350-401 Question #32: Real Exam Question with Answer & Explanation
Question
A client with IP address 209.165.201.25 must access a web server on port 80 at 209.165.200.225. To allow this traffic, an engineer must add a statement to an access control list that is applied in the inbound direction on the port connecting to the web server. Which statement allows this traffic?
Options
- A. permit tcp host 209.165.200.225 eq 80 host 209.165.201.25
- B. permit tcp host 209.165.201.25 host 209.165.200.225 eq 80
- C. permit tcp host 209.165.200.225 lt 80 host 209.165.201.25
- D. permit tcp host 209.165.200.225 host 209.165.201.25 eq 80
Explanation
Option A is correct because when the ACL is applied inbound on the port connecting to the web server, traffic is flowing from the web server (209.165.200.225) back to the client (209.165.201.25) - so the source is the web server on port 80, making permit tcp host 209.165.200.225 eq 80 host 209.165.201.25 the accurate match for return traffic on that interface.
Why the distractors are wrong:
- Option B reverses the logic - it places the client as the source and the server with port 80 as the destination, which would be correct for an outbound ACL on the client side, not inbound on the server's port.
- Option C uses lt 80 (less than 80) instead of eq 80, which would match ports below 80 rather than exactly port 80.
- Option D places the client as the destination with eq 80, meaning it incorrectly tries to match port 80 on the client side rather than the server side.
💡 Memory Tip: Always ask yourself, "Which direction is traffic flowing at the point where the ACL is applied?" - the source in your ACL statement must reflect where the packet is coming from at that specific interface, not the original requester.
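The direction check above, as an added example that is not part of the original page: a small Python matcher that evaluates the four options against the server's reply (the packet an inbound ACL on the server-facing port actually sees) and against the client's request. It handles only the ACE shape used in the options, and the client source port 49152 is a constructed value.

```python
import re

# Parses only the ACE shape used in the four options:
#   permit tcp host <src> [eq|lt <port>] host <dst> [eq|lt <port>]
ACE_RE = re.compile(
    r"permit tcp host (?P<src>\S+)(?: (?P<sop>eq|lt) (?P<sport>\d+))?"
    r" host (?P<dst>\S+)(?: (?P<dop>eq|lt) (?P<dport>\d+))?$"
)

def port_ok(op, value, port):
    """Apply an optional port operator; no operator means any port."""
    if op is None:
        return True
    return port == int(value) if op == "eq" else port < int(value)

def ace_matches(ace, pkt):
    """Return True if the packet (src, sport, dst, dport) matches the ACE."""
    m = ACE_RE.match(ace)
    if m is None:
        raise ValueError(f"unsupported ACE: {ace}")
    src, sport, dst, dport = pkt
    return (src == m["src"] and dst == m["dst"]
            and port_ok(m["sop"], m["sport"], sport)
            and port_ok(m["dop"], m["dport"], dport))

SERVER, CLIENT = "209.165.200.225", "209.165.201.25"
EPHEMERAL = 49152  # constructed client source port (assumption)

OPTIONS = {
    "A": f"permit tcp host {SERVER} eq 80 host {CLIENT}",
    "B": f"permit tcp host {CLIENT} host {SERVER} eq 80",
    "C": f"permit tcp host {SERVER} lt 80 host {CLIENT}",
    "D": f"permit tcp host {SERVER} host {CLIENT} eq 80",
}

# Packet seen inbound on the server-facing port: the server's reply.
REPLY = (SERVER, 80, CLIENT, EPHEMERAL)
# The client's request leaves through that port, so an inbound ACL never sees it.
REQUEST = (CLIENT, EPHEMERAL, SERVER, 80)

def evaluate(pkt):
    """Map each option letter to whether its ACE permits the packet."""
    return {k: ace_matches(v, pkt) for k, v in OPTIONS.items()}

if __name__ == "__main__":
    print("reply  :", evaluate(REPLY))
    print("request:", evaluate(REQUEST))
```

Only option A matches the reply; option B matches only the request, which travels in the opposite direction and is never evaluated by an inbound ACL on that port.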