Topic: 300-410 topic 1 question 141

Which configuration feature should be used to block rogue router advertisements instead of using the IPv6 Router Advertisement Guard feature?

A. VACL blocking broadcast frames from nonauthorized hosts
B. PVLANs with promiscuous ports associated to route advertisements and isolated ports for nodes
C. PVLANs with community ports associated to route advertisements and isolated ports for nodes
D. IPv4 ACL blocking route advertisements from nonauthorized hosts

Re: 300-410 topic 1 question 141

The answer is not D, as this is regarding IPv6. The answer would be B. You would configure the switch with PVLANs, configure the switchport where you would expect to see RAs as a promiscuous port, and configure the client ports as isolated ports. With this configuration, if any rogue RAs came in on an isolated port, they would not be able to offer SLAAC addresses to any other client on the other isolated ports.

Re: 300-410 topic 1 question 141

Nice explanation

Re: 300-410 topic 1 question 141

Thanks for your explanation. It's right.

Re: 300-410 topic 1 question 141

To block rogue router advertisements in an IPv6 network, you should use option B:

B. PVLANs (Private VLANs) with promiscuous ports associated with route advertisements and isolated ports for nodes.

Private VLANs help in segmenting traffic within a VLAN and provide isolation between devices within the same VLAN. In this context, you can configure a PVLAN such that the promiscuous port (connected to a trusted router) is allowed to send router advertisements, while the isolated ports (connected to end-user devices) are not allowed to send such advertisements. This way, you can prevent rogue router advertisements from unauthorized sources within the same VLAN.

Re: 300-410 topic 1 question 141

B option:

https://www.exam-answer.com/which-configuration-feature-blocks-rogue-router-advertisements-ipv6

Re: 300-410 topic 1 question 141

https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2020/pdf/BRKSEC-3200.pdf
Mitigating Rogue RA: Host Isolation
Private VLANs (PVLAN) where nodes (isolated port) can only contact the official router (promiscuous port)

Re: 300-410 topic 1 question 141

Ref: Advanced IPv6 Security Threats and Mitigation – Cisco

“LAN Security with First Hop Security (FHS)

Mitigating Rogue RA: Host Isolation

Prevent Node-Node Layer-2 communication by using:

•    Private VLANs (PVLAN) where nodes (isolated port) can only contact the official router (promiscuous port)
…”

A.    VACL blocking broadcast frames from nonauthorized hosts

Wrong answer.

B.    PVLANs with promiscuous ports associated to route advertisements and isolated ports for nodes

Correct answer.

C.    PVLANs with community ports associated to route advertisements and isolated ports for nodes

Wrong answer.

D.    IPv4 ACL blocking route advertisements from nonauthorized hosts

Wrong answer.

Re: 300-410 topic 1 question 141

Agreed with GreatDane, checked the session video from Cisco Live (min 09:25 to 11:40 approx.) https://www.youtube.com/watch?v=RCxC2gIV4jo

Re: 300-410 topic 1 question 141

promiscuous ports and isolated ports can communicate, right?

Re: 300-410 topic 1 question 141

Technically, you can use a VACL to block RAs, but there are some issues. I haven't tested because GNS3 won't support VACLs or private VLANs, and I don't have physical hardware either. So correct me if I'm wrong:
1. You can use an ACL to filter the IP or MAC of the rogue host that generates RAs. The downside of this is that if the rogue router changes its IP or MAC, you have to change the ACL as well, which does not scale very well.
2. If we choose to filter based on the Layer 2 destination MAC, which is multicast (IPv6 does not have broadcast), then there is a chance that you accidentally block the legitimate router's RAs, because there is no difference between a rogue router and a legitimate router that generates RAs.
With private VLANs, you just put the rogue router on an isolated port and the legitimate router on a promiscuous port, and everything will automatically work.
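The two ACL variants and the PVLAN behaviour described in this reply, modelled in Python as an added example (not code from the thread or from any Cisco tool); the MAC addresses, port names and frames are constructed, and the checksum is left at zero:

```python
# Added example: compares source-MAC ACL, all-nodes-MAC ACL and PVLAN isolation
# on constructed ICMPv6 Router Advertisement frames. All values are made up.
import struct

TRUSTED_ROUTER_MAC = "00:11:22:33:44:55"  # assumed legitimate router (promiscuous port)
ALL_NODES_MAC = "33:33:00:00:00:01"        # Ethernet mapping of ff02::1, the RA destination
PORTS = {"gi1/0/1": "promiscuous", "gi1/0/2": "isolated", "gi1/0/3": "isolated"}  # assumed

def build_ra_frame(src_mac: str, dst_mac: str = ALL_NODES_MAC) -> bytes:
    """Constructed minimal Ethernet/IPv6/ICMPv6 Router Advertisement (type 134)."""
    eth = (bytes.fromhex(dst_mac.replace(":", ""))
           + bytes.fromhex(src_mac.replace(":", "")) + b"\x86\xdd")
    # ICMPv6 RA: type 134, code 0, cksum 0, cur hop limit 64, flags 0, lifetime 1800
    icmp = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0, 1800, 0, 0)
    src_ip = b"\xfe\x80" + b"\x00" * 13 + b"\x01"   # fe80::1 (constructed)
    dst_ip = b"\xff\x02" + b"\x00" * 13 + b"\x01"   # ff02::1 all-nodes
    ipv6 = struct.pack("!IHBB", 0x60000000, len(icmp), 58, 255) + src_ip + dst_ip
    return eth + ipv6 + icmp

def is_router_advertisement(frame: bytes) -> bool:
    """Ethertype 0x86DD, IPv6 next header 58 (ICMPv6), ICMPv6 type 134."""
    if len(frame) < 55 or frame[12:14] != b"\x86\xdd":
        return False
    return frame[14 + 6] == 58 and frame[14 + 40] == 134

def src_mac(frame: bytes) -> str:
    return ":".join(f"{b:02x}" for b in frame[6:12])

def dst_mac(frame: bytes) -> str:
    return ":".join(f"{b:02x}" for b in frame[0:6])

def vacl_by_source(frame: bytes) -> bool:
    """ACL variant 1: permit RAs only from the trusted MAC (must track MAC changes)."""
    return not is_router_advertisement(frame) or src_mac(frame) == TRUSTED_ROUTER_MAC

def vacl_by_multicast_dst(frame: bytes) -> bool:
    """ACL variant 2: drop all frames to the all-nodes MAC; kills legitimate RAs too."""
    return dst_mac(frame) != ALL_NODES_MAC

def pvlan_forwards(ingress: str, egress: str) -> bool:
    """PVLAN rule: isolated ports reach only promiscuous ports, never each other."""
    return PORTS[ingress] == "promiscuous" or PORTS[egress] == "promiscuous"

def evaluate() -> dict:
    """Outcome of each approach for a legitimate RA and a constructed rogue RA."""
    legit = build_ra_frame(TRUSTED_ROUTER_MAC)
    rogue = build_ra_frame("de:ad:be:ef:00:01")   # constructed rogue host MAC
    return {
        "src_acl": (vacl_by_source(legit), vacl_by_source(rogue)),          # (True, False)
        "dst_acl": (vacl_by_multicast_dst(legit), vacl_by_multicast_dst(rogue)),  # (False, False)
        "pvlan_rogue_reaches_client": pvlan_forwards("gi1/0/2", "gi1/0/3"),  # False
        "pvlan_router_reaches_client": pvlan_forwards("gi1/0/1", "gi1/0/3"),  # True
    }
```

Note that with PVLANs the rogue RA still reaches the promiscuous (router) port; what the design prevents is it reaching the other isolated client ports.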

Re: 300-410 topic 1 question 141

Answer should be A, https://www.geeksforgeeks.org/vlan-acl-vacl/

Re: 300-410 topic 1 question 141

It's A because a PVLAN limits the ability of isolated ports to communicate with other isolated ports at all, not only for route advertisements.


Re: 300-410 topic 1 question 141

Certain switch platforms can already implement some level of rogue RA filtering by the administrator configuring Access Control Lists (ACLs) that block RA ICMP messages that might be inbound on "user" ports.

https://datatracker.ietf.org/doc/html/rfc6104#section-3.3

Re: 300-410 topic 1 question 141

The answer should be D