ACMP-6.4 question 21 discussion


ip access-list session anewone
user network any permit
user any any permit
host host any deny
A user sends a frame with the following attributes:
Source IP: Destination IP: Destination Port: 25
Based on the above Mobility Controller configuration file segment, what will this policy do with the user frame?

  • A. The frame is discarded because of the implicit deny all at the end of the policy.
  • B. The frame is discarded because of the statement: user host host deny.
  • C. The frame is accepted because of the statement: user any any permit.
  • D. The frame is accepted because of the statement: user network any permit.
  • E. This is not a valid policy.
How is this C? Aruba firewall rules are from most specific to least specific. Although the second rule would permit the traffic, it would already have hit and been permitted by the first rule, since is in the network?


The first rule is to destination but the question is using a source of. That is why it is answer C.

The first rule is from Source ?


Source is 'user', meaning match the client host address. Destination is Protocol is 'any'.


Aruba firewall policies are evaluated top-down, first match used. The first rule permits any traffic to the network. The second rule permits anything. The packet never gets to the third rule.
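The top-down, first-match evaluation described above, as an added example that is not part of this discussion or of Aruba's own code: a small Python evaluator for session ACL lines that also shows the implicit deny when nothing matches. Because the page's configuration lost its addresses, the 10.1.1.0/24 destination network in the first rule and the host addresses in the last rule are assumed sample values.

```python
import ipaddress

# Constructed sample policy modelled on the question. The network in the first
# rule and the hosts in the last rule are assumed values, not the exam's.
POLICY = """ip access-list session anewone
user network 10.1.1.0 255.255.255.0 any permit
user any any permit
host 192.0.2.10 host 10.1.1.1 any deny"""

def parse_endpoint(tok, i):
    """Read one endpoint (any | user | host <ip> | network <ip> <mask>) at tok[i]."""
    kind = tok[i]
    if kind == "host":
        return ipaddress.ip_network(tok[i + 1]), i + 2
    if kind == "network":
        return ipaddress.ip_network(f"{tok[i + 1]}/{tok[i + 2]}"), i + 3
    return kind, i + 1                      # 'any' or 'user'

def parse_policy(text):
    """Parse session ACL lines into (src, dst, service, action) tuples, in order."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] == "ip":       # skip the 'ip access-list session' header
            continue
        src, i = parse_endpoint(tok, 0)
        dst, i = parse_endpoint(tok, i)
        service, action = " ".join(tok[i:-1]), tok[-1]
        rules.append((src, dst, service, action))
    return rules

def endpoint_matches(spec, ip, user_ip):
    if spec == "any":
        return True
    if spec == "user":                      # 'user' means the client's own address
        return ip == user_ip
    return ip in spec                       # host (/32) or network object

def evaluate(rules, src_ip, dst_ip, proto, dst_port):
    """Top-down, first match wins; no match falls through to the implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for n, (rs, rd, svc, action) in enumerate(rules, 1):
        if not (endpoint_matches(rs, src, src) and endpoint_matches(rd, dst, src)):
            continue
        if svc != "any" and svc != f"{proto} {dst_port}":
            continue
        return action, n                    # rule number that decided the frame
    return "deny", None                     # implicit deny all at the end

if __name__ == "__main__":
    rules = parse_policy(POLICY)
    print(evaluate(rules, "192.0.2.10", "10.1.1.5", "tcp", 25))   # rule 1 permits
    print(evaluate(rules, "192.0.2.10", "203.0.113.7", "tcp", 25))  # rule 2 permits
```

Dropping the second rule and sending to a destination outside the network shows the implicit deny: `evaluate(rules[:1], ...)` returns `("deny", None)`.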


The source IS network on the first rule. The answer is D.


The first rule is for source:user and destination:network 10.1.1.0/24. The frame does not match that destination, thus it skips the first rule. The second rule matches source and destination.


The first rule is for user source:network, destination:any; this rule permits the frame. The answer is D.