nerdexam
Cisco

350-401 · Question #891

You want to create a policy that allows all TCP traffic in the port range of 20 to 110, except for telnet traffic, which should be dropped. Which of the following access control lists will accomplish

The correct answer is D. deny tcp any any eq 23. To implement a policy that allows TCP ports 20-110 but denies Telnet (port 23), a specific deny statement for Telnet must precede a broader permit statement for the desired range due to sequential ACL processing.

Submitted by andres_qro· Mar 6, 2026ERROR: Official Exam Domains list was not provided

Question

You want to create a policy that allows all TCP traffic in the port range of 20 to 110, except for telnet traffic, which should be dropped. Which of the following access control lists will accomplish this?

Options

  • Adeny tcp any any eq 22
  • Bpermit tcp any any range 22 443
  • Cdeny tcp any any eq 23
  • Ddeny tcp any any eq 23

How the community answered

(14 responses)
  • B
    7% (1)
  • C
    7% (1)
  • D
    86% (12)

Why each option

To implement a policy that allows TCP ports 20-110 but denies Telnet (port 23), a specific `deny` statement for Telnet must precede a broader `permit` statement for the desired range due to sequential ACL processing.

Adeny tcp any any eq 22

This statement denies TCP traffic on port 22 (SSH), not port 23 (Telnet), so it would not block Telnet.

Bpermit tcp any any range 22 443

This statement permits TCP traffic in the range of 22 to 443, which incorrectly includes Telnet (port 23) and extends beyond the specified upper limit of 110.

Cdeny tcp any any eq 23

This choice is identical to D and technically correct for denying Telnet traffic.

Ddeny tcp any any eq 23Correct

To selectively drop Telnet traffic while permitting other traffic in a range, a `deny` statement for Telnet (port 23) is essential. Placed before a broader `permit` rule for the port range 20-110, `deny tcp any any eq 23` ensures that Telnet traffic is specifically blocked as per the policy requirement.

Concept tested: ACL order of operations and port numbers

Source: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/a1/sec-a1-cr-book/sec-acl-a1.html

Topics

#Access Control Lists#ACL syntax#Telnet filtering#Port filtering

Community Discussion

No community discussion yet for this question.

Full 350-401 Practice