350-401 · Question #415
Refer to the exhibit. An engineer must deny HTTP traffic from host A to host B while allowing all other communication between the hosts. Which command set accomplishes this task?
The correct answer is B. SW1(config)# ip access-list extended DENY-HTTP. Explanation Option B is correct because HTTP traffic operates at Layer 3/Layer 4 (IP protocol using TCP port 80), which requires an IP (Layer 3) extended ACL to match both the source/destination IP addresses and the specific port number (TCP 80). An extended IP ACL provides the g
Question
Exhibits
Options
- ASW1(config)# mac access-list extended HOST-A-B
- BSW1(config)# ip access-list extended DENY-HTTP
- CSW1(config)# mac access-list extended HOST-A-B
How the community answered
(22 responses)- A5% (1)
- B91% (20)
- C5% (1)
Explanation
Explanation
Option B is correct because HTTP traffic operates at Layer 3/Layer 4 (IP protocol using TCP port 80), which requires an IP (Layer 3) extended ACL to match both the source/destination IP addresses and the specific port number (TCP 80). An extended IP ACL provides the granularity needed to deny HTTP specifically while permitting all other traffic between the two hosts.
Options A and C are wrong because MAC access lists operate at Layer 2 and can only filter based on MAC addresses - they have no ability to inspect Layer 3/4 information such as IP addresses or TCP port numbers, making it impossible to selectively block HTTP traffic while allowing other IP-based communication.
Memory Tip: Think of it this way - HTTP = Port 80 = Layer 4 = IP ACL. Whenever you need to filter based on protocols, ports, or IP addresses, you must use an IP ACL (preferably extended). MAC ACLs are "Layer 2 blind" to port numbers - if you see a question mentioning HTTP, FTP, Telnet, or any application protocol, an IP extended ACL is always the right tool.
Topics
Community Discussion
No community discussion yet for this question.

