nerdexam
Cisco

200-101 · Question #164

Unauthorized users have used Telnet to gain access to a company router. The network administrator wants to configure and apply an access list to allow Telnet access to the router, but only from the ne

The correct answer is B. access-list 3 permit host 172.16.3.3 line vty 0 4 access-class 3 in. To restrict Telnet access to a router's VTY lines to a single IP address, a standard ACL must be applied to the VTY lines using the 'access-class' command, not 'ip access-group'.

Network Device Management

Question

Unauthorized users have used Telnet to gain access to a company router. The network administrator wants to configure and apply an access list to allow Telnet access to the router, but only from the network administrator's computer. Which group of commands would be the best choice to allow only the IP address 172.16.3.3 to have Telnet access to the router?

Exhibit

200-101 question #164 exhibit

Options

  • Aaccess-list 101 permit tcp any host 172.16.3.3 eq telnet interface s0/0 ip access-group 101 in
  • Baccess-list 3 permit host 172.16.3.3 line vty 0 4 access-class 3 in
  • Caccess-list 101 permit tcp any host 172.16.3.3 eq telnet access-list 101 permit ip any any interface s0/0 ip access-group 101 in
  • Daccess-list 3 permit host 172.16.3.3 line vty 0 4 ip access-group 3 in

How the community answered

(41 responses)
  • A
    7% (3)
  • B
    71% (29)
  • C
    17% (7)
  • D
    5% (2)

Why each option

To restrict Telnet access to a router's VTY lines to a single IP address, a standard ACL must be applied to the VTY lines using the 'access-class' command, not 'ip access-group'.

Aaccess-list 101 permit tcp any host 172.16.3.3 eq telnet interface s0/0 ip access-group 101 in

Applying an extended ACL to a physical interface (s0/0) with 'ip access-group' affects all traffic transiting that interface, not just Telnet to the router itself, and would not restrict VTY access from other interfaces.

Baccess-list 3 permit host 172.16.3.3 line vty 0 4 access-class 3 inCorrect

A standard ACL (number 3) permitting only host 172.16.3.3 implicitly denies all other sources. Applying it to VTY lines 0-4 with 'access-class 3 in' is the correct IOS syntax for filtering inbound Telnet connections to the router's virtual terminal lines, ensuring only that host can connect.

Caccess-list 101 permit tcp any host 172.16.3.3 eq telnet access-list 101 permit ip any any interface s0/0 ip access-group 101 in

Although the ACL logic is partly correct, applying it to a physical interface with 'ip access-group' does not restrict VTY access from all interfaces and could block transit traffic unnecessarily.

Daccess-list 3 permit host 172.16.3.3 line vty 0 4 ip access-group 3 in

The 'ip access-group' command is used on physical interfaces and is not valid syntax on VTY lines; the correct command for VTY line filtering is 'access-class'.

Concept tested: VTY access control using access-class on router

Source: https://www.cisco.com/c/en/us/support/docs/security/ios-firewall/23602-confaccesslists.html

Topics

#VTY access control#access-class#standard ACL#Telnet security

Community Discussion

No community discussion yet for this question.

Full 200-101 Practice