nerdexam
Cisco

350-401 · Question #292

An engineer must configure a ACL that permits packets which include an ACK In the TCP header. Which entry must be Included In the ACL?

The correct answer is D. access-list 110 permit tcp any any eq 21 established. To permit TCP packets with the ACK flag set, an extended ACL with the established keyword must be used.

Submitted by saadiq_pk· Mar 6, 2026Network Security

Question

An engineer must configure a ACL that permits packets which include an ACK In the TCP header. Which entry must be Included In the ACL?

Options

  • Aaccess-list 110 permit tcp any any eq 21 tcp-ack
  • Baccess-list 10 permit ip any any eq 21 tcp-ack
  • Caccess-list 10 permit tcp any any eq 21 established
  • Daccess-list 110 permit tcp any any eq 21 established

How the community answered

(55 responses)
  • A
    13% (7)
  • B
    4% (2)
  • C
    7% (4)
  • D
    76% (42)

Why each option

To permit TCP packets with the ACK flag set, an extended ACL with the `established` keyword must be used.

Aaccess-list 110 permit tcp any any eq 21 tcp-ack

The `tcp-ack` keyword is not a valid or standard command syntax for specifying the ACK flag in Cisco IOS extended ACLs.

Baccess-list 10 permit ip any any eq 21 tcp-ack

Access-list `10` is a standard ACL, which cannot inspect TCP header flags or port numbers; it only filters based on source IP address. Also, `tcp-ack` is an invalid keyword and `ip` as the protocol type is incorrect when specifying TCP flags.

Caccess-list 10 permit tcp any any eq 21 established

Access-list `10` is a standard ACL, which cannot inspect TCP header flags or port numbers. Therefore, the `established` keyword cannot be used with a standard ACL.

Daccess-list 110 permit tcp any any eq 21 establishedCorrect

The `access-list 110` indicates an extended ACL, which is necessary to inspect TCP header flags. The `established` keyword in a Cisco extended ACL specifically permits TCP packets that have the ACK or RST bit set, which is characteristic of an established TCP connection or a response to an initial SYN. This correctly identifies packets that include an ACK in the TCP header.

Concept tested: Cisco extended ACLs and TCP flag matching (`established`)

Source: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/a1/sec-a1-cr-book/sec-acl-ovw.html#GUID-E1A9D457-3B1B-441F-9592-34900746654B

Topics

#Cisco ACLs#TCP established#Network security#Packet filtering

Community Discussion

No community discussion yet for this question.

Full 350-401 Practice