A network engineer is troubleshooting an issue where SSH access to a Cisco router from a specific management subnet (10.10.10.0/24) is intermittently failing. The router has a CoPP policy applied to the control plane. The engineer checks the CoPP statistics and sees that packets from the management subnet are being dropped by the control-plane service-policy. Which configuration change should the engineer make to allow SSH from the management subnet while still protecting the control plane?
- A. Modify the CoPP ACL to include a permit statement for TCP port 22 from 10.10.10.0/24 before the deny statement.
  Correct: this allows SSH traffic from the management subnet to be classified and permitted by the CoPP policy, so it is no longer dropped.
- B. Remove the deny statement from the CoPP ACL to allow all traffic.
  Why wrong: removing the deny statement would allow all traffic to the control plane, defeating the purpose of CoPP.
- C. Increase the police rate for the CoPP class that matches SSH traffic.
  Why wrong: the issue is not rate limiting; the traffic is being dropped by an ACL deny, not policed.
- D. Remove the CoPP policy from the control plane and rely on interface ACLs.
  Why wrong: removing CoPP leaves the control plane vulnerable to attacks; interface ACLs alone may not provide sufficient protection.