ACMP-6.4 question 21 discussion


ip access-list session anewone
user network 10.1.1.0 255.255.255.0 any permit
user any any permit
host 10.1.1.1 host 10.2.2.2 any deny
A user sends a frame with the following attributes:
Source IP: 10.1.1.1 Destination IP: 10.2.2.2 Destination Port: 25
Based on the above Mobility Controller configuration file segment, what will this policy do
with the user frame?

  • A. The frame is discarded because of the implicit deny all at the end of the policy.
  • B. The frame is discarded because of the statement: user host 10.1.1.1 host 10.2.2.2 deny.
  • C. The frame is accepted because of the statement: user any any permit.
  • D. The frame is accepted because of the statement: user network 10.1.1.0 255.255.255.0 any permit.
  • E. This is not a valid policy.
Created 3 months ago by PCLuis04
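As an added example that is not part of the question or of any reply below, here is a small Python model of how a Mobility Controller walks a session ACL: top-down, first match wins, implicit deny if nothing matches. It assumes the standard ArubaOS rule operand order (source, destination, service, action), treats the `user` operand as matching any client address so the rules can be evaluated against raw IPs, and models only the operand forms that appear in the question (service aliases such as `svc-smtp` are not handled). The two rule sets are constructed sample input: the ACL exactly as the question gives it, and the same three rules with the deny moved to the top.

```python
import ipaddress

# Constructed sample input: the three-rule session ACL from the question,
# plus the same rules with the deny moved to the top for comparison.
ACL_FROM_QUESTION = """\
user network 10.1.1.0 255.255.255.0 any permit
user any any permit
host 10.1.1.1 host 10.2.2.2 any deny
"""

ACL_DENY_FIRST = """\
host 10.1.1.1 host 10.2.2.2 any deny
user network 10.1.1.0 255.255.255.0 any permit
user any any permit
"""

ANY = ipaddress.ip_network("0.0.0.0/0")


def _parse_endpoint(tokens):
    """Consume one source or destination operand from the token list.

    Operand forms modelled: any | user | host A.B.C.D | network A.B.C.D MASK.
    Assumption for this example: 'user' (the authenticated client) is treated
    as matching any address, so rules can be evaluated against raw IPs.
    """
    kw = tokens.pop(0)
    if kw in ("any", "user"):
        return ANY
    if kw == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    if kw == "network":
        addr, mask = tokens.pop(0), tokens.pop(0)
        return ipaddress.ip_network(f"{addr}/{mask}")  # dotted mask accepted
    raise ValueError(f"unsupported operand {kw!r}")


def _parse_service(tokens):
    """Consume the service operand: 'any' or '<tcp|udp> <port>'.

    Service aliases such as svc-smtp are deliberately not modelled here.
    """
    kw = tokens.pop(0)
    if kw == "any":
        return ("any", None)
    if kw in ("tcp", "udp"):
        return (kw, int(tokens.pop(0)))
    raise ValueError(f"unsupported service {kw!r}")


def parse_acl(text):
    """Parse rule lines into (rule_text, src_net, dst_net, service, action)."""
    rules = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        rule_text = " ".join(tokens)
        src = _parse_endpoint(tokens)
        dst = _parse_endpoint(tokens)
        service = _parse_service(tokens)
        action = tokens.pop(0)
        if action not in ("permit", "deny"):
            raise ValueError(f"unsupported action {action!r}")
        rules.append((rule_text, src, dst, service, action))
    return rules


def evaluate(rules, src_ip, dst_ip, proto, dport):
    """Walk the ACL top-down and return (index, rule_text, action) for the
    first rule that matches. If no rule matches, the implicit deny at the end
    of every session ACL applies and index and rule_text are None."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for i, (rule_text, src_net, dst_net, (sproto, sport), action) in enumerate(rules):
        if src not in src_net or dst not in dst_net:
            continue  # source or destination operand does not match
        if sproto != "any" and (sproto != proto or sport != dport):
            continue  # service operand does not match
        return i, rule_text, action
    return None, None, "deny"


if __name__ == "__main__":
    for label, text in (("as written", ACL_FROM_QUESTION), ("deny first", ACL_DENY_FIRST)):
        idx, rule, action = evaluate(parse_acl(text), "10.1.1.1", "10.2.2.2", "tcp", 25)
        where = f"rule {idx + 1}: {rule}" if idx is not None else "implicit deny"
        print(f"{label}: {action} by {where}")
```

Running it shows the point of the question: with the ACL as written, the 10.1.1.1 to 10.2.2.2 frame skips rule 1 (the destination operand is network 10.1.1.0/24, not the source), is permitted by rule 2 (`user any any permit`), and never reaches the deny; with the deny moved to the top, the same frame is dropped. Rule order, not specificity, decides the outcome. On a real controller `user` is matched against the authenticated client's address rather than any IP, which this model simplifies away.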

PCLuis04

How is this C? Aruba firewall rules are from most specific to least specific. Although the second rule would permit the traffic, it would already have hit and been permitted by the first rule, since 10.1.1.1 is in the 10.1.1.0 network?

roberternst1961

The first rule is to destination 10.1.1.0, but the question is using a source of 10.1.1.1. That is why it is answer C.

zealist@gmail.cm

The first rule is from Source 10.1.1.0 ?

ciscoizamazing

Source is 'user' meaning match the client host address. Destination is 10.1.1.0. Protocol is 'any'

etherguy

Aruba firewall policies are evaluated top-down, first match used. The first rule permits any traffic to the 10.1.1.0/24 network. The second rule permits anything. The packet never gets to the third rule.

PCLuis04

The source IS network 10.1.1.0 on the first rule. The answer is D.

cheshire

The first rule is for source: user and destination: network 10.1.1.0/24. The frame does not match that destination, thus it skips the first rule. The second rule matches source and destination.

alvarocf

The first rule is for user source: network 10.1.1.0/24, destination: any; this rule permits the frame. The answer is D.