Comprehensive and Detailed Explanation:
In an iMaster NCE-Campus policy control matrix, rows represent source security groups and columns represent destination security groups. A green check mark indicates that communication is allowed, while a red cross indicates that communication is denied. This matrix enables fine-grained user access control in VXLAN-based virtualized campus networks.
From the figure, communication between Guest_Group and Research_Group is explicitly denied in both directions, as indicated by red crosses. Therefore, statements A and D are both correct. The matrix also shows a green check mark for Sales_Group communicating with itself, meaning intra-group communication is permitted, making statement B correct.
The unknown group represents users that are not classified into Guest_Group, Research_Group, or Sales_Group. In the matrix, the unknown group is not completely blocked from all resources by default; access behavior depends on explicit policy configuration. Since the figure does not indicate a universal deny policy for unknown users toward all destinations, statement C is incorrect.
According to HCIP Datacom Campus Network policy control design, security group–based access control allows administrators to precisely define which user groups can communicate, improving security and service isolation. Hence, the correct answers are A, B, and D.