nerdexam
Cisco

350-401 · Question #659

An engineer must configure an ACL that permits packets which include an ACK in the TCP header Which entry must be included in the ACL?

The correct answer is D. access-list 110 permit tcp any any eq 21 established. To permit TCP packets containing an ACK in the header, an extended access list must be used with the established keyword, which specifically checks for the ACK or RST bit.

Submitted by priya_blr· Mar 6, 2026Security

Question

An engineer must configure an ACL that permits packets which include an ACK in the TCP header Which entry must be included in the ACL?

Options

  • Aaccess-list 10 permit ip any any eq 21 tcp-ack
  • Baccess-list 110 permit tcp any any eq 21 tcp-ack
  • Caccess-list 10 permit tcp any any eq 21 established
  • Daccess-list 110 permit tcp any any eq 21 established

How the community answered

(29 responses)
  • A
    3% (1)
  • B
    3% (1)
  • C
    10% (3)
  • D
    83% (24)

Why each option

To permit TCP packets containing an ACK in the header, an extended access list must be used with the `established` keyword, which specifically checks for the ACK or RST bit.

Aaccess-list 10 permit ip any any eq 21 tcp-ack

Access list 10 is a standard ACL and cannot specify TCP flags, protocols, or destination ports; additionally, `tcp-ack` is not a valid keyword.

Baccess-list 110 permit tcp any any eq 21 tcp-ack

While access list 110 is an extended ACL and `tcp` is correct, the `tcp-ack` keyword is not a valid command to check for the ACK flag; `established` is the correct keyword.

Caccess-list 10 permit tcp any any eq 21 established

Access list 10 is a standard ACL and therefore cannot use the `tcp` protocol specifier or the `established` keyword.

Daccess-list 110 permit tcp any any eq 21 establishedCorrect

An extended access list (numbered 100-199, like 110) is necessary to filter based on TCP flags and specific ports. The `established` keyword within a `permit tcp` statement explicitly checks if the ACK or RST bit is set in the TCP header, making it the correct method to allow return traffic for existing TCP connections, with `eq 21` specifying the destination port.

Concept tested: Extended ACL TCP established flag

Source: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_acl/configuration/xe-3s/sec-data-acl-xe-3s-book/sec-acl-feat.html

Topics

#ACL#TCP established#ACK flag#extended ACL

Community Discussion

No community discussion yet for this question.

Full 350-401 Practice