Exam 350-401
Question 412

Refer to the exhibit. Which commands are required to allow SSH connections to the router?

A.

B.

C.

D.

    Correct Answer:

    To allow SSH connections to the router, an extended access control list (ACL) should be used, because extended ACLs can match on both source and destination IP addresses and port numbers. The provided options use two different types of ACL numbers: standard (1-99) and extended (100-199). For SSH traffic, an extended ACL is necessary to specify TCP port 22. Option B introduces ACL 101, which is appropriate for this requirement. Therefore, the correct command sequence to allow SSH connections, which creates an extended ACL and applies it in the QoS policy map for control plane policing (CoPP), is as follows:

        access-list 100 permit tcp any any eq 22
        access-list 101 permit tcp any any eq 22
        class-map class-ssh
        match access-group 101
        policy-map CoPP
        class class-ssh
        police 100000 conform-action transmit

    This configuration ensures that SSH traffic is correctly matched and permitted.
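The two checks behind this answer (an extended ACL number, and `eq 22` placed after the destination rather than the source) can be expressed as a small linter. This is an added example, not part of the original page or the exam exhibit; the function names and the sample ACL lines are constructed for illustration, and only the `any` / `host` / address-wildcard forms with an `eq` port operator are handled.

```python
# Added example: lint numbered Cisco IOS ACL lines for matching inbound SSH.
# Function names and sample lines are hypothetical, constructed for this page.

def acl_type(number: int) -> str:
    # Numbered ACL ranges: standard 1-99, extended 100-199
    # (IOS also has expanded ranges 1300-1999 and 2000-2699).
    if 1 <= number <= 99 or 1300 <= number <= 1999:
        return "standard"
    if 100 <= number <= 199 or 2000 <= number <= 2699:
        return "extended"
    return "unknown"

def _take_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D wildcard'."""
    if not tokens:
        return tokens
    return tokens[1:] if tokens[0] == "any" else tokens[2:]

def _take_port(tokens):
    """Consume an optional 'eq <port>'; return (port or None, remaining tokens)."""
    if len(tokens) >= 2 and tokens[0] == "eq":
        return tokens[1], tokens[2:]
    return None, tokens

def check_ssh_acl(line: str) -> str:
    """Say whether one access-list line matches SSH sessions sent to the router."""
    t = line.split()
    if len(t) < 4 or t[0] != "access-list" or not t[1].isdigit():
        return "not a numbered ACL line"
    if acl_type(int(t[1])) != "extended":
        return "not an extended ACL number: cannot match protocol or ports"
    if t[2] != "permit" or t[3] != "tcp":
        return "does not permit tcp"
    # Extended syntax: permit tcp <source> [eq port] <destination> [eq port]
    src_port, rest = _take_port(_take_addr(t[4:]))
    dst_port, _ = _take_port(_take_addr(rest))
    if dst_port == "22":
        return "matches inbound SSH (destination port 22)"
    if src_port == "22":
        return "matches source port 22, not inbound SSH"
    return "does not match port 22"

if __name__ == "__main__":
    for sample in ("access-list 10 permit tcp any any eq 22",    # constructed
                   "access-list 101 permit tcp any eq 22 any",   # constructed
                   "access-list 101 permit tcp any any eq 22"):  # from the answer
        print(f"{sample!r}: {check_ssh_acl(sample)}")
```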

Discussion
Deu_Inder

Question is badly worded. They should say that SSH needs to be policed. Answer B is right.

FerroForce

B is correct. Extended ACL could not be 10.

bendarkel

B is correct. A is wrong because per the ACL, the traffic is being sourced from port 22.

H3kerman

A can't be right, because ACL 10 is standard, but defined in config is extended. I would vote B.

HarwinderSekhon

B is correct.

Ioannis34

answer is B

kejvi

B seems the best. The ACL should contain "tcp any any eq 22", not "any eq 22 any"; that would be src port 22.

danman32

Why is there an entry for access-list 100 in B and C? Access-list 100 will have no effect on the newly created class-map, but could break the existing class-map.

PureInertiaCopy

Wondering the exact same thing...

nikramor

B is correct

lafrank

A can't be correct, as access-list 10 is a standard ACL and as such does not support port definition.

kewokil120

B is right

onkel_andi

Answer is A) SSH will be added to the CoPP Policy Map

iGlitch

The ACL itself is wrong; the eq keyword should be placed at the end because we want to match incoming SSH requests, so the destination "ssh server" will use port 22, and the source "ssh client" will use a random port number. The answer is B.

GeorgeFortiGate

It is not. It asks for SSH traffic; how does the source have port 80? This is going to be the destination port, first of all. Then it is also access list "10".

GeorgeFortiGate

Correct answer is B

Zendahr

B is correct. Extended ACL could not be 10.

SeMo0o0o

B is the only one that makes a bit of sense

andyforreg

Answer - B

Ayman_B

I could not find any difference between A and B; both of them are correct. Can anybody clarify the difference?

Pilgrim5

The difference is in the beginning access list statements. A - access-list 10 is wrong because standard access lists only support source address and mask. They don't support adding destination addresses, masks or source and destination ports. B - access-list 100 is right because this is an extended access list and extended access lists support source and destination addresses and masks and also source and destination ports. Standard access lists - 1-99. Extended access lists - 100-199.

burban97

If I'm not mistaken, ACL 10 (standard) is based off source only.