312-50V9 · Question #317
The security administrator of ABC needs to permit Internet traffic in the host 10.0.0.2 and UDP traffic in the host 10.0.0.3. Also he needs to permit all FTP traffic to the rest of the network and den
The correct answer is C. The first ACL is denying all TCP traffic and the other ACLs are being ignored by the router. Cisco IOS processes ACL entries sequentially from top to bottom, and the first matching entry wins, so a broad deny-all TCP statement at the top silently blocks all subsequent permit rules.
Question
The security administrator of ABC needs to permit Internet traffic in the host 10.0.0.2 and UDP traffic in the host 10.0.0.3. Also he needs to permit all FTP traffic to the rest of the network and deny all other traffic. After he applied his ACL configuration in the router nobody can access to the ftp and the permitted hosts cannot access to the Internet. According to the next configuration what is happening in the network? access-list 102 deny tcp any any access-list 104 permit udp host 10.0.0.3 any access-list 110 permit tcp host 10.0.0.2 eq www any access-list 108 permit tcp any eq ftp any
Options
- AThe ACL 110 needs to be changed to port 80
- BThe ACL for FTP must be before the ACL 110
- CThe first ACL is denying all TCP traffic and the other ACLs are being ignored by the router
- DThe ACL 104 needs to be first because is UDP
How the community answered
(30 responses)- A10% (3)
- B7% (2)
- C63% (19)
- D20% (6)
Why each option
Cisco IOS processes ACL entries sequentially from top to bottom, and the first matching entry wins, so a broad deny-all TCP statement at the top silently blocks all subsequent permit rules.
Changing ACL 110 to port 80 is unnecessary because 'eq www' is already equivalent to port 80; the root problem is the deny-all TCP rule blocking all traffic before ACL 110 is ever reached.
Reordering the FTP ACL relative to ACL 110 does not help because ACL 102's blanket 'deny tcp any any' will still match all TCP traffic, including FTP, before either permit statement is evaluated.
Cisco routers evaluate ACL statements in the order they are configured, stopping at the first match and taking that action. ACL 102 contains 'deny tcp any any', which matches every TCP packet - including HTTP (port 80) and FTP (port 21) - before the router ever evaluates the permit statements in ACLs 108 and 110. This renders all subsequent TCP-based permit rules completely unreachable, explaining why no FTP or web traffic is passing.
Moving ACL 104 first would only benefit UDP traffic from host 10.0.0.3 and does not address the deny-all TCP rule that is blocking both HTTP and FTP.
Concept tested: Cisco ACL sequential processing and first-match behavior
Source: https://www.cisco.com/c/en/us/support/docs/security/ios-firewall/23602-confaccesslists.html
Topics
Community Discussion
No community discussion yet for this question.