A.
access-list 101 deny tcp 10.0.2.0 0.0.0.255 host 10.0.101.3 eq ftp
access-list 101 deny tcp 10.0.2.0 0.0.0.255 host 10.0.101.3 eq ftp-data
access-list 101 permit ip any any
B.
access-list 101 deny tcp 10.0.2.0 0.0.0.255 host 10.0.101.3 eq ftp-data
access-list 101 permit ip any any
C.
interface GigabitEthernet0/0
ip address 10.0.0.1 255.255.255.252
ip access-group 101 out
D.
access-list 101 deny tcp 10.0.2.0 0.0.0.255 host 10.0.101.3 eq ftp
access-list 101 permit ip any any
E.
interface GigabitEthernet0/0
ip address 10.0.101.1 255.255.255.252
ip access-group 101 in
I suspect errors in the provided options. I would expect to see options like these based on the topology:
C. interface GigabitEthernet0/0 ip address 10.0.101.1 255.255.255.0 ip access-group 101 out <<< applied for traffic leaving R1 on LAN facing interface
E. interface Serial 0/0/0 ip address 10.0.0.1 255.255.255.0 ip access-group 101 in <<< applied for traffic coming to R1 on WAN facing interface
Options B, C, and D are incorrect.
FTP uses 2 ports, port 20 and port 21, and to block FTP we need to block both ports.
Options B and D can't be used together. If option B is installed first, it will work fine. But when option D is configured, the ACL entry "access-list 101 deny tcp 10.0.2.0 0.0.0.255 host 10.0.101.3 eq ftp" will be overridden by the previous "permit ip any any" entry from option B.
Option C is incorrect, we're using GigabitEthernet interfaces for LAN, and serial interfaces for WAN to connect the routers.
Option A is correct, we need to use this configuration to deny all TCP ports (port 20 & 21, or eq ftp-data & FTP).
Option E is correct, but it should be "out" not "in"; I think there's a typo in the answers.
- FTP traffic will travel as ingress traffic at the WAN interface and as egress traffic at the LAN interface towards the FTP server.
The correct configuration:
interface GigabitEthernet0/0
ip address 10.0.101.1 255.255.255.252
ip access-group 101 out
access-list 101 deny tcp 10.0.2.0 0.0.0.255 host 10.0.101.3 eq ftp
access-list 101 deny tcp 10.0.2.0 0.0.0.255 host 10.0.101.3 eq ftp-data
access-list 101 permit ip any any
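Added example (not part of any post in this thread): a small Python model of IOS first-match ACL evaluation, run over the access-list 101 lines quoted on this page, showing why an entry appended after "permit ip any any" is never reached. The client address 10.0.2.5 is a constructed sample, and the parser handles only the two entry shapes that appear here.

```python
import ipaddress

PORTS = {"ftp": 21, "ftp-data": 20}   # IOS port keywords used on this page

def ip(addr):
    return int(ipaddress.ip_address(addr))

def parse_ace(line):
    """Parse the two entry shapes quoted in this thread (not a full IOS parser)."""
    t = line.split()[2:]               # drop "access-list 101"
    ace = {"action": t[0], "proto": t[1], "src": None, "dst": None, "port": None}
    if t[2:] != ["any", "any"]:        # <net> <wildcard> host <ip> eq <port>
        ace.update(src=(ip(t[2]), ip(t[3])), dst=ip(t[5]), port=PORTS[t[7]])
    return ace

def evaluate(acl, src, dst, dport, proto="tcp"):
    """First match wins; returns (action, 1-based entry number)."""
    for n, line in enumerate(acl, 1):
        a = parse_ace(line)
        if a["proto"] not in ("ip", proto):
            continue
        if a["src"]:
            net, wild = a["src"]       # wildcard bits set to 1 are "don't care"
            if (ip(src) | wild) != (net | wild):
                continue
        if a["dst"] is not None and ip(dst) != a["dst"]:
            continue
        if a["port"] is not None and dport != a["port"]:
            continue
        return a["action"], n
    return "deny", None                # implicit deny at the end of every ACL

DENY_FTP = "access-list 101 deny tcp 10.0.2.0 0.0.0.255 host 10.0.101.3 eq ftp"
DENY_DATA = "access-list 101 deny tcp 10.0.2.0 0.0.0.255 host 10.0.101.3 eq ftp-data"
PERMIT = "access-list 101 permit ip any any"

OPTION_A = [DENY_FTP, DENY_DATA, PERMIT]          # option A as written
B_THEN_D = [DENY_DATA, PERMIT, DENY_FTP, PERMIT]  # option B entered first, then D appended

def ftp_verdicts(acl, client="10.0.2.5", server="10.0.101.3"):
    """Verdict for FTP control (21) and FTP data (20) from the constructed client."""
    return {port: evaluate(acl, client, server, port) for port in (21, 20)}

if __name__ == "__main__":
    for name, acl in (("A", OPTION_A), ("B then D", B_THEN_D)):
        print(name, ftp_verdicts(acl))
```

With option A both ports hit a deny entry; with B followed by D, port 21 is permitted by entry 2 and the later deny is dead configuration.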
Assuming GigabitEthernet0/0 is the interface connected to the WAN.
interface GigabitEthernet0/0
ip address 10.0.0.1 255.255.255.252
ip access-group 101 in
The answer needs to include the A option (https://www.cisco.com/c/es_mx/support/docs/ip/access-lists/26448-ACLsamples.html)
access-list 102 deny tcp any any eq ftp
access-list 102 deny tcp any any eq ftp-data
access-list 102 permit ip any any
(as example)
Guys, just pass this question and go to the next one. Most suitable answers are B and D. C and E are wrong, bad mask and bad in/out configuration, so we cannot even select answer A. We have to think as if the ACL was already applied, and then B and D.
I'm voting first for A because it denies both FTP ports and is the only sane answer.
My second vote goes for option C. Interface Gig 0/0 MUST be the interface facing SW1. Because the other interface has to be a serial interface as per the squiggly line and the cloud marked "WAN". This option applies access list 101 in an outward direction from R1 towards SW1 and therefore makes sense.
I go with the provided answer with this one as the most correct.
C and D - Wrong, they would filter traffic coming from the server and not from the host. The ACL options configure the host as the source, so it will not work.
A - Wrong, after discarding C and E, all other configurations are about configuring the ACL. Choosing A will make B and D redundant. It is technically correct, but I will discard it just because the question asks for two answers, not one.
B - C: Each one blocks one of the two ports used by FTP. They are part of the configuration one needs to apply in order to block the FTP traffic. We will need to assume that the ACL is already applied to the correct port and we are just adding the indexes.
Certainly an awful question, but from all possible answer combinations, B and D seem the most correct.
A and C
A because you need to block ports 20 and 21, and C because that traffic should go out of gi0/0 according to the IP scheme, so requests with TCP ports 20 and 21 will be blocked.