
350-401 Question #572: Real Exam Question with Answer & Explanation

The correct answer is B: access-list acl_subn*ls permit ip 10.0.32.0 0.0.7.255 log. To permit a specific range of networks and log matching traffic while blocking all others, an extended ACL with the correct network address, wildcard mask, and the log keyword must be configured.

Submitted by jian89 · Mar 6, 2026 · Security

Question

Refer to the exhibit. An engineer must permit traffic from these networks and block all other traffic. An informational log message should be triggered when traffic enters from these prefixes. Which access list must be used?

Options

  • A. access-list acl_subnets permit ip 10.0.32.0 0.0.0.255 log
  • B. access-list acl_subn*ls permit ip 10.0.32.0 0.0.7.255 log
  • C. access-list acl_subnets permit ip 10.0.32.0 0.0.7.255
  • D. access-list acl_subnets permit ip 10.0.32.0 255.255.248.0 log

Explanation

To permit a specific range of networks and log matching traffic while blocking all others, an extended ACL with the correct network address, wildcard mask, and the log keyword must be configured.

Common mistakes.

  • A. The wildcard mask 0.0.0.255 corresponds to a /24 subnet, not the /21 range (10.0.32.0 to 10.0.39.255) that covers the multiple networks implied by 'these networks'.
  • C. While the network address and wildcard mask 10.0.32.0 0.0.7.255 are correct for the specified range, this option omits the log keyword, failing to meet the requirement for triggering informational log messages.
  • D. The 255.255.248.0 is a subnet mask, not a wildcard mask, and access lists require a wildcard mask to specify the range of addresses.
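The wildcard arithmetic behind these three mistakes can be checked directly. The following Python sketch is an added example, not part of the original question or of Cisco's documentation: it applies wildcard matching (1 bits ignored, 0 bits must match) to the address and mask field of each option. The function names and the sample source addresses are constructed for illustration.

```python
import ipaddress

def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def ace_matches(address, wildcard, source):
    # Wildcard semantics: a 1 bit is "don't care", a 0 bit must equal the ACE address.
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(source) & care) == (to_int(address) & care)

def wildcard_for_prefix(prefix_len):
    # The wildcard mask is the bitwise inverse of the subnet mask.
    return str(ipaddress.IPv4Address((1 << (32 - prefix_len)) - 1))

def covered_network(address, wildcard):
    # A contiguous wildcard (0s then 1s) maps to one prefix; anything else returns None.
    w = to_int(wildcard)
    if w & (w + 1):
        return None
    return ipaddress.ip_network(f"{address}/{32 - bin(w).count('1')}", strict=False)

# Constructed source addresses: three inside 10.0.32.0/21, two outside it.
SAMPLES = ["10.0.32.1", "10.0.35.200", "10.0.39.255", "10.0.40.1", "192.168.8.0"]

# Address and mask field from each option (B and C differ only in the log keyword).
OPTIONS = {
    "A": ("10.0.32.0", "0.0.0.255"),
    "B/C": ("10.0.32.0", "0.0.7.255"),
    "D": ("10.0.32.0", "255.255.248.0"),
}

def evaluate():
    results = {}
    for name, (addr, wc) in OPTIONS.items():
        results[name] = {
            "network": covered_network(addr, wc),
            "matched": [s for s in SAMPLES if ace_matches(addr, wc, s)],
        }
    return results

if __name__ == "__main__":
    for name, r in evaluate().items():
        print(name, r["network"], r["matched"])
```

Read as a wildcard, the subnet mask in option D ignores the first two octets entirely and requires the last eleven bits to be zero, so it matches none of the intended sources and does match the unrelated 192.168.8.0.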

Concept tested. Extended ACL wildcard masks and logging

Reference. https://www.cisco.com/c/en/us/td/docs/ios/security/configuration/guide/sec_acl_cfg.html

Topics

#Cisco ACLs #ACL wildcard masks #ACL logging
