Exam 400-101 Question id=1121 Infrastructure Security

You want to protect the control plane of RouterA from SNMP-based DoS attacks.
Additionally, you want to ensure that SNMP traffic from your management station, 192.168.1.111, to the control plane of RouterA is not restricted.
You have created a class map, created a policy map, and applied a service policy on the control plane in the inbound direction, as indicated by the partial running configuration shown below:

class-map match-all limit-snmp
 match access-group name kyiv
!
policy-map snmp-policy
 class limit-snmp
  drop
!
control-plane
 service-policy input snmp-policy

Which of the following command sets should you issue to complete the configuration?

A.
RouterA(config)#ip access-list extended kyiv
RouterA(config-ext-nacl)#deny udp host 192.168.1.111 any eq snmp
RouterA(config-ext-nacl)#permit udp any any eq snmp

B.
RouterA(config)#ip access-list extended kyiv
RouterA(config-ext-nacl)#permit udp host 192.168.1.111 any eq snmp
RouterA(config-ext-nacl)#deny udp any any eq snmp

C.
RouterA(config)#ip access-list extended kyiv
RouterA(config-ext-nacl)#deny udp any host 192.168.1.111 eq snmp
RouterA(config-ext-nacl)#permit udp any any eq snmp

D.
RouterA(config)#ip access-list extended kyiv
RouterA(config-ext-nacl)#permit udp any host 192.168.1.111 eq snmp
RouterA(config-ext-nacl)#deny udp any any eq snmp

You should issue the command set below to create a named extended access control list (ACL) named kyiv that completes the configuration:
RouterA(config)#ip access-list extended kyiv
RouterA(config-ext-nacl)#deny udp host 192.168.1.111 any eq snmp
RouterA(config-ext-nacl)#permit udp any any eq snmp

To create a named extended ACL, you should issue the ip access-list extended acl-name command. Issuing this command will place the router in extended named ACL mode. Extended ACL entries can be created by using the following basic syntax:
[sequence-number] {deny | permit} protocol source source-wildcard [operator [port]] destination destination-wildcard [operator [port]]
In this scenario, the deny udp host 192.168.1.111 any eq snmp command creates an extended ACL entry that denies User Datagram Protocol (UDP) packets that have a source IP address of 192.168.1.111 and a destination port number of 161. Simple Network Management Protocol (SNMP) traffic uses UDP port 161 for control traffic and UDP port 162 for SNMP trap traffic. The permit udp any any eq snmp command adds a second entry to the ACL that permits all other SNMP traffic.

ACL kyiv is used in a match statement in the class map named limit-snmp, as shown by the following partial command output:
class-map match-all limit-snmp
 match access-group name kyiv

A class map defines a traffic class and specifies the criteria used to identify packets belonging to that class. In this scenario, the match access-group name kyiv command specifies that all packets permitted by the ACL named kyiv will belong to the traffic class named limit-snmp. The traffic class named limit-snmp is then used to identify traffic in a policy map named snmp-policy, as shown by the following partial command output:
policy-map snmp-policy
 class limit-snmp
  drop

A policy map specifies the actions that are taken on packets that match a particular traffic class. In this scenario, the drop keyword specifies that packets identified as members of the traffic class named limit-snmp are discarded by the router. Finally, the service policy named snmp-policy is applied to the control plane in the inbound direction, as shown by the partial command output below:
control-plane
 service-policy input snmp-policy

When this service policy is applied to the control plane in the inbound direction, only SNMP packets sourced from the management station, 192.168.1.111, are permitted to pass to the control plane. Because the service policy instructs the router to discard the remainder of the SNMP packets that are destined to the router's control plane, the router is protected from SNMP-based Denial of Service (DoS) attacks.
The command set below does not complete the configuration, because it incorrectly permits only SNMP packets sourced from the management station:
RouterA(config)#ip access-list extended kyiv
RouterA(config-ext-nacl)#permit udp host 192.168.1.111 any eq snmp
RouterA(config-ext-nacl)#deny udp any any eq snmp
When the above ACL is used with the service policy in this scenario, only SNMP packets sourced from the management station, 192.168.1.111, are denied access to pass to the control plane. Because the service policy instructs the router to permit the remainder of the SNMP packets that are destined to the router's control plane, the router is not protected from SNMP-based DoS attacks.
The command set below does not complete the configuration, because it incorrectly permits all SNMP packets, regardless of their source IP address:
RouterA(config)#ip access-list extended kyiv
RouterA(config-ext-nacl)#deny udp any host 192.168.1.111 eq snmp
RouterA(config-ext-nacl)#permit udp any any eq snmp
Although the above ACL can be used with the service policy in this scenario to protect the router's control plane from SNMP-based DoS attacks, the ACL does not enable the management station to access the router's control plane. Conversely, the command set below does not complete the configuration, because it incorrectly denies all SNMP packets, regardless of their source IP address:
RouterA(config)#ip access-list extended kyiv
RouterA(config-ext-nacl)#permit udp any host 192.168.1.111 eq snmp
RouterA(config-ext-nacl)#deny udp any any eq snmp
When the above ACL is used with the service policy in this scenario, all SNMP packets can access the router's control plane.
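The reason option A works is that the ACL's permit/deny polarity is inverted by the pipeline: packets the ACL permits join class limit-snmp, and that class is dropped. The following Python simulation is an added example, not from the exam page; it evaluates each of the four candidate ACLs with first-match semantics and the implicit deny against constructed sample packets. The router address 10.0.0.1 and the outside source 203.0.113.7 are assumptions.

```python
"""Simulate the CoPP pipeline from the question: ACL -> class-map -> drop."""

SNMP_PORT = 161
MGMT = "192.168.1.111"       # management station from the question
ROUTER = "10.0.0.1"          # assumed address of RouterA's control plane


def _host_match(spec, addr):
    """'any' matches every address; otherwise the spec is a single host."""
    return spec == "any" or spec == addr


def acl_permits(acl, pkt):
    """Evaluate entries top-down; fall through to the implicit deny."""
    for action, src, dst, port in acl:
        if (pkt["proto"] == "udp" and _host_match(src, pkt["src"])
                and _host_match(dst, pkt["dst"]) and pkt["dport"] == port):
            return action == "permit"
    return False  # implicit deny at the end of every Cisco ACL


def copp_dropped(acl, pkt):
    """class limit-snmp matches what the ACL permits; policy action is drop."""
    return acl_permits(acl, pkt)


# The four candidate ACLs as (action, source, destination, dest-port) entries.
OPTIONS = {
    "A": [("deny", MGMT, "any", SNMP_PORT), ("permit", "any", "any", SNMP_PORT)],
    "B": [("permit", MGMT, "any", SNMP_PORT), ("deny", "any", "any", SNMP_PORT)],
    "C": [("deny", "any", MGMT, SNMP_PORT), ("permit", "any", "any", SNMP_PORT)],
    "D": [("permit", "any", MGMT, SNMP_PORT), ("deny", "any", "any", SNMP_PORT)],
}

# Constructed sample SNMP packets arriving at RouterA's control plane.
PACKETS = [
    {"src": MGMT, "dst": ROUTER, "proto": "udp", "dport": SNMP_PORT},
    {"src": "203.0.113.7", "dst": ROUTER, "proto": "udp", "dport": SNMP_PORT},
]


def evaluate(acl):
    """Map each sample source to whether it reaches the control plane."""
    return {p["src"]: not copp_dropped(acl, p) for p in PACKETS}


def meets_requirements(acl):
    """Management station reaches the control plane; every other source is dropped."""
    reach = evaluate(acl)
    return reach[MGMT] and not any(v for s, v in reach.items() if s != MGMT)


if __name__ == "__main__":
    for name, acl in OPTIONS.items():
        print(name, evaluate(acl), "OK" if meets_requirements(acl) else "fails")
```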