200-101 Question #127: Real Exam Question with Answer & Explanation
The correct answer is B: access-list 103 deny tcp 172.16.8.0 0.0.3.255 any eq 80. Blocking WWW (port 80) for subnets 172.16.8.0 through 172.16.11.0 requires a wildcard mask that covers exactly those four /24 networks.
Question
An organization is concerned that too many employees are wasting company time accessing the Internet. Which access list statement would stop World Wide Web access for employees on the range of subnets from 172.16.8.0/24 to 172.16.11.0/24?
Options
- A. access-list 103 deny tcp 172.16.8.0 0.0.0.3 any eq 80
- B. access-list 103 deny tcp 172.16.8.0 0.0.3.255 any eq 80
- C. access-list 103 deny http 172.16.8.0 0.0.7.255 any
- D. access-list 103 deny tcp any 172.16.8.0 0.0.3.255 eq 80
- E. access-list 103 deny tcp 172.16.8.0 0.0.11.255 any eq 80
Explanation
Blocking WWW (port 80) for subnets 172.16.8.0 through 172.16.11.0 requires a wildcard mask that covers exactly those four /24 networks. In the third octet, 8 is 00001000 and 11 is 00001011 in binary, so only the two low-order bits vary across the range, giving a wildcard of 3 for that octet; the fourth octet varies completely, giving 255. The source 172.16.8.0 with wildcard 0.0.3.255 therefore matches 172.16.8.0 through 172.16.11.255 and nothing else. The statement must also name the employee subnets as the source, any host as the destination, and match destination port 80 with "eq 80", which is what option B does.
Common mistakes.
- A. The wildcard 0.0.0.3 only spans four host addresses within 172.16.8.0/24 (172.16.8.0-172.16.8.3), far too narrow to cover the required four full subnets.
- C. 'http' is not a valid Cisco IOS ACL protocol keyword; the correct syntax uses 'tcp' with 'eq 80' to match HTTP traffic.
- D. The source and destination are reversed; this statement would deny TCP port 80 traffic sent TO the subnet range rather than FROM it, blocking inbound web server responses instead of outbound employee requests.
- E. The wildcard 0.0.11.255 applied to 172.16.8.0 covers 172.16.8.0 through 172.16.19.255, which includes subnets beyond 172.16.11.0 and is broader than required.
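To make the wildcard-mask reasoning checkable, here is an added worked example (not part of the original question page) that applies Cisco wildcard semantics bit by bit, enumerates every /24 network an ACL source of base/wildcard would match, and derives the wildcard for an aligned address range. Function names and the helper `_u32` are my own; only the addresses and wildcards come from the question.

```python
import ipaddress

def _u32(dotted):
    """Dotted-quad IPv4 string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))

def wildcard_matches(addr, base, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care';
    every 0 bit must equal the corresponding bit of the base address."""
    care = ~_u32(wildcard) & 0xFFFFFFFF
    return (_u32(addr) & care) == (_u32(base) & care)

def matched_slash24s(base, wildcard):
    """All /24 networks containing at least one address matched by base/wildcard,
    found by enumerating every submask of the wildcard's don't-care bits."""
    w = _u32(wildcard)
    fixed = _u32(base) & ~w & 0xFFFFFFFF   # bits the ACL entry insists on
    nets = set()
    sub = w
    while True:
        addr = ipaddress.IPv4Address(fixed | sub)
        nets.add(str(ipaddress.ip_network(f"{addr}/24", strict=False)))
        if sub == 0:
            break
        sub = (sub - 1) & w   # next submask of w, in descending order
    return sorted(nets, key=lambda n: _u32(n.split("/")[0]))

def wildcard_for_range(first, last):
    """Base/wildcard pair covering exactly first..last, or None when the range is
    not an aligned power-of-two block (a single ACL entry cannot express it)."""
    f, l = _u32(first), _u32(last)
    span = l - f + 1
    if span & (span - 1) or f % span:
        return None
    return str(ipaddress.IPv4Address(f)), str(ipaddress.IPv4Address(span - 1))

# The range the question asks about: 172.16.8.0/24 through 172.16.11.0/24.
TARGET = [f"172.16.{n}.0/24" for n in range(8, 12)]

def covers_exactly(base, wildcard, target=TARGET):
    """True only when the ACL source matches the target /24s and no others."""
    return matched_slash24s(base, wildcard) == target

if __name__ == "__main__":
    # Options C and D fail on syntax and direction, so only the masks are compared.
    for label, wc in [("A", "0.0.0.3"), ("B", "0.0.3.255"), ("E", "0.0.11.255")]:
        print(label, wc, matched_slash24s("172.16.8.0", wc), covers_exactly("172.16.8.0", wc))
    print(wildcard_for_range("172.16.8.0", "172.16.11.255"))
```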
Concept tested. Cisco extended ACL wildcard mask calculation for subnet ranges
Reference. https://www.cisco.com/c/en/us/support/docs/security/ios-firewall/23602-confaccesslists.html