Introduction / Context: Standard IPv4 ACLs (numbered 1–99 and 1300–1999) filter traffic based solely on the source IPv4 address. They do not check destination addresses, ports, or protocols. Identifying valid syntax is essential when writing quick filters at the edge or near a destination interface.
Given Data / Assumptions:
We are using classic numbered standard ACLs.
Standard ACLs use wildcard masks, not subnet masks.
They do not include protocol or port keywords (those are extended ACL features).
Concept / Approach:
A valid standard ACL entry looks like: access-list <1–99|1300–1999> {permit|deny} <source> <wildcard>, or uses host for a single address. The line access-list 1 deny 172.16.10.1 0.0.0.0 denies exactly that host (equivalent to host 172.16.10.1) and conforms to standard ACL syntax.
Step-by-Step Solution:
Check the ACL number range to ensure it is standard, not extended.
Verify only a source address (and wildcard) is used.
Confirm there are no protocol or port qualifiers.
Select the line that meets all three conditions.
Verification / Alternative check:
Replacing 0.0.0.0 with the keyword host yields the same match: access-list 1 deny host 172.16.10.1.
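As an added example (not part of the original explanation), the three checks above can be written as a small Python lint for numbered standard ACL lines, which also normalizes the host form so the two equivalent entries compare equal. The function names, the partial keyword list and the subnet-mask heuristic are assumptions of this example, not IOS parser behaviour; it additionally accepts any, an omitted wildcard and a trailing log.

```python
import ipaddress

STANDARD_RANGES = (range(1, 100), range(1300, 2000))
EXTENDED_KEYWORDS = {"ip", "tcp", "udp", "icmp"}  # partial list, enough for a lint


def looks_like_subnet_mask(mask: str) -> bool:
    """Heuristic: 1-bits packed to the left (255.255.255.0), not a wildcard."""
    value = int(ipaddress.IPv4Address(mask))
    inverse = value ^ 0xFFFFFFFF
    return value >> 31 == 1 and inverse & (inverse + 1) == 0


def parse_standard_ace(line: str) -> tuple:
    """Return (number, action, source, wildcard); raise ValueError if invalid."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] != "access-list" or not tokens[1].isdigit():
        raise ValueError("expected: access-list <number> {permit|deny} <source>")
    number, action, rest = int(tokens[1]), tokens[2], tokens[3:]
    # Step 1: the number must be in a standard range.
    if not any(number in r for r in STANDARD_RANGES):
        raise ValueError(f"{number} is outside 1-99 and 1300-1999")
    if action not in ("permit", "deny"):
        raise ValueError(f"permit or deny expected, got {action!r}")
    # Step 3 (checked early): no protocol keyword where the source belongs.
    if rest[0] in EXTENDED_KEYWORDS:
        raise ValueError(f"{rest[0]!r} is an extended-ACL protocol keyword")
    # Step 2: only a source, written as any | host A | A | A W.
    if rest[0] == "any":
        source, wildcard, rest = "0.0.0.0", "255.255.255.255", rest[1:]
    elif rest[0] == "host":
        if len(rest) < 2:
            raise ValueError("host needs an address")
        source, wildcard, rest = rest[1], "0.0.0.0", rest[2:]
    elif len(rest) == 1 or rest[1] == "log":
        source, wildcard, rest = rest[0], "0.0.0.0", rest[1:]  # no wildcard = one host
    else:
        source, wildcard, rest = rest[0], rest[1], rest[2:]
        if looks_like_subnet_mask(wildcard):
            raise ValueError(f"{wildcard} looks like a subnet mask")
    ipaddress.IPv4Address(source)  # malformed address raises ValueError
    ipaddress.IPv4Address(wildcard)
    # Step 3: anything left over is a destination, port or other qualifier.
    if rest and rest != ["log"]:
        raise ValueError(f"unexpected extended-style tokens: {' '.join(rest)}")
    return number, action, source, wildcard
```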
Why Other Options Are Wrong:
110 and 2001: extended or named ranges; 110 also typically represents an extended ACL.
Option C uses a subnet mask, not a wildcard mask, and mixes addressing incorrectly for a host.
“access-list standard …”: invalid IOS syntax.
Common Pitfalls:
Using subnet masks in place of wildcard masks.
Accidentally writing extended-style entries in a standard ACL.