HPE7-A02 Exam - Topic 3 Question 8 Discussion

Actual exam question for HP's HPE7-A02 exam
Question #: 8
Topic #: 3

A port-access role for AOS-CX switches has this policy applied to it:

    port-access policy mypolicy
        10 class ip zoneC action drop
        20 class ip zoneA action drop
        100 class ip zoneB

The classes have this configuration:

    class ip zoneC
        10 match tcp 10.2.0.0/16 eq https
    class ip zoneA
        10 match ip any 10.1.0.0/16
    class ip zoneB
        10 match ip any 10.0.0.0/8

The company wants to permit clients in this role to access 10.2.12.0/24 with HTTPS. What should you do?

Suggested Answer: A

Comprehensive Detailed Explanation

The requirement is to permit HTTPS traffic from clients to the 10.2.12.0/24 subnet.

The zoneC class is configured to drop all HTTPS traffic to the 10.2.0.0/16 subnet. Therefore, the first match in the zoneC class (priority 10) will drop the desired traffic.

To override this behavior, you must add a higher-priority rule (lower rule number) to zoneC that explicitly matches 10.2.12.0/24 and permits the traffic.

Thus, adding the rule '5 match any 10.2.12.0/24 eq https' to zoneC ensures the desired traffic is permitted while maintaining the drop behavior for the rest of 10.2.0.0/16.



Contribute your Thoughts:

Kenda
6 days ago
I remember practicing a similar question where we had to adjust rules in a policy. I feel like zoneB might be the right choice here.
upvoted 0 times
...
Emilio
12 days ago
I think we need to add a rule to zoneC since it matches HTTPS traffic, but I'm not sure if the action should be 'match' or 'ignore'.
upvoted 0 times
...
Millie
17 days ago
Hmm, I'm not entirely sure about this one. The policy and class configurations are a bit complex, and I want to make sure I understand everything before making any changes. I'll need to take a closer look and think it through carefully.
upvoted 0 times
...
Chan
23 days ago
I've got an idea! Since the company wants to permit access to 10.2.12.0/24 with HTTPS, we should add a rule to zoneB to match that subnet and action. That seems like the most straightforward solution.
upvoted 0 times
...
Rory
28 days ago
I'm a bit confused here. The policy already has rules for zoneA and zoneB, so I'm not sure if adding a rule to zoneC is the right approach. Let me re-read the question and think this through.
upvoted 0 times
...
Noah
1 month ago
Okay, I think I've got it. We need to add a new rule to the zoneC class to permit HTTPS access to 10.2.12.0/24. That should do the trick.
upvoted 0 times
...
Sherill
1 month ago
Hmm, this looks like a tricky one. I'll need to carefully read through the policy and class configurations to figure out the best approach.
upvoted 0 times
...
Essie
7 months ago
I agree with Terrilyn, option A seems to be the most appropriate choice.
upvoted 0 times
...
Terrilyn
7 months ago
But adding the rule to zoneC makes more sense, doesn't it?
upvoted 0 times
...
Val
7 months ago
Alright, let's think this through. I'm going to go with option D as well, it seems to be the only one that directly addresses the requirement.
upvoted 0 times
Lemuel
5 months ago
Great, let's go with option D then.
upvoted 0 times
...
Kristofer
5 months ago
Adding the rule to zoneC with 'ignore tcp' will allow access to 10.2.12.0/24 with HTTPS.
upvoted 0 times
...
Lai
5 months ago
Yes, I agree. Option D seems to be the most appropriate solution.
upvoted 0 times
...
Josefa
5 months ago
I think option D is the correct choice.
upvoted 0 times
...
Tamekia
6 months ago
Great, let's go with option D then.
upvoted 0 times
...
Raelene
6 months ago
Adding the rule to zoneC with 'ignore tcp' will allow access to 10.2.12.0/24 with HTTPS.
upvoted 0 times
...
Fannie
6 months ago
Yes, I agree. Option D is the only one that matches the requirement.
upvoted 0 times
...
Beckie
7 months ago
I think option D is the correct choice.
upvoted 0 times
...
...
Edda
7 months ago
Haha, 'zoneC' - sounds like a secret agent operation or something. Gotta keep those clients in the right zone!
upvoted 0 times
...
Stephanie
7 months ago
I disagree, I believe the correct answer is C.
upvoted 0 times
...
Bo
8 months ago
I'm curious, why did they include the 'plaintext' code blocks? Seems a bit unnecessary if it's just showing the policy config.
upvoted 0 times
...
Raul
8 months ago
Hmm, this looks like a tricky one. I'm leaning towards option D, it seems to make the most sense to add the rule to zoneC.
upvoted 0 times
Vivienne
6 months ago
Yes, option D is the way to go. Adding the rule to zoneC makes the most sense.
upvoted 0 times
...
Paz
7 months ago
I agree, adding the rule to zoneC in option D seems like the right move.
upvoted 0 times
...
Herman
7 months ago
I think option D is the best choice. It makes sense to add the rule to zoneC.
upvoted 0 times
...
...
Terrilyn
8 months ago
I think the answer is A.
upvoted 0 times
...
