You are connected to R1. The network uses a single router with two subnets: 192.168.1.0/24 (connected to GigabitEthernet0/0) and 10.0.0.0/30 (connected to GigabitEthernet0/1). Configure an extended named ACL called 'FILTER_HTTP' that permits HTTP traffic (TCP port 80) from the 192.168.1.0/24 subnet to any destination, and includes an explicit deny statement to deny all other IP traffic. Apply the ACL inbound on GigabitEthernet0/0. Then verify that HTTP traffic is allowed and all other traffic is blocked.
Hints
- Remember the implicit deny at the end of every ACL – you may not need an explicit deny, but the question asks to deny all other IP traffic.
- Use the correct wildcard mask for the subnet 192.168.1.0/24: 0.0.0.255.
- Apply the ACL to the interface that receives traffic from the internal subnet.
! R1
ip access-list extended FILTER_HTTP
 permit tcp 192.168.1.0 0.0.0.255 any eq 80
 deny ip any any
interface GigabitEthernet0/0
 ip access-group FILTER_HTTP in
Why this answer
The task requires creating an extended named ACL 'FILTER_HTTP' that permits TCP port 80 from source 192.168.1.0/24 to any destination, and then denies all other IP traffic (the implicit deny will block everything else, but you must explicitly add a deny ip any any statement to make the intent clear). The ACL must be applied inbound on GigabitEthernet0/0. The solution uses the commands: ip access-list extended FILTER_HTTP, permit tcp 192.168.1.0 0.0.0.255 any eq 80, deny ip any any, and interface GigabitEthernet0/0, ip access-group FILTER_HTTP in.
Verification with show access-lists confirms the ACL entries and, because the deny ip any any is explicit, shows a match counter for the blocked traffic that the implicit deny alone would not provide; show ip interface GigabitEthernet0/0 confirms that FILTER_HTTP is applied inbound on that interface.
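To make the matching behaviour concrete, here is a small Python model of how an IOS extended ACL evaluates packets. It is an added illustration, not Cisco code and not part of the original exercise: it reproduces only the semantics the task depends on (wildcard-mask matching, first-match evaluation, the uncounted implicit deny at the end) and runs FILTER_HTTP against a handful of constructed sample packets arriving inbound on GigabitEthernet0/0. Packet field names and the sample addresses are assumptions made for this example.

```python
"""Toy model of IOS extended-ACL evaluation (added example, not Cisco code)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is ignored.
    So 0.0.0.255 checks the first three octets and ignores the host octet."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = 0xFFFFFFFF ^ w          # bits that must be equal
    return (a & care) == (n & care)


@dataclass
class Ace:
    """One access-control entry: '<action> <proto> <src> <src-wc> <dst> <dst-wc> [eq <dport>]'."""
    action: str                     # 'permit' or 'deny'
    proto: str                      # 'tcp', 'udp', 'icmp', or 'ip' (matches any protocol)
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dport: Optional[int] = None     # 'eq <port>' on the destination; None means any port
    hits: int = 0                   # what 'show access-lists' reports as "(N matches)"

    def matches(self, pkt: dict) -> bool:
        if self.proto != "ip" and self.proto != pkt["proto"]:
            return False
        if not wildcard_match(pkt["src"], self.src, self.src_wc):
            return False
        if not wildcard_match(pkt["dst"], self.dst, self.dst_wc):
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        return True


class ExtendedAcl:
    def __init__(self, name: str, aces: list):
        self.name = name
        self.aces = aces

    def evaluate(self, pkt: dict) -> str:
        """First matching entry wins; nothing matched means the implicit deny,
        which is not counted anywhere (the reason an explicit deny is useful)."""
        for ace in self.aces:
            if ace.matches(pkt):
                ace.hits += 1
                return ace.action
        return "deny"


ANY = ("0.0.0.0", "255.255.255.255")   # IOS keyword 'any'


def filter_http() -> ExtendedAcl:
    """The ACL from the exercise, as configured on R1."""
    return ExtendedAcl("FILTER_HTTP", [
        Ace("permit", "tcp", "192.168.1.0", "0.0.0.255", *ANY, dport=80),
        Ace("deny", "ip", *ANY, *ANY),
    ])


# Constructed sample packets arriving inbound on Gi0/0 (assumed addresses).
SAMPLE_PACKETS = {
    "lan-http":         {"proto": "tcp",  "src": "192.168.1.10", "dst": "10.0.0.2", "dport": 80},
    "lan-https":        {"proto": "tcp",  "src": "192.168.1.10", "dst": "10.0.0.2", "dport": 443},
    "lan-dns":          {"proto": "udp",  "src": "192.168.1.10", "dst": "10.0.0.2", "dport": 53},
    "lan-ping":         {"proto": "icmp", "src": "192.168.1.10", "dst": "10.0.0.2"},
    "other-subnet-http": {"proto": "tcp", "src": "192.168.2.5",  "dst": "10.0.0.2", "dport": 80},
}


def verify(acl: ExtendedAcl) -> dict:
    """Run every sample packet through the ACL and return label -> action."""
    return {label: acl.evaluate(pkt) for label, pkt in SAMPLE_PACKETS.items()}


def hit_counts(acl: ExtendedAcl) -> list:
    """Per-entry match counters, in configuration order."""
    return [ace.hits for ace in acl.aces]


if __name__ == "__main__":
    acl = filter_http()
    for label, action in verify(acl).items():
        print(f"{label:18} -> {action}")
    print("matches per entry:", hit_counts(acl))
```

The run shows the point behind the exam question: only TCP/80 from 192.168.1.0/24 is permitted, while HTTPS, DNS and ICMP from the same LAN, and HTTP from any other subnet, all fall through to the deny entry. Because that deny is explicit, its counter records the four blocked packets, which is exactly what you would check with show access-lists on the real router.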
Exam trap
Pay attention to the requirement for a named ACL versus numbered ACL. Also, note that while the implicit deny exists, the question explicitly asks for a deny statement, so you must include it. Finally, ensure the ACL is applied to the correct interface and direction.
Why the other options are wrong
- The option using numbered ACL 100: the task requires a named ACL called 'FILTER_HTTP', not a numbered one.
- The option without deny ip any any: the task explicitly requires a deny statement for all other IP traffic, so relying on the implicit deny alone does not satisfy it.
- The option applying the ACL on GigabitEthernet0/1: the ACL must be applied inbound on GigabitEthernet0/0, the interface that receives traffic from the 192.168.1.0/24 subnet.