Exam 350-401 All Questions

View all questions & answers for the 350-401 exam

Exam 350-401 topic 1 question 728 discussion

Actual exam question from Cisco's 350-401

Question #: 728
Topic #: 1

Refer to the exhibit. An engineer must deny HTTP traffic from host A to host B while allowing all other communication between the hosts. Which command set accomplishes this task?

A. SW1(config)# mac access-list extended HOST-A-B
SW1(config-ext-macl)# permit host aaaa.bbbb.cccc aaaa.bbbb.dddd

SW1(config)# ip access-list extended DENY-HTTP
SW1(config-ext-nacl)# deny tcp host 10.1.1.10 host 10.1.1.20 eq www

SW1(config)# vlan access-map DROP-MAC 10
SW1(config-access-map)# match mac address HOST-A-B
SW1(config-access-map)# action drop
SW1(config)# vlan access-map HOST-A-B 20
SW1(config-access-map)# match ip address DENY-HTTP
SW1(config-access-map)# action drop

SW1(config)# vlan filter HOST-A-B vlan 10
B. SW1(config)# ip access-list extended DENY-HTTP
SW1(config-ext-nacl)# deny tcp host 10.1.1.10 host 10.1.1.20 eq www

SW1(config)# ip access-list extended MATCH_ALL
SW1(config-ext-nacl)# permit ip any any

SW1(config)# vlan access-map HOST-A-B 10
SW1(config-access-map)# match ip address DENY-HTTP
SW1(config-access-map)# action drop
SW1(config)# vlan access-map HOST-A-B 20
SW1(config-access-map)# match ip address MATCH_ALL
SW1(config-access-map)# action forward

SW1(config)# vlan filter HOST-A-B vlan 10
C. SW1(config)# mac access-list extended HOST-A-B
SW1(config-ext-macl)# permit host aaaa.bbbb.cccc aaaa.bbbb.dddd

SW1(config)# ip access-list extended DENY-HTTP
SW1(config-ext-nacl)# permit tcp host 10.1.1.10 host 10.1.1.20 eq www

SW1(config)# vlan access-map DROP-MAC 10
SW1(config-access-map)# match mac address HOST-A-B
SW1(config-access-map)# action forward
SW1(config)# vlan access-map HOST-A-B 20
SW1(config-access-map)# match ip address DENY-HTTP
SW1(config-access-map)# action drop

SW1(config)# vlan filter HOST-A-B vlan 10

Show Suggested Answer

Suggested Answer: B 🗳️

by MJane at March 11, 2023, 1:48 p.m.

Comments

Submit Cancel

HungarianDish_111

Highly Voted 2 years, 2 months ago

Selected Answer: B

MAC Access-Lists is irrelevant here. B seems to be the closest answer, however, it is not right in that form. This should work: SW1(config)# ip access-list extended DENY-HTTP SW1(config-ext-nacl)# permit tcp host 10.1.1.10 host 10.1.1.20 eq www SW1(config)# vlan access-map DROP-MAC 10 SW1(config-access-map)# match ip address DENY-HTTP SW1(config-access-map)# action drop SW1(config)# vlan access-map DROP-MAC 20 SW1(config-access-map)# action forward SW1(config-access-map)# exit SW1(config)# vlan filter DROP-MAC vlan 10 https://www.networkstraining.com/vlan-access-map-example-configuration/

upvoted 13 times

HungarianDish_111

2 years, 2 months ago

Tested in CML, and it worked. MAC access-list is only for L2 (for example arp), ip access-list is for L3, so that is what we need here. Both can be matched under vlan ACL, however, MAC access-list is rarely used in this combination.

upvoted 1 times

...

Clauster

2 years, 1 month ago

This is correct

upvoted 1 times

...

MJane

Highly Voted 2 years, 2 months ago

None of the 3 are correct

upvoted 10 times

...

RainHua

Most Recent 4 months, 1 week ago

Selected Answer: B

The Key Answer is missed in this question. Answer D is followed. D. SW1 (config)# ip access-list extended DENY-HTTP SW1 (config-ext-nacl)#permit tcp host 10.1.1.10 host 10.1.1.20 eq www SW1 (config)# ip access-list extended MATCH ALL SW1 (config-ext-nacl)# permit ip any any SW1 (config)# vlan access-map HOST-A-B 10 SW1 (config-access-map)# match ip address DENY-HTTP SW1 (config-access-map)# action drop SW1 (config)# vlan access-map HOST-A-B 20 SW1 (config-access-map)# match ip address MATCH ALL SW1 (config-access-map)# action forward SW1 (config)# vlan filter HOST-A-B vlan 10 D is the right answer. B is incorrect. Because it permits all traffic to forward. The result of ACL DENY-HTTP is no traffic will be permited. Put the ACL into access-map HOST-A-B 10, it would drop nothing.

upvoted 2 times

RainHua

4 months, 1 week ago

It made me have to choose an answer. So I cannot but choose B which is incorrect but the closest thing.

upvoted 1 times

...

ExamTaker1017

6 months, 1 week ago

Answer is D (the missing answer). A B & C are all wrong. A. All traffic is dropped. B. All traffic is forwarded. C. All traffic is dropped.

upvoted 1 times

...

[Removed]

1 year ago

B is correct

upvoted 1 times

[Removed]

11 months ago

i misread it, B is wrong, it must be permit not deny

upvoted 1 times

...

KZM

1 year, 2 months ago

D. SW1(config)# ip access-list extended DENY-HTTP SW1(config-ext-nacl)# permit tcp host 10.1.1.10 host 10.1.1.20 eq www SW1(config)# ip access-list extended MATCH_ALL SW1(config-ext-nacl)# permit ip any any SW1(config)# vlan access-map HOST-A-B 10 SW1(config-access-map)# match ip address DENY-HTTP SW1(config-access-map)# action drop SW1(config)# vlan access-map HOST-A-B 20 SW1(config-access-map)# match ip address MATCH_ALL SW1(config-access-map)# action forward SW1(config)# vlan filter HOST-A-B vlan 10

upvoted 7 times

...

Asombrosso

1 year, 8 months ago

I vote for D, the missing one.

upvoted 6 times

...

Manvek

1 year, 9 months ago

There seems to be an option missing. So I vote for D, the missing one. Here you can find the complete question with all answers. https://www.braindump2go.com/free-online-pdf/350-401-PDF-Dumps(409-433).pdf

upvoted 4 times

...

edajede

1 year, 11 months ago

I dont like the deny ip access list in option B. It should be permit for both cases and then decided about the drop in the access-map. I think C is correct.

upvoted 4 times

edajede

1 year, 11 months ago

hmm, sorry, the problem in C is, that the mac address communication in the access-map is at the first place, so it will avoid the http check

upvoted 3 times

...