CCDE: Cisco Certified Design Expert (Practical) — Question 92
A customer has a functional requirement that states HR systems within a data center should be segmented from other systems that reside in the same data center and same VLAN. The systems run legacy applications by using hard-coded IP addresses with all HR systems dedicated to .129 to .254 of the 10.20.20.0/24 prefix. Which segmentation method is optimal for the customer?
Answer options
- A. data center perimeter firewalling
- B. routed firewalls
- C. VACLs on data center switches
- D. ACLs on data center switches
Correct answer: C
Explanation
Using VACLs (VLAN Access Control Lists) on the data center switches is the most suitable approach for segmenting the HR systems: a VACL is applied to all traffic bridged within a VLAN, so it gives granular control over host-to-host flows inside the same VLAN and effectively isolates those systems. Because the HR hosts occupy a fixed, contiguous range (.129 to .254, that is, the upper half of 10.20.20.0/24), the HR range can be matched with a single address block in the VACL without re-addressing the legacy applications. The other options, perimeter firewalls and routed firewalls, are less effective for this specific scenario because traffic between hosts in the same VLAN is switched at Layer 2 and never reaches a routed firewall or the data center perimeter, so those devices cannot provide the required isolation within the VLAN. ACLs on the switches could be a viable option, but VACLs offer more comprehensive filtering of intra-VLAN traffic.
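To make the chosen answer concrete, the following is an added Cisco IOS-style VACL configuration for the scenario; it is not part of the original question or explanation, and the VLAN ID 20, the ACL name HR-NONHR and the access-map name HR-SEG are assumptions chosen for illustration. It blocks IP traffic between the HR range (10.20.20.128/25, which contains .129 to .254) and the non-HR range (10.20.20.0/25) in both directions, and forwards everything else in the VLAN unchanged.

```cisco
! Assumed: the shared data center VLAN is VLAN 20 (not stated in the question).
! Match IP traffic in either direction between the HR half and the non-HR half
! of 10.20.20.0/24. Wildcard 0.0.0.127 covers .128-.255, so .129-.254 are included.
ip access-list extended HR-NONHR
 permit ip 10.20.20.128 0.0.0.127 10.20.20.0 0.0.0.127
 permit ip 10.20.20.0 0.0.0.127 10.20.20.128 0.0.0.127
!
! VACL sequence 10: anything matched by HR-NONHR is dropped on the switch,
! before it is bridged to the destination port.
vlan access-map HR-SEG 10
 match ip address HR-NONHR
 action drop
!
! VACL sequence 20: an entry with no match clause matches all remaining
! traffic, so HR-to-HR and non-HR-to-non-HR flows are forwarded normally.
vlan access-map HR-SEG 20
 action forward
!
! Apply the VACL to bridged traffic in the VLAN.
vlan filter HR-SEG vlan-list 20
```

Two points a designer should check after applying this: `show vlan filter` and `show vlan access-map` confirm the map is attached to the intended VLAN, and, because the VACL above only matches IP, ARP between the two halves is still allowed; adding a `mac access-list extended` entry to the same access map would be needed if Layer 2 reachability must also be denied.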