nerdexam
Cisco

350-401 · Question #286

Which configuration restricts the amount of SSH traffic that a router accepts to 100 kbps? A. B. C. D.

The correct answer is C. class-map match-all CoPP_SSH match access-group name CoPP_SSH ! policy-map CoPP_SSH class CoPP_SSH police cir 100000 exceed-action drop ! ! control-plane service-policy input CoPP_SSH ! ip access-list extended CoPP_SSH permit tcp any any eq 22. Option C is correct because Control Plane Policing (CoPP) must be applied to the 'control-plane' (host) subinterface, not a physical interface, to protect the router's CPU from excessive traffic destined for the router itself (such as SSH management traffic). The ACL correctly us

Submitted by wei.xz· Mar 6, 2026Infrastructure Security – Implementing and verifying Control Plane Policing (CoPP) to protect the router control plane from excessive or malicious traffic, typically mapped to Cisco CCNP Enterprise or CCNA Security exam objectives.

Question

Which configuration restricts the amount of SSH traffic that a router accepts to 100 kbps? A. B. C. D.

Exhibits

350-401 question #286 exhibit 1
350-401 question #286 exhibit 2
350-401 question #286 exhibit 3
350-401 question #286 exhibit 4
350-401 question #286 exhibit 5
350-401 question #286 exhibit 6
350-401 question #286 exhibit 7
350-401 question #286 exhibit 8

Options

  • Aclass-map match-all CoPP_SSH match access-group name CoPP_SSH ! policy-map CoPP_SSH class CoPP_SSH police cir 100000 exceed-action drop ! ! interface GigabitEthernet0/1 ip address 209.165.200.225 255.255.255.0 ip access-group EGRESS out service-policy input CoPP_SSH ! ip access-list extended CoPP_SSH permit tcp any any eq 22
  • Bclass-map match-all CoPP_SSH match access-group name CoPP_SSH ! policy-map CoPP_SSH class CoPP_SSH police cir 100000 exceed-action drop ! ! interface GigabitEthernet0/1 ip address 209.165.200.225 255.255.255.0 ip access-group EGRESS out service-policy input CoPP_SSH ! ip access-list extended CoPP_SSH deny tcp any any eq 22
  • Cclass-map match-all CoPP_SSH match access-group name CoPP_SSH ! policy-map CoPP_SSH class CoPP_SSH police cir 100000 exceed-action drop ! ! control-plane service-policy input CoPP_SSH ! ip access-list extended CoPP_SSH permit tcp any any eq 22
  • Dclass-map match-all CoPP_SSH match access-group name CoPP_SSH ! policy-map CoPP_SSH class CoPP_SSH police cir 100000 exceed-action drop ! ! control-plane transit service-policy input CoPP_SSH ! ip access-list extended CoPP_SSH permit tcp any any eq 22

How the community answered

(32 responses)
  • A
    13% (4)
  • B
    6% (2)
  • C
    59% (19)
  • D
    22% (7)

Explanation

Option C is correct because Control Plane Policing (CoPP) must be applied to the 'control-plane' (host) subinterface, not a physical interface, to protect the router's CPU from excessive traffic destined for the router itself (such as SSH management traffic). The ACL correctly uses 'permit tcp any any eq 22' to match SSH traffic, and the policy-map polices it at 100 kbps (100,000 bps CIR) with an exceed-action of drop.

Topics

#Control Plane Policing#CoPP#QoS Policy-Map#Infrastructure Security

Community Discussion

No community discussion yet for this question.

Full 350-401 Practice