A.
access-list 101 deny tcp 10.0.2.0 0.0.0.255 host 10.0.101.3 eq ftp
access-list 101 deny tcp 10.0.2.0 0.0.0.255 host 10.0.101.3 eq ftp-data
access-list 101 permit ip any any
B.
access-list 101 deny tcp 10.0.2.0 0.0.0.255 host 10.0.101.3 eq ftp-data
access-list 101 permit ip any any
C.
interface GigabitEthernet0/0
ip address 10.0.0.1 255.255.255.252
ip access-group 101 out
D.
access-list 101 deny tcp 10.0.2.0 0.0.0.255 host 10.0.101.3 eq ftp
access-list 101 permit ip any any
E.
interface GigabitEthernet0/0
ip address 10.0.101.1 255.255.255.252
ip access-group 101 in
I suspect errors in the provided options. I would expect to see options like these based on the topology:
C. interface GigabitEthernet0/0 ip address 10.0.101.1 255.255.255.0 ip access-group 101 out <<< applied for traffic leaving R1 on LAN facing interface
E. interface Serial 0/0/0 ip address 10.0.0.1 255.255.255.0 ip access-group 101 in <<< applied for traffic coming to R1 on WAN facing interface
I think the big confusion here is about which router we are configuring the ACLs on. A and C might make sense if we are configuring this on R2. A and E make sense if we are configuring this on R1. The question is not clear which router we are configuring this on.
E is wrong
interface GigabitEthernet0/0 ip address 10.0.101.1 255.255.255.252 ip access-group 101 in
interface GigabitEthernet0/0: This refers to the interface on R1 connected to the WAN (10.0.0.0/24).
ip access-group 101 in: This applies access list 101 to incoming traffic on the GigabitEthernet0/0 interface. This would block traffic coming from the WAN to R1, which is not what we want. We need to block traffic going out of R1 towards the FTP server.
Are you crazy? That's exactly what we want. The question says "Block FTP traffic to R1". For instance, if you had a firewall and wanted to allow FTP traffic to a server in your inside zone, you absolutely allow it INTO your network ("permit Outside / Inside FTP"). In this instance, our router is wide open, so we deny FTP traffic on the R1 WAN-facing interface (e0/0) and allow everything else. Abso-Fing-lutely.
It's E because even though it says g0/0 and we don't see which interface that is, ACL placement and logic dictate that if you are going to drop traffic, DO IT BEFORE THE ROUTER PROCESSES IT. Why use resources if you are going to drop the traffic anyway?
So int g0/0
ip access-group 101 in (traffic entering the router from the WAN direction)
Options B, C, and D are incorrect.
FTP uses 2 ports, port 20, and port 21, and to block ftp we need to block both ports.
Options B and D can't be used together. If option B is installed first, it will work fine. But when option D is configured, the ACL entry "access-list 101 deny tcp 10.0.2.0 0.0.0.255 host 10.0.101.3 eq ftp" will be overridden by the preceding "permit ip any any" entry from option B.
Option C is incorrect, we're using GigabitEthernet interfaces for LAN, and serial interfaces for WAN to connect the routers.
Option A is correct, we need to use this configuration to deny all TCP ports (port 20 & 21, or eq ftp-data & ftp).
Option E is correct, but it should be "out" not "in"; I think there's a typo in the answers.
- FTP traffic will travel as ingress traffic at the WAN interface and as egress traffic at the LAN interface towards the FTP server.
The correct configuration: interface GigabitEthernet0/0 ip address 10.0.101.1 255.255.255.252 ip access-group 101 out
access-list 101 deny tcp 10.0.2.0 0.0.0.255 host 10.0.101.3 eq ftp
access-list 101 deny tcp 10.0.2.0 0.0.0.255 host 10.0.101.3 eq ftp-data
access-list 101 permit ip any any
Assuming GigabitEthernet0/0 is the interface connected to the WAN.
interface GigabitEthernet0/0
ip address 10.0.0.1 255.255.255.252
ip access-group 101 in
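The two technical points argued in the comments above are easy to check mechanically: which of the candidate ACLs denies both FTP ports, what happens when option D's lines are typed in after option B's (the new deny lands behind "permit ip any any"), and which interface/direction combination actually evaluates a WAN-to-server flow. The following simulation of IOS first-match ACL evaluation is an added example written for this page; it is not code from the thread or from Cisco. The sample packets, the assumed roles of Serial0/0/0 (WAN-facing) and GigabitEthernet0/0 (LAN-facing), and the helper names are constructed for the example.

```python
"""Added example: simulate Cisco IOS first-match ACL evaluation for the ACLs in this thread.

Not code from the thread or from Cisco. Models wildcard-mask matching, the port
names ftp (21) and ftp-data (20), first-match semantics, the implicit deny at the
end of every ACL, and which interface/direction an ACL must be on to see a flow.
Sample packets and interface names are constructed for the example.
"""
import ipaddress

PORT_NAMES = {"ftp": 21, "ftp-data": 20}


def wildcard_match(addr, network, wildcard):
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is 'don't care'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(network)) & care)


def parse_ace(line):
    """Parse 'access-list N permit|deny proto src dst [eq port]' into a dict.

    src/dst become (address, wildcard) pairs; 'any' and 'host X' are expanded.
    """
    tok = line.split()
    if tok[0] != "access-list":
        raise ValueError("not an access-list line: " + line)
    ace = {"acl": tok[1], "action": tok[2], "proto": tok[3], "dport": None}
    i = 4
    for side in ("src", "dst"):
        if tok[i] == "any":
            ace[side] = ("0.0.0.0", "255.255.255.255")
            i += 1
        elif tok[i] == "host":
            ace[side] = (tok[i + 1], "0.0.0.0")
            i += 2
        else:
            ace[side] = (tok[i], tok[i + 1])
            i += 2
    if i < len(tok) and tok[i] == "eq":
        name = tok[i + 1]
        ace["dport"] = PORT_NAMES[name] if name in PORT_NAMES else int(name)
    return ace


def evaluate(acl_lines, packet):
    """Return (action, matching line). First match wins; no match is the implicit deny."""
    for line in acl_lines:
        ace = parse_ace(line)
        if ace["proto"] not in ("ip", packet["proto"]):
            continue
        if not wildcard_match(packet["src"], *ace["src"]):
            continue
        if not wildcard_match(packet["dst"], *ace["dst"]):
            continue
        if ace["dport"] is not None and packet.get("dport") != ace["dport"]:
            continue
        return ace["action"], line
    return "deny", None


def acl_sees_flow(ingress_if, egress_if, applied_if, direction):
    """A packet routed ingress_if -> egress_if is checked only by an ACL applied
    'in' on ingress_if or 'out' on egress_if; any other placement never sees it."""
    return (direction == "in" and applied_if == ingress_if) or (
        direction == "out" and applied_if == egress_if)


# The candidate ACLs from the question, unchanged.
OPTION_A = [
    "access-list 101 deny tcp 10.0.2.0 0.0.0.255 host 10.0.101.3 eq ftp",
    "access-list 101 deny tcp 10.0.2.0 0.0.0.255 host 10.0.101.3 eq ftp-data",
    "access-list 101 permit ip any any",
]
OPTION_B = [OPTION_A[1], OPTION_A[2]]
OPTION_D = [OPTION_A[0], OPTION_A[2]]
# Typing option D's lines after option B's appends them to the same ACL 101.
B_THEN_D = OPTION_B + OPTION_D

# Constructed sample packets, all from the 10.0.2.0/24 LAN toward the FTP server.
FTP_CTRL = {"proto": "tcp", "src": "10.0.2.25", "dst": "10.0.101.3", "dport": 21}
FTP_DATA = {"proto": "tcp", "src": "10.0.2.25", "dst": "10.0.101.3", "dport": 20}
HTTP = {"proto": "tcp", "src": "10.0.2.25", "dst": "10.0.101.3", "dport": 80}


def blocks_ftp(acl_lines):
    """True only if both the FTP control (21) and data (20) connections are denied."""
    return all(evaluate(acl_lines, p)[0] == "deny" for p in (FTP_CTRL, FTP_DATA))


if __name__ == "__main__":
    for name, acl in (("A", OPTION_A), ("B", OPTION_B), ("D", OPTION_D), ("B then D", B_THEN_D)):
        print(f"option {name}: blocks FTP = {blocks_ftp(acl)}")
    print("B then D, ftp control packet hits:", evaluate(B_THEN_D, FTP_CTRL)[1])
    # Assumed roles: Serial0/0/0 faces the WAN, GigabitEthernet0/0 faces the server LAN.
    for iface, direction in (("Serial0/0/0", "in"), ("GigabitEthernet0/0", "out"),
                             ("GigabitEthernet0/0", "in")):
        print(f"ACL {direction} on {iface} sees the flow:",
              acl_sees_flow("Serial0/0/0", "GigabitEthernet0/0", iface, direction))
```

Running it shows only option A denying both ports, option B followed by option D leaving the "eq ftp" deny shadowed by the earlier "permit ip any any", and the flow being evaluated by an ACL inbound on the WAN-facing interface or outbound on the LAN-facing one but not inbound on the LAN-facing one. One caveat the question glosses over: matching "eq ftp-data" on the destination port only catches a client connecting to server port 20; a real FTP data channel in passive mode uses an ephemeral server port, so blocking port 21 is what actually stops the session.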
The answer needs to include option A (https://www.cisco.com/c/es_mx/support/docs/ip/access-lists/26448-ACLsamples.html):
access-list 102 deny tcp any any eq ftp
access-list 102 deny tcp any any eq ftp-data
access-list 102 permit ip any any
(as example)
Guys, just pass on this question and go to the next one. The most suitable answers are B and D. C and E are wrong, bad mask and bad in/out configuration, so we cannot even select answer A. We have to think as if the ACL was already applied, and then B and D.
I'm voting first for A because it denies both FTP ports and is the only sane answer.
My second vote goes for option C. Interface Gig 0/0 MUST be the interface facing SW1. Because the other interface has to be a serial interface as per the squiggly line and the cloud marked "WAN". This option applies access list 101 in an outward direction from R1 towards SW1 and therefore makes sense.
Community vote distribution: A (35%), C (25%), B (20%), Other
Commenters (name, when posted):
dragonwise (Highly Voted, 2 years, 2 months ago)
HungarianDish_111 (Highly Voted, 2 years, 5 months ago)
KZM (1 year, 3 months ago)
Paladin17 (4 months, 1 week ago)
tltechcert (Most Recent, 1 month ago)
Doopfenel (3 months ago)
tltechcert (1 month ago)
matass_md (4 months ago)
a57ab39 (6 months, 3 weeks ago)
AbdullahMohammad251 (9 months ago)
AbdullahMohammad251 (9 months ago)
[Removed] (1 year ago)
[Removed] (1 year, 1 month ago)
Shri_Fcb10 (1 year, 1 month ago)
IgorLVG (1 year, 3 months ago)
Haidary (1 year, 4 months ago)
sledgey121 (1 year, 6 months ago)
sergiosolotrabajo (1 year, 7 months ago)
djedeen (1 year, 10 months ago)
JochenStacker (1 year, 10 months ago)
alex711 (1 year, 10 months ago)