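Single-choice question: On a Cisco router, an extended access control list is used to block the host with IP address 211.102.33.24. The correct configuration statements are ______.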
  • A. access-list 99 deny ip host 211.102.33.24 any
       access-list 99 deny ip any host 211.102.33.24
       access-list 99 permit ip any any
  • B. access-list 100 permit ip any any
       access-list 100 deny ip host 211.102.33.24 any
       access-list 100 deny ip any host 211.102.33.24
  • C. access-list 199 deny ip host 211.102.33.24 any
       access-list 199 deny ip any host 211.102.33.24
       access-list 199 permit ip any any
  • D. access-list 166 deny ip host 211.102.33.24 any
       access-list 166 permit ip any any
[Correct answer] C
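[Explanation] The command format for configuring an extended access control list with the access-list command is access-list access-list-number {permit | deny} protocol source wildcard-mask destination wildcard-mask [operator] [operand]. Note that the list numbers for IP extended access control lists range from 100 to 199 and from 2000 to 2699, so list 99 in option A is not an extended list number. An ACL is evaluated in order, starting from the first conditional statement in the configured list. In option B, access-list 100 permit ip any any is evaluated first, so no IP address is blocked and the two statements that follow it have no effect. Option D only refuses to forward packets whose source address is 211.102.33.24 and does not block packets whose destination address is 211.102.33.24, so D is wrong.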