
HPE6-A69: How Does an ACL Behave on an ArubaOS-CX 6300 Switch?

Learn how an access control list (ACL) behaves when applied to an ArubaOS-CX 6300 switch in this HPE6-A69 certification exam practice question. Understand which types of traffic are logged or not logged to the event logs based on the ACL configuration.

Question

When applying the following access-list to an ArubaOS-CX 6300 switch:

10 permit tcp any RADIUS-SERVERS group WEB-PORTS log
20 permit udp any any group DHCP-PORTS log
30 permit udp any any group DNS-PORTS log
40 permit icmp any RADIUS-SERVERS log
50 deny tcp any MANAGEMENT-SERVERS log
60 deny icmp any MANAGEMENT-SERVERS count
70 permit udp any MANAGEMENT-SERVERS eq 162 count
60 permit udp any MANAGEMENT-SERVERS eq 69 log

How does this ACL behave on the selected switch? (Choose two.)

A. The tftp traffic to MANAGEMENT-SERVERS group is logged to the event logs.
B. The denied tcp traffic to the MANAGEMENT-SERVERS group is not logged to event logs.
C. The denied tcp traffic to the MANAGEMENT-SERVERS group is logged to event logs.
D. The tftp traffic to MANAGEMENT-SERVERS group is not logged to the event logs.
E. The snmp-trap traffic to MANAGEMENT-SERVERS is logged to the event logs.

Answer

C. The denied tcp traffic to the MANAGEMENT-SERVERS group is logged to event logs.
D. The tftp traffic to MANAGEMENT-SERVERS group is not logged to the event logs.

Explanation

The given ACL has the following relevant entries:

50 deny tcp any MANAGEMENT-SERVERS log
80 permit udp any MANAGEMENT-SERVERS eq 69 log

Entry 50 denies all TCP traffic to the MANAGEMENT-SERVERS group and specifies the “log” option. This means any denied TCP traffic matching this entry will be logged to the event logs. Therefore, answer choice C is correct – the denied TCP traffic to the MANAGEMENT-SERVERS group is logged.

Entry 80 permits UDP port 69 traffic (TFTP) to the MANAGEMENT-SERVERS group and specifies the “log” option. However, there is no general “permit ip any any” entry in this ACL. That means the implicit “deny any any” rule at the end of the ACL will drop all other IP traffic not explicitly permitted, including the TFTP traffic permitted by entry 80.

Crucially, the implicit “deny any any” rule does NOT have the “log” option. Therefore, the TFTP traffic that is ultimately denied will not be logged, since logging must be explicitly configured on the matching ACL entry. So answer choice D is also correct – the TFTP traffic to the MANAGEMENT-SERVERS group ultimately gets denied without being logged.

In summary, the denied TCP traffic is logged as specified in entry 50, while the permitted but ultimately denied TFTP traffic is not logged since there is no explicit logging configured on the implicit deny rule. The other answer choices are incorrect based on the details of the ACL configuration.
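As an added illustration (not code from the page or from HPE), the following Python models first-match ACE evaluation over the question's ACL, distinguishing the "log" option (event log entry) from "count" (hit counter only) and the implicit deny (dropped, never logged). The object-group membership, the host addresses and the sample packets are constructed placeholders.

```python
# Constructed object groups with placeholder hosts and ports (not from the page).
GROUPS = {"RADIUS-SERVERS": {"10.0.1.10"}, "MANAGEMENT-SERVERS": {"10.0.9.5"},
          "WEB-PORTS": {80, 443}, "DHCP-PORTS": {67, 68}, "DNS-PORTS": {53}}

# The ACL from the question. The last entry is printed as 60 in the question
# and 80 in the explanation; only the order matters for first-match evaluation.
ACL_TEXT = """\
10 permit tcp any RADIUS-SERVERS group WEB-PORTS log
20 permit udp any any group DHCP-PORTS log
30 permit udp any any group DNS-PORTS log
40 permit icmp any RADIUS-SERVERS log
50 deny tcp any MANAGEMENT-SERVERS log
60 deny icmp any MANAGEMENT-SERVERS count
70 permit udp any MANAGEMENT-SERVERS eq 162 count
80 permit udp any MANAGEMENT-SERVERS eq 69 log"""

def parse(text):
    """Turn ACL lines into (seq, action, proto, dst_group, dst_ports, option)."""
    acl = []
    for line in text.splitlines():
        seq, action, proto, _src, dst, *rest = line.split()
        ports = None                       # None means any destination port
        if rest and rest[0] == "group":    # port object group
            ports, rest = GROUPS[rest[1]], rest[2:]
        elif rest and rest[0] == "eq":     # single destination port
            ports, rest = {int(rest[1])}, rest[2:]
        acl.append((int(seq), action, proto, dst, ports, rest[0] if rest else None))
    return acl

def evaluate(acl, proto, dst_ip, dport=None):
    """First match wins. Returns (action, seq, logged). 'count' only
    increments a hit counter and writes nothing to the event log."""
    for seq, action, eproto, dst, ports, option in acl:
        if eproto != proto:
            continue
        if dst != "any" and dst_ip not in GROUPS[dst]:
            continue
        if ports is not None and dport not in ports:
            continue
        return action, seq, option == "log"
    return "deny", None, False   # implicit deny: dropped, never logged

ACL = parse(ACL_TEXT)

if __name__ == "__main__":
    for pkt in [("tcp", "10.0.9.5", 22), ("icmp", "10.0.9.5"),
                ("udp", "10.0.9.5", 162), ("tcp", "10.0.7.7", 443)]:
        print(pkt, "->", evaluate(ACL, *pkt))
```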
