Exam 350-501 topic 1 question 226 discussion

Actual exam question from Cisco's 350-501

Question #: 226
Topic #: 1

A network engineer is testing an automation platform that interacts with Cisco networking devices via NETCONF over SSH. In accordance with internal security requirements:
✑ NETCONF sessions are permitted only from trusted sources in the 172.16.20.0/24 subnet.
✑ CLI SSH access is permitted from any source.
Which configuration must the engineer apply on R1?

A. configure terminal hostname R1 ip domain-name mydomain.com crypto key generate rsa ip ssh version 1 access-list 1 permit 172.16.20.0 0.0.0.255 netconf ssh acl 1 line vty 0 4 transport input ssh end
B. configure terminal hostname R1 ip domain-name mydomain.com crypto key generate rsa ip ssh version 2 access-list 1 permit 172.16.20.0 0.0.0.255 access-list 1 permit any netconf ssh line vty 0 4 access-class 1 in transport input ssh end
C. configure terminal hostname R1 ip domain-name mydomain.com crypto key generate rsa ip ssh version 1 access-list 1 permit 172.16.20.0 0.0.0.255 access-list 2 permit any netconf ssh line vty 0 4 access-class 2 in transport input ssh end
D. configure terminal hostname R1 ip domain-name mydomain.com crypto key generate rsa ip ssh version 2 access-list 1 permit 172.16.20.0 0.0.0.255 netconf ssh acl 1 line vty 0 4 transport input ssh end

Show Suggested Answer

Suggested Answer: D 🗳️

by oreluc at Sept. 15, 2022, 6:28 p.m.

Comments

Submit Cancel

ccie_race

Highly Voted 1 year, 8 months ago

Option D Restrict access to netconf ssh using acl 1. (ssh here doesn't mean ssh. it means netconf ssh. This is how you configure netconf) Allow everyone on SSH line: No ACL applied to line vty ==================== configure terminal hostname R1 ip domain-name mydomain.com crypto key generate rsa ip ssh version 2 access-list 1 permit 172.16.20.0 0.0.0.255 netconf ssh acl 1 line vty 0 4 transport input ssh end

upvoted 5 times

...