
Cisco 300-620: Cisco ACI and VMware VDS Integration to Reject Forged Transmits for MAC Address Mismatch

Learn how to configure a Cisco ACI fabric integrated with VMware VDS to drop packets when the ESXi host detects a mismatch between the actual and effective MAC addresses. Prepare for the Cisco 300-620 certification exam with this detailed explanation.


Question

A Cisco ACI fabric is integrated with VMware VDS. The fabric must apply a security policy to check the integrity of traffic out of the network adapter. Which action must be taken to drop the packet when the ESXi host discovers a mismatch between the actual source MAC address transmitted by the guest operating system and the effective MAC address of the virtual machine adapter?

A. Reject MAC changes.
B. Reject forged transmits.
C. Accept MAC changes.
D. Accept forged transmits.

Answer

B. Reject forged transmits.

Explanation

When a Cisco ACI fabric is integrated with VMware VDS (vSphere Distributed Switch), you can configure a security policy to ensure the integrity of traffic leaving the virtual machine’s network adapter. If the ESXi host detects a mismatch between the actual source MAC address transmitted by the guest operating system and the effective MAC address assigned to the virtual machine adapter, you should configure the policy to drop the packet.

To achieve this, you must enable the “Reject forged transmits” option in the security policy settings. This option ensures that the ESXi host compares the actual source MAC address with the effective MAC address of the virtual machine adapter. If a mismatch is discovered, the packet will be dropped, preventing potential security issues arising from MAC address spoofing or forged transmissions.

Options A and C, which involve accepting or rejecting MAC changes, are not directly related to the scenario described in the question. These options deal with allowing or disallowing the modification of the effective MAC address assigned to the virtual machine adapter.

Option D, “Accept forged transmits,” would allow packets with mismatched MAC addresses to be transmitted, which goes against the desired security policy of checking the integrity of the traffic and dropping packets when a mismatch is detected.

In summary, to drop packets when the ESXi host discovers a mismatch between the actual source MAC address and the effective MAC address of the virtual machine adapter in a Cisco ACI fabric integrated with VMware VDS, you should select option B and enable the “Reject forged transmits” setting in the security policy.
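The check described above, modelled as an added Python example (not VMware or Cisco code): it reads the source MAC from an Ethernet header and applies the forged-transmits comparison. It goes slightly beyond the question by also modelling "MAC changes", following VMware's documented behaviour of dropping inbound frames when the policy is reject and the guest has changed its effective MAC. The class, function names and MAC addresses are hypothetical and constructed for illustration.

```python
# Illustrative model of the per-port security checks; all names here are hypothetical.
from dataclasses import dataclass

def parse_mac(text: str) -> bytes:
    """Turn 'aa:bb:cc:dd:ee:ff' (or '-' separated) into 6 raw bytes."""
    raw = bytes.fromhex(text.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError(f"not a MAC address: {text!r}")
    return raw

def source_mac(frame: bytes) -> bytes:
    """Ethernet II header: destination MAC (6 bytes), source MAC (6), EtherType (2)."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    return frame[6:12]

@dataclass
class VnicPort:
    initial_mac: bytes                  # assigned when the adapter was created
    effective_mac: bytes                # what the guest OS has set on the adapter
    forged_transmits: str = "reject"    # "accept" or "reject"
    mac_changes: str = "reject"         # "accept" or "reject"

    def outbound(self, frame: bytes) -> str:
        """Forged transmits: compare the frame's source MAC with the effective MAC."""
        if self.forged_transmits == "reject" and source_mac(frame) != self.effective_mac:
            return "drop"
        return "forward"

    def inbound(self, frame: bytes) -> str:
        """MAC changes: with reject, a guest that changed its effective MAC receives nothing."""
        if self.mac_changes == "reject" and self.effective_mac != self.initial_mac:
            return "drop"
        return "forward"

def frame_from(src: str, dst: str = "ff:ff:ff:ff:ff:ff") -> bytes:
    """Constructed sample frame: header (EtherType IPv4) plus a 46-byte zero payload."""
    return parse_mac(dst) + parse_mac(src) + b"\x08\x00" + bytes(46)

VM_MAC = "00:50:56:aa:bb:01"      # constructed sample addresses
OTHER_MAC = "00:50:56:aa:bb:99"

if __name__ == "__main__":
    port = VnicPort(parse_mac(VM_MAC), parse_mac(VM_MAC))
    for src in (VM_MAC, OTHER_MAC):
        print(src, "->", port.outbound(frame_from(src)))
```

Setting `mac_changes="reject"` while leaving `forged_transmits="accept"` still forwards a frame with a mismatched source MAC, which is why options A and C do not satisfy the question.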
