312-50V11 · Question #148
The security administrator of ABC needs to permit Internet traffic in the host 10.0.0.2 and UDP traffic in the host 10.0.0.3. He also needs to permit all FTP traffic to the rest of the network and den
The correct answer is D. The first ACL is denying all TCP traffic and the other ACLs are being ignored by the router. Cisco ACLs are processed sequentially top-to-bottom; a broad deny statement early in the list will block all matching traffic before more specific permit entries are ever reached.
Question
The security administrator of ABC needs to permit Internet traffic in the host 10.0.0.2 and UDP traffic in the host 10.0.0.3. He also needs to permit all FTP traffic to the rest of the network and deny all other traffic. After he applied his ACL configuration in the router, nobody can access to the ftp, and the permitted hosts cannot access the Internet. According to the next configuration, what is happening in the network?
Options
- AThe ACL 104 needs to be first because is UDP
- BThe ACL 110 needs to be changed to port 80
- CThe ACL for FTP must be before the ACL 110
- DThe first ACL is denying all TCP traffic and the other ACLs are being ignored by the router
How the community answered
(65 responses)- A29% (19)
- B17% (11)
- C9% (6)
- D45% (29)
Why each option
Cisco ACLs are processed sequentially top-to-bottom; a broad deny statement early in the list will block all matching traffic before more specific permit entries are ever reached.
ACL sequence numbers (104, 110) do not control protocol processing priority; they simply identify the access list, and statement order within the ACL is what determines processing sequence.
Changing the ACL to port 80 (HTTP) does not resolve the root problem of an earlier deny statement blocking all TCP before any permit rules are reached.
While moving the FTP ACL higher would be a partial fix, the actual root cause is that the first statement denies all TCP traffic, making the ordering of the FTP rule a symptom rather than the cause.
In Cisco ACLs, the router evaluates each statement in order and stops processing as soon as a match is found. If the first entry is a broad 'deny tcp any any' (or similar), it matches all TCP traffic - including HTTP and FTP - and the router never evaluates the subsequent permit statements. This explains why both Internet access and FTP are broken despite the later permit rules.
Concept tested: Cisco ACL sequential processing and implicit deny
Source: https://www.cisco.com/c/en/us/support/docs/security/ios-firewall/23602-confaccesslists.html
Topics
Community Discussion
No community discussion yet for this question.