
350-501 Question #508: Real Exam Question with Answer & Explanation


Networking

Question

A network engineer must implement an ACL-based solution to mitigate availability issues on a web service that is hosted on a server at IP address 172.16.15.18/23. Access to the web server should be allowed over HTTP from RFC 1918 addresses only. The network architect has already enabled PMTUD in the network. Which ACL configuration must the engineer implement to complete the task?

Options

  • A. access-list 199 deny ip any host 172.16.15.18 tcp-fragments
  • B. access-list 199 deny tcp any host 172.16.15.18 http-fragments
  • C. access-list 198 deny ip any host 172.16.15.18 ip-fragments
  • D. access-list 198 deny ip any host 172.16.15.18 fragments

Explanation

The correct answer is D: access-list 198 deny ip any host 172.16.15.18 fragments. The correct ACL ensures that:

1. Fragmented packets destined for the web server are denied (deny ip any host 172.16.15.18 fragments) to avoid potential attack vectors that exploit fragmented traffic.
2. Only HTTP traffic (TCP port 80) from the RFC 1918 private IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) is permitted to the web server at 172.16.15.18/23. This is achieved using permit 6 (protocol 6 for TCP) with the correct source and destination masks.
3. All other traffic is denied by the final deny ip any any statement.

This configuration meets the requirement to allow access to the web service over HTTP only from RFC 1918 addresses while denying all other traffic, including fragmented packets.
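The explanation leaves implicit why the fragments line has to come first: a non-initial fragment carries no TCP header, so an IOS permit line with port information accepts it on the layer-3 match alone, and only a `fragments` entry can stop it. The Python model below is an added example (not from this page or from Cisco) of that documented matching rule; the three permit lines and the sample packets are assumptions, since the page shows only the deny line.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

ANY, WEB = IPv4Network("0.0.0.0/0"), IPv4Network("172.16.15.18/32")
RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int                      # 6 = TCP
    dport: Optional[int] = None     # None on a non-initial fragment (no L4 header)
    noninitial_fragment: bool = False

@dataclass(frozen=True)
class Ace:
    action: str                     # "permit" or "deny"
    proto: Optional[int]            # None models the 'ip' keyword
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int] = None     # L4 information such as 'eq 80'
    fragments: bool = False         # the IOS 'fragments' keyword

def evaluate(acl, pkt):
    """IOS fragment handling: a 'fragments' ACE matches only non-initial fragments; an
    ACE with L4 info cannot inspect one, so on an L3 match a permit applies and a deny is skipped."""
    for ace in acl:
        if (ace.proto not in (None, pkt.proto) or IPv4Address(pkt.src) not in ace.src
                or IPv4Address(pkt.dst) not in ace.dst):
            continue                                # no L3 match: try the next ACE
        if ace.fragments and not pkt.noninitial_fragment:
            continue                                # 'fragments' ACE ignores whole packets
        if ace.fragments or ace.dport is None:      # nothing at L4 left to check
            return ace.action
        if pkt.noninitial_fragment:                 # L4 ACE, but no port to compare
            if ace.action == "permit":
                return "permit"
            continue
        if pkt.dport == ace.dport:
            return ace.action
    return "deny"                                   # implicit deny at the end of the ACL

def build_acl(deny_fragments: bool):
    """Option D with its 'fragments' line first, or the same ACL without that line (assumed permit lines)."""
    acl = [Ace("deny", None, ANY, WEB, fragments=True)] if deny_fragments else []
    acl += [Ace("permit", 6, IPv4Network(n), WEB, dport=80) for n in RFC1918]
    return acl + [Ace("deny", None, ANY, ANY)]
HTTP_INSIDE = Packet("10.1.2.3", "172.16.15.18", 6, 80)          # constructed samples
HTTP_OUTSIDE = Packet("203.0.113.5", "172.16.15.18", 6, 80)
FRAG_INSIDE = Packet("10.1.2.3", "172.16.15.18", 6, noninitial_fragment=True)
```

Running `evaluate(build_acl(False), FRAG_INSIDE)` returns "permit", showing the non-initial fragment reaching the server through the HTTP permit line, while `build_acl(True)` denies it and still permits inside HTTP.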

Topics

#ACL #IPFragmentation #NetworkSecurity #EnterpriseHardening
