Networking - Security - Discussion

Discussion :: Security - Security (Q.No.17)

17. 

If you wanted to deny FTP access from network 200.200.10.0 to network 200.199.11.0 but allow everything else, which of the following command strings is valid?

[A]. access-list 110 deny 200.200.10.0 to network 200.199.11.0 eq ftp
access-list 111 permit ip any 0.0.0.0 255.255.255.255
[B]. access-list 1 deny ftp 200.200.10.0 200.199.11.0 any any
[C]. access-list 100 deny tcp 200.200.10.0 0.0.0.255 200.199.11.0 0.0.0.255 eq ftp
[D]. access-list 198 deny tcp 200.200.10.0 0.0.0.255 200.199.11.0 0.0.0.255 eq ftp
access-list 198 permit ip any 0.0.0.0 255.255.255.255

Answer: Option D

Explanation:

Extended IP access lists use numbers 100-199 and 2000-2699 and filter based on source and destination IP address, protocol number, and port number. The last option is correct because of the second line that specifies permit ip any any. (I used 0.0.0.0 255.255.255.255, which is the same as the any option.) The third option does not have this, so it would deny access but not allow everything else.

Ashu said: (Jul 28, 2018)  
Can anyone explain this?

Post your comments here:

Name *:

Email   : (optional)

» Your comments will be displayed only after manual approval.