The engineer is implementing out-of-band (OOB) management access for the Cisco ACI fabric with the following requirements:
Only GUI (HTTPS) and Secure Shell (SSH) must be allowed to access the management interfaces.
Only IP ranges 10.10.10.0/24 and 192.168.15.0/24 must be permitted to connect.
This requires configuring access control and restricting IP ranges for OOB management.
Requirement Analysis
OOB management in ACI is typically handled via the Management Tenant (mgmt) and an OOB contract to define allowed protocols and sources.
The external network instance profile defines the permitted IP ranges for external access.
Option Evaluation
A. Implement HTTPS and SSH protocol filters in the OOB contract. Add the required subnets to the external network instance profile:
An OOB contract can specify allowed protocols (HTTPS on port 443 and SSH on port 22) to restrict access to GUI and SSH only. Adding the subnets 10.10.10.0/24 and 192.168.15.0/24 to the external network instance profile limits the source IP ranges, meeting both requirements.
Reference: Cisco APIC Management Guide, "Out-of-Band Management Configuration" and "Contract Configuration."
B. Create an out-of-band EPG in the external management entity. Associate the management profile with the OOB contract:
This approach creates an EPG for OOB management, but it does not specify protocol filters (HTTPS/SSH) or IP range restrictions. The management profile alone does not enforce these requirements.
Reference: Cisco ACI External Management Configuration Guide.
C. Set up static IPs on the management interfaces from the required IP range. Add the required subnets to the external network instance profile:
Assigning static IPs to management interfaces is a configuration step, but it does not enforce protocol restrictions (HTTPS/SSH) or limit source IP ranges via a contract. This is incomplete.
Reference: Cisco APIC Interface Configuration Guide.
D. Create an out-of-band EPG in the common tenant. Associate the external network instance profile with the OOB contract:
The common tenant can host an OOB EPG, but this option lacks explicit protocol filtering (HTTPS/SSH) and relies on the external network instance profile, which may not fully address the GUI/SSH restriction.
Reference: Cisco ACI Tenant Configuration Guide.
Final Answer Justification
A is correct because it directly addresses both requirements: using an OOB contract to filter HTTPS and SSH protocols and adding the specified subnets to the external network instance profile to restrict IP ranges.
Primary Cisco References:
Cisco APIC Management Tenant Configuration Guide, "OOB Management Access."
Cisco ACI Security Guide, "Contract-Based Access Control."
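Once option A is configured, the two requirements can be verified against an export of the mgmt tenant rather than trusted from the GUI. The script below is an added example written for this page, not Cisco's code or part of the original question. It assumes the APIC object model as the author understands it (vzOOBBrCP for the OOB contract, vzFilter/vzEntry for the protocol filters, mgmtInstP/mgmtSubnet for the external network instance profile, mgmtRsOoBCons for the contract consumption, and both numeric and named ports such as "https" in vzEntry); confirm those names against your own export. The XML it audits is constructed for the example and deliberately contains two deviations from the requirements, so the audit has something to find.

```python
"""Audit a Cisco ACI mgmt-tenant export for the two OOB requirements:
only HTTPS/SSH in the OOB contract, only two approved source subnets."""
import ipaddress
import xml.etree.ElementTree as ET

# Destination ports the OOB contract may open: GUI over HTTPS and SSH.
# Assumption: APIC accepts numeric and named ports in vzEntry, so both are listed.
ALLOWED_PORTS = {"22", "ssh", "443", "https"}

# Source ranges that may reach the management interfaces (from the requirements).
ALLOWED_SUBNETS = [ipaddress.ip_network("10.10.10.0/24"),
                   ipaddress.ip_network("192.168.15.0/24")]

# Constructed sample export, not a real APIC export. It carries two deviations:
# a telnet filter attached to the OOB contract and a 0.0.0.0/0 subnet in the profile.
SAMPLE_EXPORT = """<fvTenant name="mgmt">
  <vzFilter name="oob-https">
    <vzEntry name="https" etherT="ip" prot="tcp" dFromPort="https" dToPort="https"/>
  </vzFilter>
  <vzFilter name="oob-ssh">
    <vzEntry name="ssh" etherT="ip" prot="tcp" dFromPort="22" dToPort="22"/>
  </vzFilter>
  <vzFilter name="oob-telnet">
    <vzEntry name="telnet" etherT="ip" prot="tcp" dFromPort="23" dToPort="23"/>
  </vzFilter>
  <vzOOBBrCP name="oob-mgmt">
    <vzSubj name="mgmt">
      <vzRsSubjFiltAtt tnVzFilterName="oob-https"/>
      <vzRsSubjFiltAtt tnVzFilterName="oob-ssh"/>
      <vzRsSubjFiltAtt tnVzFilterName="oob-telnet"/>
    </vzSubj>
  </vzOOBBrCP>
  <mgmtExtMgmtEntity name="default">
    <mgmtInstP name="oob-ext">
      <mgmtSubnet ip="10.10.10.0/24"/>
      <mgmtSubnet ip="192.168.15.0/24"/>
      <mgmtSubnet ip="0.0.0.0/0"/>
      <mgmtRsOoBCons tnVzOOBBrCPName="oob-mgmt"/>
    </mgmtInstP>
  </mgmtExtMgmtEntity>
</fvTenant>"""


def _filter_entries(root):
    """Map each vzFilter name to its (prot, dFromPort, dToPort) entries."""
    return {
        f.get("name"): [(e.get("prot"), e.get("dFromPort"), e.get("dToPort"))
                        for e in f.iter("vzEntry")]
        for f in root.iter("vzFilter")
    }


def audit_oob(xml_text, contract_name, instp_name):
    """Return a list of findings; an empty list means both requirements hold."""
    root = ET.fromstring(xml_text)
    filters = _filter_entries(root)
    findings = []

    # Requirement 1: every filter attached to the OOB contract must be a single
    # TCP destination port that is either SSH or HTTPS.
    contracts = [c for c in root.iter("vzOOBBrCP") if c.get("name") == contract_name]
    if not contracts:
        findings.append(f"contract {contract_name}: not found in export")
    for contract in contracts:
        for att in contract.iter("vzRsSubjFiltAtt"):
            fname = att.get("tnVzFilterName")
            if fname not in filters:
                findings.append(f"contract {contract_name}: references unknown filter {fname}")
                continue
            for prot, lo, hi in filters[fname]:
                if prot != "tcp" or lo != hi or lo not in ALLOWED_PORTS:
                    findings.append(f"contract {contract_name}: filter {fname} permits "
                                    f"{prot} {lo}-{hi}, not HTTPS/SSH")

    # Requirement 2: every subnet in the instance profile must sit inside an
    # approved range, and the profile must actually consume the OOB contract.
    profiles = [p for p in root.iter("mgmtInstP") if p.get("name") == instp_name]
    if not profiles:
        findings.append(f"instance profile {instp_name}: not found in export")
    for instp in profiles:
        for sub in instp.iter("mgmtSubnet"):
            net = ipaddress.ip_network(sub.get("ip"), strict=False)
            approved = any(a.version == net.version and net.subnet_of(a)
                           for a in ALLOWED_SUBNETS)
            if not approved:
                findings.append(f"instance profile {instp_name}: subnet {net} "
                                f"is outside the approved ranges")
        consumed = {r.get("tnVzOOBBrCPName") for r in instp.iter("mgmtRsOoBCons")}
        if contract_name not in consumed:
            findings.append(f"instance profile {instp_name}: does not consume "
                            f"contract {contract_name}")
    return findings


if __name__ == "__main__":
    for finding in audit_oob(SAMPLE_EXPORT, "oob-mgmt", "oob-ext"):
        print(finding)
```

Run against the constructed export it reports the telnet filter and the 0.0.0.0/0 subnet; with those two lines removed it returns an empty list, which is the state option A is meant to produce. Exporting the mgmt tenant after each change and re-running the audit turns the two requirements into a repeatable check rather than a one-time GUI inspection.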