350-401 · Question #766
350-401 Question #766: Real Exam Question with Answer & Explanation
The correct answer is D: Router(config)#class-map match-any class-control Router(config-cmap)#match access-group 100 Router(config-cmap)#match access-group 101 Router(config)#policy-map CoPP Router(config-pmap)#class class-control Router(config-pmap-c)#police 1000000 conform-action transmit Router(config)#control-plane Router(config-cp)#service-policy input CoPP. Option D is correct because it uses match-any in the class-map, which classifies traffic matching either ACL 100 (SSH) or ACL 101 (Telnet) — and applies the policy-map with service-policy input on the control-plane, which is the correct direction to police traffic arriving at t
Question
Refer to the exhibit. Which configuration set implements Control Plane Policing for SSH and Telnet? A. B. C. D.
Options
- ARouter(config)#class-map type inspect match-all Router(config-cmap)#match access-group 100 Router(config-cmap)#match access-group 101 Router(config)#policy-map CoPP Router(config-pmap)#class class-control Router(config-pmap-c)#police 1000000 conform-action transmit Router(config)#control-plane Router(config-cp)#service-policy output CoPP
- BRouter(config)#class-map match-all class-control Router(config-cmap)#match access-group 100 Router(config-cmap)#match access-group 101 Router(config)#policy-map CoPP Router(config-pmap)#class class-control Router(config-pmap-c)#police 1000000 conform-action transmit Router(config)#control-plane Router(config-cp)#service-policy output CoPP
- CRouter(config)#class-map class-telnet Router(config-cmap)#match access-group 100 Router(config-cmap)#match access-group 101 Router(config)#policy-map CoPP Router(config-pmap)#class class-telnet-ssh Router(config-pmap-c)#police 1000000 conform-action transmit Router(config)#control-plane Router(config-cp)#service-policy input CoPP
- DRouter(config)#class-map match-any class-control Router(config-cmap)#match access-group 100 Router(config-cmap)#match access-group 101 Router(config)#policy-map CoPP Router(config-pmap)#class class-control Router(config-pmap-c)#police 1000000 conform-action transmit Router(config)#control-plane Router(config-cp)#service-policy input CoPP
Explanation
Option D is correct because it uses match-any in the class-map, which classifies traffic matching either ACL 100 (SSH) or ACL 101 (Telnet) — and applies the policy-map with service-policy input on the control-plane, which is the correct direction to police traffic arriving at the router's CPU.
Why the distractors fail:
- A uses
type inspect, which is Zone-Based Firewall syntax, not CoPP — andservice-policy outputis the wrong direction. - B uses
match-all, which would require a packet to match both ACLs simultaneously — impossible for a single protocol — and also applies the policy in the wrongoutputdirection. - C defines a class-map named
class-telnetbut the policy-map references a non-existentclass-telnet-ssh, creating a name mismatch that breaks the policy binding.
Memory tip: Think "ANY in, protect within" — use match-any when policing multiple protocols (SSH or Telnet), and always apply CoPP as service-policy input on the control-plane because you're protecting against traffic coming in to the CPU.
Topics
Community Discussion
No community discussion yet for this question.