In AOS 10, which session-based ACL configuration will only allow ping from wired stations to wireless clients but will not allow ping from wireless clients to wired stations?

• A. ip access-list session pingFromWired any user any permit
• B. ip access-list session pingFromWired user any svc-icmp deny any any svc-icmp permit
• C. ip access-list session pingFromWired any any svc-icmp permit user any svc-icmp deny
• D. ip access-list session pingFromWired any any svc-icmp deny any user svc-icmp permit

Answer: (D)

In AOS 10, session-based ACLs are evaluated for each individual session from top to bottom, and they can enforce asymmetric behavior by blocking one direction before permitting the other. The line that denies ICMP where the source is a wireless user targets all ping attempts initiated by wireless clients, regardless of destination. That blocks the direction from wireless to wired (and to other devices) because those sessions originate from a wireless user. The next line then permits ICMP for the sessions not matched by the deny—i.e., the sessions where the source is not a wireless user, which corresponds to wired devices pinging wireless clients. By placing the deny first, you ensure wireless-origin ping is blocked while wired-origin ping is allowed, achieving the required directionality.

The other options either permit ICMP too broadly or place rules in a way that doesn’t correctly constrain the reverse direction, so they wouldn’t enforce the desired one-way ping behavior.