350-401 Question #1026: Real Exam Question with Answer & Explanation

The correct answer is B: R1(config)# access-list 120 permit tcp 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255 20. To allow FTP traffic from the source subnet to the destination subnet while blocking all other traffic, the configuration must explicitly permit the FTP data channel using the correct ACL syntax.

Submitted by asante_acc · Mar 6, 2026

Question

Refer to the exhibit. An engineer must allow the FTP traffic from users on 172.16.1.0/24 to 172.16.2.0/24 and block all other traffic. Which configuration must be applied?

Options

  • A. R1(config)# access-list 120 permit tcp 172.16.1.0 0.0.0.255 21 172.16.2.0 0.0.0.255
  • B. R1(config)# access-list 120 permit tcp 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255 20
  • C. R1(config)# access-list 120 deny any any
  • D. R1(config)# access-list 120 permit tcp 172.16.1.0 0.0.0.255 21 172.16.2.0 0.0.0.255

Explanation

To allow FTP traffic from the source subnet to the destination subnet while blocking all other traffic, the configuration must explicitly permit the FTP data channel using the correct ACL syntax.

Common mistakes.

  • A. The syntax access-list 120 permit tcp 172.16.1.0 0.0.0.255 21 172.16.2.0 0.0.0.255 is incorrect for specifying a destination port; the port number (21) is misplaced and not preceded by a keyword like eq.
  • C. The command access-list 120 deny any any would block all traffic, including the required FTP traffic, which contradicts the stated requirement to allow FTP.
  • D. The syntax access-list 120 permit tcp 172.16.1.0 0.0.0.255 21 172.16.2.0 0.0.0.255 is incorrect for specifying a destination port; the port number (21) is misplaced and not preceded by a keyword like eq.

Concept tested. Extended IP Access-List for FTP

Reference. https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_acl/configuration/xe-16/sec-data-acl-xe-16-book/sec-acl-feat.html

Topics

#Cisco ACLs #Extended ACLs #Traffic Filtering #FTP filtering
