ExamTopics Logo
Mail Us[email protected]
Menu
Cisco Discussions
exam questions

Exam 350-601 All Questions

View all questions & answers for the 350-601 exam
Go to Exam

Exam 350-601 topic 1 question 194 discussion

Actual exam question from Cisco's 350-601
Question #: 194
Topic #: 1
[All 350-601 Questions]


Refer to the exhibit. A network engineer created a new role to be assigned to the SAN users. The requirement is for users to have these characteristics:
* permitted to show access to the system, SNMP, module, and hardware information.
* permitted to run debug zone and exec fcping commands.
* restricted from accessing show feature environment command.
Which configuration set meets these requirements?

  • A. MDS-B(config)# role name default-role MDS-B(config-role)# rule 5 deny show feature environment
  • B. MDS-B(config)# role name default-role MDS-B(config-role)# rule 5 permit show feature module MDS-B(config-role)# rule 6 deny *
  • C. MDS-B(config)# role name san-users MDS-B(config-role)# rule 3 deny show feature environment
  • D. MDS-B(config)# role name san-users MDS-B(config-role)# rule 3 permit show feature system MDS-B(config-role)# rule 4 permit show feature hardware MDS-B(config-role)# rule 5 permit show feature module
Show Suggested Answer Hide Answer
Suggested Answer: A 🗳️
by harmann at July 30, 2022, 2:33 p.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
DSAM9
2 weeks, 2 days ago
Selected Answer: A
I will go with A... If you choose C you will fail because of this: In cases where a default role is applicable to all users, and a configured role is applicable for specific users, consider the following scenarios: Same rule type (permit or deny)—If the default role and the configured role for a specific user have the same rule type, then the specific user will have access to all the rules of both the default role and the configured role.
upvoted 1 times
DSAM9
2 weeks, 2 days ago
If the default role, say A, has the following rules: rule 5 permit show feature environment rule 4 permit show feature hardware rule 3 permit config feature ssh rule 2 permit config feature ntp rule 1 permit config feature tacacs+ And, a specific user is assigned to the following role, say B, with two rules: rule 6 permit config feature dpvm rule 2 deny config feature ntp Rule 2 of A and B are in conflict. In this case, A overrides the conflicting rule of B, and the user is assigned with the remaining rules of A and B, including the overridden rule: rule 6 permit config feature dpvm rule 5 permit show feature environment rule 4 permit show feature hardware rule 3 permit config feature ssh rule 2 permit config feature ntp -----------> Overridden rule rule 1 permit config feature tacacs+
upvoted 1 times
...
...
bizzar7774
2 months ago
Selected Answer: C
I choose C because as per documentation the default-role cannot be changed or deled.
upvoted 1 times
...
U_O
7 months, 3 weeks ago
Selected Answer: A
I think we can make changes in the default-role and not in the system generated roles like network-admin, network-operator and server admin. The default-role applies to all users so even if the deny access in san-users role the user will still get the access. Hence option A looks to be the right one. https://www.cisco.com/c/en/us/td/docs/switches/datacenter/mds9000/sw/8_x/config/security/cisco_mds9000_security_config_guide_8x/configuring_users_and_common_roles.html
upvoted 2 times
...
Scheldon
10 months ago
Selected Answer: D
We should assign to the user only one role SAN-Users and then answer D is the best. We are missing there only one rule "rule 6 permit show feature SNMP". Because we did not add rule "rule x permit show feature environment" and there is no other role for mentioned users in cofiguration, SAN User will not be able to execute "show environment" command.
upvoted 2 times
...
C4rlos
1 year, 2 months ago
Selected Answer: C
C is correct, the default role cannot be changed or deleted.
upvoted 1 times
C4rlos
1 year, 2 months ago
C seems to be the only logical answer, but as pointed out by harmann: "Access to a commandtakes priority over being denied access to a command. "
upvoted 1 times
...
...
GuyThatTakesDumps
1 year, 5 months ago
Selected Answer: C
C is correct!
upvoted 1 times
...
harmann
1 year, 6 months ago
Selected Answer: A
I think it's A because you can't deny what's already allowed on the default role. https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/7-x/security/configuration/guide/b_Cisco_Nexus_9000_Series_NX-OS_Security_Configuration_Guide_7x/b_Cisco_Nexus_9000_Series_NX-OS_Security_Configuration_Guide_7x_chapter_01000.pdf&ved=2ahUKEwjI3KD-6KD5AhWll1YBHXQpC9AQFnoECA4QAQ&usg=AOvVaw0LMfWmT-hIZrUAFuMORswG If you belong to multiple roles, you can execute a combination of all the commands permitted by these roles. Access to a commandtakes priority over being denied access to a command. For example, suppose a user has RoleA, which denied access to the configuration commands. However, the user also has RoleB, which has access to the configuration commands. In this case, the user has access to the configuration commands.
upvoted 3 times
Salilgen
1 year, 5 months ago
Default role cannot be changed or deleted. https://www.cisco.com/c/en/us/td/docs/switches/datacenter/mds9000/sw/8_x/config/security/cisco_mds9000_security_config_guide_8x/configuring_security_features_on_external_aaa_server.html
upvoted 1 times
25e4462
6 days, 6 hours ago
The documentation is incorrect, only network-admin & network-operation roles cannot be changed. Default-role can be amended. (config)# role name network-operator ERROR: Cannot configure system defined role "network-operator" (config)# role name default-role (config-role)# rule 6 permit show feature version Role: default-role Description: This is a system defined role and applies to all users. Vsan policy: permit (default) ------------------------------------------------- Rule Type Command-type Feature ------------------------------------------------- 1 permit show system 2 permit show snmp 3 permit show module 4 permit show hardware 5 permit show environment 6 permit show version
upvoted 1 times
...
...
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
exam
Someone Bought Contributor Access for:
SY0-701
London, 1 minute ago