Exam 300-410 topic 1 question 242 discussion

Its B. ACL blocks the specific host/port incoming. You cannot use ACLs to protect the 'management plane' on an interface

Lets think through this. A) is wrong because SNMP functions in the management not the control plane. B) this sounds correct, but if you think about it, it may cause unintended traffic denies. If we create a new ACL to deny the host, the answer does not specify other parameters, and we could assume that a permit any at the end will be configured as well. C) is wrong, we are trying to block the host. D) seems to be the best answer. If we use the same ACL 90, we are inherently deny any other hosts that do not require access to R1's management plane, and only permit the ones defined in the ACL. D is the best answer B works, but not entirely the best answer.

B is corerct

So , management plane protection(MPP) can be added to an interface. This makes your router only reachable from that interface. But with MPP you can not specify an ACL. So i do not see how D could be correct. Picking B https://www.cisco.com/c/en/us/td/docs/ios/security/configuration/guide/sec_mgmt_plane_prot.html

The ACL would block SNMP packets from reaching the MGMT plane in the first place. Option D would also work but would still be processed via the MGMT plane and then be discarded. The less unnecessary packets processed through the MGMT/control plane the better in my opinion.

D is correct

snmp-server community Public RO 90 snmp-server community Private W 90 R1#show access-list 90 Standard IP access list 90 permit 10.11.110.11 permit 10.11.111.12 Console messages are from 10.11.110.12 See the difference between the permit IP statement and host IP? B is correct.

The question does not specify if the new ACL (answer B) will allow other hosts to access the router through E1/0. I believe the best answer would be D as it uses the existing ACL which block access from the suspected attacker to access R1.

yes, correct option B. Easy question