Cisco


300-415 Question #443: Real Exam Question with Answer & Explanation

The correct answer is A: sdwan interface GigabitEthernet0/0/1 allow-service sshd. To enable secure command line access for in-band management on an SD-WAN interface, the allow-service sshd command should be used.

Security and Quality of Service

Question

Refer to the exhibit. An engineer is enabling command line access via MPLS for in-band management. Which command completes the partial SD-WAN interface configuration with the highest degree of security?

Options

  • A. sdwan interface GigabitEthernet0/0/1 allow-service sshd
  • B. sdwan interface GigabitEthernet0/0/1 allow-service https
  • C. sdwan interface GigabitEthernet0/0/1 allow-service icmp
  • D. sdwan interface GigabitEthernet0/0/1 allow-service all

Explanation

To enable secure command line access for in-band management on an SD-WAN interface, the allow-service sshd command should be used.

Common mistakes.

  • B. allow-service https enables web-based graphical user interface (GUI) access, not command-line access.
  • C. allow-service icmp allows Internet Control Message Protocol (ICMP) for diagnostic purposes like ping, not for command-line management.
  • D. allow-service all enables all possible services, which significantly reduces the security posture by exposing unnecessary services and increasing the attack surface.

Concept tested. SD-WAN interface allow-service configuration for secure management

Reference. https://www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/sdwan-xe-gs-cr-book/sdwan-interfaces.html
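
The least-privilege reasoning in the explanation can be checked against a saved configuration. The following Python audit is an added example, not part of the original page or of any Cisco tooling; the sample configuration, the second interface and the function names are constructed for illustration, and the script reads only explicit allow-service lines without modelling platform defaults.

```python
import re

# Constructed sample in the hierarchical sdwan layout; not the exam exhibit.
SAMPLE_CONFIG = """\
sdwan
 interface GigabitEthernet0/0/0
  tunnel-interface
   color biz-internet
   allow-service all
  exit
 interface GigabitEthernet0/0/1
  tunnel-interface
   color mpls
   no allow-service all
   no allow-service https
   allow-service icmp
   allow-service sshd
  exit
"""

def allowed_services(config):
    """Map each sdwan interface to the services its explicit allow-service lines enable."""
    result, current, in_sdwan = {}, None, False
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw.startswith(" "):      # top-level line: entering or leaving 'sdwan'
            in_sdwan = (line == "sdwan")
            current = None
            continue
        if not in_sdwan:
            continue
        m = re.fullmatch(r"interface (\S+)", line)
        if m:
            current = result.setdefault(m.group(1), set())
            continue
        m = re.fullmatch(r"(no )?allow-service (\S+)", line)
        if m and current is not None:
            # 'no allow-service X' removes X; 'allow-service X' adds it
            (current.discard if m.group(1) else current.add)(m.group(2))
    return result

def audit(config, needed=frozenset({"sshd"})):
    """Return {interface: sorted services enabled beyond the needed set}."""
    found = allowed_services(config)
    return {i: sorted(s - needed) for i, s in found.items() if s - needed}
```

Calling audit(SAMPLE_CONFIG) reports every interface that permits more than sshd, so an interface left at allow-service all stands out immediately.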

Topics

#SD-WAN Interface Configuration  #In-band Management  #Security Best Practices  #SSH
