Refer to the exhibit. An engineer must deny HTTP traffic from host A to host B while allowing all other communication between the hosts. Which command set accomplishes this task?
To deny HTTP traffic from host A to host B while allowing all other communications, you can use an IP access list to identify the specific traffic (HTTP from host A to host B) and then apply an action to drop that traffic in a VLAN access map. The provided solution specifies creating an IP access list named DENY-HTTP to deny TCP traffic for port www (HTTP) between the specified hosts, a match-all IP access list named MATCH_ALL, and a VLAN access map named HOST-A-B that drops the matching HTTP traffic and forwards all other traffic. The commands match the requirements and use IP access lists as needed. Thus, option B is valid and appropriate for this scenario.
MAC access lists are irrelevant here. B seems to be the closest answer; however, it is not right in that form. This should work:
    SW1(config)# ip access-list extended DENY-HTTP
    SW1(config-ext-nacl)# permit tcp host 10.1.1.10 host 10.1.1.20 eq www
    SW1(config)# vlan access-map DROP-MAC 10
    SW1(config-access-map)# match ip address DENY-HTTP
    SW1(config-access-map)# action drop
    SW1(config)# vlan access-map DROP-MAC 20
    SW1(config-access-map)# action forward
    SW1(config-access-map)# exit
    SW1(config)# vlan filter DROP-MAC vlan 10
https://www.networkstraining.com/vlan-access-map-example-configuration/
Tested in CML, and it worked. MAC access-list is only for L2 (for example arp), ip access-list is for L3, so that is what we need here. Both can be matched under vlan ACL, however, MAC access-list is rarely used in this combination.
This is correct
None of the 3 are correct
I vote for D, the missing one.
I don't like the deny IP access list in option B. It should be permit for both cases, with the drop then decided in the access-map. I think C is correct.
Hmm, sorry, the problem in C is that the MAC address communication is in first place in the access-map, so it will avoid the HTTP check.
There seems to be an option missing. So I vote for D, the missing one. Here you can find the complete question with all answers. https://www.braindump2go.com/free-online-pdf/350-401-PDF-Dumps(409-433).pdf
D.
    SW1(config)# ip access-list extended DENY-HTTP
    SW1(config-ext-nacl)# permit tcp host 10.1.1.10 host 10.1.1.20 eq www
    SW1(config)# ip access-list extended MATCH_ALL
    SW1(config-ext-nacl)# permit ip any any
    SW1(config)# vlan access-map HOST-A-B 10
    SW1(config-access-map)# match ip address DENY-HTTP
    SW1(config-access-map)# action drop
    SW1(config)# vlan access-map HOST-A-B 20
    SW1(config-access-map)# match ip address MATCH_ALL
    SW1(config-access-map)# action forward
    SW1(config)# vlan filter HOST-A-B vlan 10
B is correct
I misread it. B is wrong; it must be permit, not deny.
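The permit-versus-deny point argued in this thread, as an added example that is not from any of the posts above: a simplified Python model of VLAN access-map evaluation, in which a clause matches only when its ACL permits the packet and the clause's action then decides drop or forward. The function names, the `build_map` helper and the sample packets are constructed for illustration; the host addresses are the ones used in the posted configurations, and the final implicit drop is the model's assumption about how unmatched IP traffic is handled.

```python
# Added illustration: minimal model of VLAN access-map (VACL) evaluation.
# Simplified: ACEs match on protocol, source, destination and destination port.
from typing import NamedTuple, Optional

class Packet(NamedTuple):
    proto: str                   # "tcp", "icmp", ...
    src: str
    dst: str
    dport: Optional[int] = None

class Ace(NamedTuple):
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" stands for any IP protocol
    src: str                     # host address or "any"
    dst: str
    dport: Optional[int] = None  # None = any port

def ace_hits(ace, pkt):
    return (ace.proto in ("ip", pkt.proto)
            and ace.src in ("any", pkt.src)
            and ace.dst in ("any", pkt.dst)
            and (ace.dport is None or ace.dport == pkt.dport))

def acl_permits(acl, pkt):
    """First ACE that hits decides; no hit is the ACL's implicit deny."""
    for ace in acl:
        if ace_hits(ace, pkt):
            return ace.action == "permit"
    return False

def vacl_decision(access_map, pkt):
    """Clauses are (seq, acl or None, action); a clause matches only if its
    ACL permits the packet. A clause with no match statement matches all."""
    for _seq, acl, action in sorted(access_map, key=lambda c: c[0]):
        if acl is None or acl_permits(acl, pkt):
            return action
    return "drop"  # assumed implicit drop for IP traffic matching no clause

# Constructed sample data: host A, host B, and three packets from A to B.
A, B = "10.1.1.10", "10.1.1.20"
MATCH_ALL = [Ace("permit", "ip", "any", "any")]
HTTP, SSH, PING = Packet("tcp", A, B, 80), Packet("tcp", A, B, 22), Packet("icmp", A, B)

def build_map(http_ace_action):
    """HOST-A-B style map: clause 10 drops what DENY-HTTP matches, 20 forwards."""
    deny_http = [Ace(http_ace_action, "tcp", A, B, 80)]
    return [(10, deny_http, "drop"), (20, MATCH_ALL, "forward")]

if __name__ == "__main__":
    for ace_action in ("permit", "deny"):
        result = {n: vacl_decision(build_map(ace_action), p)
                  for n, p in (("http", HTTP), ("ssh", SSH), ("ping", PING))}
        print(f"DENY-HTTP uses '{ace_action}':", result)
```

With `deny` in the ACL, the HTTP packet never matches clause 10, falls through to the match-all clause and is forwarded, so the filter has no effect on the traffic it was meant to block.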