HP Exam HPE7-A02 Topic 3 Question 8 Discussion

Actual exam question for HP's HPE7-A02 exam
Question #: 8
Topic #: 3

A port-access role for AOS-CX switches has this policy applied to it:

```plaintext
port-access policy mypolicy
    10 class ip zoneC action drop
    20 class ip zoneA action drop
    100 class ip zoneB
```

The classes have this configuration:

```plaintext
class ip zoneC
    10 match tcp 10.2.0.0/16 eq https
class ip zoneA
    10 match ip any 10.1.0.0/16
class ip zoneB
    10 match ip any 10.0.0.0/8
```

The company wants to permit clients in this role to access 10.2.12.0/24 with HTTPS. What should you do?

Suggested Answer: A

Comprehensive Detailed Explanation

The requirement is to permit HTTPS traffic from clients to the 10.2.12.0/24 subnet.

ZoneC is configured to drop all HTTPS traffic to the 10.2.0.0/16 subnet. Therefore, the first match in the zoneC class (priority 10) will drop the desired traffic.

To override this behavior, you must add a higher-priority rule (lower rule number) to zoneC that explicitly matches 10.2.12.0/24 and permits the traffic.

Thus, adding the rule 5 match any 10.2.12.0/24 eq https to zoneC ensures the desired traffic is permitted while maintaining the drop behavior for the rest of 10.2.0.0/16.



Contribute your Thoughts:

Terrilyn
1 hour ago
But adding the rule to zoneC makes more sense, doesn't it?
upvoted 0 times
...
Val
2 days ago
Alright, let's think this through. I'm going to go with option D as well, it seems to be the only one that directly addresses the requirement.
upvoted 0 times
...
Edda
3 days ago
Haha, 'zoneC' - sounds like a secret agent operation or something. Gotta keep those clients in the right zone!
upvoted 0 times
...
Stephanie
9 days ago
I disagree, I believe the correct answer is C.
upvoted 0 times
...
Bo
13 days ago
I'm curious, why did they include the 'plaintext' code blocks? Seems a bit unnecessary if it's just showing the policy config.
upvoted 0 times
...
Raul
16 days ago
Hmm, this looks like a tricky one. I'm leaning towards option D, it seems to make the most sense to add the rule to zoneC.
upvoted 0 times
Herman
2 hours ago
I think option D is the best choice. It makes sense to add the rule to zoneC.
upvoted 0 times
...
...
Terrilyn
20 days ago
I think the answer is A.
upvoted 0 times
...
