nerdexam
EC-Council

312-50V9 · Question #317

The security administrator of ABC needs to permit Internet traffic in the host 10.0.0.2 and UDP traffic in the host 10.0.0.3. Also he needs to permit all FTP traffic to the rest of the network and den

The correct answer is C. The first ACL is denying all TCP traffic and the other ACLs are being ignored by the router. Cisco IOS processes ACL entries sequentially from top to bottom, and the first matching entry wins, so a broad deny-all TCP statement at the top silently blocks all subsequent permit rules.

Scanning Networks

Question

The security administrator of ABC needs to permit Internet traffic in the host 10.0.0.2 and UDP traffic in the host 10.0.0.3. Also he needs to permit all FTP traffic to the rest of the network and deny all other traffic. After he applied his ACL configuration in the router nobody can access to the ftp and the permitted hosts cannot access to the Internet. According to the next configuration what is happening in the network? access-list 102 deny tcp any any access-list 104 permit udp host 10.0.0.3 any access-list 110 permit tcp host 10.0.0.2 eq www any access-list 108 permit tcp any eq ftp any

Options

  • AThe ACL 110 needs to be changed to port 80
  • BThe ACL for FTP must be before the ACL 110
  • CThe first ACL is denying all TCP traffic and the other ACLs are being ignored by the router
  • DThe ACL 104 needs to be first because is UDP

How the community answered

(30 responses)
  • A
    10% (3)
  • B
    7% (2)
  • C
    63% (19)
  • D
    20% (6)

Why each option

Cisco IOS processes ACL entries sequentially from top to bottom, and the first matching entry wins, so a broad deny-all TCP statement at the top silently blocks all subsequent permit rules.

AThe ACL 110 needs to be changed to port 80

Changing ACL 110 to port 80 is unnecessary because 'eq www' is already equivalent to port 80; the root problem is the deny-all TCP rule blocking all traffic before ACL 110 is ever reached.

BThe ACL for FTP must be before the ACL 110

Reordering the FTP ACL relative to ACL 110 does not help because ACL 102's blanket 'deny tcp any any' will still match all TCP traffic, including FTP, before either permit statement is evaluated.

CThe first ACL is denying all TCP traffic and the other ACLs are being ignored by the routerCorrect

Cisco routers evaluate ACL statements in the order they are configured, stopping at the first match and taking that action. ACL 102 contains 'deny tcp any any', which matches every TCP packet - including HTTP (port 80) and FTP (port 21) - before the router ever evaluates the permit statements in ACLs 108 and 110. This renders all subsequent TCP-based permit rules completely unreachable, explaining why no FTP or web traffic is passing.

DThe ACL 104 needs to be first because is UDP

Moving ACL 104 first would only benefit UDP traffic from host 10.0.0.3 and does not address the deny-all TCP rule that is blocking both HTTP and FTP.

Concept tested: Cisco ACL sequential processing and first-match behavior

Source: https://www.cisco.com/c/en/us/support/docs/security/ios-firewall/23602-confaccesslists.html

Topics

#ACL#router configuration#implicit deny#access control list

Community Discussion

No community discussion yet for this question.

Full 312-50V9 Practice