Chapter 26 - Advanced IPv4 Access Control Lists Flashcards
Which of the following fields cannot be compared based on an extended IP ACL?
(Choose two answers.)
a. Protocol
b. Source IP address
c. Destination IP address
d. TOS byte
e. URL
f. Filename for FTP transfers
E and F.
Extended ACLs can look at the Layer 3 (IP) and Layer 4 (TCP, UDP) headers and a few others, but not any application layer information. Named extended ACLs can look for the same fields as numbered extended ACLs.
Which of the following access-list commands permit packets going from host 10.1.1.1 to all web servers whose IP addresses begin with 172.16.5?
(Choose two answers.)
a. access-list 101 permit tcp host 10.1.1.1 172.16.5.0 0.0.0.255 eq www
b. access-list 1951 permit ip host 10.1.1.1 172.16.5.0 0.0.0.255 eq www
c. access-list 2523 permit ip host 10.1.1.1 eq www 172.16.5.0 0.0.0.255
d. access-list 2523 permit tcp host 10.1.1.1 eq www 172.16.5.0 0.0.0.255
e. access-list 2523 permit tcp host 10.1.1.1 172.16.5.0 0.0.0.255 eq www
A and E.
The correct range of ACL numbers for extended IP access lists is 100 to 199 and 2000 to 2699, so answer B (1951) is not an extended ACL at all. Answers B and C also pair the ip protocol keyword with a port number, which IOS rejects because port matching requires tcp or udp. The answers that list the eq www parameter after 10.1.1.1 match the source port number, but the packets are going toward the web server, not away from it, so the well-known port 80 appears as the destination port and must be matched after the destination address.
Which of the following access-list commands permits packets going to any web client from all web servers whose IP addresses begin with 172.16.5?
a. access-list 101 permit tcp host 10.1.1.1 172.16.5.0 0.0.0.255 eq www
b. access-list 1951 permit ip host 10.1.1.1 172.16.5.0 0.0.0.255 eq www
c. access-list 2523 permit tcp any eq www 172.16.5.0 0.0.0.255
d. access-list 2523 permit tcp 172.16.5.0 0.0.0.255 eq www 172.16.5.0 0.0.0.255
e. access-list 2523 permit tcp 172.16.5.0 0.0.0.255 eq www any
E.
Because the packet is going from the web server toward any web client, the web server's well-known port (www, TCP 80) is now the source port, so eq www must follow the source address. The client IP address range is not specified in the question (hence any as the destination), but the servers are, so the source address beginning with 172.16.5 is the correct answer.
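The two questions above turn on two details that are easy to get backwards: the wildcard mask (a 1 bit means "don't care") and whether eq www sits after the source or the destination address. The following Python simulator is an added example, not code from the book or from Cisco IOS. It parses only the subset of extended ACL syntax used in the questions (any, host, address plus wildcard mask, optional eq port on tcp/udp), applies IOS first-match semantics with the implicit deny at the end, and runs the answer choices against two constructed packets: a client request from 10.1.1.1 to a web server 172.16.5.10 and the server's reply. The port names and the client's ephemeral port 49152 are assumptions for the demonstration.

```python
"""Minimal simulator of Cisco IOS extended IP ACL matching (added example).

Supported syntax (the subset used in the flashcards above):
  access-list <num> permit|deny <ip|tcp|udp> <src> [eq <port>] <dst> [eq <port>]
where <src>/<dst> is 'any', 'host A.B.C.D', or 'A.B.C.D W.W.W.W' (wildcard mask).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Assumed name-to-port table; IOS knows many more keywords.
NAMED_PORTS = {"www": 80, "ftp": 21, "telnet": 23}


def valid_extended_number(n: int) -> bool:
    """Numbered extended IP ACLs live in 100-199 and 2000-2699."""
    return 100 <= n <= 199 or 2000 <= n <= 2699


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass
class Ace:
    action: str
    proto: str
    src_net: int
    src_wild: int
    sport: Optional[int]
    dst_net: int
    dst_wild: int
    dport: Optional[int]


def _wild_match(addr: str, net: int, wild: int) -> bool:
    """Wildcard mask: compare only the bits that are 0 in the mask."""
    care = ~wild & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (net & care)


def parse_ace(command: str) -> Ace:
    """Parse one access-list command; raise ValueError where IOS would reject it."""
    tok = command.split()
    if tok[:1] != ["access-list"]:
        raise ValueError("expected an access-list command")
    number = int(tok[1])
    if not valid_extended_number(number):
        raise ValueError(f"{number} is not an extended IP ACL number")
    action, proto = tok[2], tok[3]
    pos = 4

    def take_addr():
        nonlocal pos
        if tok[pos] == "any":
            pos += 1
            return 0, 0xFFFFFFFF                      # every bit is "don't care"
        if tok[pos] == "host":
            pos += 2
            return int(ipaddress.IPv4Address(tok[pos - 1])), 0   # exact match
        net, wild = tok[pos], tok[pos + 1]
        pos += 2
        return int(ipaddress.IPv4Address(net)), int(ipaddress.IPv4Address(wild))

    def take_port():
        nonlocal pos
        if pos < len(tok) and tok[pos] == "eq":
            if proto not in ("tcp", "udp"):
                raise ValueError("port matching requires tcp or udp, not ip")
            name = tok[pos + 1]
            pos += 2
            return NAMED_PORTS[name] if name in NAMED_PORTS else int(name)
        return None

    # Order matters: a port right after the source address is a SOURCE port.
    src_net, src_wild = take_addr()
    sport = take_port()
    dst_net, dst_wild = take_addr()
    dport = take_port()
    return Ace(action, proto, src_net, src_wild, sport, dst_net, dst_wild, dport)


def accepted(command: str) -> bool:
    """True if the parser (and IOS, for these cases) accepts the command."""
    try:
        parse_ace(command)
        return True
    except ValueError:
        return False


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not _wild_match(pkt.src, ace.src_net, ace.src_wild):
        return False
    if not _wild_match(pkt.dst, ace.dst_net, ace.dst_wild):
        return False
    if ace.sport is not None and ace.sport != pkt.sport:
        return False
    if ace.dport is not None and ace.dport != pkt.dport:
        return False
    return True


def acl_decision(acl: List[Ace], pkt: Packet) -> str:
    """First matching line wins; IOS denies anything that matches no line."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


# Constructed packets: client 10.1.1.1 -> web server 172.16.5.10, and the reply.
TO_SERVER = Packet("tcp", "10.1.1.1", "172.16.5.10", sport=49152, dport=80)
FROM_SERVER = Packet("tcp", "172.16.5.10", "10.1.1.1", sport=80, dport=49152)

ANSWER_E = parse_ace("access-list 2523 permit tcp host 10.1.1.1 172.16.5.0 0.0.0.255 eq www")
WRONG_D = parse_ace("access-list 2523 permit tcp host 10.1.1.1 eq www 172.16.5.0 0.0.0.255")
REPLY_E = parse_ace("access-list 2523 permit tcp 172.16.5.0 0.0.0.255 eq www any")


def demo() -> dict:
    return {
        "answer_e_client_to_server": acl_decision([ANSWER_E], TO_SERVER),
        "wrong_d_client_to_server": acl_decision([WRONG_D], TO_SERVER),
        "reply_e_server_to_client": acl_decision([REPLY_E], FROM_SERVER),
        "reply_e_client_to_server": acl_decision([REPLY_E], TO_SERVER),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Running it shows the request permitted only by the line that matches port 80 as the destination, the reply permitted only by the line that matches port 80 as the source, and the mis-ordered answer d silently falling through to the implicit deny. The parser also refuses ACL number 1951 and the ip-with-eq combinations from answers b and c, mirroring the reasons those options are wrong.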
In a router running a recent IOS version (at least version 15.0), an engineer needs to delete the second line in ACL 101, which currently has four commands configured. Which of the following options could be used?
(Choose two answers.)
a. Delete the entire ACL and reconfigure the three ACL statements that should remain in the ACL.
b. Delete one line from the ACL using the no access-list… global command.
c. Delete one line from the ACL by entering ACL configuration mode for the ACL and then deleting only the second line based on its sequence number.
d. Delete the last three lines from the ACL from global configuration mode, and then add the last two statements back into the ACL.
A and C.
Before IOS 12.3, a numbered ACL had to be removed entirely and then reconfigured to remove a single line from it; the no access-list 101 global command deletes the whole ACL, not one line. As of IOS 12.3 (and therefore on any 15.x router), you can also enter ACL configuration mode and delete one line at a time by its sequence number, so both approaches work here.
An engineer is considering configuring an ACL on Router R1. The engineer could use ACL A which would be enabled with the ip access-group A out command on interface G0/1, or ACL B, which would be enabled with the ip access-group B in command on that same interface. R1’s G0/1 interface uses IPv4 address 1.1.1.1. Which of the answers is true when comparing these options?
(Choose two answers.)
a. ACL A creates more risk of filtering important overhead traffic than ACL B.
b. ACL B creates more risk of filtering important overhead traffic than ACL A.
c. A ping 1.1.1.1 command on R1 would bypass ACL A even if enabled.
d. A ping 1.1.1.1 command on R1 would bypass ACL B even if enabled.
B and C.
A router bypasses the ACL logic for its own outbound ACLs for packets created by that router. Routers do not make any kind of exception for inbound packets. As a result, ACL B creates more risk than ACL A, because B is enabled as an inbound ACL.
The ping 1.1.1.1 command in two answers is a self-ping of a router’s Ethernet interface. As a result, the router would bypass any outbound ACL logic on that interface but consider any inbound ACL logic. So Router R1 would bypass the logic of ACL A, which would be enabled as an outbound ACL on R1’s G0/1 interface.
An engineer configures an ACL but forgets to save the configuration. At that point, which of the following commands displays the configuration of an IPv4 ACL, including line numbers?
(Choose two answers.)
a. show running-config
b. show startup-config
c. show ip access-lists
d. show access-lists
C and D.
The show ip access-lists and show access-lists commands both display the configuration of IPv4 access lists, including ACL line numbers. Neither the show running-config nor show startup-config commands list the ACL line numbers; in this case, the startup-config file would not contain the ACL configuration at all.