350-401 · Question #685
Question
Which configuration creates a CoPP policy that provides unlimited SSH access from client 10.0.0.5 and denies access from all other SSH clients?
Options
- A.
  ```
  access-list 100 permit tcp any any eq 22
  access-list 100 deny tcp host 10.0.0.5 any eq 22
  !
  class-map match-all telnet_copp
   match access-group 100
  !
  policy-map CoPP
   class telnet_copp
    police 8000
  !
  control-plane
   service-policy input CoPP
  !
  ```
- B.
  ```
  access-list 100 deny tcp host 10.0.0.5 any eq 22
  access-list 100 permit tcp any any eq 22
  !
  class-map match-all telnet_copp
   match access-group 100
  !
  policy-map CoPP
   class telnet_copp
    drop
  !
  control-plane
   service-policy input CoPP
  !
  ```
- C.
  ```
  access-list 100 permit tcp host 10.0.0.5 any eq 22
  access-list 100 deny tcp any any eq 22
  !
  class-map match-all telnet_copp
   match access-group 100
  !
  policy-map CoPP
   class telnet_copp
    drop
  !
  control-plane
   service-policy input CoPP
  !
  ```
- D.
  ```
  access-list 100 permit tcp host 10.0.0.5 any eq 22
  access-list 100 deny tcp any any eq 22
  !
  class-map match-all telnet_copp
   match access-group 100
  !
  policy-map CoPP
   class telnet_copp
    police 8000
  !
  control-plane
   service-policy input CoPP
  !
  ```
Explanation
Important Note: The Stated Correct Answer Appears to Be Incorrect
Based on standard Cisco CoPP (Control Plane Policing) and MQC (Modular QoS CLI) behavior, Option B is the correct answer, not C. Here's why:
How match access-group Works in CoPP
Traffic permitted by the ACL → classified into the class → policy action applied
Traffic denied by the ACL → NOT in the class → passes through (unlimited)
Why Option B Is Actually Correct
deny host 10.0.0.5 → 10.0.0.5 SSH is NOT classified → passes through (unlimited ✓)
permit any → all other SSH IS classified → action: DROP ✓
This achieves the goal: unlimited for 10.0.0.5, dropped for everyone else.
Why Option C Is Wrong (Despite Being Listed as Correct)
permit host 10.0.0.5 → 10.0.0.5 SSH IS classified → action: DROP ✗
deny any → other SSH is NOT classified → passes through ✗
Option C does the opposite of the requirement — it drops 10.0.0.5 and passes all others.
Why the Other Options Fail
| Option | Problem |
|---|---|
| A | Police 8000 bps (rate-limit) instead of drop; ACL order also matches wrong traffic |
| B | Actually correct (see above) |
| C | Classifies 10.0.0.5 SSH for DROP, passes all others — backwards |
| D | Same ACL as C, but police instead of drop — still backwards |
Memory Tip
CoPP classifies traffic you want to HURT, not traffic you want to HELP. Put the ALLOWED host in the ACL's deny line (so it misses the class and passes freely). Put everyone else in a permit line (so they get classified and dropped).
This question as written contains an error — if you see it on a real exam, Option B is the defensible answer based on Cisco documentation.
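To check the reasoning above mechanically, here is an added example (not from the question bank or Cisco) that models `match access-group` classification: a permit hit puts the packet in the class and the class action applies, a deny hit or the implicit deny leaves it in class-default and it passes unpoliced. The ACL text is taken from the four options; the router address 10.0.0.1 and the "other client" 192.0.2.9 are constructed test values.

```python
import re

# ACL text and class action for each option, as constructed from the question.
OPTIONS = {
    "A": ("access-list 100 permit tcp any any eq 22\n"
          "access-list 100 deny tcp host 10.0.0.5 any eq 22", "police"),
    "B": ("access-list 100 deny tcp host 10.0.0.5 any eq 22\n"
          "access-list 100 permit tcp any any eq 22", "drop"),
    "C": ("access-list 100 permit tcp host 10.0.0.5 any eq 22\n"
          "access-list 100 deny tcp any any eq 22", "drop"),
    "D": ("access-list 100 permit tcp host 10.0.0.5 any eq 22\n"
          "access-list 100 deny tcp any any eq 22", "police"),
}

ACE = re.compile(r"access-list \d+ (permit|deny) tcp (host \S+|any) (host \S+|any) eq (\d+)")


def _addr_matches(spec: str, addr: str) -> bool:
    return spec == "any" or spec == f"host {addr}"


def in_class(acl: str, src: str, dst: str, dport: int) -> bool:
    """First-match ACL walk: a permit hit places the packet in the class;
    a deny hit, or the implicit deny at the end, keeps it out of the class."""
    for line in acl.splitlines():
        m = ACE.fullmatch(line.strip())
        if m is None:
            raise ValueError(f"unsupported ACE: {line!r}")
        action, s, d, port = m.groups()
        if _addr_matches(s, src) and _addr_matches(d, dst) and int(port) == dport:
            return action == "permit"
    return False


def verdict(acl: str, class_action: str, src: str, dst: str = "10.0.0.1") -> str:
    """'drop'/'police' when the SSH packet lands in the class, else 'pass'
    (class-default, forwarded to the control plane with no policing)."""
    return class_action if in_class(acl, src, dst, 22) else "pass"


def meets_requirement(acl: str, class_action: str) -> bool:
    """Unlimited SSH from 10.0.0.5, dropped for any other client (192.0.2.9 is a constructed example)."""
    return (verdict(acl, class_action, "10.0.0.5") == "pass"
            and verdict(acl, class_action, "192.0.2.9") == "drop")


def evaluate_options() -> dict:
    return {letter: meets_requirement(acl, act) for letter, (acl, act) in OPTIONS.items()}


if __name__ == "__main__":
    for letter, ok in evaluate_options().items():
        print(letter, "meets requirement" if ok else "fails")
```

Only option B satisfies both checks; C and D drop or police the trusted host, and A polices everything because its permit any line is hit first.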