Refer to the exhibit. Which configuration set implements Control Plane Policing for SSH and Telnet?
A.
B.
C.
D.
Exam 350-401 All QuestionsBrowse all questions from this exam
Question 520
Correct Answer:
The correct answer is D. Control Plane Policing (CoPP) is used to manage traffic that is directed to the router's control plane, and it requires applying a service policy in the input direction to manage incoming traffic. In configuration option D, 'class-map match-any class-control' is used to match access-group 100 (telnet) or 101 (SSH), and the 'service-policy input CoPP' command correctly applies the policy to incoming traffic. This setup correctly filters and controls Telnet and SSH traffic entering the control plane based on the specified access control lists.
Discussion
Caledonia
The right answer is D
onkel_andi
Correct answer is D
KZM
It is D. Control Plane Policing (CoPP) is configured to control traffic entering the router, so the service-policy should be applied to the input direction. So, think out option A and B. Option C is incorrect because the class-map "class-telnet-ssh" has not been defined, only "class-telnet" and "class-ssh" have been configured. Therefore, the policy will not have any effect on the router. Hence, the correct answer is option D, which makes sense in the configuration.
CKL_SG
Answer is D R8(config)#class-map type ? control Configure a control policy class-map inspect Configure Firewall Class Map Inspect is to configure firewall class map R8(config)#class-map ? WORD class-map name match-all Logical-AND all matching statements under this classmap match-any Logical-OR all matching statements under this classmap https://community.cisco.com/t5/switching/class-map-match-all-or-match-any-exact-difference/td-p/783620 match-all (Optional) Matches all match criteria in the class map. match-any (Optional) Matches one or more match criteria.
SeMo0o0o
D is correct
SeMo0o0o
keywords: class-map match-any class-control service-policy input CoPP
slacker_at_work
Answer D CSR01(config)#ip access-list extended 100 CSR01(config-ext-nacl)#10 permit tcp any any eq telnet CSR01(config-ext-nacl)#ip access-list extended 101 CSR01(config-ext-nacl)#10 permit tcp any any eq 22 CSR01(config-ext-nacl)#exit CSR01(config)#class-map match-any class-control CSR01(config-cmap)#match access-group 100 CSR01(config-cmap)#match access-group 101 CSR01(config-cmap)#exit CSR01(config)#policy-map CoPP CSR01(config-pmap)#class class-control CSR01(config-pmap-c)#police 1000000 conform-action transmit CSR01(config-pmap-c-police)#exit CSR01(config-pmap-c)#exit CSR01(config-pmap)#exit CSR01(config)#control-plane CSR01(config-cp)#service-policy input CoPP CSR01(config-cp)#^Z CSR01# CSR01#show policy-map CoPP Policy Map CoPP Class class-control police cir 1000000 bc 31250 conform-action transmit exceed-action drop CSR01#
olaniyijt
D is the right answer
Sammy3637
D is correct
forccnp
D is correct!!!!!
MO_2022
D is correct
IgorLVG
this question is Tricky, the requirement is telnet and ssh conrol, but you use or telnet or ssh so you need mach-any
AMK2ENG
The right answer is D
CCNPWILL
D is the correct answer folks.
j8fx
Definitely D
HarwinderSekhon
class map type-inspect is used in Zone Based firewall config for IOS. D is the answer.
massimp
Don't know why i can't choose the answer here, but it is D for sure.
xuanluo
if u select A, the warning XXX type inspect is not allowed in policy-map copp of type default; if u select D, match-any means OR not AND The B sounds better, because match-all means logical AND
JackDRipper
For answer B, every packet needs to be both telnet and SSH to go through CoPP, which is improbable, if not impossible. D is correct. CoPP is triggered when either a telnet or SSH packet comes in, which is what I take the question is talking about.