nerdexam
Cisco


350-501 Question #235: Real Exam Question with Answer & Explanation

The correct answer is D: Configure an ACL that permits traffic to all internal networks and denies traffic to any external. To allow users within an administrative domain to access internal resources but block them from exiting the network, an access control list must explicitly permit internal traffic and deny all external traffic.


Question

Refer to the exhibit. An engineer is scripting ACLs to handle traffic on the given network. The engineer must block users on the network between R1 and R2 from leaving the network through R5, but these users must still be able to access all resources within the administrative domain. How must the engineer implement the ACL configuration?

Options

  • A. Configure a permit any ACL on the R1 interface to R2 in the egress direction, and a deny any
  • B. Configure an ACL that permits traffic to any internal address, and apply it to the R5 interfaces to
  • C. Configure an ACL that denies traffic to any internal address and denies traffic to any external
  • D. Configure an ACL that permits traffic to all internal networks and denies traffic to any external

Explanation

To let users on the R1-R2 segment reach every resource in the administrative domain while preventing them from leaving through R5, the ACL must permit traffic from that segment to all internal networks and then deny traffic from it to any other (external) destination. Cisco ACLs are evaluated top-down and the first matching entry wins, so the permit entries for the internal prefixes must precede the deny. Every ACL also ends with an implicit deny, so the explicit deny entry does not change what is forwarded; it makes the intent visible in the configuration and, with the log keyword, lets the router count and log blocked attempts. The ACL must be applied in the path the users' traffic actually takes towards the exit (for example inbound on the interface facing the R1-R2 segment, or outbound on the R5 interface towards the external network); an ACL applied on an interface that carries only internal traffic would not enforce the restriction.

Common mistakes.

  • A. A 'permit any' entry matches every packet, so a 'deny any' placed after it can never match (first match wins). The ACL filters nothing: it allows all traffic between R1 and R2 and, wherever it is applied, still lets users reach external destinations, which contradicts the goal.
  • B. An ACL that only permits traffic to internal addresses, applied 'to the R5 interfaces to' (presumably the interfaces facing the external network), blocks external traffic only through the implicit deny and does not state the restriction explicitly; the truncated option also leaves the application point and direction ambiguous.
  • C. An ACL that denies traffic to any internal address would prevent users from accessing internal resources, which directly violates the requirement that users 'must still be able to access all resources within the administrative domain'.
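The following is an added example and not part of the original question page or Cisco's documentation. It models the ACL semantics the explanation relies on (top-down evaluation, first match wins, implicit deny at the end, Cisco wildcard masks) in a small evaluator, and runs the three candidate ACLs against constructed packets. The exhibit is not reproduced here, so the addressing is assumed: users on the R1-R2 segment in 10.12.0.0/24, the administrative domain in 10.0.0.0/8, and 203.0.113.5 as an external destination; the ACL names are also invented for illustration.

```python
"""Cisco IOS extended-ACL evaluator: top-down, first match wins, implicit deny."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class AddrSpec:
    addr: int      # 32-bit IPv4 address
    wildcard: int  # Cisco wildcard mask: 1 bits are "don't care", 0 bits must match

    def matches(self, ip: str) -> bool:
        return ((int(ipaddress.IPv4Address(ip)) ^ self.addr) & ~self.wildcard & 0xFFFFFFFF) == 0

    @property
    def is_any(self) -> bool:
        return self.wildcard == 0xFFFFFFFF


@dataclass(frozen=True)
class Ace:
    action: str    # "permit" or "deny"
    src: AddrSpec
    dst: AddrSpec
    text: str      # original configuration line, for reporting


def _addr(tokens: List[str]) -> Tuple[AddrSpec, int]:
    """Parse one address operand ('any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'); return (spec, tokens used)."""
    if tokens[0] == "any":
        return AddrSpec(0, 0xFFFFFFFF), 1
    if tokens[0] == "host":
        return AddrSpec(int(ipaddress.IPv4Address(tokens[1])), 0), 2
    return AddrSpec(int(ipaddress.IPv4Address(tokens[0])),
                    int(ipaddress.IPv4Address(tokens[1]))), 2


def parse_acl(config: str) -> List[Ace]:
    """Parse the 'permit ip'/'deny ip' entries of one 'ip access-list extended' block."""
    aces = []
    for raw in config.splitlines():
        t = raw.split()
        if not t or t[0] not in ("permit", "deny"):
            continue  # header line, remark, or blank
        if t[1] != "ip":
            raise ValueError(f"unsupported protocol in: {raw.strip()}")
        src, n = _addr(t[2:])
        dst, _ = _addr(t[2 + n:])  # trailing options such as 'log' are ignored
        aces.append(Ace(t[0], src, dst, raw.strip()))
    return aces


def evaluate(acl: List[Ace], src_ip: str, dst_ip: str) -> Tuple[str, str]:
    """Return (action, matching entry). No match hits the implicit deny every Cisco ACL ends with."""
    for ace in acl:
        if ace.src.matches(src_ip) and ace.dst.matches(dst_ip):
            return ace.action, ace.text
    return "deny", "implicit deny"


def unreachable_aces(acl: List[Ace]) -> List[str]:
    """Entries that can never match because an earlier 'any any' entry already catches everything."""
    for i, ace in enumerate(acl):
        if ace.src.is_any and ace.dst.is_any:
            return [a.text for a in acl[i + 1:]]
    return []


# Assumed addressing (constructed, the exhibit is not available): users 10.12.0.0/24,
# administrative domain 10.0.0.0/8. Apply inbound on the interface facing the R1-R2 segment.
ACL_D = """
ip access-list extended USERS-NO-EXIT
 remark option D: permit every internal prefix, then explicitly deny everything else
 permit ip 10.12.0.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny ip 10.12.0.0 0.0.0.255 any log
"""

ACL_B = """
ip access-list extended USERS-INTERNAL-ONLY
 remark option B: permit internal only and rely on the implicit deny
 permit ip 10.12.0.0 0.0.0.255 10.0.0.0 0.255.255.255
"""

ACL_A = """
ip access-list extended PERMIT-THEN-DENY
 remark option A: the deny after 'permit any' is dead configuration
 permit ip any any
 deny ip any any
"""

if __name__ == "__main__":
    for name, cfg in (("D", ACL_D), ("B", ACL_B), ("A", ACL_A)):
        acl = parse_acl(cfg)
        for dst in ("10.20.5.1", "203.0.113.5"):
            print(name, "10.12.0.10 ->", dst, evaluate(acl, "10.12.0.10", dst))
        print(name, "unreachable:", unreachable_aces(acl))
```

Option D and option B forward exactly the same packets, since the implicit deny does the same job as the explicit one; the difference is that the explicit entry documents the intent and can be logged and counted with show access-lists. Option A demonstrates why ordering matters: the evaluator reports the deny any entry as unreachable and permits the external-bound packet.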

Concept tested. ACL logic for filtering internal vs. external traffic

Reference. https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_acl/configuration/xe-16/sec-acl-xe-16-book/sec-acl-overview.html

Topics

Access Control Lists · Network Security · Traffic Filtering
