Introducing Cisco Data Center Networking (DCICN) — Question 16
What is the correct format of an access control list on a Cisco Nexus switch to deny hosts on the 172.16.1.0/21 network from accessing HTTP proxy servers listening on port 8080?
Answer options
- A.
  N5K-A(config)# ip access-list 101
  N5K-A(config-acl)# deny tcp 172.16.1.0 0.0.7.255 any eq 8080
  N5K-A(config-acl)# permit ip any any
- B.
  N5K-A(config)# ip access-list 101
  N5K-A(config-acl)# deny tcp any 172.16.1.0 255.255.248.0 eq 8080
  N5K-A(config-acl)# permit ip any any
- C.
  N5K-A(config)# access-list 101 deny tcp 172.16.1.0 0.0.15.255 eq 8080
- D.
  N5K-A(config)# ip access-list 101
  N5K-A(config-acl)# deny tcp any host 172.16.1.0/21 eq 8080
Correct answer: A
Explanation
Option A is correct because it specifies the 172.16.1.0/21 network as the source (wildcard mask 0.0.7.255 is the inverse of the /21 mask 255.255.248.0), denies TCP traffic from it to destination port 8080 on any host, and then permits all other traffic. Option B uses 'any' as the source address, which would deny traffic from all sources instead of just the specified network. Option C has an incorrect wildcard mask (0.0.15.255 covers a /20, not a /21), so it would not accurately match the desired subnet. Option D combines the 'host' keyword, which matches a single address, with a /21 network, which is not the appropriate syntax for defining a network range.