350-401 · Question #1211
A customer deployed an ISE solution that allows for web authentication and URL redirect enforced from the access layer. Due to control plane security concerns, only host IP 10.0.1.25 should have HTTP
The correct answer is A. ip access-list extended HOST-ACL 10 permit host 10.0.1.25 any 20 deny any any ip http server ip http secure-server ip http secure-active-session-modules none ip http active-session-modules none ip http access-class HOST-ACL. Option A is correct because it uses an extended ACL (HOST-ACL) to permit only host 10.0.1.25 HTTP/HTTPS access and denies all others, then applies this ACL directly to the HTTP server using 'ip http access-class HOST-ACL'. This is the proper Cisco IOS mechanism to restrict manage
Question
A customer deployed an ISE solution that allows for web authentication and URL redirect enforced from the access layer. Due to control plane security concerns, only host IP 10.0.1.25 should have HTTP access to these switches. Which configuration must be applied to the switches? A. B. C. D.
Exhibits
Options
- Aip access-list extended HOST-ACL 10 permit host 10.0.1.25 any 20 deny any any ip http server ip http secure-server ip http secure-active-session-modules none ip http active-session-modules none ip http access-class HOST-ACL
- Bip access-list standard 10 permit 10.0.1.25 0.0.0.0 ip http server ip http secure-server ip http secure-active-session-modules none ip http access-class 10
- Cip access-list standard 10 deny 10.0.1.25 0.0.0.0 permit any ip http server ip http secure-server class-map CoPP_Class match access_group 10 policy-map CoPP_Policy class CoPP_Class police 100000 conform-action permit exceed-action drop violate-action drop control-plane service-policy input CoPP_Policy
- Dip access-list extended HOST-ACL 10 permit host 10.0.1.25 any 20 deny any any no ip http server ip http secure-server class-map CoPP_Class match access_group HOST-ACL policy-map CoPP_Policy class CoPP_Class police 100000 conform-action permit exceed-action drop violate-action drop control-plane service-policy input CoPP_Policy
How the community answered
(42 responses)- A62% (26)
- B19% (8)
- C14% (6)
- D5% (2)
Explanation
Option A is correct because it uses an extended ACL (HOST-ACL) to permit only host 10.0.1.25 HTTP/HTTPS access and denies all others, then applies this ACL directly to the HTTP server using 'ip http access-class HOST-ACL'. This is the proper Cisco IOS mechanism to restrict management HTTP/HTTPS access to the switch's web server, which is required for ISE web authentication and URL redirection. Both 'ip http server' and 'ip http secure-server' are enabled (required for ISE WebAuth), and the session modules are set to 'none' to ensure only ISE-related web sessions are handled.
Topics
Community Discussion
No community discussion yet for this question.







