Chapter 25 - Basic IPv4 Access Control Lists Flashcards
Barney is a host with IP address 10.1.1.1 in subnet 10.1.1.0/24. Which of the following are things that a standard IP ACL could be configured to do?
(Choose two answers.)
a. Match the exact source IP address.
b. Match IP addresses 10.1.1.1 through 10.1.1.4 with one access-list command without matching other IP addresses.
c. Match all IP addresses in Barney’s subnet with one access-list command without matching other IP addresses.
d. Match only the packet’s destination IP address.
A and C.
Standard ACLs check the source IP address. The address range 10.1.1.1 – 10.1.1.4 can be matched by an ACL, but it requires multiple access-list commands. Matching all hosts in Barney’s subnet can be accomplished with the access-list 1 permit 10.1.1.0 0.0.0.255 command.
Which of the following answers list a valid number that can be used with standard
numbered IP ACLs?
(Choose two answers.)
a. 1987
b. 2187
c. 187
d. 87
A and D.
The range of valid ACL numbers for standard numbered IP ACLs is 1–99 and 1300–1999, inclusive.
Which of the following wildcard masks is most useful for matching all IP packets in subnet 10.1.128.0, mask 255.255.255.0?
a. 0.0.0.0
b. 0.0.0.31
c. 0.0.0.240
d. 0.0.0.255
e. 0.0.15.0
f. 0.0.248.255
D.
0.0.0.255 matches all packets that have the same first three octets. This is useful when you want to match a subnet in which the subnet part comprises the first three octets, as in this case.
Which of the following wildcard masks is most useful for matching all IP packets in subnet 10.1.128.0, mask 255.255.240.0?
a. 0.0.0.0
b. 0.0.0.31
c. 0.0.0.240
d. 0.0.0.255
e. 0.0.15.255
f. 0.0.248.255
E.
0.0.15.255 matches all packets with the same first 20 bits. This is useful when you want to match a subnet in which the subnet part comprises the first 20 bits, as in this case.
ACL 1 has three statements, in the following order, with address and wildcard mask values as follows: 1.0.0.0 0.255.255.255, 1.1.0.0 0.0.255.255, and 1.1.1.0 0.0.0.255. If a router tried to match a packet sourced from IP address 1.1.1.1 using this ACL, which ACL statement does a router consider the packet to have matched?
a. First
b. Second
c. Third
d. Implied deny at the end of the ACL
A.
The router always searches the ACL statements in order, and stops trying to match ACL statements after a statement is matched. In other words, it uses first-match logic. A packet with source IP address 1.1.1.1 would match any of the three explicitly configured commands described in the question. As a result, the first statement will be used.
Which of the following access-list commands matches all packets sent from hosts in subnet 172.16.4.0/23?
a. access-list 1 permit 172.16.0.5 0.0.255.0
b. access-list 1 permit 172.16.4.0 0.0.1.255
c. access-list 1 permit 172.16.5.0
d. access-list 1 permit 172.16.5.0 0.0.0.127
B.
One wrong answer, with wildcard mask 0.0.255.0, matches all packets that begin with 172.16, with a 5 in the last octet. One wrong answer matches only specific IP address 172.16.5.0. One wrong answer uses a wildcard mask of 0.0.0.128, which has only one wildcard bit (in binary) and happens to only match addresses 172.16.5.0 and 172.16.5.128. The correct answer matches the range of addresses 172.16.4.0 – 172.16.5.255.