352-001 · Question #721
Your customer wants to migrate their network from IPv4 to IPv6. They currently have Control Plane Policing deployed to protect their network devices from illegitimate ICMP traffic flooding. How do you
The correct answer is B. The customer must pay special attention to the ICMPv6 rate limiting policy because it has. ICMPv6 still requires Control Plane Policing, but the rate-limiting policy must be carefully tuned because ICMPv6 carries critical LAN control functions absent in ICMPv4.
Question
Your customer wants to migrate their network from IPv4 to IPv6. They currently have Control Plane Policing deployed to protect their network devices from illegitimate ICMP traffic flooding. How do you adjust Control Plane Policing for ICMPv6 traffic, if it should be adjusted at all?
Options
- AUnlike ICMPv4, ICMPv6 must never be policed because it has additional functionality in the LAN
- BThe customer must pay special attention to the ICMPv6 rate limiting policy because it has
- CICMPv6 must be policed to the ICMPv4 lower value because the ICMPv6 packet size is bigger
- DThe policy must remain the same for ICMPv4 and ICMPv6
How the community answered
(24 responses)- A8% (2)
- B67% (16)
- C4% (1)
- D21% (5)
Why each option
ICMPv6 still requires Control Plane Policing, but the rate-limiting policy must be carefully tuned because ICMPv6 carries critical LAN control functions absent in ICMPv4.
ICMPv6 must still be policed to protect the control plane from flooding attacks; the expanded LAN functionality is a reason to tune carefully, not a justification to omit policing entirely.
ICMPv6 serves expanded roles compared to ICMPv4, including Neighbor Discovery Protocol (NDP, which replaces ARP) and Multicast Listener Discovery (MLD, which replaces IGMP). If the CoPP rate limit is set too aggressively, these essential control-plane functions can be disrupted and break IPv6 connectivity; if too permissive, the device remains exposed to floods. The policy must be carefully tuned to protect the control plane while allowing sufficient ICMPv6 for NDP and MLD to function correctly.
No standard guidance mandates policing ICMPv6 at a lower absolute rate than ICMPv4 based solely on packet size; rate limits must reflect expected legitimate traffic volumes and functional requirements.
The ICMPv4 and ICMPv6 policies cannot simply remain identical because ICMPv6 carries NDP and MLD traffic that was handled by separate protocols in IPv4, requiring different and more careful rate-limit thresholds.
Concept tested: CoPP tuning for ICMPv6 and NDP traffic
Source: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_cop/configuration/xe-16/sec-data-cop-xe-16-book/sec-ctrl-plane-policing.html
Topics
Community Discussion
No community discussion yet for this question.