Denying Telnet to a specific destination network Which extended ACL line denies all Telnet (TCP port 23) traffic <em>to</em> the 192.168.10.0/24 network while leaving other traffic unaffected?
-
Aaccess-list 100 deny tcp 192.168.10.0 255.255.255.0 eq telnet
-
Baccess-list 100 deny tcp 192.168.10.0 0.255.255.255 eq telnet
-
Caccess-list 100 deny tcp any 192.168.10.0 0.0.0.255 eq 23
-
Daccess-list 100 deny 192.168.10.0 0.0.0.255 any eq 23
-
Eaccess-list 10 deny tcp any 192.168.10.0 0.0.0.255 eq telnet
Answer
Correct Answer: access-list 100 deny tcp any 192.168.10.0 0.0.0.255 eq 23
Explanation
Introduction / Context:Extended IPv4 ACLs can filter based on protocol and ports with precise source and destination fields. To block Telnet to a destination network, you must set the source to any, the destination to the target subnet with a wildcard mask, the protocol to TCP, and the destination port to 23 (telnet).
Given Data / Assumptions:
- Target destination network: 192.168.10.0/24.
- Traffic to block: Telnet (TCP 23).
- Using a numbered extended ACL (100 range).
Concept / Approach:
Correct format: access-list 100 deny tcp any 192.168.10.0 0.0.0.255 eq 23. This denies Telnet sessions to any host in that /24. Place appropriate permit statements after it to allow desired traffic and avoid implicit deny of all else.
Step-by-Step Solution:
Select extended ACL number (100).Use protocol tcp.Specify source any.Specify destination network 192.168.10.0 with wildcard 0.0.0.255.Specify destination port eq 23 (telnet).Verification / Alternative check:
Attempt a Telnet connection to any host in 192.168.10.0/24; the ACL counter should increment and the session should fail, while other protocols succeed if permitted later in the ACL.
Why Other Options Are Wrong:
- Option A uses a subnet mask instead of a wildcard and reverses fields.
- Option B has an invalid wildcard.
- Option D omits the protocol keyword and reverses positions.
- Option E uses ACL 10 (standard), which cannot match ports.
Common Pitfalls:
- Forgetting that ACLs end with an implicit deny; add permits as needed.
- Reversing source and destination fields.
Final Answer:
access-list 100 deny tcp any 192.168.10.0 0.0.0.255 eq 23