nerdexam
Cisco

350-401 · Question #626

Refer to the exhibit. Which commands are required to allow SSH connection to the router? A. B. C. D.

The correct answer is B. Router(config)#access-list 100 permit tcp any eq 22 Router(config)#class-map class-ssh Router(config-cmap)#match access-group 10 Router(config)#policy-map CoPP Router(config-pmap)#class class-ssh Router(config-pmap-c)#police 100000 conform-action transmit. Option B is correct because it properly configures a Control Plane Policing (CoPP) policy for SSH traffic: it uses a named extended ACL (100) matching TCP traffic on port 22, creates a class-map that references ACL 100, and correctly structures the policy-map with the class defin

Submitted by minji_kr· Mar 6, 2026Infrastructure Security - Implement and configure Control Plane Policing (CoPP) to protect router management plane access, specifically for SSH traffic classification and rate-limiting (CCNP/CCIE Security or CCNP Enterprise)

Question

Refer to the exhibit. Which commands are required to allow SSH connection to the router? A. B. C. D.

Exhibits

350-401 question #626 exhibit 1
350-401 question #626 exhibit 2
350-401 question #626 exhibit 3
350-401 question #626 exhibit 4
350-401 question #626 exhibit 5
350-401 question #626 exhibit 6
350-401 question #626 exhibit 7
350-401 question #626 exhibit 8
350-401 question #626 exhibit 9
350-401 question #626 exhibit 10

Options

  • ARouter(config)#access-list 100 permit udp any eq 22 Router(config)#access-list 101 permit tcp any eq 22 Router(config)#class-map class-ssh Router(config-cmap)#match access-group 101 Router(config)#policy-map CoPP Router(config-pmap)#police 100000 conform-action transmit
  • BRouter(config)#access-list 100 permit tcp any eq 22 Router(config)#class-map class-ssh Router(config-cmap)#match access-group 10 Router(config)#policy-map CoPP Router(config-pmap)#class class-ssh Router(config-pmap-c)#police 100000 conform-action transmit
  • CRouter(config)#access-list 10 permit tcp any eq 22 Router(config)#class-map class-ssh Router(config-cmap)#match access-group 10 Router(config)#policy-map CoPP Router(config-pmap)#class class-ssh Router(config-pmap-c)#police 100000 conform-action transmit
  • DRouter(config)#access-list 100 permit tcp any eq 22 Router(config)#access-list 101 permit tcp any eq 22 Router(config)#class-map class-ssh Router(config-cmap)#match access-group 101 Router(config)#policy-map CoPP Router(config-pmap)#class class-ssh Router(config-pmap-c)#police 100000 conform-action transmit

How the community answered

(39 responses)
  • A
    26% (10)
  • B
    56% (22)
  • C
    8% (3)
  • D
    10% (4)

Explanation

Option B is correct because it properly configures a Control Plane Policing (CoPP) policy for SSH traffic: it uses a named extended ACL (100) matching TCP traffic on port 22, creates a class-map that references ACL 100, and correctly structures the policy-map with the class defined inside the policy-map context before applying the police action. The critical elements are using TCP (not UDP) for SSH, correctly referencing the ACL number in the class-map, and including the 'class class-ssh' line within the policy-map before the police statement.

Topics

#Control Plane Policing (CoPP)#SSH Security#Access Control Lists#QoS Policy-Map

Community Discussion

No community discussion yet for this question.

Full 350-401 Practice