
Which entry must be included in the ACL?

 Coy
(@millotcoy)

An engineer must configure an ACL that permits packets which include an ACK in the TCP header.

Which entry must be included in the ACL?

  • A. access-list 10 permit ip any any eq 21 tcp-ack
  • B. access-list 110 permit tcp any any eq 21 tcp-ack
  • C. access-list 10 permit tcp any any eq 21 established
  • D. access-list 110 permit tcp any any eq 21 established


Suggested Answer: D

Explanation:

The established keyword applies only to TCP access-list entries. It matches TCP segments that have the ACK and/or RST control bit set (regardless of the source and destination ports), which assumes that a TCP connection has already been established in one direction only.

Let’s see an example below:

Suppose you only want to allow the hosts inside your company to telnet to an outside server, but not vice versa. You can simply use an "established" access list like this:

access-list 100 permit tcp any any established
access-list 101 permit tcp any any eq telnet
!
interface S0/0
 ip access-group 100 in
 ip access-group 101 out

Note: Suppose host A wants to start communicating with host B using TCP. Before they can send real data, a three-way handshake must be established first.

Let's see how this process takes place:
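
Added example, not part of the original post: a simplified Python model of how the established keyword classifies the handshake segments for the ACL 100/101 configuration above and for answer D's entry. The class and function names and the client port 49152 are constructed for illustration; real IOS entries also match on addresses and source ports, which this model omits.

```python
from dataclasses import dataclass
from typing import Optional

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10  # TCP control bits

@dataclass(frozen=True)
class Segment:
    dst_port: int
    flags: int

@dataclass(frozen=True)
class PermitTcp:
    """Simplified `permit tcp any any [eq <port>] [established]` entry."""
    dst_port: Optional[int] = None  # None means no `eq` clause
    established: bool = False

    def matches(self, seg: Segment) -> bool:
        if self.dst_port is not None and seg.dst_port != self.dst_port:
            return False
        # Stateless header test: the entry matches when ACK or RST is set.
        return not self.established or bool(seg.flags & (ACK | RST))

def evaluate(acl, seg):
    """Every entry is a permit; unmatched traffic hits the implicit deny."""
    return "permit" if any(e.matches(seg) for e in acl) else "deny"

ACL_100_IN = [PermitTcp(established=True)]            # access-list 100, inbound
ACL_101_OUT = [PermitTcp(dst_port=23)]                # access-list 101, outbound
ACL_110 = [PermitTcp(dst_port=21, established=True)]  # answer D's entry

def telnet_handshake():
    """Inside client (constructed port 49152) opens telnet to an outside server."""
    return [
        ("out SYN", evaluate(ACL_101_OUT, Segment(23, SYN))),
        ("in SYN-ACK", evaluate(ACL_100_IN, Segment(49152, SYN | ACK))),
        ("out ACK", evaluate(ACL_101_OUT, Segment(23, ACK))),
    ]

def outside_initiated():
    """Outside host tries to open telnet to an inside host: bare SYN inbound."""
    return evaluate(ACL_100_IN, Segment(23, SYN))

if __name__ == "__main__":
    for step, verdict in telnet_handshake():
        print(f"{step:<11}{verdict}")
    print("in SYN     ", outside_initiated())
    print("ACL 110, ACK to 21:", evaluate(ACL_110, Segment(21, ACK)))
    print("ACL 110, SYN to 21:", evaluate(ACL_110, Segment(21, SYN)))
```

The inside-initiated handshake is permitted at every step, while the inbound SYN is dropped by the implicit deny because it carries neither ACK nor RST.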


   