Question 45 of 530 from exam 400-251: CCIE Security written exam

Question

The ASA can be configured to drop IPv6 headers with routing-type 0 using the MPF.

Choose the correct configuration.

Answers

Explanations

A. B. C. D. E. F.

A.

The correct configuration to drop IPv6 headers with routing-type 0 using the MPF on the ASA is:

A. policy-map type inspect ipv6 IPv6_PMAP match header routing-type eq 0 drop log

Here is a detailed explanation of why option A is the correct answer, and why the other options are incorrect:

Option A: policy-map type inspect ipv6 IPv6_PMAP match header routing-type eq 0 drop log

This configuration creates an inspect policy-map of type ipv6 named "IPv6_PMAP", which matches any IPv6 traffic carrying a routing header whose routing type equals 0, and drops it. The "log" keyword enables logging of dropped packets.

Option B: policy-map type inspect icmpv6 ICMPv6_PMAP match header routing-type eq 0 drop log

This configuration creates an inspect policy-map of type icmpv6 named "ICMPv6_PMAP", which matches any ICMPv6 traffic carrying a routing header whose routing type equals 0, and drops it. However, this option only matches ICMPv6 traffic, not all IPv6 traffic, so it is not a correct answer.

Option C: policy-map type inspect ipv6-header HEADER_PMAP match header routing-type eq 0 drop log

This configuration creates an inspect policy-map of type ipv6-header named "HEADER_PMAP", which matches any IPv6 traffic carrying a routing header whose routing type equals 0, and drops it. However, this option only matches the IPv6 header, not the entire packet, so it is not a correct answer.

Option D: policy-map type inspect http HEADER_PMAP match routing-header 0 drop log

This configuration creates an HTTP policy-map named "HEADER_PMAP" of type inspect, which matches any HTTP traffic with a routing-header equal to 0, and drops it. However, this option only matches HTTP traffic, not all IPv6 traffic, so it is not a correct answer.

Option E: policy-map type inspect ipv6 IPv6_PMAP match header type 0 drop log

This configuration creates an IPv6 policy-map named "IPv6_PMAP" of type inspect, which matches any IPv6 traffic with a header type equal to 0, and drops it. However, "type" is not a valid keyword for matching IPv6 headers, so this option is not a correct answer.

Option F: policy-map type inspect ipv6-header HEADER_PMAP match header type 0

This configuration creates an IPv6-header policy-map named "HEADER_PMAP" of type inspect, which matches any IPv6 traffic with a header type equal to 0, but it does not specify what action should be taken, so it is not a correct answer.
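
To make the match condition in option A concrete, the following is an added example (not part of the original exam material and not Cisco code): a Python walker over the IPv6 extension header chain that reports whether a packet carries a routing header of type 0, including when it sits behind another extension header. The packets, addresses and function names are constructed for illustration, and the walk stops at the first header that is not hop-by-hop, routing, fragment or destination options.

```python
import struct

# Extension headers this walker understands (IANA protocol numbers).
HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS = 0, 43, 44, 60

def routing_types(packet):
    """Return the Routing Type of each routing header in a raw IPv6 packet."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_hdr, offset, found = packet[6], 40, []
    while next_hdr in (HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS):
        if offset + 8 > len(packet):
            raise ValueError("truncated extension header")
        if next_hdr == ROUTING:
            found.append(packet[offset + 2])       # Routing Type field
        if next_hdr == FRAGMENT:
            frag_offset = struct.unpack_from("!H", packet, offset + 2)[0] >> 3
            if frag_offset:                        # non-first fragment: no headers follow
                break
            length = 8                             # fragment header has a fixed size
        else:
            length = (packet[offset + 1] + 1) * 8  # Hdr Ext Len counts 8-byte units
        next_hdr, offset = packet[offset], offset + length
    return found

def should_drop(packet, blocked_type=0):
    """Illustrative decision for the condition 'routing-type eq 0' plus 'drop'."""
    return blocked_type in routing_types(packet)

def ipv6(next_hdr, payload):
    """Build a constructed IPv6 packet from ::1 to ::2 for the demo."""
    fixed = struct.pack("!IHBB", 6 << 28, len(payload), next_hdr, 64)
    return fixed + bytes(15) + b"\x01" + bytes(15) + b"\x02" + payload

# Constructed sample headers; 59 means "no next header".
RH0 = bytes([59, 2, 0, 1]) + bytes(4) + bytes(15) + b"\x03"   # routing type 0
RH2 = bytes([59, 2, 2, 1]) + bytes(4) + bytes(15) + b"\x03"   # routing type 2
DOPT = bytes([ROUTING, 0, 1, 4, 0, 0, 0, 0])                  # dest options with PadN

if __name__ == "__main__":
    for name, pkt in [("RH0", ipv6(ROUTING, RH0)),
                      ("RH2", ipv6(ROUTING, RH2)),
                      ("DestOpts+RH0", ipv6(DEST_OPTS, DOPT + RH0))]:
        print(name, routing_types(pkt), "drop" if should_drop(pkt) else "permit")
```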