A network engineer is troubleshooting an IPv6 neighbor discovery issue on a switch running IOS-XE. Hosts on VLAN 100 are intermittently losing connectivity to the default gateway. The switch is configured with IPv6 First Hop Security features including RA Guard and DHCPv6 Guard. The engineer notices that the switch is dropping valid Router Advertisements from the legitimate router. What is the most likely cause of this issue?
- A
The RA Guard policy is configured with 'device-role router' on the port connected to the legitimate router, but the router's MAC address is not in the allowed list.
Correct because RA Guard requires explicit authorization of routers; if the legitimate router's MAC is not allowed, its RAs are dropped.
- B
DHCPv6 Guard is blocking DHCPv6 Advertise messages from the router, preventing hosts from obtaining IPv6 addresses.
Why wrong: Incorrect because DHCPv6 Guard blocks DHCPv6 server messages, not RAs; the symptom is about RA loss, not DHCP.
- C
IPv6 Source Guard is dropping packets from the router because the router's IPv6 address is not in the binding table.
Why wrong: Incorrect because IPv6 Source Guard filters traffic based on source IPv6 address and MAC, but RAs are multicast and typically not filtered by Source Guard.
- D
The switch has IPv6 unicast-routing enabled, causing it to send its own RAs and override the legitimate router.
Why wrong: Incorrect because the switch would send RAs only if it is configured as a router; the issue is about dropping RAs, not sending conflicting ones.