Exam 300-410
Question 495

SIMULATION

Guidelines

This is a lab item in which tasks will be performed on virtual devices.

• Refer to the Tasks tab to view the tasks for this lab item.

• Refer to the Topology tab to access the device console(s) and perform the tasks.

• Console access is available for all required devices by clicking the device icon or using the tab(s) above the console window.

• All necessary preconfigurations have been applied.

• Do not change the enable password or hostname for any device.

• Save your configurations to NVRAM before moving to the next item.

• Click Next at the bottom of the screen to submit this lab and move to the next question.

• When Next is clicked, the lab closes and cannot be reopened.

Topology

Tasks

A network is configured with CoPP to protect the CORE router route processor for stability and DDoS protection. As a company policy, a class named class-default is preconfigured and must not be modified or deleted. Troubleshoot CoPP to resolve the issues introduced during the maintenance window to ensure that:

1. Dynamic routing policies are under CoPP-CRITICAL and are allowed only from the 10.10.x.x range.

2. Telnet, SSH, and ping are under CoPP-IMPORTANT and are allowed strictly to/from 10.10.x.x to the CORE router (Hint: you can verify using Loopback1).

3. All devices ping (UDP) any CORE router interface successfully to/from the 10.10.x.x range and do not allow any other IP address.

4. All devices run a successful traceroute (UDP) to any interface on the CORE router to/from the 10.10.x.x range, are under CoPP-NORMAL, and do not allow any other IP address. Traceroute is to be under CoPP-NORMAL (Hint: Traceroute port range 33434 33464).

    Correct Answer:

Discussion
T_Cos

The statement implies that you do not need to configure the policy, class-map or apply it to the control plane. Does anyone agree with me?

CORE(config)#ip access-list extended COPP-CRITICAL
(...-ext-nacl)#permit eigrp 10.10.0.0 0.0.255.255 any
(...-ext-nacl)#permit eigrp any 10.10.0.0 0.0.255.255
(...-ext-nacl)#permit eigrp any host 224.0.0.10
CORE(config)#ip access-list extended COPP-IMPORTANT
(...-ext-nacl)#permit icmp 10.10.0.0 0.0.255.255 host 10.10.13.1
(...-ext-nacl)#permit tcp 10.10.0.0 0.0.255.255 host 10.10.13.1 eq telnet
(...-ext-nacl)#permit tcp 10.10.0.0 0.0.255.255 host 10.10.13.1 eq 22
CORE(config)#ip access-list extended COPP-NORMAL
(...-ext-nacl)#permit udp 10.10.0.0 0.0.255.255 host 10.10.1.1 range 33434 33464
(...-ext-nacl)#permit udp 10.10.0.0 0.0.255.255 host 10.10.12.1 range 33434 33464
(...-ext-nacl)#permit udp 10.10.0.0 0.0.255.255 host 10.10.13.1 range 33434 33464

[Removed]

Agree - it's just a case of creating the correct ACLs for the Class Maps.

[Removed]

Also nice catch on allowing EIGRP to the multicast IP - I missed that.

aqwsdfghjklp

I don't understand "(...-ext-nacl)#permit eigrp any host 224.0.0.10"; it is not clear why it is necessary.

buddhagaut

Great answer. For this requirement: "Telnet, SSH, and ping are under CoPP-IMPORTANT and are allowed strictly to/from 10.10.x.x to the CORE router (Hint: you can verify using Loopback1)." Shouldn't we also allow icmp, ping, telnet to 10.10.12.1 and perhaps 10.10.1.1?

Pietjeplukgeluk

I still don't understand "permit eigrp any 10.10.0.0 0.0.255.255"; this would imply EIGRP is sent NOT to a destination multicast address, but addressed to a unicast address.

DavideDL

Why in CoPP-IMPORTANT do we accept ping/ssh/telnet only to 10.10.13.1 and not to 10.10.1.1 and 10.10.12.1? They told us "are allowed strictly to/from 10.10.x.x to the CORE router".

DavideDL

If I have to follow strictly what the exercise is asking, I'll do something like this:

ip access-list extended COPP-CRITICAL
 permit eigrp 10.10.0.0 0.0.255.255 any
ip access-list extended COPP-IMPORTANT
 permit tcp 10.10.0.0 0.0.255.255 10.10.0.0 0.0.255.255 eq 22
 permit tcp 10.10.0.0 0.0.255.255 10.10.0.0 0.0.255.255 eq 23
 permit icmp 10.10.0.0 0.0.255.255 10.10.0.0 0.0.255.255
ip access-list extended COPP-NORMAL
 permit udp 10.10.0.0 0.0.255.255 10.10.0.0 0.0.255.255 range 33434 33464

[Removed]

Anyone had this for real? The question and solution imply COPP policies/class-maps are set up and you just need to configure the ACLs? Also the wording suggests the ACLs are also applied to the interfaces?

Coffee_bean_master

COPP-CRITICAL
10 permit eigrp 10.10.0.0 0.0.255.255 any
20 permit eigrp any 10.10.0.0 0.0.255.255
30 permit ip 224.0.0.10 0.0.0.0 any
40 permit ip any host 224.0.0.10

COPP-IMPORTANT
10 permit tcp 10.10.0.0 0.0.255.255 10.10.0.0 0.0.255.255 eq 23
20 permit tcp 10.10.0.0 0.0.255.255 10.10.0.0 0.0.255.255 eq 22
30 permit icmp 10.10.0.0 0.0.255.255 10.10.0.0 0.0.255.255

COPP-NORMAL
40 permit udp 10.10.0.0 0.0.255.255 10.10.0.0 0.0.255.255 range 33434 33464

Pietjeplukgeluk

"30 permit ip 224.0.0.10 0.0.0.0 any" and "10 permit eigrp 10.10.0.0 0.0.255.255." Furthermore, "10.10.0.0 0.0.255.255" as destination does not seem to add much here; you can use any instead. Also, "20 permit eigrp any 10.10.0.0 0.0.255.255" does not seem very applicable here; only when defining static EIGRP neighbors will EIGRP be sent as unicast.

Pietjeplukgeluk

Correction: "30 permit ip 224.0.0.10 0.0.0.0 any" and "10 permit eigrp 10.10.0.0 0.0.255.255." are very similar; you ideally only add "10 permit eigrp 10.10.0.0 0.0.255.255 any" as that is already sufficient.
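
Added example, not part of the thread or of the lab's answer: a small Python matcher for the permit-entry forms posted above, run against two constructed EIGRP hellos to show which COPP-CRITICAL proposal also classifies an EIGRP packet sourced outside 10.10.x.x. The function names, the sample addresses 10.10.12.2 and 192.0.2.7, and reading the multicast group as 224.0.0.10 are assumptions; a match only places the packet in the class, and what the preconfigured policy does with each class is not shown on the page.

```python
import ipaddress

def ip_int(addr):
    return int(ipaddress.IPv4Address(addr))

def take_addr(tok):
    """Consume 'any', 'host A' or 'A WILDCARD'; return ((base, wildcard), rest)."""
    if tok[0] == "any":
        return (0, 0xFFFFFFFF), tok[1:]
    if tok[0] == "host":
        return (ip_int(tok[1]), 0), tok[2:]
    return (ip_int(tok[0]), ip_int(tok[1])), tok[2:]

def parse(entry):
    """Parse 'permit PROTO SRC DST [eq P | range LO HI]' (permit entries only)."""
    tok = entry.split()
    src, rest = take_addr(tok[2:])
    dst, rest = take_addr(rest)
    ports = None
    if rest[:1] == ["eq"]:
        port = 23 if rest[1] == "telnet" else int(rest[1])
        ports = (port, port)
    elif rest[:1] == ["range"]:
        ports = (int(rest[1]), int(rest[2]))
    return tok[1], src, dst, ports

def covers(spec, addr):
    base, wild = spec  # wildcard bits set to 1 are "don't care"
    return (ip_int(addr) | wild) == (base | wild)

def matches(acl, proto, src, dst, dport=None):
    """True if any entry matches, i.e. the packet is classified into that class."""
    for e_proto, e_src, e_dst, ports in map(parse, acl):
        if e_proto in ("ip", proto) and covers(e_src, src) and covers(e_dst, dst):
            if ports is None or (dport is not None and ports[0] <= dport <= ports[1]):
                return True
    return False

# COPP-CRITICAL as proposed in two comments (multicast group taken as 224.0.0.10)
WITH_ANY_SOURCE = ["permit eigrp 10.10.0.0 0.0.255.255 any",
                   "permit eigrp any 10.10.0.0 0.0.255.255",
                   "permit eigrp any host 224.0.0.10"]
SOURCE_ONLY = ["permit eigrp 10.10.0.0 0.0.255.255 any"]
# Constructed packets; 192.0.2.7 (documentation range) stands in for "any other IP"
INSIDE_HELLO = ("eigrp", "10.10.12.2", "224.0.0.10")
OUTSIDE_HELLO = ("eigrp", "192.0.2.7", "224.0.0.10")

if __name__ == "__main__":
    print(matches(WITH_ANY_SOURCE, *OUTSIDE_HELLO), matches(SOURCE_ONLY, *OUTSIDE_HELLO))
```

Both lists match the hello from 10.10.12.2; only the list with the any-source entries also matches the one from 192.0.2.7, which is the case task 1 asks to exclude from CoPP-CRITICAL.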

buddhagaut

Can someone please explain the difference in ping requirement between these two:

2. Telnet, SSH, and ping are under CoPP-IMPORTANT and are allowed strictly to/from 10.10.x.x to the CORE router (Hint: you can verify using Loopback1).

3. All devices ping (UDP) any CORE router interface successfully to/from the 10.10.x.x range and do not allow any other IP address.