PrepAway - Latest Free Exam Questions & Answers

What is wrong with the configuration?

Refer to the exhibit.

A network engineer is trying to configure a router as a zone-based firewall and needs to allow
DHCP traffic to and from the router on the outside interface. After applying the configuration to the
router, he notices that his configuration is not working.
What is wrong with the configuration?


A.
The UDP ports in access list 111 and access list 112 are incorrect.

B.
The wrong action has been configured on the policy map.

C.
The zone pair configuration is incorrect.

D.
The inside and outside references are incorrect.

Explanation:

6 Comments on “What is wrong with the configuration?”

  1. Fe says:

    C is the correct answer

    Attaching a Policy Map to a Zone Pair
    SUMMARY STEPS

    1. enable

    2. configure terminal

    3. zone security zone-name

    4. exit

    5. zone security zone-name

    6. exit

    7. zone-pair security zone-pair-name [source zone-name destination [zone-name]]

    8. service-policy type inspect policy-map-name

    9. exit

    10. interface type number

    11. zone-member security zone-name

    12. end
    http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_zbf/configuration/xe-3s/sec-data-zbf-xe-book/sec-data-nest-cmap.html




  2. starts7777 says:

    This example configuration shows how to prevent all UDP traffic from a zone into your router’s self zone except for DHCP packets. Use an access-list with specific ports in order to allow just DHCP traffic; in this example, UDP port 67 and UDP port 68 are specified to be matched. A class-map that references the access-list has the pass action applied.
    ! DHCP server port (UDP 67) and DHCP client port (UDP 68)
    ip access-list extended 111
     10 permit udp any any eq 67

    ip access-list extended 112
     10 permit udp any any eq 68

    class-map type inspect match-any self-to-out
     match access-group 111
    class-map type inspect match-any out-to-self
     match access-group 112

    zone security outside
    zone security inside

    interface Ethernet0/1
     zone-member security outside
    interface Ethernet0/2
     zone-member security inside

    ! Pass DHCP, drop everything else to and from the router
    policy-map type inspect out-to-self
     class type inspect out-to-self
      pass
     class class-default
      drop
    policy-map type inspect self-to-out
     class type inspect self-to-out
      pass
     class class-default
      drop

    ! One zone pair per direction between the outside zone and the self zone
    zone-pair security out-to-self source outside destination self
     service-policy type inspect out-to-self
    zone-pair security self-to-out source self destination outside
     service-policy type inspect self-to-out

    http://www.cisco.com/c/en/us/support/docs/security/ios-firewall/116117-configure-dhcp-zbf-00.html




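Added example, not part of the original page or of the comments above: a small Python check for the zone-pair wiring that the comments discuss, confirming that a pair exists in each direction between a zone and the router's self zone and that each pair references defined zones and a defined policy map. The sample configuration is constructed (it is not the exam exhibit), and the function name `lint_zone_pairs` and its `zone` parameter are assumptions made for this example.

```python
import re

# Constructed misconfiguration (not the exam exhibit): the out-to-self pair is
# bound inside -> outside, so traffic addressed to the router never matches it.
SAMPLE = """\
zone security outside
zone security inside
policy-map type inspect out-to-self
policy-map type inspect self-to-out
zone-pair security out-to-self source inside destination outside
 service-policy type inspect out-to-self
zone-pair security self-to-out source self destination outside
 service-policy type inspect self-to-out
"""

def lint_zone_pairs(config, zone="outside"):
    """Return findings for zone pairs meant to carry router (self) traffic for `zone`."""
    zones = set(re.findall(r"^\s*zone security (\S+)", config, re.M)) | {"self"}
    pmaps = set(re.findall(r"^\s*policy-map type inspect (\S+)", config, re.M))
    pairs, current, findings = {}, None, []
    for line in map(str.strip, config.splitlines()):
        m = re.match(r"zone-pair security (\S+) source (\S+) destination (\S+)", line)
        if m:
            current = m.group(1)
            pairs[current] = {"src": m.group(2), "dst": m.group(3), "policy": None}
        elif current and (m := re.match(r"service-policy type inspect (\S+)", line)):
            pairs[current]["policy"] = m.group(1)
        elif line and not line.startswith("description"):
            current = None  # left the zone-pair sub-mode
    for name, p in pairs.items():
        for z in (p["src"], p["dst"]):
            if z not in zones:
                findings.append(f"{name}: zone '{z}' is not defined")
        if p["policy"] is None:
            findings.append(f"{name}: no service-policy attached")
        elif p["policy"] not in pmaps:
            findings.append(f"{name}: policy-map '{p['policy']}' is not defined")
    # DHCP to and from the router needs a pair in each direction with the self zone.
    directions = {(p["src"], p["dst"]) for p in pairs.values()}
    for src, dst in ((zone, "self"), ("self", zone)):
        if (src, dst) not in directions:
            findings.append(f"no zone-pair from {src} to {dst}")
    return findings

if __name__ == "__main__":
    print("\n".join(lint_zone_pairs(SAMPLE)))
```
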