312-50V10 · Question #148
The security administrator of ABC needs to permit Internet traffic in the host 10.0.0.2 and UDP traffic in the host 10.0.0.3. He also needs to permit all FTP traffic to the rest of the network and den
The correct answer is D. The first ACL is denying all TCP traffic and the other ACLs are being ignored by the router. Cisco ACLs are evaluated sequentially from top to bottom, and the first matching entry is applied - all subsequent entries are never reached once a match occurs.
Question
The security administrator of ABC needs to permit Internet traffic in the host 10.0.0.2 and UDP traffic in the host 10.0.0.3. He also needs to permit all FTP traffic to the rest of the network and deny all other traffic. After he applied his ACL configuration in the router, nobody can access to the ftp, and the permitted hosts cannot access the Internet. According to the next configuration, what is happening in the network?
Options
- AThe ACL 104 needs to be first because is UDP
- BThe ACL 110 needs to be changed to port 80
- CThe ACL for FTP must be before the ACL 110
- DThe first ACL is denying all TCP traffic and the other ACLs are being ignored by the router
How the community answered
(23 responses)- A22% (5)
- B13% (3)
- C4% (1)
- D61% (14)
Why each option
Cisco ACLs are evaluated sequentially from top to bottom, and the first matching entry is applied - all subsequent entries are never reached once a match occurs.
ACL processing order is determined by sequence position in the list, not by the protocol type (TCP vs UDP) - there is no rule that UDP ACLs are processed before TCP ACLs.
Changing ACL 110 to port 80 would not resolve the issue because the root cause is an earlier deny-all-TCP statement that blocks HTTP and FTP traffic before ACL 110 is ever reached.
Repositioning only the FTP ACL above the deny statement would fix FTP access but would not restore Internet (HTTP) access for the permitted hosts, since the deny-all-TCP rule would still block port 80 traffic.
A deny-all-TCP entry at the top of the ACL list matches FTP (TCP 21) and HTTP (TCP 80) traffic before the specific permit entries for those services are ever evaluated, causing the router to drop the traffic immediately and ignore the remaining ACL entries that would have permitted it.
Concept tested: Cisco ACL sequential processing and first-match logic
Source: https://www.cisco.com/c/en/us/support/docs/security/ios-firewall/23602-confaccesslists.html
Topics
Community Discussion
No community discussion yet for this question.