
300-410 Question #90: Real Exam Question with Answer & Explanation

The correct answer is A: Move the SSH entry to the beginning of the ACL. The SSH connection fails due to an incorrect ACL order where a general deny statement for port 22 precedes a more specific permit statement for SSH traffic.

Infrastructure Security

Question

Refer to the exhibit. The ACL is placed on the inbound Gigabit 0/1 interface of the router. Host 192.168.10.10 cannot SSH to host 192.168.10.0 even though the flow is permitted. Which action resolves the issue without opening full access to this router?

Exhibit:

    ip access-list extended FILTER
     deny tcp 192.168.10.0 0.0.0.255 192.168.10.0 0.0.0.255 eq 22
     deny tcp 192.168.10.0 0.0.0.255 192.168.10.0 0.0.0.255 eq 23
     deny tcp 192.168.10.0 0.0.0.255 192.168.10.0 0.0.0.255 eq 80
     deny tcp 192.168.10.0 0.0.0.255 192.168.10.0 0.0.0.255 eq 443
     permit tcp host 192.168.10.10 host 192.168.10.0 eq ssh
     permit ip any any
    !
    interface GigabitEthernet0/1
     ip address 192.168.10.1 255.255.255.0
     ip access-group FILTER in

Options

  • A. Move the SSH entry to the beginning of the ACL
  • B. Temporarily move the permit ip any any line to the beginning of the ACL to see if the flow works
  • C. Temporarily remove the ACL from the interface to see if the flow works
  • D. Run the show access-list FILTER command to view if the SSH entry has any hit statistic associated with it

Explanation

The SSH connection fails because of ACL ordering. IOS evaluates an ACL top-down and stops at the first matching entry, so the broad deny for port 22 from 192.168.10.0/24 to 192.168.10.0/24 matches the SSH flow first and the more specific permit for host 192.168.10.10 below it is never reached. Moving the SSH permit above the deny entries resolves the issue while leaving the remaining deny entries in effect.
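The following is an added example, not part of the original question page: a small Python model of IOS top-down, first-match ACL evaluation (with wildcard-mask matching and the implicit deny), run over the exhibit's FILTER list as written and with the SSH entry moved to the top as option A proposes. The parser covers only the ACE forms the exhibit uses; the port-name table and the FIXED list are constructed here for the demonstration.

```python
import ipaddress

PORT_NAMES = {"ssh": 22, "telnet": 23, "www": 80}  # IOS accepts names or numbers after "eq"

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def parse_addr(tok, pos):
    """Return ((base, wildcard), next_pos) for 'any', 'host A' or 'A WILDCARD'."""
    if tok[pos] == "any":
        return ("0.0.0.0", "255.255.255.255"), pos + 1
    if tok[pos] == "host":
        return (tok[pos + 1], "0.0.0.0"), pos + 2
    return (tok[pos], tok[pos + 1]), pos + 2

def parse_ace(line):
    """Parse the subset of IOS extended-ACE syntax used in the exhibit."""
    tok = line.split()  # tok[0] = action, tok[1] = protocol
    src, pos = parse_addr(tok, 2)
    dst, pos = parse_addr(tok, pos)
    dport = None
    if pos < len(tok) and tok[pos] == "eq":
        dport = PORT_NAMES.get(tok[pos + 1]) or int(tok[pos + 1])
    return {"action": tok[0], "proto": tok[1], "src": src, "dst": dst, "dport": dport}

def evaluate(acl, src, dst, proto, dport):
    """Top-down, first-match evaluation. Returns (action, index); ('deny', None) is the implicit deny."""
    for idx, line in enumerate(acl):
        ace = parse_ace(line)
        if (ace["proto"] in ("ip", proto)
                and wildcard_match(src, *ace["src"]) and wildcard_match(dst, *ace["dst"])
                and ace["dport"] in (None, dport)):
            return ace["action"], idx  # first match wins; later, more specific lines never run
    return "deny", None  # implicit deny at the end of every IOS ACL

FILTER = [  # the ACL exactly as shown in the exhibit, one ACE per line
    "deny tcp 192.168.10.0 0.0.0.255 192.168.10.0 0.0.0.255 eq 22",
    "deny tcp 192.168.10.0 0.0.0.255 192.168.10.0 0.0.0.255 eq 23",
    "deny tcp 192.168.10.0 0.0.0.255 192.168.10.0 0.0.0.255 eq 80",
    "deny tcp 192.168.10.0 0.0.0.255 192.168.10.0 0.0.0.255 eq 443",
    "permit tcp host 192.168.10.10 host 192.168.10.0 eq ssh",
    "permit ip any any",
]
FIXED = [FILTER[4]] + FILTER[:4] + [FILTER[5]]  # option A: specific SSH permit moved to the top
SSH_FLOW = ("192.168.10.10", "192.168.10.0", "tcp", 22)  # the flow from the question

if __name__ == "__main__":
    print("as shown:", evaluate(FILTER, *SSH_FLOW), "| option A:", evaluate(FIXED, *SSH_FLOW))
```

With the ACL as shown the SSH flow hits the deny at index 0; after the reorder it hits the permit at index 0, while a Telnet attempt from the same host is still stopped by the port 23 deny, which is what "without opening full access" requires.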

Common mistakes.

  • B. Moving permit ip any any to the beginning would open full access, violating the requirement to resolve the issue 'without opening full access to this router'.
  • C. Temporarily removing the ACL from the interface would open full access, which contradicts the requirement to resolve the issue 'without opening full access to this router'.
  • D. Running show access-list FILTER is a diagnostic step to verify hit counts, not an action that resolves the configuration issue itself.

Concept tested. ACL processing order

Reference. https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_acl/configuration/xe-16/sec-data-acl-xe-16-book/sec-acl-overview.html

Topics

#ACLs #AccessControlLists #SecurityPolicies #Troubleshooting
