nerdexam
Cisco

352-001 · Question #721

Your customer wants to migrate their network from IPv4 to IPv6. They currently have Control Plane Policing deployed to protect their network devices from illegitimate ICMP traffic flooding. How do you

The correct answer is B. The customer must pay special attention to the ICMPv6 rate limiting policy because it has. ICMPv6 still requires Control Plane Policing, but the rate-limiting policy must be carefully tuned because ICMPv6 carries critical LAN control functions absent in ICMPv4.

Designing Security

Question

Your customer wants to migrate their network from IPv4 to IPv6. They currently have Control Plane Policing deployed to protect their network devices from illegitimate ICMP traffic flooding. How do you adjust Control Plane Policing for ICMPv6 traffic, if it should be adjusted at all?

Options

  • AUnlike ICMPv4, ICMPv6 must never be policed because it has additional functionality in the LAN
  • BThe customer must pay special attention to the ICMPv6 rate limiting policy because it has
  • CICMPv6 must be policed to the ICMPv4 lower value because the ICMPv6 packet size is bigger
  • DThe policy must remain the same for ICMPv4 and ICMPv6

How the community answered

(24 responses)
  • A
    8% (2)
  • B
    67% (16)
  • C
    4% (1)
  • D
    21% (5)

Why each option

ICMPv6 still requires Control Plane Policing, but the rate-limiting policy must be carefully tuned because ICMPv6 carries critical LAN control functions absent in ICMPv4.

AUnlike ICMPv4, ICMPv6 must never be policed because it has additional functionality in the LAN

ICMPv6 must still be policed to protect the control plane from flooding attacks; the expanded LAN functionality is a reason to tune carefully, not a justification to omit policing entirely.

BThe customer must pay special attention to the ICMPv6 rate limiting policy because it hasCorrect

ICMPv6 serves expanded roles compared to ICMPv4, including Neighbor Discovery Protocol (NDP, which replaces ARP) and Multicast Listener Discovery (MLD, which replaces IGMP). If the CoPP rate limit is set too aggressively, these essential control-plane functions can be disrupted and break IPv6 connectivity; if too permissive, the device remains exposed to floods. The policy must be carefully tuned to protect the control plane while allowing sufficient ICMPv6 for NDP and MLD to function correctly.

CICMPv6 must be policed to the ICMPv4 lower value because the ICMPv6 packet size is bigger

No standard guidance mandates policing ICMPv6 at a lower absolute rate than ICMPv4 based solely on packet size; rate limits must reflect expected legitimate traffic volumes and functional requirements.

DThe policy must remain the same for ICMPv4 and ICMPv6

The ICMPv4 and ICMPv6 policies cannot simply remain identical because ICMPv6 carries NDP and MLD traffic that was handled by separate protocols in IPv4, requiring different and more careful rate-limit thresholds.

Concept tested: CoPP tuning for ICMPv6 and NDP traffic

Source: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_cop/configuration/xe-16/sec-data-cop-xe-16-book/sec-ctrl-plane-policing.html

Topics

#CoPP#ICMPv6 rate limiting#IPv6 migration#control plane protection

Community Discussion

No community discussion yet for this question.

Full 352-001 Practice