350-401 · Question #1271
Which configuration creates a CoPP policy that provides unlimited SSH access from client 10.0.0.5 and denies access from all other SSH clients? A. B. C. D.
The correct answer is A. access-list 100 deny tcp host 10.0.0.5 any eq 22 access-list 100 permit tcp any any eq 22 ! class-map match-all telnet_copp match access-group 100 ! policy-map CoPP class telnet_copp drop ! control-plane service-policy input CoPP !. Option A is correct because in CoPP, ACL entries with deny cause traffic to not match the class-map, meaning that traffic bypasses the policy and reaches the control plane unrestricted. By placing deny tcp host 10.0.0.5 first, SSH from 10.0.0.5 is excluded from the class - giving
Question
Exhibits
Options
- Aaccess-list 100 deny tcp host 10.0.0.5 any eq 22 access-list 100 permit tcp any any eq 22 ! class-map match-all telnet_copp match access-group 100 ! policy-map CoPP class telnet_copp drop ! control-plane service-policy input CoPP !
- Baccess-list 100 permit tcp any any eq 22 access-list 100 deny tcp host 10.0.0.5 any eq 22 ! class-map match-all telnet_copp match access-group 100 ! policy-map CoPP class telnet_copp police 8000 ! control-plane service-policy input CoPP !
- Caccess-list 100 permit tcp host 10.0.0.5 any eq 22 access-list 100 deny tcp any any eq 22 ! class-map match-all telnet_copp match access-group 100 ! policy-map CoPP class telnet_copp police 8000 ! control-plane service-policy input CoPP !
- Daccess-list 100 permit tcp host 10.0.0.5 any eq 22 access-list 100 deny tcp any any eq 22 ! class-map match-all telnet_copp match access-group 100 ! policy-map CoPP class telnet_copp drop ! control-plane service-policy input CoPP !
How the community answered
(26 responses)- A62% (16)
- B12% (3)
- C23% (6)
- D4% (1)
Explanation
Option A is correct because in CoPP, ACL entries with deny cause traffic to not match the class-map, meaning that traffic bypasses the policy and reaches the control plane unrestricted. By placing deny tcp host 10.0.0.5 first, SSH from 10.0.0.5 is excluded from the class - giving it unlimited access - while all other SSH traffic matches the permit entry, gets classified, and is then dropped by the policy.
Option B fails because the permit any any eq 22 line is first, so it matches all SSH including 10.0.0.5 before the deny can be evaluated; additionally, police 8000 rate-limits rather than drops, so other SSH clients aren't fully denied.
Option C is doubly wrong: it classifies 10.0.0.5 (rate-limiting it with police 8000 instead of allowing unlimited access) and leaves all other SSH clients unclassified, so they flow unrestricted to the control plane.
Option D has the correct ACL logic from Option A's perspective but applies drop to 10.0.0.5's traffic (since it's the one that matches the permit line), which blocks the host that should have unlimited access while inadvertently allowing everyone else.
Memory tip: Think of CoPP ACL logic as inverted intent - a deny in the ACL means "don't classify this traffic, let it pass freely," while a permit means "classify it and apply the policy action (drop/police)." If you want to protect a trusted host, deny it in the ACL.
Topics
Community Discussion
No community discussion yet for this question.

