nerdexam
Cisco

350-401 · Question #766

Refer to the exhibit. Which configuration set implements Control Plane Policing for SSH and Telnet? A. B. C. D.

The correct answer is D. Router(config)#class-map match-any class-control Router(config-cmap)#match access-group 100 Router(config-cmap)#match access-group 101 Router(config)#policy-map CoPP Router(config-pmap)#class class-control Router(config-pmap-c)#police 1000000 conform-action transmit Router(config)#control-plane Router(config-cp)#service-policy input CoPP. Option D is correct because it uses match-any in the class-map, which classifies traffic matching either ACL 100 (SSH) or ACL 101 (Telnet) - and applies the policy-map with service-policy input on the control-plane, which is the correct direction to police traffic arriving at the

Submitted by deeparc· Mar 6, 2026Security

Question

Refer to the exhibit. Which configuration set implements Control Plane Policing for SSH and Telnet? A. B. C. D.

Exhibits

350-401 question #766 exhibit 1
350-401 question #766 exhibit 2
350-401 question #766 exhibit 3
350-401 question #766 exhibit 4
350-401 question #766 exhibit 5
350-401 question #766 exhibit 6
350-401 question #766 exhibit 7
350-401 question #766 exhibit 8
350-401 question #766 exhibit 9
350-401 question #766 exhibit 10

Options

  • ARouter(config)#class-map type inspect match-all Router(config-cmap)#match access-group 100 Router(config-cmap)#match access-group 101 Router(config)#policy-map CoPP Router(config-pmap)#class class-control Router(config-pmap-c)#police 1000000 conform-action transmit Router(config)#control-plane Router(config-cp)#service-policy output CoPP
  • BRouter(config)#class-map match-all class-control Router(config-cmap)#match access-group 100 Router(config-cmap)#match access-group 101 Router(config)#policy-map CoPP Router(config-pmap)#class class-control Router(config-pmap-c)#police 1000000 conform-action transmit Router(config)#control-plane Router(config-cp)#service-policy output CoPP
  • CRouter(config)#class-map class-telnet Router(config-cmap)#match access-group 100 Router(config-cmap)#match access-group 101 Router(config)#policy-map CoPP Router(config-pmap)#class class-telnet-ssh Router(config-pmap-c)#police 1000000 conform-action transmit Router(config)#control-plane Router(config-cp)#service-policy input CoPP
  • DRouter(config)#class-map match-any class-control Router(config-cmap)#match access-group 100 Router(config-cmap)#match access-group 101 Router(config)#policy-map CoPP Router(config-pmap)#class class-control Router(config-pmap-c)#police 1000000 conform-action transmit Router(config)#control-plane Router(config-cp)#service-policy input CoPP

How the community answered

(32 responses)
  • A
    3% (1)
  • B
    13% (4)
  • C
    6% (2)
  • D
    78% (25)

Explanation

Option D is correct because it uses match-any in the class-map, which classifies traffic matching either ACL 100 (SSH) or ACL 101 (Telnet) - and applies the policy-map with service-policy input on the control-plane, which is the correct direction to police traffic arriving at the router's CPU.

Why the distractors fail:

  • A uses type inspect, which is Zone-Based Firewall syntax, not CoPP - and service-policy output is the wrong direction.
  • B uses match-all, which would require a packet to match both ACLs simultaneously - impossible for a single protocol - and also applies the policy in the wrong output direction.
  • C defines a class-map named class-telnet but the policy-map references a non-existent class-telnet-ssh, creating a name mismatch that breaks the policy binding.

Memory tip: Think "ANY in, protect within" - use match-any when policing multiple protocols (SSH or Telnet), and always apply CoPP as service-policy input on the control-plane because you're protecting against traffic coming in to the CPU.

Topics

#Control Plane Policing (CoPP)#QoS#Security#Class-map

Community Discussion

No community discussion yet for this question.

Full 350-401 Practice