nerdexam
Cisco

350-401 · Question #572

Refer to the exhibit. An engineer must permit traffic from these networks and block all other traffic. An informational log message should be triggered when traffic enters from these prefixes. Which a

The correct answer is B. access-list acl_subn*ls permit ip 10.0.32.0 0.0.7.255 log. To permit a specific range of networks and log matching traffic while blocking all others, an extended ACL with the correct network address, wildcard mask, and the log keyword must be configured.

Submitted by jian89· Mar 6, 2026Security

Question

Refer to the exhibit. An engineer must permit traffic from these networks and block all other traffic. An informational log message should be triggered when traffic enters from these prefixes. Which access list must be used?

Options

  • Aaccess-list acl_subnets permit ip 10.0.32.0 0 0.0.255 log
  • Baccess-list acl_subn*ls permit ip 10.0.32.0 0.0.7.255 log
  • Caccess-list acl_subnets permit ip 10.0.32.0 0.0.7.255
  • Daccess-list acl_subnets permit ip 10.0.32.0 255.255.248.0 log

How the community answered

(42 responses)
  • A
    14% (6)
  • B
    74% (31)
  • C
    7% (3)
  • D
    5% (2)

Why each option

To permit a specific range of networks and log matching traffic while blocking all others, an extended ACL with the correct network address, wildcard mask, and the `log` keyword must be configured.

Aaccess-list acl_subnets permit ip 10.0.32.0 0 0.0.255 log

The wildcard mask `0.0.0.255` corresponds to a /24 subnet, not the /21 range (10.0.32.0 to 10.0.39.255) that covers the multiple networks implied by 'these networks'.

Baccess-list acl_subn*ls permit ip 10.0.32.0 0.0.7.255 logCorrect

The `access-list acl_subn*ls permit ip 10.0.32.0 0.0.7.255 log` command correctly defines an access list entry that permits all IP traffic originating from the 10.0.32.0/21 network range (which encompasses 10.0.32.0 to 10.0.39.255) and triggers an informational log message for each match. The implicit `deny all` at the end of any access list will block all other traffic.

Caccess-list acl_subnets permit ip 10.0.32.0 0.0.7.255

While the network address and wildcard mask `10.0.32.0 0.0.7.255` are correct for the specified range, this option omits the `log` keyword, failing to meet the requirement for triggering informational log messages.

Daccess-list acl_subnets permit ip 10.0.32.0 255.255.248.0 log

The `255.255.248.0` is a subnet mask, not a wildcard mask, and access lists require a wildcard mask to specify the range of addresses.

Concept tested: Extended ACL wildcard masks and logging

Source: https://www.cisco.com/c/en/us/td/docs/ios/security/configuration/guide/sec_acl_cfg.html

Topics

#Cisco ACLs#ACL wildcard masks#ACL logging

Community Discussion

No community discussion yet for this question.

Full 350-401 Practice