nerdexam
Cisco

350-401 · Question #1026

Refer to the exhibit. An engineer must allow the FTP traffic from users on 172.16.1.0 /24 to 172.16.2.0 /24 and block all other traffic. Which configuration must be applied?

The correct answer is B. R1(config)# access-list 120 permit tcp 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255 20. To allow FTP traffic from the source subnet to the destination subnet while blocking all other traffic, the configuration must explicitly permit the FTP data channel using the correct ACL syntax.

Submitted by asante_acc· Mar 6, 2026Security

Question

Refer to the exhibit. An engineer must allow the FTP traffic from users on 172.16.1.0 /24 to 172.16.2.0 /24 and block all other traffic. Which configuration must be applied?

Exhibits

350-401 question #1026 exhibit 1
350-401 question #1026 exhibit 2

Options

  • AR1(config)# access-list 120 permit tcp 172.16.1.0 0.0.0.255 21 172.16.2.0 0.0.0.255
  • BR1(config)# access-list 120 permit tcp 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255 20
  • CR1 (config)# access-list 120 deny any any
  • DR1(config)# access-list 120 permit tcp 172.16.1.0 0.0.0.255 21 172.16.2.0 0.0.0.255

How the community answered

(41 responses)
  • A
    12% (5)
  • B
    76% (31)
  • C
    5% (2)
  • D
    7% (3)

Why each option

To allow FTP traffic from the source subnet to the destination subnet while blocking all other traffic, the configuration must explicitly permit the FTP data channel using the correct ACL syntax.

AR1(config)# access-list 120 permit tcp 172.16.1.0 0.0.0.255 21 172.16.2.0 0.0.0.255

The syntax `access-list 120 permit tcp 172.16.1.0 0.0.0.255 21 172.16.2.0 0.0.0.255` is incorrect for specifying a destination port; the port number (21) is misplaced and not preceded by a keyword like `eq`.

BR1(config)# access-list 120 permit tcp 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255 20Correct

This command uses the correct syntax for an extended access-list to permit TCP traffic and specifically targets destination port 20 (`eq 20`), which is the standard port for the FTP data channel in active mode. Allowing the data channel is essential for FTP file transfers, and the implicit 'deny any any' at the end of the ACL will block all other traffic.

CR1 (config)# access-list 120 deny any any

The command `access-list 120 deny any any` would block all traffic, including the required FTP traffic, which contradicts the stated requirement to allow FTP.

DR1(config)# access-list 120 permit tcp 172.16.1.0 0.0.0.255 21 172.16.2.0 0.0.0.255

The syntax `access-list 120 permit tcp 172.16.1.0 0.0.0.255 21 172.16.2.0 0.0.0.255` is incorrect for specifying a destination port; the port number (21) is misplaced and not preceded by a keyword like `eq`.

Concept tested: Extended IP Access-List for FTP

Source: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_acl/configuration/xe-16/sec-data-acl-xe-16-book/sec-acl-feat.html

Topics

#extended ACL#FTP#access control#traffic filtering

Community Discussion

No community discussion yet for this question.

Full 350-401 Practice