nerdexam
Cisco

350-401 · Question #199

Refer to the exhibit. PC-1 must access the web server on port 8080. To allow this traffic, which statement must be added to an access control list that is applied on SW2 port G0/0 in the inbound direc

The correct answer is C. permit host 192.168.0.5 eq 8080 host 172.16.0.2. Explanation Option C is correct because when an ACL is applied inbound on SW2's G0/0 port, it inspects traffic arriving at that interface - meaning the traffic coming from the web server (source: 192.168.0.5) destined for PC-1 (destination: 172.16.0.2). The port number qualifier

Submitted by suresh_in· Mar 6, 2026Security

Question

Refer to the exhibit. PC-1 must access the web server on port 8080. To allow this traffic, which statement must be added to an access control list that is applied on SW2 port G0/0 in the inbound direction?

Exhibits

350-401 question #199 exhibit 1
350-401 question #199 exhibit 2

Options

  • Apermit host 172.16.0.2 host 192.168.0.5 eq 8080
  • Bpermit host 192.168.0.5 host 172.16.0.2 eq 8080
  • Cpermit host 192.168.0.5 eq 8080 host 172.16.0.2
  • Dpermit host 192.168.0.5 it 8080 host 172.16.0.2

How the community answered

(34 responses)
  • A
    6% (2)
  • B
    12% (4)
  • C
    59% (20)
  • D
    24% (8)

Explanation

Explanation

Option C is correct because when an ACL is applied inbound on SW2's G0/0 port, it inspects traffic arriving at that interface - meaning the traffic coming from the web server (source: 192.168.0.5) destined for PC-1 (destination: 172.16.0.2). The port number qualifier eq 8080 must follow the source address (192.168.0.5) because the web server is the one responding from port 8080, making the syntax: permit host 192.168.0.5 eq 8080 host 172.16.0.2.

Why the others are wrong:

  • Option A reverses the logic entirely - it matches traffic from PC-1 to the web server, which would suit an outbound ACL or one placed on the opposite interface.
  • Option B has the correct source and destination order but incorrectly places eq 8080 after the destination host, which doesn't match the standard ACL syntax for filtering on the source port.
  • Option D uses lt (less than) instead of eq (equal), which would permit traffic on any port below 8080, not specifically port 8080.

Memory Tip: For inbound ACLs, always think "Who is knocking on the door FROM this interface?" - that entity becomes your source. The port qualifier always immediately follows the address it belongs to.

Topics

#Access Control Lists (ACLs)#Network Security#Traffic Flow Analysis#TCP/IP Ports

Community Discussion

No community discussion yet for this question.

Full 350-401 Practice