nerdexam
Cisco

350-401 · Question #1127

Refer to the exhibit. An engineer must configure router R1 to allow only NETCONF connections from the management VLAN. Which command completes this configuration?

The correct answer is B. R1(config)# netconf-yang ipv4 access-list name netconfacl. To restrict NETCONF connections to a router from a specific management VLAN, a dedicated command netconf-yang ipv4 access-list name is used to apply an access list directly to the NETCONF-YANG service.

Submitted by femi9· Mar 6, 2026Automation

Question

Refer to the exhibit. An engineer must configure router R1 to allow only NETCONF connections from the management VLAN. Which command completes this configuration?

Exhibits

350-401 question #1127 exhibit 1
350-401 question #1127 exhibit 2

Options

  • AR1(config-if)# ip access-group netconfacl in
  • BR1(config)# netconf-yang ipv4 access-list name netconfacl
  • CR1(config)#ip http secure-server
  • DR1(config-if)#ip access-group netconfacl out

How the community answered

(47 responses)
  • A
    2% (1)
  • B
    83% (39)
  • C
    11% (5)
  • D
    4% (2)

Why each option

To restrict NETCONF connections to a router from a specific management VLAN, a dedicated command `netconf-yang ipv4 access-list name` is used to apply an access list directly to the NETCONF-YANG service.

AR1(config-if)# ip access-group netconfacl in

The command `ip access-group netconfacl in` applies an access list to a specific interface for inbound traffic, which is a general packet filtering method but not the direct, service-specific way to control access to the NETCONF-YANG agent itself.

BR1(config)# netconf-yang ipv4 access-list name netconfaclCorrect

The command `netconf-yang ipv4 access-list name netconfacl` is the specific global configuration command used on Cisco IOS XE devices to apply an IPv4 access list named `netconfacl` directly to the NETCONF-YANG service, thereby restricting incoming NETCONF connections to only those permitted by the ACL.

CR1(config)#ip http secure-server

The command `ip http secure-server` enables the HTTPS server for web-based management access (e.g., GUI), and does not pertain to securing NETCONF connections.

DR1(config-if)#ip access-group netconfacl out

The command `ip access-group netconfacl out` applies an access list to a specific interface for outbound traffic, which is incorrect for restricting incoming NETCONF connections.

Concept tested: NETCONF-YANG access control using ACLs

Source: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/prog/configuration/178/b_prog_xe_178_cg/configure_netconf_yang.html

Topics

#NETCONF#YANG#management plane ACL#netconf-yang

Community Discussion

No community discussion yet for this question.

Full 350-401 Practice