Refer to the exhibit. An engineer must deny HTTP traffic from host A to host B while allowing all other communication between the hosts. Which command set accomplishes this task?
A.
SW1(config)# mac access-list extended HOST-A-B
SW1(config-ext-macl)# permit host aaaa.bbbb.cccc aaaa.bbbb.dddd
SW1(config)# vlan access-map DROP-MAC 10
SW1(config-access-map)# match mac address HOST-A-B
SW1(config-access-map)# action drop
SW1(config)# vlan access-map HOST-A-B 20
SW1(config-access-map)# match ip address DENY-HTTP
SW1(config-access-map)# action drop
SW1(config)# vlan filter HOST-A-B vlan 10
B.
SW1(config)# ip access-list extended DENY-HTTP
SW1(config-ext-nacl)# deny tcp host 10.1.1.10 host 10.1.1.20 eq www
SW1(config)# ip access-list extended MATCH_ALL
SW1(config-ext-nacl)# permit ip any any
SW1(config)# vlan access-map HOST-A-B 10
SW1(config-access-map)# match ip address DENY-HTTP
SW1(config-access-map)# action drop
SW1(config)# vlan access-map HOST-A-B 20
SW1(config-access-map)# match ip address MATCH_ALL
SW1(config-access-map)# action forward
SW1(config)# vlan filter HOST-A-B vlan 10
C.
SW1(config)# mac access-list extended HOST-A-B
SW1(config-ext-macl)# permit host aaaa.bbbb.cccc aaaa.bbbb.dddd
MAC access-lists are irrelevant here. B seems to be the closest answer; however, it is not right in that form. This should work:
SW1(config)# ip access-list extended DENY-HTTP
SW1(config-ext-nacl)# permit tcp host 10.1.1.10 host 10.1.1.20 eq www
SW1(config)# vlan access-map DROP-MAC 10
SW1(config-access-map)# match ip address DENY-HTTP
SW1(config-access-map)# action drop
SW1(config)# vlan access-map DROP-MAC 20
SW1(config-access-map)# action forward
SW1(config-access-map)# exit
SW1(config)# vlan filter DROP-MAC vlan 10
https://www.networkstraining.com/vlan-access-map-example-configuration/
Tested in CML, and it worked. A MAC access-list is only for L2 (for example ARP); an IP access-list is for L3, so that is what we need here. Both can be matched under a VLAN ACL; however, a MAC access-list is rarely used in this combination.
The key answer is missing from this question. Answer D follows.
D.
SW1(config)# ip access-list extended DENY-HTTP
SW1(config-ext-nacl)# permit tcp host 10.1.1.10 host 10.1.1.20 eq www
SW1(config)# ip access-list extended MATCH_ALL
SW1(config-ext-nacl)# permit ip any any
SW1(config)# vlan access-map HOST-A-B 10
SW1(config-access-map)# match ip address DENY-HTTP
SW1(config-access-map)# action drop
SW1(config)# vlan access-map HOST-A-B 20
SW1(config-access-map)# match ip address MATCH_ALL
SW1(config-access-map)# action forward
SW1(config)# vlan filter HOST-A-B vlan 10
D is the right answer.
B is incorrect because it permits all traffic to forward. The result of ACL DENY-HTTP is that no traffic will be permitted. Put into access-map HOST-A-B 10, it would drop nothing.
There seems to be an option missing. So I vote for D, the missing one.
Here you can find the complete question with all answers.
https://www.braindump2go.com/free-online-pdf/350-401-PDF-Dumps(409-433).pdf
I don't like the deny IP access list in option B. It should be permit for both cases, and then the drop should be decided in the access-map. I think C is correct.
Hmm, sorry, the problem in C is that the MAC address communication is in first place in the access-map, so it will avoid the HTTP check.
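The permit-versus-deny disagreement in the comments above turns on how a VLAN access-map evaluates its sequences. This Python sketch is an added example, not from the exam or any commenter, that models option B, option D and the first commenter's DROP-MAC map against constructed packets. It assumes the documented Catalyst behaviour that a sequence applies only when its ACL permits the packet and that IP traffic matching no IP clause is dropped; all function and variable names are illustrative.

```python
# Added example: simplified model of Catalyst VLAN access-map (VACL) evaluation.
HOST_A, HOST_B = "10.1.1.10", "10.1.1.20"  # addresses used in the options

def ace(action, proto, src="any", dst="any", dport=None):
    return dict(action=action, proto=proto, src=src, dst=dst, dport=dport)

def acl_permits(acl, pkt):
    """First matching ACE decides; no matching ACE means the implicit deny."""
    for e in acl:
        if (e["proto"] in ("ip", pkt["proto"])
                and e["src"] in ("any", pkt["src"])
                and e["dst"] in ("any", pkt["dst"])
                and e["dport"] in (None, pkt.get("dport"))):
            return e["action"] == "permit"
    return False

def vacl(access_map, pkt):
    """A sequence applies only if its ACL *permits* the packet; a deny ACE
    (or no match) just hands the packet to the next sequence."""
    for acl, action in access_map:
        if acl is None or acl_permits(acl, pkt):  # no match clause = match all
            return action
    return "drop"  # implicit drop: IP packet matched none of the IP clauses

HTTP_DENY = [ace("deny", "tcp", HOST_A, HOST_B, 80)]      # "eq www" is port 80
HTTP_PERMIT = [ace("permit", "tcp", HOST_A, HOST_B, 80)]
MATCH_ALL = [ace("permit", "ip")]
OPTION_B = [(HTTP_DENY, "drop"), (MATCH_ALL, "forward")]
OPTION_D = [(HTTP_PERMIT, "drop"), (MATCH_ALL, "forward")]
THREAD_FIX = [(HTTP_PERMIT, "drop"), (None, "forward")]   # DROP-MAC 10 / 20

PACKETS = {  # constructed sample traffic from host A to host B
    "http": dict(proto="tcp", src=HOST_A, dst=HOST_B, dport=80),
    "ssh": dict(proto="tcp", src=HOST_A, dst=HOST_B, dport=22),
    "icmp": dict(proto="icmp", src=HOST_A, dst=HOST_B),
}

def verdicts(access_map):
    return {name: vacl(access_map, pkt) for name, pkt in PACKETS.items()}

if __name__ == "__main__":
    for label, m in (("B", OPTION_B), ("D", OPTION_D), ("fix", THREAD_FIX)):
        print(label, verdicts(m))
```

In this model option B forwards the HTTP packet because the deny ACE never counts as a match for sequence 10, while option D and the DROP-MAC map drop HTTP and forward everything else.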
Community vote distribution: A (35%), C (25%), B (20%), Other