To tighten up security, your company is locking down access to the Cisco device vty ports. They have already shut down telnet access with: "`transport input ssh`" configurations on all devices. Now, they want a 3-line access-list that will restrict SSH access to just 30 addresses from the IT-Admins subnet-zero range of 172.16.200.0. As a help, they've already written out "most" of the last two lines for you already: Line#2- "`deny ssh traffic: any-source, any destination`" Line#3- "`permit any, any`". **Which of the following would work for the first line?**

To tighten up security, your company is locking down access to the Cisco device vty ports. They have already shut down telnet access with: "transport input ssh" configurations on all devices.

Now, they want a 3-line access-list that will restrict SSH access to just 30 addresses from the IT-Admins subnet-zero range of 172.16.200.0.

As a help, they've already written out "most" of the last two lines for you already:
Line#2- "deny ssh traffic: any-source, any destination"
Line#3- "permit any, any".
Which of the following would work for the first line?

access-list 100 permit tcp 172.16.0.0 0.0.0.31 any eq 22

access-list 1 permit tcp 172.16.0.0 0.0.0.31 any eq 23

access-list 100 deny tcp 172.16.0.0 0.0.0.31 any eq 22

access-list 100 permit icmp 172.16.0.0 0.0.0.31 any eq 23

access-list 1 permit tcp 172.16.0.0 0.0.0.255 any eq 22

access-list 1 permit tcp 172.16.0.0 0.0.0.31 any eq 22

Explanation

This might look hard, but shouldn't take more than 15 seconds to answer; - - - - >All you have to do is "PERMIT" the 30 specified addresses for SSH(and they are mostly all the same addresses) - - - - - - - - - > (1) To filter on a specific protocol (ssh) requires Extended ACL. which eliminates half of the choices that have ACL-Numbers=1, - - - - - (2) Ultimately you are going to "filter" on ssh/ which is port#22, (end of the line is: "eq 22") which leaves only 2 choices, - - - - - - - (3) out of the remaining 2 choices, one denies ssh-traffic from the source, and the correct on permits it - - - - - - - - - - [Wrapup]: Line#2 would block any other SSH traffic= "access-list 100 deny tcp any any eq 22 " / - - - - -/ Line#3 Standard= "access-list 100 permit ip any any"