350-401 · Question #891
You want to create a policy that allows all TCP traffic in the port range of 20 to 110, except for telnet traffic, which should be dropped. Which of the following access control lists will accomplish
The correct answer is D. deny tcp any any eq 23. To implement a policy that allows TCP ports 20-110 but denies Telnet (port 23), a specific deny statement for Telnet must precede a broader permit statement for the desired range due to sequential ACL processing.
Question
You want to create a policy that allows all TCP traffic in the port range of 20 to 110, except for telnet traffic, which should be dropped. Which of the following access control lists will accomplish this?
Options
- Adeny tcp any any eq 22
- Bpermit tcp any any range 22 443
- Cdeny tcp any any eq 23
- Ddeny tcp any any eq 23
How the community answered
(14 responses)- B7% (1)
- C7% (1)
- D86% (12)
Why each option
To implement a policy that allows TCP ports 20-110 but denies Telnet (port 23), a specific `deny` statement for Telnet must precede a broader `permit` statement for the desired range due to sequential ACL processing.
This statement denies TCP traffic on port 22 (SSH), not port 23 (Telnet), so it would not block Telnet.
This statement permits TCP traffic in the range of 22 to 443, which incorrectly includes Telnet (port 23) and extends beyond the specified upper limit of 110.
This choice is identical to D and technically correct for denying Telnet traffic.
To selectively drop Telnet traffic while permitting other traffic in a range, a `deny` statement for Telnet (port 23) is essential. Placed before a broader `permit` rule for the port range 20-110, `deny tcp any any eq 23` ensures that Telnet traffic is specifically blocked as per the policy requirement.
Concept tested: ACL order of operations and port numbers
Source: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/a1/sec-a1-cr-book/sec-acl-a1.html
Topics
Community Discussion
No community discussion yet for this question.