Exam 300-410
Question 79

Refer to the exhibit. The branch router is configured with a default route toward the Internet and has no routes configured for the HQ site that is connected through interface G2/0. The HQ router is fully configured and does not require changes.

Which configuration on the branch router makes the intranet website (TCP port 80) available to the branch office users?

Correct Answer: C

The branch router should have a policy-based routing configuration that directs only traffic destined for the intranet web server (on TCP port 80) through the HQ router. This is achieved by creating an access control list (ACL) that matches traffic to the intranet web server and then applying a route map to set the next-hop IP address to the HQ router. Option C fits this requirement as it has the correct ACL match statement and properly sets the next-hop to the HQ router's IP address. Applying the policy route map to the interface facing the HQ router ensures the traffic is routed correctly.

Discussion
[Removed] (Option: D)

D. The instructions say that the intranet branch users need to have access to the intranet web server at HQ without modifying the routing table at Branch; the only way is to point all the Branch network users to the next hop 192.168.2.2 on TCP port 80. Therefore the PBR has to be applied at Branch router interface G1/0.

inteldarvid (Option: D)

The correct option is D, because PBR matches with interface g1/0 (gateway user).

Chiaretta (Option: D)

A:
    access-list 101 permit tcp any any eq 80
    access-list 102 permit tcp any host intranet-webserver-ip
    route-map pbr permit 10
     match ip address 101
     set ip next-hop 192.168.2.2
    route-map pbr permit 20
     match ip address 102
     set ip next-hop 192.168.2.2
    interface G2/0
     ip policy route-map pbr
B:
    access-list 100 permit tcp host intranet-webserver-ip eq 80 any
    route-map pbr permit 10
     match ip address 100
     set ip next-hop 192.168.2.2
    interface G1/0
     ip policy route-map pbr
C:
    access-list 100 permit tcp any host intranet-webserver-ip eq 80
    route-map pbr permit 10
     match ip address 100
     set ip next-hop 192.168.2.2
    interface G2/0
     ip policy route-map pbr
D:
    access-list 101 permit tcp any any eq 80
    access-list 102 permit tcp any host intranet-webserver-ip
    route-map pbr permit 10
     match ip address 101 102
     set ip next-hop 192.168.2.2
    interface G1/0
     ip policy route-map pbr

PBR must be placed on traffic ingress interface.

Dacusai (Option: C)

I don't see a correct answer here. You cannot send all HTTP traffic to the intranet server in this case. C is more likely because it will only apply to traffic destined to the server, but it is missing the permit 20 on the route map.

Pietjeplukgeluk

Using policy-based routing there is no requirement for "route-map route_map_name permit 20", as in this case, when no policy-based routing is used, normal routing is used. So do not mix applying a route map as route filtering (that has an implicit deny) and applying a route map for PBR. Anyway, in my opinion C is also correct, only it is applied to the wrong interface.

HungarianDish (Option: D)

"C" is for egress traffic, "D" is for ingress, so for me "D" is right.
https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/25ew/configuration/guide/conf/pbroute.pdf
"You specify PBR on the incoming interface (the interface on which packets are received), not outgoing interface."
https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-0SY/configuration/guide/15_0_sy_swcg/policy_based_routing_pbr.pdf
"PBR cannot be applied to egress traffic or to multicast traffic."

Titini (Option: D)

I believe it is D as it is applied in the correct interface G1/0.

NoUserName1234

All answers are technically wrong. Answer D makes all traffic flow to HQ instead of only the web traffic as stated in the question. A is also wrong due to the outgoing interface. B has a fault in the syntax of the ACL. Answer C is also on the outgoing interface.

Cyril_the_Squirl (Option: D)

By process of elimination, (A) and (C) = PBR applied on the wrong interface, (B) wrong ACL syntax, leaving D as the only right option.

Koume (Option: D)

To me it seems the most right, even if it passes all 80 traffic to the web server.

rogabor81 (Option: D)

The best answer would be C if the PBR is applied to Gi0/1 and not Gi0/2. In the given answers D is the closest one, but it sends EVERY HTTP (port 80) traffic sourced from Branch to the Intranet webserver. Considering that you probably never want to allow your network to communicate through open HTTP (80) on the internet, this makes more sense than any other option.

DUBC89x (Option: C)

C.
    access-list 100 permit tcp any host intranet-webserver-ip eq 80
    !
    route-map pbr permit 10
     match ip address 100
     set ip next-hop 192.168.2.2
    !
    interface G2/0
     ip policy route-map pbr

jarz (Option: C)

You only need the single ACL to match the Internet webserver IP.

babs

The same job can be done via option B.

jarz

I actually retract my answer, none are correct. D is the closest to being correct.

Huntkey (Option: A)

The only problem is that this would send all traffic, including to the internet on port 80, to the hub router.

SeMo0o0o0 (Option: D)

D is correct.

6dd4aa0 (Option: C)

Answer C does the job according to the question asked. Answer D has more general conditions, which will work too.

Alexloh (Option: C)

Answer C looks more logical compared to D.

Koume

No, because C is applied to the outbound interface GI0/2, so PBR will never match, as PBR works when analyzing the inbound interface.

CisconAWSGURU (Option: C)

C, makes sense to me!
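
The disagreement in this thread can be checked with a small model. The following is an added example, not part of the original page or of any poster's comment: a Python model of how each option's ACLs, route map and policy interface treat traffic arriving from branch users. It assumes, as the comments do, that users sit behind G1/0 and that an unmatched packet follows the Internet default route; every address except 192.168.2.2 is constructed, and "C@G1/0" is the hypothetical variant suggested in the discussion.

```python
"""Toy model of IOS policy-based routing for the answer options (added example)."""
from collections import namedtuple

WEB = "10.0.0.80"    # constructed stand-in for intranet-webserver-ip
HQ = "192.168.2.2"   # next hop used by every option on the page
USER = "192.168.1.10"  # constructed branch user address
Packet = namedtuple("Packet", "in_if src sport dst dport")

def ace(src="any", sport=None, dst="any", dport=None):
    """One 'permit tcp' ACL entry as a predicate over a packet."""
    def hit(p):
        return ((src == "any" or p.src == src) and (dst == "any" or p.dst == dst)
                and (sport is None or p.sport == sport)
                and (dport is None or p.dport == dport))
    return hit

# option -> (interface carrying 'ip policy route-map pbr', route-map sequences).
# Each sequence lists its ACLs; several ACLs on one match line are ORed.
OPTIONS = {
    "A": ("G2/0", [[ace(dport=80)], [ace(dst=WEB)]]),
    "B": ("G1/0", [[ace(src=WEB, sport=80)]]),       # matches replies, not requests
    "C": ("G2/0", [[ace(dst=WEB, dport=80)]]),
    "D": ("G1/0", [[ace(dport=80), ace(dst=WEB)]]),  # match ip address 101 102
    "C@G1/0": ("G1/0", [[ace(dst=WEB, dport=80)]]),  # hypothetical variant
}

def forward(option, pkt):
    """Return the next hop chosen for pkt under the given option."""
    policy_if, sequences = OPTIONS[option]
    if pkt.in_if == policy_if:  # PBR only inspects packets received here
        for acls in sequences:
            if any(acl(pkt) for acl in acls):
                return HQ       # every sequence sets the same next hop
    return "default-route"      # no policy match: normal routing applies

SAMPLES = {  # constructed packets, all entering from the user side
    "intranet_http": Packet("G1/0", USER, 50000, WEB, 80),
    "internet_http": Packet("G1/0", USER, 50001, "203.0.113.5", 80),
    "intranet_https": Packet("G1/0", USER, 50002, WEB, 443),
}

def results():
    """Next hop per option and sample packet."""
    return {o: {n: forward(o, p) for n, p in SAMPLES.items()} for o in OPTIONS}

if __name__ == "__main__":
    for opt, row in results().items():
        print(opt, row)
```

In this model only D and the G1/0 variant of C steer the intranet request to 192.168.2.2, and D also redirects Internet-bound port 80 traffic and all other TCP traffic to the web server.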