Permitting SMTP to a single host with an extended ACL Which ACL line correctly permits only SMTP (TCP port 25) traffic destined for host 1.1.1.1?
-
Aaccess-list 10 permit smtp host 1.1.1.1
-
Baccess-list 110 permit ip smtp host 1.1.1.1
-
Caccess-list 10 permit tcp any host 1.1.1.1 eq smtp
-
Daccess-list 110 permit tcp any host 1.1.1.1 eq smtp
-
Eaccess-list 110 permit udp any host 1.1.1.1 eq smtp
Answer
Correct Answer: access-list 110 permit tcp any host 1.1.1.1 eq smtp
Explanation
Introduction / Context:Extended ACLs can filter traffic based on Layer-3 and Layer-4 criteria such as protocol and port numbers. SMTP uses TCP port 25. To allow only SMTP traffic to a specific destination while denying other protocols by default, you write a precise extended ACL entry and apply it in the proper direction.
Given Data / Assumptions:
- Destination host: 1.1.1.1.
- Protocol/port: TCP port 25 (smtp).
- Numbered extended ACL syntax is being used.
Concept / Approach:
The canonical extended ACL format is: access-list <100–199|2000–2699> {permit|deny} tcp
Step-by-Step Solution:
Select extended ACL range (110 is valid).Specify protocol tcp.Define source as any.Define destination as host 1.1.1.1 and port eq smtp.Apply appropriately (typically inbound on the target host’s subnet interface).Verification / Alternative check:
After applying, verify counters with show access-lists 110 while generating SMTP test traffic and ensure other protocols are blocked by implicit deny if no other permits follow.
Why Other Options Are Wrong:
- Options A and C use ACL 10, which is a standard ACL number and cannot match ports.
- Option B’s syntax is invalid: “ip smtp” is not a valid qualifier.
- Option E uses UDP; SMTP relies on TCP, not UDP.
Common Pitfalls:
- Applying the ACL in the wrong direction or at the wrong interface.
- Forgetting that there is an implicit deny at the end of every ACL.
Final Answer:
access-list 110 permit tcp any host 1.1.1.1 eq smtp