350-401 · Question #572
Refer to the exhibit. An engineer must permit traffic from these networks and block all other traffic. An informational log message should be triggered when traffic enters from these prefixes. Which a
The correct answer is B. access-list acl_subn*ls permit ip 10.0.32.0 0.0.7.255 log. To permit a specific range of networks and log matching traffic while blocking all others, an extended ACL with the correct network address, wildcard mask, and the log keyword must be configured.
Question
Refer to the exhibit. An engineer must permit traffic from these networks and block all other traffic. An informational log message should be triggered when traffic enters from these prefixes. Which access list must be used?
Options
- Aaccess-list acl_subnets permit ip 10.0.32.0 0 0.0.255 log
- Baccess-list acl_subn*ls permit ip 10.0.32.0 0.0.7.255 log
- Caccess-list acl_subnets permit ip 10.0.32.0 0.0.7.255
- Daccess-list acl_subnets permit ip 10.0.32.0 255.255.248.0 log
How the community answered
(42 responses)- A14% (6)
- B74% (31)
- C7% (3)
- D5% (2)
Why each option
To permit a specific range of networks and log matching traffic while blocking all others, an extended ACL with the correct network address, wildcard mask, and the `log` keyword must be configured.
The wildcard mask `0.0.0.255` corresponds to a /24 subnet, not the /21 range (10.0.32.0 to 10.0.39.255) that covers the multiple networks implied by 'these networks'.
The `access-list acl_subn*ls permit ip 10.0.32.0 0.0.7.255 log` command correctly defines an access list entry that permits all IP traffic originating from the 10.0.32.0/21 network range (which encompasses 10.0.32.0 to 10.0.39.255) and triggers an informational log message for each match. The implicit `deny all` at the end of any access list will block all other traffic.
While the network address and wildcard mask `10.0.32.0 0.0.7.255` are correct for the specified range, this option omits the `log` keyword, failing to meet the requirement for triggering informational log messages.
The `255.255.248.0` is a subnet mask, not a wildcard mask, and access lists require a wildcard mask to specify the range of addresses.
Concept tested: Extended ACL wildcard masks and logging
Source: https://www.cisco.com/c/en/us/td/docs/ios/security/configuration/guide/sec_acl_cfg.html
Topics
Community Discussion
No community discussion yet for this question.