This is how I see it: For source guard to operate, binding table entries need to exist. So, A or D are required.
A) static binding -> yes, or use ipv6 snooping #security-level glean to populate the binding table
B) to protect against DDOS -> yes, but not just for service providers (it's rather prefix guard)
C) can be configured with validate address or validate prefix (not explicitly needed)
D) snooping on L2 access or trunk -> yes, or create static bindings
E) not source guard itself, but the snooping feature glean recovers missing binding table entries
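To make the binding-table dependency in the points above concrete, here is an added, constructed IOS XE configuration (not from any commenter or from Cisco documentation quoted on this page) showing the table fed both by snooping with glean and by a static entry, with "validate prefix" explicitly disabled so the policy stays pure Source Guard; the policy names, VLAN 100, interface names, addresses and MAC are assumptions.

```cisco
! Added example, not from any post on this page. Policy names, VLAN 100,
! interfaces, the 2001:db8:100::/64 addresses and the MAC are constructed.
!
! 1. Snooping policy: fills the binding table from DHCPv6 and ND messages.
!    "security-level glean" additionally learns entries from observed data
!    traffic, so hosts that never exchanged DHCP/ND on this port still get
!    an entry instead of being dropped by Source Guard.
ipv6 snooping policy SNOOP-ACCESS
 security-level glean
 device-role node
!
! 2. Source Guard policy. "validate prefix" is on by default and makes the
!    policy act as Prefix Guard (source prefix checked against learned
!    prefixes). Turning it off and keeping "validate address" gives plain
!    Source Guard: permit only sources present in the binding table.
ipv6 source-guard policy SG-ACCESS
 no validate prefix
 validate address
!
! 3. Attach snooping to the VLAN and both features to the access port.
!    Source Guard only consults the table; without snooping or static
!    entries the table is empty and all IPv6 data traffic is dropped.
vlan configuration 100
 ipv6 snooping attach-policy SNOOP-ACCESS
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 100
 ipv6 snooping attach-policy SNOOP-ACCESS
 ipv6 source-guard attach-policy SG-ACCESS
!
! 4. Static binding for a server with a fixed address on a second guarded
!    port; this is the "static binding" alternative to dynamic learning.
ipv6 neighbor binding vlan 100 2001:db8:100::10 interface GigabitEthernet1/0/2 0011.2233.4455
!
! 5. Verification: confirm the entries exist before expecting traffic from
!    those sources to pass.
! show ipv6 neighbors binding
! show ipv6 snooping policies
! show ipv6 source-guard policy SG-ACCESS
```

The "show ipv6 neighbors binding" output is the check to run first when a host behind a Source Guard port loses connectivity: a missing entry, not the guard policy itself, is usually the cause.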
According to the Official Cert Guide (page 887)
IPv6 Source Guard is a Layer 2 snooping interface feature for validating the source of IPv6
traffic. If the traffic arriving on an interface is from an unknown source (that is not in the
binding table), IPv6 Source Guard can block it and drop it. For traffic to be from a known
source and allowed, the source must be in the binding table. The source is either learned
using ND inspection or IPv6 address gleaning and therefore relies on IPv6 snooping being
configured first on Layer 2 access or trunk ports and VLANs. In addition, Source Guard
requires validate prefix to be enabled (which it is by default) in the Source Guard policy.
So, the correct answers are C and D.
C). Requires validate prefix to be enabled (which it is by default) in the Source Guard policy.
D). Requires IPv6 snooping being configured first on Layer 2 access or trunk ports and VLANs
"validate prefix" enables prefix guard. IPv6 source guard can work without prefix guard. I think the answer is A D. Anyway, these questions are stupid.
Source Guard
Does not: Recover Bindings, "validate prefix", prevent DOS Attacks
Bindings are recovered by querying the dhcp server and destination host
Validate Prefix pertains to Prefix Guard and only Source guard or prefix guard can be enabled, not both
Destination guard is the feature that can help prevent DOS attacks
AD are the only valid options, since source guard relies on Gleaning, ND and DHCP to build the binding database
A & D are correct
A. Requires the user to configure a static binding:
IPv6 Source Guard can use static bindings configured by the user to ensure that only traffic from legitimate sources is permitted.
D. Requires IPv6 snooping on Layer 2 access or trunk ports:
IPv6 snooping is necessary to dynamically learn and maintain the IPv6 address bindings, enabling the enforcement of Source Guard policies on the switch.
IPV6 Source Guard only looks at information found in the binding table, and it doesn’t fill the binding table. You need another feature like ND inspection or IPv6 snooping to do this. You can fill the binding table with information from:
DHCP
NDP (Neighbor Discovery Protocol)
Static binding
I think C is not correct according to "requires" keyword.
https://networklessons.com/cisco/ccie-routing-switching-written/ipv6-source-guard#:~:text=Source%20Guard%20only,Static%20binding
The correct answer is CD.
A) static binding -> is one of the ways to install an entry in the binding table. This is NOT a characteristic of IPv6 SA Guard.
C) from textbook -> Source Guard requires validate prefix to be enabled (which it is by default) in the Source Guard policy.
CE is the best answer
Explanation
IPv6 Source Guard uses the IPv6 First-Hop Security Binding Table to drop traffic from unknown sources or bogus IPv6 addresses not in the binding table. The switch also tries to recover from lost address information, querying DHCPv6 server or using IPv6 neighbor discovery to verify the source IPv6 address after dropping the offending packet(s).
Reference: https://blog.ipspace.net/2013/07/first-hop-ipv6-security-features-in.html
From ENARSI course:
B | Protect against DoS attacks - not only with Service Providers but of course they can use it.
D | IPv6 Snooping is a prerequisite for IPv6 to work.
Not A: The user REQUIRES is wrong. It is possible for the admin to configure a static binding. But usually it is learned with DHCPv6 or ND.
I actually agree here the "requires" is wrong. Anyway, I think if you look at this question, the "requires" in answer D is also wrong. A better way of saying it: "needs a binding table entry, that could be statically configured", "needs a binding table entry, that can be dynamically configured using snooping on L2 access or trunk". Concluding, I still think A and D are best; B could be accurate, but I don't work for any provider, they could rely on different technologies also to filter inbound traffic on correct source.
Although IPv6 Source Guard looks at information in the binding table and IPv6 snooping can fill this table, IPv6 snooping is not a must to run IPv6 Source Guard. We can use other methods to fill the binding table like static binding or ND inspection -> Answer 'requires IPv6 snooping on Layer 2 access or trunk ports' is not correct.
IPv6 Source Guard is used to mitigate attacks from hosts connected to untrusted access interfaces on the switch -> Answer 'used in service provider deployments to protect DDoS attacks' is not correct.
Answer 'requires the user to configure a static binding' is not correct as we can use IPv6 Snooping feature to populate the IPv6 binding table.
IPv6 Source Guard is a feature that enhances network security by ensuring that the source IPv6 addresses in incoming packets are valid and legitimate. It helps prevent spoofing attacks and unauthorized address usage. Among the options you've provided, the following are the two correct characteristics of IPv6 Source Guard:
A. Requires the user to configure a static binding.
This is correct. IPv6 Source Guard can work in conjunction with IPv6 snooping to create a binding table of legitimate IPv6 addresses associated with specific Layer 2 ports. The administrator can manually configure static bindings to explicitly define which IPv6 addresses are allowed to originate from specific ports.
D. Requires IPv6 snooping on Layer 2 access or trunk ports.
This is correct. IPv6 Source Guard relies on IPv6 snooping to build and maintain a binding table that correlates IPv6 addresses with their corresponding Layer 2 ports. By snooping on Layer 2 traffic, the switch can learn and enforce valid bindings between IPv6 addresses and physical interfaces.
The other options (B, C, and E) are not accurate characteristics of IPv6 Source Guard
Answer is Correct!
IPv6 Source Guard is a "Data-plane" filter --> automatically creates an IPv6 PACL to filter sources.
This automatic PACL is used ingress on a port. And it uses one or more sources:
- IPv6 snooping;
- DHCPv6 or NDP RA/RS msgs
- Static entries
Static entry is required for an attached device that has static IPv6 addresses configured (router/printer/server)
IPv6 source guard is an interface between the populated binding table and data traffic filtering, and the binding table must be populated with IPv6 prefixes for IPv6 source guard to work.
IPv6 Source Guard and IPv6 Prefix Guard are Layer 2 snooping features that validate the source of IPv6 traffic
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6_fhsec/configuration/xe-3s/ip6f-xe-3s-book/ip6-src-guard.html
A. requires the user to configure a static binding
IPv6 Source Guard relies on DHCP and ND protocols. A static binding can be configured in the snooping table, but it’s not required.
Wrong answer.
B. used in service provider deployments to protect DDoS attacks
Something like Cisco Guard XT.
Wrong answer.
C. requires that validate prefix be enabled
This is IPv6 Prefix Guard configuration: enables IPv6 Source Guard to perform the IPv6 Prefix-Guard operation.
Correct answer.
D. requires IPv6 snooping on Layer 2 access or trunk ports
Wrong answer.
E. recovers missing binding table entries
This is the IPv6 First-Hop Security Binding Table Recovery Mechanism.
Correct answer.
Cisco doc says "When traffic is denied, the IPv6 address glean feature is notified so
that it can try to recover the traffic by querying the DHCP server or by using IPv6 ND.".