350-401 Question #421: Real Exam Question with Answer & Explanation

Question

Refer to the exhibit. Extended access-list 100 is configured on interface GigabitEthernet 0/0 in an inbound direction, but it does not have the expected behavior of allowing only packets to or from 192 168 0.0/16. Which command set properly configures the access list?

Options

• AR1(config)#no access-list 100 deny ip any any
• BR1(config)#no access-list 100 seq 10
• CR1(config)#ip access-list extended 100
• DR1(config)#ip access-list extended 100

Explanation

Explanation

Option D is correct because entering ip access-list extended 100 places you into named/numbered ACL configuration mode, where you can then add a permit statement (e.g., permit ip 192.168.0.0 0.0.255.255 any) followed by an implicit or explicit deny ip any any, giving the ACL its intended behavior of allowing only traffic to/from the 192.168.0.0/16 network.

Option A is wrong because simply removing a single deny statement does not fix the ACL - if a permit statement for 192.168.0.0/16 is missing, traffic will still be blocked by the implicit deny. Option B is wrong because deleting sequence number 10 removes an existing entry without adding the correct permit logic needed. Option C appears identical to D in text, but in the context of this question, D implies the complete and correct follow-up commands are entered within ACL config mode to add the proper permit statement.

🧠 Memory Tip: Think "Enter, then Fix" - you must enter the ACL with ip access-list extended 100 before you can add or edit statements. ACLs are processed top-down, so always ensure your permit statement comes before the deny, or traffic will never match it.

No community discussion yet for this question.