in hardware when the ternary content-addressable memory (TCAM) is programmed. TCAM is a type of memory used for high-speed packet matching in network devices, and it is commonly used to implement security features such as access control lists (ACLs) and firewalls.
In summary, the correct answer is A. IPv6 RA Guard does not offer protection in environments where IPv6 traffic is tunneled.