350-401 · Question #1026
Refer to the exhibit. An engineer must allow the FTP traffic from users on 172.16.1.0 /24 to 172.16.2.0 /24 and block all other traffic. Which configuration must be applied?
The correct answer is B. R1(config)# access-list 120 permit tcp 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255 20. To allow FTP traffic from the source subnet to the destination subnet while blocking all other traffic, the configuration must explicitly permit the FTP data channel using the correct ACL syntax.
Question
Exhibits
Options
- AR1(config)# access-list 120 permit tcp 172.16.1.0 0.0.0.255 21 172.16.2.0 0.0.0.255
- BR1(config)# access-list 120 permit tcp 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255 20
- CR1 (config)# access-list 120 deny any any
- DR1(config)# access-list 120 permit tcp 172.16.1.0 0.0.0.255 21 172.16.2.0 0.0.0.255
How the community answered
(41 responses)- A12% (5)
- B76% (31)
- C5% (2)
- D7% (3)
Why each option
To allow FTP traffic from the source subnet to the destination subnet while blocking all other traffic, the configuration must explicitly permit the FTP data channel using the correct ACL syntax.
The syntax `access-list 120 permit tcp 172.16.1.0 0.0.0.255 21 172.16.2.0 0.0.0.255` is incorrect for specifying a destination port; the port number (21) is misplaced and not preceded by a keyword like `eq`.
This command uses the correct syntax for an extended access-list to permit TCP traffic and specifically targets destination port 20 (`eq 20`), which is the standard port for the FTP data channel in active mode. Allowing the data channel is essential for FTP file transfers, and the implicit 'deny any any' at the end of the ACL will block all other traffic.
The command `access-list 120 deny any any` would block all traffic, including the required FTP traffic, which contradicts the stated requirement to allow FTP.
The syntax `access-list 120 permit tcp 172.16.1.0 0.0.0.255 21 172.16.2.0 0.0.0.255` is incorrect for specifying a destination port; the port number (21) is misplaced and not preceded by a keyword like `eq`.
Concept tested: Extended IP Access-List for FTP
Source: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_acl/configuration/xe-16/sec-data-acl-xe-16-book/sec-acl-feat.html
Topics
Community Discussion
No community discussion yet for this question.

