350-401 Question #292: Real Exam Question with Answer & Explanation

The correct answer is D: access-list 110 permit tcp any any eq 21 established. To permit TCP packets with the ACK flag set, an extended ACL with the established keyword must be used.

Submitted by saadiq_pk · Mar 6, 2026 · Network Security

Question

An engineer must configure an ACL that permits packets which include an ACK in the TCP header. Which entry must be included in the ACL?

Options

  • A. access-list 110 permit tcp any any eq 21 tcp-ack
  • B. access-list 10 permit ip any any eq 21 tcp-ack
  • C. access-list 10 permit tcp any any eq 21 established
  • D. access-list 110 permit tcp any any eq 21 established

Explanation

To permit TCP packets with the ACK flag set, an extended ACL with the established keyword must be used.

Common mistakes.

  • A. The tcp-ack keyword is not a valid or standard command syntax for specifying the ACK flag in Cisco IOS extended ACLs.
  • B. Access-list 10 is a standard ACL, which cannot inspect TCP header flags or port numbers; it only filters based on source IP address. Also, tcp-ack is an invalid keyword and ip as the protocol type is incorrect when specifying TCP flags.
  • C. Access-list 10 is a standard ACL, which cannot inspect TCP header flags or port numbers. Therefore, the established keyword cannot be used with a standard ACL.

Concept tested. Cisco extended ACLs and TCP flag matching (established)

Reference. https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/a1/sec-a1-cr-book/sec-acl-ovw.html#GUID-E1A9D457-3B1B-441F-9592-34900746654B
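
The reasoning above as an added Python example (not part of the original page and not Cisco code): a simplified model that checks each option against the numbered ACL ranges and shows which TCP flag combinations the established keyword matches. The function names and the reduced entry grammar are assumptions made for illustration; it also shows that established matches segments with ACK or RST set, so the initial SYN of a connection does not match.

```python
import re

# TCP header flag bits (RFC 9293)
SYN, RST, ACK = 0x02, 0x04, 0x10

def acl_type(number):
    """Classify a numbered IPv4 ACL by its number range."""
    if 1 <= number <= 99 or 1300 <= number <= 1999:
        return "standard"
    if 100 <= number <= 199 or 2000 <= number <= 2699:
        return "extended"
    return "other"

def check_entry(line):
    """Return (accepted, reason) for one of the question's entries.

    Simplified model: only the 'permit <proto> any any eq <port> [keyword]'
    shape used in the four options is understood.
    """
    m = re.match(r"access-list (\d+) permit (\S+) any any eq (\d+)\s*(\S*)$", line)
    if not m:
        return False, "not in the shape this model understands"
    number, proto, keyword = int(m[1]), m[2], m[4]
    if acl_type(number) != "extended":
        return False, "standard ACL: filters on source address only"
    if proto != "tcp":
        return False, "port and flag qualifiers need protocol tcp"
    if keyword not in ("", "established"):
        return False, f"unknown keyword {keyword!r}"
    return True, "ok"

def established_matches(flags):
    """'established' matches a TCP segment that has ACK or RST set."""
    return bool(flags & (ACK | RST))

# The four options from the question, keyed by letter.
OPTIONS = {
    "A": "access-list 110 permit tcp any any eq 21 tcp-ack",
    "B": "access-list 10 permit ip any any eq 21 tcp-ack",
    "C": "access-list 10 permit tcp any any eq 21 established",
    "D": "access-list 110 permit tcp any any eq 21 established",
}

if __name__ == "__main__":
    for letter, entry in OPTIONS.items():
        print(letter, check_entry(entry))
    for name, flags in [("SYN", SYN), ("SYN+ACK", SYN | ACK), ("RST", RST)]:
        print(name, established_matches(flags))
```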

Topics

#Cisco ACLs · #TCP established · #Network security · #Packet filtering
