nerdexam
Cisco

350-401 · Question #1150

Refer to the exhibit. A network engineer must block Telnet traffic from hosts in the range of 10.100.2.248 to 10.100.2.255 to the network 10.100.3.0 and permit everything else. Which configuration mus

The correct answer is B. RouterB(config)# access-list 101 deny tcp 10.100.2.0 0.0.0.248 10.100.3.0 0.0.0.255 eq 23 RouterB(config)# access-list 101 permit any any RouterB(config)# int gi0/0/2 RouterB(config-if)# ip access-group 101 in. Option B is correct because it uses ACL 101 to deny TCP traffic (port 23 = Telnet) from the host range 10.100.2.248–10.100.2.255, which is correctly represented by the wildcard mask 0.0.0.7 matched against the base address 10.100.2.248 - however, the ACL uses 10.100.2.0 with wild

Submitted by javi_es· Mar 6, 2026Configure and verify access control lists (ACLs) - Cisco CCNA 200-301 Domain: Security Fundamentals / IP Services

Question

Refer to the exhibit. A network engineer must block Telnet traffic from hosts in the range of 10.100.2.248 to 10.100.2.255 to the network 10.100.3.0 and permit everything else. Which configuration must the engineer apply? A. B. C. D.

Exhibits

350-401 question #1150 exhibit 1
350-401 question #1150 exhibit 2

Options

  • ARouterB(config)# access-list 101 permit tcp 10.100.2.0 0.0.0.252 10.100.3.0 0.0.0.255 RouterB(config)# int gi0/0/2 RouterB(config-if)# ip access-group 101 in
  • BRouterB(config)# access-list 101 deny tcp 10.100.2.0 0.0.0.248 10.100.3.0 0.0.0.255 eq 23 RouterB(config)# access-list 101 permit any any RouterB(config)# int gi0/0/2 RouterB(config-if)# ip access-group 101 in
  • CRouterB(config)# access-list 101 deny tcp 10.100.2.0 0.0.0.248 10.100.3.0 0.0.0.255 eq 22 RouterB(config)# access-list 101 permit any any RouterB(config)# int gi0/0/2 RouterB(config-if)# ip access-group 101 in
  • DRouterB(config)# access-list 101 deny icmp 10.100.2.0 0.0.0.248 10.100.2.0 0.0.0.248 RouterB(config)# access-list 101 permit any any RouterB(config)# int gi0/0/2 RouterB(config-if)# ip access-group 101 in

How the community answered

(20 responses)
  • A
    5% (1)
  • B
    80% (16)
  • C
    5% (1)
  • D
    10% (2)

Explanation

Option B is correct because it uses ACL 101 to deny TCP traffic (port 23 = Telnet) from the host range 10.100.2.248–10.100.2.255, which is correctly represented by the wildcard mask 0.0.0.7 matched against the base address 10.100.2.248 - however, the ACL uses 10.100.2.0 with wildcard 0.0.0.248, which in binary correctly matches only addresses where the last 3 bits are 1s (i.e., .248–.255). The second statement 'permit any any' ensures all other traffic is allowed, and applying it inbound on gi0/0/2 intercepts traffic from that subnet before it reaches the destination network 10.100.3.0/24.

Topics

#Access Control Lists#Extended ACL#Telnet Filtering#Wildcard Masks

Community Discussion

No community discussion yet for this question.

Full 350-401 Practice