nerdexam
Cisco

350-401 · Question #820

Refer to the exhibit. Which two commands are required on router R1 to block FTP and allow all other traffic from the Branch 2 network? (Choose two)

The correct answer is A. access-list 101 deny tcp 10.0.2.0 0.0.0.255 host 10.0.101.3 eq ftp C. interface GigabitEthernet0/0. To block FTP traffic from the Branch 2 network to a specific host, an extended access list must be defined with a deny tcp eq ftp rule and then applied to the relevant interface.

Submitted by javi_es· Mar 6, 2026Security

Question

Refer to the exhibit. Which two commands are required on router R1 to block FTP and allow all other traffic from the Branch 2 network? (Choose two)

Exhibits

350-401 question #820 exhibit 1
350-401 question #820 exhibit 2

Options

  • Aaccess-list 101 deny tcp 10.0.2.0 0.0.0.255 host 10.0.101.3 eq ftp
  • Baccess-list 101 deny tcp 10.0.2.0 0.0.0.255 host 10.0.101.3 eq ftp-data
  • Cinterface GigabitEthernet0/0
  • Daccess-list 101 deny tcp 10.0.2.0 0.0.0.255 host 10.0.101.3 eq ftp
  • Einterface GigabitEthernet0/0

How the community answered

(43 responses)
  • A
    72% (31)
  • B
    5% (2)
  • D
    7% (3)
  • E
    16% (7)

Why each option

To block FTP traffic from the Branch 2 network to a specific host, an extended access list must be defined with a `deny tcp eq ftp` rule and then applied to the relevant interface.

Aaccess-list 101 deny tcp 10.0.2.0 0.0.0.255 host 10.0.101.3 eq ftpCorrect

This command correctly defines an extended access list (101) to deny TCP traffic originating from the 10.0.2.0/24 network (Branch 2) destined for host 10.0.101.3, specifically targeting the FTP control port (21).

Baccess-list 101 deny tcp 10.0.2.0 0.0.0.255 host 10.0.101.3 eq ftp-data

`eq ftp-data` typically refers to TCP port 20, which is used for the FTP data connection, while `eq ftp` refers to TCP port 21, the control connection usually targeted to block FTP access.

Cinterface GigabitEthernet0/0Correct

This command is required to enter interface configuration mode for GigabitEthernet0/0, which is where the access list would subsequently be applied using the `ip access-group` command.

Daccess-list 101 deny tcp 10.0.2.0 0.0.0.255 host 10.0.101.3 eq ftp

This is a duplicate of option A and does not represent an additional unique required command.

Einterface GigabitEthernet0/0

This is a duplicate of option C and does not represent an additional unique required command.

Concept tested: Extended ACL configuration and application

Source: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_acl/configuration/xe-16-5/sec-data-acl-xe-16-5-book.html

Topics

#Cisco ACL#Extended ACL#FTP filtering#Interface configuration

Community Discussion

No community discussion yet for this question.

Full 350-401 Practice