This image is cut off. Here's the is continuation below:
R1# show access-list 199
Extended ip access list 199
10 deny tcp any eq telnet any (50 matches)
50 permit ip any any (1 match)
R1# show running-config | section line vty
line vty 0 4
login
transport input telnet ssh
transport output telnet ssh
-------------------------------------------------------------------------
In order to restrict access to ssh only, shouldn't we limit the vty lines to transport ssh only?
I believe the answer is B and C.
I have done that on lab, with the above output the SSH is not working! So i have remove Class-map ANY- then I was able to SSH to the router. So A is 100% ok. Other best option is C, since if we replace input telnet ssh to only SSH then you do not have access through telnet on the router.
A & C are correct
B is incorrect, because;
- there is no need for transport output statement, since we are talking about incommig traffic only.
- sequence 20 in access list 100 is for outbound telnet, the question says restrict access TO the router by ssh (not from).
here is the full exhibit
R1#show policy-map control-plane
Control Plane
Service-policy input: CoPP
Class-map: PERMIT (match-all)
50 packets, 3811 bytes
5 minute offered rate 0000 bps
Match: access-group 100
Class-map: ANY (match-all)
210 packets, 19104 bytes
5 minute offered rate 0000 bps, drop rate 0000 bps
Match: access-group 199
drop
Class-map: class-default (match-any)
348 packets, 48203 bytes
5 minute offered rate 0000 bps, drop rate 0000 bps
Match: any
R1#show access-list 100
Extended IP access list 100
10 permit udp any any eq 23 (100 matches)
20 permit tcp any any eq telnet (5 matches)
30 permit tcp any eq telnet any (10 matches)
R1#show access-list 199
Extended IP access list 199
10 deny tcp any eq telnet any (50 matches)
50 permit ip any any (1 match)
R1#show running-config | section line vty line vty 0 4
login
transport input telnet ssh
transport output telnet ssh
A and C are right.
A) ACL 199 match SSH traffic by sequence 50. The class-map match ACL 199 and this class is droping all traffic. if you remove the SSH traffic will match default class and will pass. If you don't permit SSH in ACL 100 it's mandatory remove this class.
B) if you configure output ssh you are allowing R1 being the connection's client and i'm not sure if it is desided by the question. but you need to configure SSH input to ssh works and there is no option to do it except option C.
C) It works with option A. Mandatory you need to input ssh in the lines vty to allow SSH and this is the unique option you can do it. We don't have the option to include SSH in ACL 100, so we need to remove the class ANY and input the SSH. Option C also removes sequence 30 in ACL 100 and this make the router unable to answer telnet connection. I would prefer to remover sequence 20, but removing sequence 30 also works.
D) Does not make sense to me.
E) does not make sense either.
Removing Sequence 30 in AC doesn't make the router unable to answer telnet connection. It is simply disallowing the remote device to respond back to the connection initiated by R1 because the control plane has the service policy applied in inbound direction. Hence Option B is not needed to be used to stop the outbound SSH connection thou the question never asked for this.
Thou, your explanations for A and C being the right answers are correct.
I think this question is wrong as removing class ANY will mean you do not use CoPP at all. If the technology provides any benefits, why have questions that just allow all traffic? Anyway, i would not mind making a question like this wrong.
Full picture seen on the following site givin picture is wrong.
https://www.actual4test.com/articles/dec-2021-pass-300-410-exam-in-first-attempt-updated300-410-actual4test-exam-question-q91-q113/
Class ANY will match pretty much everything. The only thing it doesn't match is the outbound telnet from the router to where else (because the seq 10 in ACL 199 would match the return traffic). Therefore, you must remove this class because it would deny the inbound SSH traffic
C would restrict inbound to be SSH only, despite that the "PERMIT" map would allow for inbound Telnet
It seems that it is necessary to reduce the options for connecting to the router to SSH.
Block telnet, allow SSH - it's clearer.
Only the ANY captures(ACL199) SSH packets for policy(only this class-map can influence the ssh by control plane policy):
10 deny tcp any eq telnet any
50 permit ip any any <--------------------here(picture cropped)
i.e. A
By removing the ANY, we will skip the ssh packages default class. But apparently, "restrict" means that you need to disable telnet, leaving only ssh TO router.
So we need the command "transport input ssh",
i.e. C.
P.S.: disgusting question
B and C
Some configuration output is missing, which is why some of you are choosing the wrong answers. See below for missing VTY Line config.
line vty 0 4
transport input telnet ssh
transport output telnet ssh
We only want SSH and no Telnet session.
Configuring transport input/output ssh with remove the transport input telnet off the vty line.
Also if you select B and C, you will also remove telnet from ACL 100.
B and C
We only want SSH and no Telnet session.
Configuring transport input/output ssh with remove the transport input telnet off the vty line.
Also if you select B and C, you will also remove telnet from ACL 100.
A voting comment increases the vote count for the chosen answer by one.
Upvoting a comment with a selected answer will also increase the vote count towards that answer by one.
So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.
DaanB
Highly Voted 3 years, 8 months agobjromero28
Highly Voted 3 years, 1 month agospapi0390
3 years agochinopla
Most Recent 5 months ago[Removed]
5 months ago[Removed]
5 months agoAlexInShort12
1 year agonet_eng10021
1 year, 3 months agoconft
1 year, 4 months agointeldarvid
1 year, 5 months agoMalasxd
1 year, 7 months agoClarent_I
1 year, 5 months agoPietjeplukgeluk
1 year agobk989
4 months, 1 week agoericxw
1 year, 11 months agoNoUserName1234
2 years agoHuntkey
2 years, 2 months agowts
2 years, 3 months agoTECH3K3
2 years, 5 months agoTECH3K3
2 years, 5 months agoCarl1999
2 years, 10 months agoCarl1999
2 years, 10 months agowts
2 years, 11 months ago