nerdexam
Cisco

200-150 · Question #162

Refer to the exhibit. What is the result of the configuration?

The correct answer is D. Traffic that originates from subnet 190.169.100.0/24 fails to again terminal access to the switch.. A standard ACL applied to VTY lines with 'access-class' permits only matched subnets for terminal access, with an implicit deny blocking all other sources including the subnet referenced in choice D.

Cisco Data Center Networking Technologies

Question

Refer to the exhibit. What is the result of the configuration?

Exhibit

200-150 question #162 exhibit

Options

  • ATraffic that originates from subnet 192.168.100.0/24 is denied access through the switch.
  • BOnly traffic that originates from subnet 192.168.100.0/24 can gain terminal access to the switch.
  • CACL 1 allows TCP traffic that originates from subnet 192.168.100.0/24 gain access to the switch.
  • DTraffic that originates from subnet 190.169.100.0/24 fails to again terminal access to the switch.

How the community answered

(30 responses)
  • A
    10% (3)
  • B
    3% (1)
  • C
    3% (1)
  • D
    83% (25)

Why each option

A standard ACL applied to VTY lines with 'access-class' permits only matched subnets for terminal access, with an implicit deny blocking all other sources including the subnet referenced in choice D.

ATraffic that originates from subnet 192.168.100.0/24 is denied access through the switch.

ACL 1 explicitly permits traffic from 192.168.100.0/24, so that subnet is allowed terminal access - not denied - by the access-class configuration on the VTY lines.

BOnly traffic that originates from subnet 192.168.100.0/24 can gain terminal access to the switch.

While 192.168.100.0/24 is the only permitted source, the most precise and testable result of the configuration is what happens to non-matching traffic; additionally, without confirming all VTY lines are covered, 'only' is too absolute a qualifier.

CACL 1 allows TCP traffic that originates from subnet 192.168.100.0/24 gain access to the switch.

ACL 1 is a standard IP ACL that matches solely on source IP address - it does not specify TCP or any other protocol; only extended ACLs can match on Layer 4 protocol, and access-class applies a standard ACL to VTY sessions.

DTraffic that originates from subnet 190.169.100.0/24 fails to again terminal access to the switch.Correct

The configuration applies ACL 1 - which permits only the 192.168.100.0/24 subnet - to the VTY lines using the 'access-class' command. Because Cisco ACLs terminate with an implicit deny-all, any traffic from a non-matching subnet such as 190.169.100.0/24 fails to match the permit entry and is blocked from gaining terminal access to the switch.

Concept tested: Standard ACL access-class on VTY lines

Source: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_acl/configuration/xe-16/sec-data-acl-xe-16-book/sec-create-ip-apply.html

Topics

#access control list#VTY terminal access#switch security#ACL filtering

Community Discussion

No community discussion yet for this question.

Full 200-150 Practice