There is a bit of reverse psychology going on in this question. The access list matches SSH traffic that isn't 10.0.0.5 and the policy map then drops that matched traffic. But 10.0.0.5 was never matched and therefore never dropped.
Therefore the answer must be A.
Great question, but an illogical way of configuring RP protection. Why not require a permit statement in the ACL to make this less confusing?
From Cisco - see example below via link https://www.cisco.com/c/en/us/td/docs/ios/12_2sb/feature/guide/cpp.html#wp1094638
The following example shows how to apply a QoS policy for aggregate CP services to Telnet traffic transmitted from the control plane. Trusted networks with source addresses 3.3.3.0 and 4.4.4.0 receive Internet Control Management Protocol (ICMP) port-unreachable responses without constraint, while allowing all remaining ICMP port-unreachable responses to be dropped:
Ah, a 'deny' statement match means the match is ignored, which ensures 10.0.0.5 is not restricted at the control plane. The class-map drop drops the traffic that matches the permit statement. Makes sense.
A is the right answer. < A "deny" statement in the ACL will still forward packets to the control plane but the packets will not be policed. This is useful when certain trusted hosts should have unfettered access to a device’s control plane, for example for Telnet or SSH.> This is from Cisco documentation ENCOR labs CoPP
The ACLs actually have nothing to do with controlling flows within CoPP:
1. “Any Access List ACL entries prefixed with a ‘deny’ or ‘permit’ actually instruct the CoPP Policy to ignore the identified traffic“
2. "Traffic "denied" by the ACL will simply not be considered in the Class Map, i.e. not policed."
3. (bonus) “CoPP supports inbound and outbound policies; however, outbound policies are not commonly used”
The "provides unlimited SSH access" requirement effectively states no rate limiting, so "A" as "C" has a rate limit statement.
hth
I love this question. The correct answer is A, because all packets that do not match the aforementioned host are dropped. You would logically expect the packets matching the deny clause to be dropped, but they are just filtered out, so they wouldn't be dropped by the policy.
Explanation:
Access List:
access-list 100 permit tcp host 10.0.0.5 any eq 22: This line allows SSH traffic from the specific host 10.0.0.5.
access-list 100 deny tcp any any eq 22: This line denies SSH traffic from all other sources.
Class-map:
class-map match-all telnet_copp: This class-map matches the traffic defined by access list 100.
Policy-map:
The policy-map CoPP defines how to handle the traffic. The police 8000 command allows traffic at a rate of 8000 Kbps, which essentially provides unlimited bandwidth for the matched traffic.
The answer should be "D", not A or C. The question asks to "ALLOW" from 10.0.0.5.
"A" would deny 10.0.0.5 and allow everything else, which is completely reversed. The answer in the right format is "D".
Disregard. The deny statement in "A" denies it from being used by the policy map, thus "allowing" it. Then the permit statement will allow the policy-map to drop everything else.
1. Create an ACL to permit SSH traffic from 10.0.0.5, deny all other SSHs.
- permit tcp host 10.0.0.5 any eq 22
- deny tcp any any eq 22
2. Create a class-map
3. Create a policy-map
- police 8000 = 8000 bits per second (bps)
- should not drop
4. Apply the policy-map
Unlimited SSH access:
It means there are no restrictions on establishing SSH connections from a specific client (in this case, 10.0.0.5).
It does not automatically imply that the traffic is unlimited in terms of speed or bandwidth. It simply ensures that the client has full access to the SSH session, without being blocked.
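
An added example, not part of the thread or of Cisco's documentation: a simplified Python model of how a control-plane class-map treats ACL `permit` and `deny` entries, run against the two configurations discussed above. The ACL contents, the variable and function names, and the sample packets are assumptions reconstructed from the comments, since the question's options are not reproduced on this page.

```python
from ipaddress import ip_address, ip_network

# Constructed rule sets (ACL contents inferred from the comments, not from the question).
ACL_ANSWER_A = [("deny", "10.0.0.5/32", 22), ("permit", "0.0.0.0/0", 22)]
ACL_PERMIT_FIRST = [("permit", "10.0.0.5/32", 22), ("deny", "0.0.0.0/0", 22)]

UNPOLICED = "class-default: reaches control plane, not policed"


def acl_result(acl, src, dport):
    """First-match evaluation with the implicit deny at the end of the list."""
    for action, net, port in acl:
        if ip_address(src) in ip_network(net) and dport == port:
            return action
    return "deny"


def copp_verdict(acl, class_action, src, dport):
    """What the control-plane policy does with one packet.

    Inside a class-map, ACL 'permit' means "member of this class" and ACL
    'deny' means "not a member": the packet is not dropped, it falls through
    to class-default, which has no action configured in this model.
    """
    if acl_result(acl, src, dport) == "permit":
        return class_action
    return UNPOLICED


def evaluate(acl, class_action):
    """Run three constructed packets through one policy variant."""
    packets = {
        "ssh from 10.0.0.5": ("10.0.0.5", 22),
        "ssh from 192.0.2.77": ("192.0.2.77", 22),
        "https from 192.0.2.77": ("192.0.2.77", 443),
    }
    return {name: copp_verdict(acl, class_action, *p) for name, p in packets.items()}


if __name__ == "__main__":
    for label, acl, action in [
        ("deny host first, class action drop", ACL_ANSWER_A, "drop"),
        ("permit host first, class action police 8000", ACL_PERMIT_FIRST, "police 8000"),
    ]:
        print(label)
        for name, verdict in evaluate(acl, action).items():
            print(f"  {name}: {verdict}")
```

In the second variant the trusted host is the only source that gets policed, while SSH from every other address reaches the control plane unrestricted.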