An engineer must configure a ACL that permits packets which include an ACK In the TCP header. Which entry must be Included In the ACL?

Category: CCNP
ITExamAnswers Staff asked 9 months ago

Question:
An engineer must configure a ACL that permits packets which include an ACK In the TCP header. Which entry must be Included In the ACL?

  • A. access-list 110 permit tcp any any eq 21 tcp-ack
  • B. access-list 10 permit ip any any eq 21 tcp-ack
  • C. access-list 10 permit tcp any any eq 21 established
  • D. access-list 110 permit tcp any any eq 21 established

Explanation: The correct entry is D. The established keyword is valid only in extended ACL entries for TCP (numbered lists 100-199 and 2000-2699, or named extended lists) and matches TCP segments that have the ACK or RST control bit set, that is, every segment of a connection except the initial SYN. It is an additional condition, not a replacement for the others in the same entry, so eq 21 still has to match as well. Options B and C use access-list 10, which is a standard ACL; a standard ACL filters on source address only and accepts no protocol, port or flag keywords. tcp-ack (options A and B) is not an IOS keyword. Because only segments with ACK or RST pass, the entry lets a connection be opened from one direction only. Keep in mind that established is a check on flag bits, not stateful inspection: any inbound segment with ACK set is permitted whether or not a handshake ever took place. Let's see an example below:


Suppose you only want to allow hosts inside your company to telnet to an outside server, but not the reverse. You can use an "established" access list like this (S0/0 is the interface facing the outside):

! inbound: only segments with ACK or RST set, i.e. replies to sessions opened from inside
access-list 100 permit tcp any any established
! outbound: only telnet (TCP port 23) may be initiated from inside
access-list 101 permit tcp any any eq telnet
!
interface S0/0
ip access-group 100 in
ip access-group 101 out

Note: Suppose host A wants to start communicating with host B using TCP. Before they can send real data, a three-way handshake must complete first. Let's see how this process takes place:


1. First, host A sends a SYN message (a TCP segment with the SYN flag set to 1; SYN is short for SYNchronize) to indicate that it wants to set up a connection with host B. This message includes a sequence (SEQ) number for tracking purposes. The sequence number can be any 32-bit value (0 to 2^32 - 1), so we use "x" to represent it.

2. After receiving the SYN message from host A, host B replies with a SYN-ACK message (some books call it a "SYN/ACK" or "SYN, ACK" message; ACK is short for ACKnowledge). This message includes a SYN sequence number and an ACK number:

+ The SYN sequence number (let's call it "y") is a random number and has no relationship with host A's SYN SEQ number.

+ The ACK number is host A's SYN sequence number plus one, so we represent it as "x+1". It means "I received your part. Now send me the next part (x+1)".

The SYN-ACK message indicates that host B accepts the conversation with host A (via the ACK part) and asks whether host A still wants to talk to it as well (via the SYN part).

3. After host A receives the SYN-ACK message from host B, it sends an ACK message with ACK number "y+1" to host B. This confirms that host A still wants to talk to host B.

Only the first segment (the SYN in step 1) lacks the ACK bit, which is exactly the segment an established entry refuses to match; the SYN-ACK in step 2 and everything after it carry ACK and pass.
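To tie the ACL syntax question to the handshake above, here is an added Python example (not code from the original page and not Cisco IOS itself). It does two things: it checks the four candidate access-list lines against the small part of the IOS ACL grammar this page uses (numbered standard ranges 1-99 and 1300-1999, extended ranges 100-199 and 2000-2699, the eq and established keywords), and it replays the page's ACL 100/101 configuration over a telnet handshake to show which segments each list permits. The grammar subset, the client port numbers and the segment records are constructed for illustration; the last function shows the caveat that established matches a forged ACK-only segment because it inspects flags, not connection state.

```python
"""Validator for the candidate ACL lines plus a replay of ACL 100/101 over a
telnet handshake. Added example, not from the original page or from Cisco IOS;
only the subset of the access-list grammar used on the page is modelled."""
from dataclasses import dataclass
from typing import List, Optional

TELNET = 23
STANDARD = (range(1, 100), range(1300, 2000))     # numbered standard ACLs
EXTENDED = (range(100, 200), range(2000, 2700))   # numbered extended ACLs


def validate_ace(line: str) -> str:
    """Return 'ok' or the reason an `access-list` entry is not valid IOS syntax.
    Assumption: grammar limited to '<proto> <src> <dst> [eq <port>] [established]'."""
    tok = line.split()
    if len(tok) < 6 or tok[0] != "access-list" or not tok[1].isdigit():
        return "malformed"
    number, action, proto = int(tok[1]), tok[2], tok[3]
    if action not in ("permit", "deny"):
        return "malformed"
    if any(number in r for r in STANDARD):
        return "standard ACL: matches source address only, no protocol/port/flag keywords"
    if not any(number in r for r in EXTENDED):
        return "number outside the standard and extended ranges"
    rest, i = tok[6:], 0                     # tokens after <proto> <src> <dst>
    while i < len(rest):
        if rest[i] == "eq" and i + 1 < len(rest):
            if proto not in ("tcp", "udp"):
                return "eq needs tcp or udp"
            i += 2
        elif rest[i] == "established":
            if proto != "tcp":
                return "established is valid only for tcp"
            i += 1
        else:
            return f"unknown keyword {rest[i]!r}"   # e.g. tcp-ack is not an IOS keyword
    return "ok"


@dataclass(frozen=True)
class Segment:
    """Constructed TCP segment: only the fields the ACLs look at."""
    src_port: int
    dst_port: int
    syn: bool = False
    ack: bool = False
    rst: bool = False


@dataclass(frozen=True)
class Ace:
    """One extended entry of the form 'permit tcp any any [eq <port>] [established]'."""
    action: str
    eq_dst_port: Optional[int] = None
    established: bool = False

    def matches(self, seg: Segment) -> bool:
        if self.eq_dst_port is not None and seg.dst_port != self.eq_dst_port:
            return False
        # `established` looks only at the ACK/RST bits; there is no connection table
        return (not self.established) or seg.ack or seg.rst


def evaluate(acl: List[Ace], seg: Segment) -> str:
    """First match wins; every IOS ACL ends with an implicit deny."""
    for ace in acl:
        if ace.matches(seg):
            return ace.action
    return "deny"


ACL_100 = [Ace("permit", established=True)]     # applied inbound on S0/0
ACL_101 = [Ace("permit", eq_dst_port=TELNET)]   # applied outbound on S0/0


def telnet_from_inside(client_port: int = 51000) -> List[str]:
    """Verdicts for the three handshake segments of an inside-initiated session."""
    return [
        evaluate(ACL_101, Segment(client_port, TELNET, syn=True)),            # 1: SYN out
        evaluate(ACL_100, Segment(TELNET, client_port, syn=True, ack=True)),  # 2: SYN-ACK in
        evaluate(ACL_101, Segment(client_port, TELNET, ack=True)),            # 3: ACK out
    ]


def telnet_from_outside(client_port: int = 40000) -> str:
    """An outside host's opening SYN arrives inbound without ACK: denied."""
    return evaluate(ACL_100, Segment(client_port, TELNET, syn=True))


def forged_ack_from_outside(client_port: int = 40000) -> str:
    """Caveat: an inbound segment with ACK set and no prior handshake still
    matches `established`; this is flag matching, not stateful inspection."""
    return evaluate(ACL_100, Segment(client_port, TELNET, ack=True))


if __name__ == "__main__":
    options = {
        "A": "access-list 110 permit tcp any any eq 21 tcp-ack",
        "B": "access-list 10 permit ip any any eq 21 tcp-ack",
        "C": "access-list 10 permit tcp any any eq 21 established",
        "D": "access-list 110 permit tcp any any eq 21 established",
    }
    for opt, line in options.items():
        print(opt, validate_ace(line))
    print("inside -> outside telnet:", telnet_from_inside())
    print("outside -> inside SYN:", telnet_from_outside())
    print("outside forged ACK-only:", forged_ack_from_outside())
```

Running it reports only option D as valid, permits all three segments of the inside-initiated handshake, denies the outside host's SYN, and permits the forged ACK-only segment. That last result is why established is a filter for return traffic rather than a security boundary; on IOS, reflexive ACLs or the zone-based firewall track real connection state.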
