Exam 300-410 topic 1 question 79 discussion

A: access-list 101 permit tcp any any eq 80 access-list 102 permit tcp any host intranet-webserver-ip route-map pbr permit 10 match ip address 101 set ip next-hop 192.168.2.2 route-map pbr permit 20 match ip address 102 set ip next-hop 192.168.2.2 interface G2/0 ip policy route-map pbr B: access-list 100 permit tcp host intranet-webserver-ip eq 80 any route-map pbr permit 10 match ip address 100 set ip next-hop 192.168.2.2 interface G1/0 ip policy route-map pbr C: access-list 100 permit tcp any host intranet-webserver-ip eq 80 route-map pbr permit 10 match ip address 100 set ip next-hop 192.168.2.2 interface G2/0 ip policy route-map pbr D: access-list 101 permit tcp any any eq 80 access-list 102 permit tcp any host intranet-webserver-ip route-map pbr permit 10 match ip address 101 102 set ip next-hop 192.168.2.2 interface G1/0 ip policy route-map pbr PBR must be placed on traffic ingress interface.

There is no correct answer. Cisco question writers should properly review the questions they create. D appears to be the correct answer. However, all HTTP traffic is forwarded to the intranet server.D is most like it. However, all HTTP traffic is forwarded to the intranet server.

D is correct

By process of elimination (A) & (C) = PRB applied on wrong interface. (B) wrong ACL syntax, leaving D as the only right option.

D, the instructions say that the intranet branch users require to have access to the intranet web server at HQ without modifying the routing table at Branch, the only way is to point all the Branch network users to the next hop 192.168.2.2 on TCP port 80. Therefore the PBR has to be applied at Branch router interface G1/0

the option correct is D, beacause PBR match with interface g1/0 (gateway user)

I don't see a correct answer here, you can not send all http traffic to the intranet server in this case, in this case C is more likely because it only will apply to traffic destinated to the server but is missing the permit 20 on the route map.

"C" is for egress traffic, "D" is for ingress, so for me "D" is right. https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/25ew/configuration/guide/conf/pbroute.pdf "You specify PBR on the incoming interface (the interface on which packets are received), not outgoing interface." https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-0SY/configuration/guide/15_0_sy_swcg/policy_based_routing_pbr.pdf "PBR cannot be applied to egress traffic or to multicast traffic."

Answer C does the job accordingly to the question asked. Answer D is more generally conditions which will work too.

I believe it is D as it is applied in the correct interface G1/0.

To me seems the more right even if pass all 80 traffic to web server.

The best answer would be C if the pbr is applied to Gi0/1 and not Gi0/2. In the given answers D is the closest one, but it sends EVERY HTTP(port80) traffic sourced from Branch to the Intranet webserver. Considering that you probaply never want to allow your network to communicate through open HTTP(80) on the internet, this makes more sense then any other option.

Answer C looks more logical compared to D.

C. access-list 100 permit tcp any host intranet-webserver-ip eq 80 ! route-map pbr permit 10 match ip address 100 set ip next-hop 192.168.2.2 ! interface G2/0 ip policy route-map pbr

C, makes sense to me!

All Answer are techically wrong Answer D makes all traffic flow to HQ instead of only the Web Traffic as stated in the qeustion. A is also wrong due too outgoing interface B is Fault in the syntax of the ACL Answer C is also outgoing interface

You only need the single ACL to match the Internet webserver IP .