An engineer must configure and validate a CoPP policy that allows the network management server to monitor router R1 via SNMP while protecting the control plane. Which two commands or command sets must be used? (Choose two.)
To configure and validate a CoPP policy that allows the network management server to monitor router R1 via SNMP while protecting the control plane, you need to define and implement proper access control lists, class maps, and policy maps. Option A includes these elements and additionally incorporates an essential protection mechanism by dropping violating traffic with 'violate-action drop'. To validate the CoPP policy, the 'show policy-map control-plane' command from option E will be necessary, as it allows you to see the applied policies and their statistics on the control plane. Therefore, the correct choices are options A and E.
A.
    access-list 150 permit udp 10.0.1.4 0.0.0.0 host 10.0.1.2 eq snmp
    access-list 150 permit udp 10.0.1.4 0.0.0.0 eq snmp host 10.0.1.2
    class-map match-all CoPP-management
     match access-group 150
    policy-map CoPP-policy
     class CoPP-management
      police 8000 conform-action transmit exceed-action transmit violate-action drop
    control-plane
     Service-policy input CoPP-policy

B. show ip interface brief

C. show quality-of-service-profile

D.
    access-list 150 permit udp 10.0.1.4 0.0.0.0 host 10.0.1.2 eq snmp
    class-map match-all CoPP-management
     match access-group 150
    policy-map CoPP-policy
     class CoPP-management
      police 8000 conform-action transmit exceed-action transmit violate-action transmit
    control-plane
     Service-policy input CoPP-policy

E. show policy-map control-plane
A has "It has violate-action drop"
Since question says needs to protect, so A is the answer. It has violate-action drop.
It should be D and E
D does not have any protections for the control plane.
    Conform action = transmit
    Exceed action = transmit
    Violate action = transmit
No matter what, all traffic will be transmitted to the control plane, which doesn't protect it. A does at least have a violate-action = drop, so that's more protection than D gives.
Correct answer is A and E

    access-list 150 permit udp 10.0.1.4 0.0.0.0 host 10.0.1.2 eq snmp
    access-list 150 permit udp 10.0.1.4 0.0.0.0 eq snmp host 10.0.1.2
    class-map match-all CoPP-management
     match access-group 150
    !
    !
    policy-map CoPP-policy
     class CoPP-management
      police 8000 conform-action transmit exceed-action transmit violate-action drop
    !
    control-plane
     service-policy input CoPP-policy
Agree, but I can't help but wonder why "access-list 150 permit udp 10.0.1.4 0.0.0.0 eq snmp host 10.0.1.2" is here. Why would 10.0.1.4 send traffic sourced with port 161?
I will go with A and E. D doesn't protect anything; all the actions are set to transmit, no drop action.
SNMP is management plane so surely it should be D and E ??
I think it is D and E as well.
A option has this ACL 150:
    access-list 150 permit udp 10.0.1.4 0.0.0.0 host 10.0.1.2 eq snmp
    access-list 150 permit udp 10.0.1.4 0.0.0.0 eq snmp host 10.0.1.2
But D option only:
    access-list 150 permit udp 10.0.1.4 0.0.0.0 host 10.0.1.2 eq snmp
A option has a violation-action drop, but D option has a violation-action transmit, so the SNMP traffic will never be dropped.
So, ACL would not be dropping traffic by its implicit deny? Would not the violate-action drop be applied only for the police 8000? Besides, Option A ACL second line does not make much sense, having SNMP polling permitted on to a server, IMO.
But D only has "transmit" statements, so not much of a protection. E is only a show command and the question is for "must configure" so also not a perfect match, but maybe the best of the options.
why not DE?
A - violation-action drop D - violation-action transmit
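
The difference debated in this thread, as an added example that is not part of the original discussion or of any Cisco code: a simplified Python model of ACL 150 classification and of the `police 8000` class from options A and D. The burst sizes (1500 bytes each), the 100-byte packet size and the traffic rates are assumptions chosen for illustration; the function and class names are hypothetical.

```python
from dataclasses import dataclass

NMS, R1, SNMP = "10.0.1.4", "10.0.1.2", 161  # addresses and port from ACL 150

def classify(src, sport, dst, dport, option="A"):
    """Class for a UDP packet punted to R1's control plane.

    An ACL in a class-map only classifies: a packet hitting the implicit deny
    is not dropped, it falls through to class-default, which is unpoliced here.
    """
    line1 = src == NMS and dst == R1 and dport == SNMP   # ... host 10.0.1.2 eq snmp
    line2 = src == NMS and sport == SNMP and dst == R1   # ... eq snmp host 10.0.1.2
    hit = line1 or (option == "A" and line2)             # option D has line 1 only
    return "CoPP-management" if hit else "class-default"

@dataclass
class Policer:
    """Single-rate, two-bucket policer (conform / exceed / violate)."""
    violate_action: str            # "drop" in option A, "transmit" in option D
    cir_bps: int = 8000            # police 8000
    bc: int = 1500                 # assumed conform burst in bytes
    be: int = 1500                 # assumed excess burst in bytes

    def __post_init__(self):
        self.tc, self.te, self.last = float(self.bc), float(self.be), 0.0

    def offer(self, now, size):
        tokens = (now - self.last) * self.cir_bps / 8    # bytes earned since last packet
        self.last = now
        spill = max(0.0, self.tc + tokens - self.bc)     # overflow feeds the excess bucket
        self.tc = min(self.bc, self.tc + tokens)
        self.te = min(self.be, self.te + spill)
        if self.tc >= size:                              # conform-action transmit
            self.tc -= size
            return "transmit"
        if self.te >= size:                              # exceed-action transmit
            self.te -= size
            return "transmit"
        return self.violate_action                       # the only point where A and D differ

def delivered(violate_action, pps, seconds=10, size=100):
    """Packets of `size` bytes that reach the route processor at a steady rate."""
    p = Policer(violate_action)
    return sum(p.offer(i / pps, size) == "transmit" for i in range(pps * seconds))

if __name__ == "__main__":
    for name, action in (("A", "drop"), ("D", "transmit")):
        print(name, "poll 5 pps:", delivered(action, 5), "burst 1000 pps:", delivered(action, 1000))
```

On a router, the same conform, exceed and violate packet counters are what `show policy-map control-plane` (option E) reports for the class.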