Exam 350-401
Question 299

Refer to the exhibit. An engineer must deny HTTP traffic from host A to host B while allowing all other communication between the hosts. Drag and drop the commands into the configuration to achieve these results. Some commands may be used more than once. Not all commands are used.

Select and Place:

    Correct Answer:

Discussion
yuiiuy

I think the first answer is "Deny".

Adrenalina73

The answer provided is correct, the first answer must permit: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-0SY/configuration/guide/15_0_sy_swcg/vlan_acls.pdf

Router# show ip access-lists net_10
Extended IP access list net_10
 permit ip 10.0.0.0 0.255.255.255 any
Router(config)# vlan access-map ganymede 10
Router(config-access-map)# match ip address net_10
Router(config-access-map)# action drop log

baid

Hi, the permit filters the traffic 10.1.1.10 to 10.1.1.20; the deny will filter traffic other than 10.1.1.10 to 10.1.1.20. The drop is implemented by the vlan access-map, not by the access-list. The access-list only filters the traffic that needs to be treated by the vlan access-map.

BigMouthDog

It does not make sense if the first answer is "Deny". Because you've already denied, you don't need "action drop". However, this is silly because it wastes the processing power.

Sammy3637

Trick question - given answer is correct - some options can be used twice: create a condition by permit, then later deny by action drop.

Brand

Makes sense...

Normanby

The reason the ACLs must both be 'permit' is that they create the 'test condition'; then, based on that test, we drop it later in the map.

ArchBishop

When talking about access-lists or prefix-lists associated with *-maps, Permit and Deny take on new meanings. As we all know, a *-list processes each entry until a match is found. Once a match is found, processing of the *-list stops. *-maps operate the same way.

- If the matched statement is 'permit,' the *-list reports back to the *-map with a match success, which allows the *-map to process the associated action. No further *-map sequences are processed.
- If the matched statement is 'deny,' the *-list reports back to the *-map with NO MATCH; wherein the *-map will proceed to the next *-map sequence until a *-map match IS found.
- If NO statement is matched in the *-list, the implicit 'deny any any' is ALWAYS matched. In this case, the *-list will report to the *-map with NO MATCH, and the *-map will proceed to the next sequence until a match IS found.

SeMo0o0o

the correct answer is:
1- Deny: you want to deny HTTP
2- permit: to allow other traffic
3- drop: to drop traffic that matches the map "HTTP_Drop"
4- forward: to forward the other traffic

SeMo0o0o

after research, given answers are correct. https://www.networkstraining.com/vlan-access-map-example-configuration/

rafaelinho88

In this case we need to configure a VLAN access-map to deny HTTP traffic and apply it to VLAN 10. To do it, first create an access-list, by which interesting traffic will be matched. The principle of VLAN access-map config is similar to the route-map principle. After this we’ll create a vlan access-map, which has two main parameters: action and match.

Match: by this parameter the interesting traffic is matched and here RACL or MAC ACL can be applied as well.

Action: what to do with matched traffic. Two main parameters exist: Drop and Forward. In case of Drop, matched traffic will be dropped, and in case of forward, matched traffic will be allowed.

Deu_Inder

Provided answer is correct. permit, permit, action drop, action forward.

BigMouthDog

The answer provided is correct. Because even though the first statement is 'permit', once it is matched, the action will be dropped.

Zendahr

correct

SeMo0o0o

given answers are correct. https://www.networkstraining.com/vlan-access-map-example-configuration/

Mohaned990_go

SW1(config)# ip access-list extended DENY-HTTP
SW1(config-ext-nacl)# deny tcp host 10.1.1.10 host 10.1.1.20 eq www
SW1(config)# ip access-list extended MATCH_ALL
SW1(config-ext-nacl)# permit ip any any
SW1(config)# vlan access-map HOST-A-B 10
SW1(config-access-map)# match ip address DENY-HTTP
SW1(config-access-map)# action drop
SW1(config)# vlan access-map HOST-A-B 20
SW1(config-access-map)# match ip address MATCH_ALL
SW1(config-access-map)# action forward
SW1(config)# vlan filter HOST-A-B vlan 10

joe_smoe

I agree I think the first answer is "Deny". Can someone clarify why this is or isn't true?

dazzler_010

If ip access-list extended DENY-HTTP is "Deny", then HTTP traffic will get denied in this ACL and there will be no more matching entry for vlan access-map HOST-A-B 10 to action drop.
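
The evaluation rules ArchBishop describes, applied to the DENY-HTTP / MATCH_ALL / HOST-A-B configuration posted above, as an added Python model that is not part of any comment and is not IOS code. The packet tuples, the wildcard handling and the final drop when no sequence matches are assumptions of the model.

```python
# Toy model of VLAN access-map evaluation (illustrative, not IOS code).
# A packet is (protocol, src, dst, dst_port). An ACL entry is
# (verdict, protocol, src, dst, dst_port); "ip", "any" and None are wildcards.

def entry_matches(entry, pkt):
    _, proto, src, dst, port = entry
    p_proto, p_src, p_dst, p_port = pkt
    return (proto in ("ip", p_proto)
            and src in ("any", p_src)
            and dst in ("any", p_dst)
            and port in (None, p_port))

def acl_reports_match(acl, pkt):
    """First matching entry decides: permit -> match, deny -> no match."""
    for entry in acl:
        if entry_matches(entry, pkt):
            return entry[0] == "permit"
    return False  # implicit deny at the end of every ACL -> no match

def vacl_action(access_map, acls, pkt):
    """Walk the map sequences in order; the first whose ACL matches wins."""
    for _seq, acl_name, action in sorted(access_map):
        if acl_reports_match(acls[acl_name], pkt):
            return action
    return "drop"  # assumption of this model: nothing matched in any sequence

HOST_A, HOST_B = "10.1.1.10", "10.1.1.20"
HTTP = ("tcp", HOST_A, HOST_B, 80)       # constructed sample packets
SSH = ("tcp", HOST_A, HOST_B, 22)
PING = ("icmp", HOST_A, HOST_B, None)

# Same map as in the thread: sequence 10 drops, sequence 20 forwards.
ACCESS_MAP = [(10, "DENY-HTTP", "drop"), (20, "MATCH_ALL", "forward")]
MATCH_ALL = [("permit", "ip", "any", "any", None)]

def build_acls(first_keyword):
    """first_keyword is the disputed answer: 'permit' or 'deny'."""
    return {"DENY-HTTP": [(first_keyword, "tcp", HOST_A, HOST_B, 80)],
            "MATCH_ALL": MATCH_ALL}

def results(first_keyword):
    acls = build_acls(first_keyword)
    return {name: vacl_action(ACCESS_MAP, acls, pkt)
            for name, pkt in (("http", HTTP), ("ssh", SSH), ("ping", PING))}

if __name__ == "__main__":
    print("permit:", results("permit"))  # HTTP dropped, the rest forwarded
    print("deny:  ", results("deny"))    # HTTP falls through to sequence 20
```

With `deny` in the first ACL the HTTP packet never triggers `action drop`, so the map fails open for exactly the traffic it was written to block.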

GATUNO

Adrenalina, do we have a chance to use permit a couple of times? If it is a drop and drag question, I see only one permit available.

Johnconnor2021

The question itself says: "Some commands may be used more than once." Pay attention to the question, read it carefully.