Rogue Router Advertisements: Configuration Feature for Blocking | Cisco Exam 300-410-ENARSI

Blocking Rogue Router Advertisements Configuration Feature

Question

Which configuration feature should be used to block rogue router advertisements instead of using the IPv6 Router Advertisement Guard feature?

Answers

B.

Explanations

The IPv6 Router Advertisement Guard feature is designed to protect against rogue Router Advertisements (RAs) on an IPv6 network. These RAs are used by routers to announce their presence on the network and to provide network configuration information to IPv6 hosts. However, if an attacker sends a rogue RA, it can cause a variety of problems, including network disruption, data leakage, and security breaches.

If for some reason you cannot use the IPv6 Router Advertisement Guard feature, there are other options to consider. The answers provided in the exam question offer a few potential alternatives. Here is a detailed explanation of each option:

A. VACL blocking broadcast frames from nonauthorized hosts: A VLAN Access Control List (VACL) is a security feature that can be used to filter traffic within a VLAN. By creating a VACL that blocks broadcast frames from nonauthorized hosts, you can prevent rogue RAs from reaching other hosts on the same VLAN. However, this approach requires that you have a good understanding of which hosts are authorized to send RAs and which are not. Additionally, if a rogue RA originates from a host on a different VLAN, this solution would not be effective.

B. PVLANs with promiscuous ports associated to route advertisements and isolated ports for nodes: A Private VLAN (PVLAN) is a type of VLAN that allows you to further subdivide a VLAN into smaller groups. By creating a PVLAN that isolates nodes from one another, you can prevent rogue RAs from reaching hosts that are not authorized to receive them. This approach involves configuring the PVLAN with promiscuous ports that are associated with RAs and isolated ports that are associated with nodes. However, this solution can be complex to implement and manage, particularly in large networks with many VLANs.
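The following Cisco IOS configuration is an added example, not part of the original exam explanation, illustrating both the RA Guard feature described above and the private VLAN alternative of option B. RAs are ICMPv6 type 134 messages sent to the all-nodes multicast group ff02::1, so any host on the segment that can send to that group can spoof one; the PVLAN layout keeps host traffic away from other hosts at layer 2, so a rogue RA from an isolated port reaches only the promiscuous router port. Interface names, VLAN numbers and policy names are assumptions chosen for the example.

```cisco
! Baseline: IPv6 RA Guard (the feature the question asks to replace).
! Policy names and interface numbers are assumptions for this example.
ipv6 nd raguard policy ROUTER-PORT
 device-role router
ipv6 nd raguard policy HOST-PORTS
 device-role host
!
interface GigabitEthernet1/0/1
 description Uplink to the legitimate IPv6 router; RAs allowed in
 ipv6 nd raguard attach-policy ROUTER-PORT
!
interface range GigabitEthernet1/0/2 - 24
 description Host access ports; inbound RAs are dropped by the host role
 ipv6 nd raguard attach-policy HOST-PORTS
!
! Alternative (answer B): private VLAN with a promiscuous port for the
! router and isolated ports for the nodes. VLAN IDs are assumptions.
vlan 100
 private-vlan primary
 private-vlan association 101
!
vlan 101
 private-vlan isolated
!
interface GigabitEthernet1/0/1
 description Legitimate router: promiscuous port, reaches every isolated host
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101
!
interface range GigabitEthernet1/0/2 - 24
 description Hosts: isolated ports cannot exchange frames with each other,
 description so an RA sent from one host never reaches another host
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
! Verification commands for either approach.
show ipv6 nd raguard policy HOST-PORTS
show vlan private-vlan
```

Two operational caveats apply to the PVLAN approach. Private VLANs must be created with VTP in transparent mode (or VTP version 3) on platforms that enforce this, and isolated ports block all host-to-host layer-2 traffic, not just RAs, so applications that rely on direct host-to-host communication within the VLAN must go through the router instead. Neither design stops a rogue RA that arrives on the promiscuous or router-role port itself, so that port should connect only to the trusted router.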

C. PVLANs with community ports associated to route advertisements and isolated ports for nodes: This option is similar to the previous one, but instead of using promiscuous ports, it involves using community ports that are associated with RAs. Community ports are used to connect devices that are authorized to communicate with one another within a PVLAN. This solution can be simpler to implement than the previous option, but it still requires a good understanding of PVLANs and their configuration.

D. IPv4 ACL blocking route advertisements from nonauthorized hosts: This option is not directly related to the question, as it involves blocking IPv4 RAs instead of IPv6 RAs. However, it is still worth considering. An IPv4 Access Control List (ACL) is a security feature that can be used to filter traffic based on various criteria, such as source or destination IP address, protocol type, or port number. By creating an ACL that blocks RAs from nonauthorized hosts, you can prevent rogue RAs from reaching other hosts on the network. However, this approach would only be effective for IPv4 networks, and it would not address the problem of rogue IPv6 RAs.

In conclusion, if you cannot use the IPv6 Router Advertisement Guard feature, there are alternative options available. The best solution will depend on the specific requirements and constraints of your network. It is important to carefully consider the pros and cons of each option before implementing any changes.