300-415 Question #444: Real Exam Question with Answer & Explanation
The correct answer is A: permit tcp any eq 23456 any / permit udp any eq 12446 any / permit tcp any eq 23556 any. Cisco SD-WAN control connections run DTLS over UDP and TLS over TCP on a small set of well-known ports, and an access list that admits controller traffic should permit exactly those ports with individual eq entries rather than broad port ranges.
Security and Quality of Service
Question
Which three commands correctly configure an access list entry to permit control connections from SD-WAN controllers while blocking non-control connections?
Options
- A. permit tcp any eq 23456 any
     permit udp any eq 12446 any
     permit tcp any eq 23556 any
- B. permit udp any range 12346 12446 any
     permit tcp any range 23456 23556 any
- C. permit tcp any range 12346 12446 any
     permit udp any range 23456 23556 any
- D. permit udp any range 12346 12446 any
     permit tcp any range 23456 23756 any
Explanation
Cisco SD-WAN control connections use DTLS over UDP and TLS over TCP on specific ports, and the access list must permit precisely those ports so that controller traffic is accepted while everything else falls through to the implicit deny at the end of the list. Two practical points apply when writing these entries: in IOS extended ACL syntax the port operator placed after the source address (permit tcp any eq 23456 any) matches the source port, which is how the question frames the entries; and the ports a given device actually uses depend on port hopping and any configured port offset, so confirm them on the device with show control local-properties (vEdge) or show sdwan control local-properties (IOS XE) before committing the ACL.
Common mistakes.
- B. The ranges 12346 12446 (UDP) and 23456 23556 (TCP) permit every port in between, including ports that no control connection uses, so unintended traffic can pass.
- C. Assigns the UDP range to TCP and the TCP range to UDP. DTLS runs over UDP and TLS over TCP, so none of the control connections would match these entries.
- D. Uses ranges instead of individual eq entries, and the TCP range 23456 23756 admits every port between those values, which is broader than the question asks for and less precise than listing the required ports one by one.
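To make the eq-versus-range distinction concrete, the script below is an added example, not part of the original question or of any Cisco tooling. It parses the source-port form of the entries used in the four options (permit <proto> any eq|range <ports> any), evaluates a flow against each option as a first-match list with an implicit deny, and reports which default control-plane ports each option permits. The default port tuples are the documented Cisco SD-WAN base ports with port hopping and port offset 0; a configured port offset shifts them, which is an assumption the constants do not model, so verify the live ports on the device before relying on any of this.

```python
"""Evaluate IOS-style ACL entries against Cisco SD-WAN control-plane ports.

Added example for this question; it is not Cisco code. The ACE syntax it
understands is deliberately limited to the source-port form used in the
options: 'permit <tcp|udp> any eq <port> any' or
'permit <tcp|udp> any range <low> <high> any'.
"""
import re
from dataclasses import dataclass

# Default control-plane ports with port hopping enabled and port offset 0.
# Assumption: a non-zero port offset (1-19) shifts these and is not modelled.
DTLS_UDP_PORTS = (12346, 12366, 12386, 12406, 12426)
TLS_TCP_PORTS = (23456, 23556, 23656, 23756, 23856)

ACE_RE = re.compile(
    r"^permit\s+(tcp|udp)\s+any\s+(?:eq\s+(\d+)|range\s+(\d+)\s+(\d+))\s+any$"
)


@dataclass(frozen=True)
class Ace:
    """One access-list entry: protocol plus an inclusive source-port interval."""
    proto: str
    low: int
    high: int

    def matches(self, proto: str, port: int) -> bool:
        return proto == self.proto and self.low <= port <= self.high


def parse_ace(line: str) -> Ace:
    """Parse one ACE; 'eq' becomes a one-port interval, 'range' a wider one."""
    m = ACE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported ACE syntax: {line!r}")
    proto, eq, lo, hi = m.groups()
    if eq is not None:
        return Ace(proto, int(eq), int(eq))
    low, high = int(lo), int(hi)
    if low > high:
        raise ValueError(f"range low > high in: {line!r}")
    return Ace(proto, low, high)


def parse_acl(lines):
    return [parse_ace(line) for line in lines]


def permits(acl, proto: str, port: int) -> bool:
    """First-match semantics with only permit entries and an implicit deny:
    the flow is allowed exactly when some entry matches it."""
    return any(ace.matches(proto, port) for ace in acl)


def coverage(acl):
    """Which default DTLS (UDP) and TLS (TCP) control ports this ACL admits."""
    return {
        "dtls_udp": [p for p in DTLS_UDP_PORTS if permits(acl, "udp", p)],
        "tls_tcp": [p for p in TLS_TCP_PORTS if permits(acl, "tcp", p)],
    }


# The four options exactly as they appear in the question.
OPTIONS = {
    "A": ["permit tcp any eq 23456 any",
          "permit udp any eq 12446 any",
          "permit tcp any eq 23556 any"],
    "B": ["permit udp any range 12346 12446 any",
          "permit tcp any range 23456 23556 any"],
    "C": ["permit tcp any range 12346 12446 any",
          "permit udp any range 23456 23556 any"],
    "D": ["permit udp any range 12346 12446 any",
          "permit tcp any range 23456 23756 any"],
}


if __name__ == "__main__":
    for name, lines in OPTIONS.items():
        acl = parse_acl(lines)
        # tcp/23 stands in for a non-control flow that the list must block.
        print(name, coverage(acl), "tcp/23 permitted:", permits(acl, "tcp", 23))
```

Running it shows why option C admits nothing (the protocols are swapped), why the range entries in B and D admit every intermediate port rather than only the listed ones, and that none of the options lets a non-control flow such as tcp/23 through. It also makes visible that eq 12446 in option A does not coincide with any of the default DTLS ports, which is exactly the kind of discrepancy the show control local-properties check is meant to catch before the ACL is deployed.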
Concept tested. Cisco SD-WAN control plane port numbers for access lists
Topics
#SD-WAN Control Plane #Access Lists #Port Numbers #Network Security