Which of the following access lists denies packets with a UDP header, any source IP address with a source port greater than 10455, a destination IP address of 30.3.3.3, and a destination port equal to 25?
access-list 101 deny udp any gt 10455 host 30.3.3.3 eq 25 is the correct answer.
The configuration process for extended ACLs mostly matches the process used for standard ACLs. You must choose the location and direction in which to enable the ACL. The direction matters in particular, because it determines whether a given address or port appears as the source or the destination of the packets the ACL examines.
Configure the ACL using access-list commands, and when complete, enable the ACL using the same ip access-group command used with standard ACLs. All these steps mirror what you do with standard ACLs; however, when configuring, keep the following differences in mind:
Place extended ACLs as close as possible to the source of the packets that will be filtered. Filtering close to the source of the packets saves some bandwidth.
Remember that all fields in one access-list command must match a packet for the packet to be considered to match that access-list statement.
Use numbers in the ranges 100–199 and 2000–2699 on the access-list commands; no one number is inherently better than another.
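The all-fields-must-match rule, shown as an added example that is not part of the original page: a small Python matcher for one extended access-list statement, checked against a constructed packet. The function names and the packet dictionary layout are assumptions made for this illustration, and only the any/host/wildcard address forms and the eq, gt, lt and neq port operators are handled.

```python
import ipaddress

# Added illustration, not Cisco code: function names and the packet dict layout are assumptions.
PORT_OPS = {
    "eq": lambda port, n: port == n,
    "gt": lambda port, n: port > n,   # strictly greater, so "gt 10455" starts at 10456
    "lt": lambda port, n: port < n,
    "neq": lambda port, n: port != n,
}

def _take_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D wildcard' and return an address test."""
    first = tokens.pop(0)
    if first == "any":
        return lambda ip: True
    if first == "host":
        host = ipaddress.ip_address(tokens.pop(0))
        return lambda ip: ipaddress.ip_address(ip) == host
    base = int(ipaddress.ip_address(first))
    care = ~int(ipaddress.ip_address(tokens.pop(0))) & 0xFFFFFFFF  # wildcard 1-bits are ignored
    return lambda ip: int(ipaddress.ip_address(ip)) & care == base & care

def _take_port(tokens):
    """Consume an optional '<operator> <port>' pair; if absent, every port matches."""
    if tokens and tokens[0] in PORT_OPS:
        op, n = PORT_OPS[tokens.pop(0)], int(tokens.pop(0))
        return lambda port: op(port, n)
    return lambda port: True

def parse_ace(line):
    """Return (action, matches) for one numbered extended access-list statement."""
    tokens = line.split()
    number = int(tokens[1])
    if tokens[0] != "access-list" or not (100 <= number <= 199 or 2000 <= number <= 2699):
        raise ValueError("not a numbered extended access-list statement")
    action, proto, rest = tokens[2], tokens[3], tokens[4:]
    # Field order is fixed: source address, source port, destination address, destination port.
    src, sport = _take_addr(rest), _take_port(rest)
    dst, dport = _take_addr(rest), _take_port(rest)
    def matches(pkt):  # every field must match for the statement to match
        return (proto in ("ip", pkt["proto"]) and src(pkt["src"]) and sport(pkt["sport"])
                and dst(pkt["dst"]) and dport(pkt["dport"]))
    return action, matches

if __name__ == "__main__":
    action, matches = parse_ace("access-list 101 deny udp any gt 10455 host 30.3.3.3 eq 25")
    pkt = {"proto": "udp", "src": "10.1.1.1", "sport": 10456, "dst": "30.3.3.3", "dport": 25}  # constructed
    print(action, matches(pkt))
```

Changing any single field of the constructed packet (protocol, source port at or below 10455, destination address, destination port) makes the statement stop matching, so the packet falls through to the next statement in the list.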