If you want to deny all Telnet connections destined for the IPv4 network 192.168.10.0/24 while allowing other traffic, which extended access list command would you use on a Cisco router?

Difficulty: Medium

Correct Answer: access-list 100 deny tcp any 192.168.10.0 0.0.0.255 eq 23

Explanation:


Introduction / Context:
Extended IP access lists on Cisco routers allow you to filter traffic based on protocol, source address, destination address and even specific port numbers. Telnet uses TCP port 23, and a common requirement is to block Telnet access to a particular subnet for security reasons while still allowing other protocols. This question asks you to identify the correct extended ACL line that will deny all Telnet connections to the 192.168.10.0/24 network.


Given Data / Assumptions:

    The target network to protect is 192.168.10.0 with subnet mask 255.255.255.0, so the wildcard mask is 0.0.0.255.
    You want to deny Telnet, which uses TCP port 23, destined to that network from any source.
    You are using an extended ACL number in the 100 to 199 range, such as 100.
    Syntax must include protocol, source, destination and port information correctly.


Concept / Approach:
For this requirement the ACL line must specify protocol tcp, a source of any, a destination of 192.168.10.0 0.0.0.255 and the destination port equal to 23. The keyword eq 23 or eq telnet can be used. The ACL number 100 places the list in the extended range. Standard ACLs would not be adequate here because they match only source addresses and cannot inspect ports or destination addresses.


Step-by-Step Solution:
    Determine the protocol: Telnet uses TCP, so the ACL line must begin with access-list 100 deny tcp.
    Define the source: because you want to deny Telnet from any host, the source part should be any.
    Define the destination: the network 192.168.10.0 with mask 255.255.255.0 uses wildcard 0.0.0.255, so the destination field should be 192.168.10.0 0.0.0.255.
    Specify the destination port: Telnet uses port 23, so the end of the line should read eq 23 or eq telnet.
    Putting these pieces together gives access-list 100 deny tcp any 192.168.10.0 0.0.0.255 eq 23, which matches option c.
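To make the matching logic concrete (and to show what the "Verification" step below checks), here is an added Python model of how a Cisco router evaluates extended ACL 100. It is not from the original page or from Cisco IOS; it is a simplified simulator that parses the ACL line from the answer, applies wildcard-mask matching, and honours the implicit deny at the end of every ACL. The second entry, permit ip any any, is assumed: it is what "while allowing other traffic" requires, because without it the implicit deny would drop everything that is not Telnet.

```python
import ipaddress

# Constructed ACL 100: the answer line from the page, followed by the permit
# that the question's "allow other traffic" requirement implies (assumption).
ACL_100 = [
    "access-list 100 deny tcp any 192.168.10.0 0.0.0.255 eq 23",
    "access-list 100 permit ip any any",
]

# Subset of IOS port keywords so that "eq telnet" and "eq 23" behave alike.
WELL_KNOWN_PORTS = {"telnet": 23, "ssh": 22, "www": 80}


def wildcard_match(addr, network, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF          # bits that must match exactly
    return (a & care) == (n & care)


def parse_addr(tokens):
    """Consume one address spec: 'any', 'host X', or 'X WILDCARD'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ("0.0.0.0", "255.255.255.255")
    if tok == "host":
        return (tokens.pop(0), "0.0.0.0")
    return (tok, tokens.pop(0))


def parse_entry(line):
    """Parse a numbered extended ACL line into its components."""
    tokens = line.split()
    if tokens[0] != "access-list":
        raise ValueError("not an access-list line")
    number = int(tokens[1])
    if not 100 <= number <= 199:
        raise ValueError("extended ACL numbers are 100-199")
    action, proto = tokens[2], tokens[3]
    tokens = tokens[4:]
    src = parse_addr(tokens)       # source always comes before destination
    dst = parse_addr(tokens)
    dport = None
    if tokens and tokens[0] == "eq":
        port = tokens[1]
        dport = int(port) if port.isdigit() else WELL_KNOWN_PORTS[port]
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}


def evaluate(acl_lines, proto, src, dst, dport=None):
    """Return 'permit' or 'deny': first matching entry wins, implicit deny at the end."""
    for entry in map(parse_entry, acl_lines):
        if entry["proto"] not in ("ip", proto):
            continue
        if not wildcard_match(src, *entry["src"]):
            continue
        if not wildcard_match(dst, *entry["dst"]):
            continue
        if entry["dport"] is not None and entry["dport"] != dport:
            continue
        return entry["action"]
    return "deny"   # implicit deny any any


if __name__ == "__main__":
    # Constructed sample flows, all from an outside host 10.0.0.5.
    print(evaluate(ACL_100, "tcp", "10.0.0.5", "192.168.10.20", 23))   # deny
    print(evaluate(ACL_100, "tcp", "10.0.0.5", "192.168.10.20", 80))   # permit
    print(evaluate(ACL_100, "tcp", "10.0.0.5", "192.168.20.20", 23))   # permit
    print(evaluate(ACL_100[:1], "icmp", "10.0.0.5", "192.168.10.20"))  # deny (no permit line)
```

Running the block with only the deny line (ACL_100[:1]) shows why the permit entry matters: a ping to the protected subnet is dropped by the implicit deny even though nothing explicitly blocks it. The wildcard_match helper can also be used to see how option b's 0.255.255.255 wildcard matches any address that begins with 192, far more than the intended /24.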


Verification / Alternative check:
In a lab, you could configure this ACL, apply it inbound on the interface that leads toward 192.168.10.0/24 and test. Telnet sessions to any host in that subnet would fail, while other traffic such as ping or HTTP could still succeed if permitted by subsequent ACL entries (remember the implicit deny at the end of every ACL). This confirms that the syntax correctly targets only Telnet traffic.


Why Other Options Are Wrong:
Option a uses 192.168.10.0 255.255.255.0, which looks like a subnet mask, not a wildcard mask, and also omits a source field, so it is not valid extended ACL syntax.
Option b uses an invalid wildcard 0.255.255.255, which would match an overly broad and incorrect range of addresses.
Option d omits the protocol keyword tcp and reverses the order of source and destination, which is not correct for Cisco IOS ACLs.
Option e uses access-list 10, which is in the standard ACL range, so it would be interpreted as a standard access list; standard lists cannot match ports or destination addresses, which this requirement needs.


Common Pitfalls:
Students often forget that ACL syntax always lists source before destination, or they mistakenly use subnet masks instead of wildcard masks. Another common error is placing the ACL in the standard range when they need extended capabilities. Practising the correct order of parameters and remembering that wildcards are inverse masks will help avoid these issues.


Final Answer:
The correct extended ACL line is access-list 100 deny tcp any 192.168.10.0 0.0.0.255 eq 23.
