nerdexam
Cisco

350-401 · Question #923

Refer to the exhibit. A network administrator must configure router B to allow traffic only from network 10.100.2.0 to networks outside of router B. Which configuration must be applied?

The correct answer is D. RouterB(config)# access-list 101 permit ip 10.100.2.0 0.0.0.255 any. To allow traffic only from network 10.100.2.0 to exit Router B, a standard access list permitting this source network must be created and then applied outbound on the interface connected to external networks.

Submitted by jaden.t· Mar 6, 2026Security

Question

Refer to the exhibit. A network administrator must configure router B to allow traffic only from network 10.100.2.0 to networks outside of router B. Which configuration must be applied?

Exhibits

350-401 question #923 exhibit 1
350-401 question #923 exhibit 2

Options

  • ARouterB(config)# access-list 101 permit ip 10.100.2.0 0.0.0.255 any
  • BRouterB(config)# access-list 101 permit ip 10.100.3.0 0.0.0.255 any
  • CRouterB(config)# access-list 101 permit ip 10.100.2.0 0.0.0.255 any
  • DRouterB(config)# access-list 101 permit ip 10.100.2.0 0.0.0.255 any

How the community answered

(21 responses)
  • B
    10% (2)
  • C
    5% (1)
  • D
    86% (18)

Why each option

To allow traffic only from network 10.100.2.0 to exit Router B, a standard access list permitting this source network must be created and then applied outbound on the interface connected to external networks.

ARouterB(config)# access-list 101 permit ip 10.100.2.0 0.0.0.255 any

Applying the access list with ip access-group 101 in would filter traffic entering the Gi0/1 interface, which is the opposite direction needed to control traffic leaving Router B towards external networks.

BRouterB(config)# access-list 101 permit ip 10.100.3.0 0.0.0.255 any

This option incorrectly specifies the source network as 10.100.3.0 instead of the required 10.100.2.0 for the permit statement.

CRouterB(config)# access-list 101 permit ip 10.100.2.0 0.0.0.255 any

Choice C is identical to choice D and is also a correct configuration, making D also correct.

DRouterB(config)# access-list 101 permit ip 10.100.2.0 0.0.0.255 anyCorrect

The command access-list 101 permit ip 10.100.2.0 0.0.0.255 any creates a standard access list that explicitly allows traffic originating from the 10.100.2.0/24 network. Applying this access list with ip access-group 101 out on the appropriate outbound interface (e.g., Gi0/1) ensures that only traffic from this specific source network is permitted to leave Router B towards external networks, while implicitly denying all other traffic due to the implicit deny any at the end of every access list.

Concept tested: Standard IP Access List configuration (outbound)

Source: https://www.cisco.com/c/en/us/td/docs/ios/security/configuration/guide/sec_acl_overview.html

Topics

#Access Control Lists#IP Access Lists#Router traffic filtering#Wildcard masks

Community Discussion

No community discussion yet for this question.

Full 350-401 Practice