350-401 · Question #1121
An engineer must configure interface and sensor monitoring on a router. The NMS server is located in a trusted zone with IP address 10.15.2.19. Communication between the router and the NMS server must
The correct answer is B. ip access-list standard nms. To secure SNMP monitoring with encryption and restrict access to a single NMS server, a standard access list is used to permit the specific NMS IP address, coupled with SNMPv3 configuration for authentication and privacy.
Question
An engineer must configure interface and sensor monitoring on a router. The NMS server is located in a trusted zone with IP address 10.15.2.19. Communication between the router and the NMS server must be encrypted and password-protected using the most secure algorithms. Access must be allowed only for the NMS server and with the minimum permission levels needed. Which configuration must the engineer apply?
Options
- Aip access-list extended nms
- Bip access-list standard nms
- Cip access-list standard nms
- Dip access-list standard nms
How the community answered
(22 responses)- A5% (1)
- B82% (18)
- C5% (1)
- D9% (2)
Why each option
To secure SNMP monitoring with encryption and restrict access to a single NMS server, a standard access list is used to permit the specific NMS IP address, coupled with SNMPv3 configuration for authentication and privacy.
An extended IP access list (Choice A) offers more granular control, including protocol and port filtering, but is unnecessarily complex when the only requirement for access control is filtering by source IP, making a standard ACL more suitable.
Choice B initiates a standard IP access list, which is the appropriate and most efficient method to restrict SNMP access solely based on the source IP address of the NMS server (10.15.2.19), satisfying the access control requirement for minimum complexity.
While initiating a standard access list like Choice B, Choice C implicitly represents an incomplete or incorrect subsequent configuration for permitting the specific NMS server IP address, as Choice B is identified as the solely correct answer.
Similar to Choice C, Choice D implies an incomplete or incorrect configuration for filtering the NMS server's IP address, as it fails to represent the full and correct command sequence present in Choice B for securing SNMP access.
Concept tested: SNMPv3 security and ACL application for NMS access
Source: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/snmp/configuration/xe-16/snmp-xe-16-book/snmp-cfg-snmp-v3.html
Topics
Community Discussion
No community discussion yet for this question.