350-401 · Question #659
An engineer must configure an ACL that permits packets which include an ACK in the TCP header Which entry must be included in the ACL?
The correct answer is D. access-list 110 permit tcp any any eq 21 established. To permit TCP packets containing an ACK in the header, an extended access list must be used with the established keyword, which specifically checks for the ACK or RST bit.
Question
Options
- Aaccess-list 10 permit ip any any eq 21 tcp-ack
- Baccess-list 110 permit tcp any any eq 21 tcp-ack
- Caccess-list 10 permit tcp any any eq 21 established
- Daccess-list 110 permit tcp any any eq 21 established
How the community answered
(29 responses)- A3% (1)
- B3% (1)
- C10% (3)
- D83% (24)
Why each option
To permit TCP packets containing an ACK in the header, an extended access list must be used with the `established` keyword, which specifically checks for the ACK or RST bit.
Access list 10 is a standard ACL and cannot specify TCP flags, protocols, or destination ports; additionally, `tcp-ack` is not a valid keyword.
While access list 110 is an extended ACL and `tcp` is correct, the `tcp-ack` keyword is not a valid command to check for the ACK flag; `established` is the correct keyword.
Access list 10 is a standard ACL and therefore cannot use the `tcp` protocol specifier or the `established` keyword.
An extended access list (numbered 100-199, like 110) is necessary to filter based on TCP flags and specific ports. The `established` keyword within a `permit tcp` statement explicitly checks if the ACK or RST bit is set in the TCP header, making it the correct method to allow return traffic for existing TCP connections, with `eq 21` specifying the destination port.
Concept tested: Extended ACL TCP established flag
Source: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_acl/configuration/xe-3s/sec-data-acl-xe-3s-book/sec-acl-feat.html
Topics
Community Discussion
No community discussion yet for this question.