
350-401 Question #820: Real Exam Question with Answer & Explanation

The correct answer is A: access-list 101 deny tcp 10.0.2.0 0.0.0.255 host 10.0.101.3 eq ftp. To block FTP traffic from the Branch 2 network to a specific host, an extended access list must be defined with a deny tcp eq ftp rule and then applied to the relevant interface.

Submitted by javi_es · Mar 6, 2026 · Security

Question

Refer to the exhibit. Which two commands are required on router R1 to block FTP and allow all other traffic from the Branch 2 network? (Choose two)

Options

  • A. access-list 101 deny tcp 10.0.2.0 0.0.0.255 host 10.0.101.3 eq ftp
  • B. access-list 101 deny tcp 10.0.2.0 0.0.0.255 host 10.0.101.3 eq ftp-data
  • C. interface GigabitEthernet0/0
  • D. access-list 101 deny tcp 10.0.2.0 0.0.0.255 host 10.0.101.3 eq ftp
  • E. interface GigabitEthernet0/0

Explanation

To block FTP traffic from the Branch 2 network to a specific host, an extended access list must be defined with a deny tcp eq ftp rule and then applied to the relevant interface.

Common mistakes.

  • B. eq ftp-data typically refers to TCP port 20, which is used for the FTP data connection, while eq ftp refers to TCP port 21, the control connection usually targeted to block FTP access.
  • D. This is a duplicate of option A and does not represent an additional unique required command.
  • E. This is a duplicate of option C and does not represent an additional unique required command.

Concept tested. Extended ACL configuration and application

Reference. https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_acl/configuration/xe-16-5/sec-data-acl-xe-16-5-book.html

Topics

#Cisco ACL · #Extended ACL · #FTP filtering · #Interface configuration
