CCIE Security (legacy) — Question 1
Which configuration implements an ingress traffic filter on a dual-stack ISR border router to prevent attacks from the outside to services such as DNSv6 and DHCPv6?
Answer options
- A.
      !
      ipv6 access-list test
       deny ipv6 FF05::/16 any
       deny ipv6 any FF05::/16
       ! output omitted
       permit ipv6 any any
      !
- B.
      !
      ipv6 access-list test
       permit ipv6 any FF05::/16
       ! output omitted
       deny ipv6 any any
      !
- C.
      !
      ipv6 access-list test
       deny ipv6 any any eq dns
       deny ipv6 any any eq dhcp
       ! output omitted
       permit ipv6 any any
      !
- D.
      !
      ipv6 access-list test
       deny ipv6 any 2000::/3
       ! output omitted
       permit ipv6 any any
      !
- E.
      !
      ipv6 access-list test
       deny ipv6 any FE80::/10
       ! output omitted
       permit ipv6 any any
Correct answer: A
Explanation
The correct answer, A, effectively denies all IPv6 traffic from the link-local multicast address FF05::/16, which helps prevent attacks targeting services like DNSv6 and DHCPv6. Options B, C, D, and E do not sufficiently restrict access to the necessary multicast address or do not specifically address the filtering of malicious ingress traffic aimed at these services.