Explaining Basics of ACL Flashcards
Which three options are uses of an ACL? (Choose three.)
A. ACLs can allow or prevent certain hosts from accessing network resources.
B. ACLs are used to populate the routing table.
C. ACLs can allow traffic to be selected so that it can be prioritized.
D. ACLs are used to group interfaces and so increase the efficiency of the network links.
E. ACLs can filter traffic based on traffic type.
A. ACLs can allow or prevent certain hosts from accessing network resources.
C. ACLs can allow traffic to be selected so that it can be prioritized.
E. ACLs can filter traffic based on traffic type.
Which statement about the ACL operation is true?
A. ACL statements are processed sequentially.
B. If a match is not found, the packet is not processed and it's forwarded to the default gateway.
C. ACL statements are evaluated one by one, in a sequential order from the last to the first.
D. ACL operates in a way that is looking for the longest path match.
A. ACL statements are processed sequentially.
Which matching criteria could be used to match traffic from or to IPv4 address 192.168.5.7?
A. 192.168.5.7 255.255.255.255
B. 192.168.5.7 0.0.0.0
C. 192.168.5.7 255.255.255.0
D. 192.168.5.0 0.0.0.0
B. 192.168.5.7 0.0.0.0
The correct answer is “192.168.5.7 0.0.0.0.” To write matching criteria for a single IP address, the wildcard mask must mark every bit as must-match (that is, all 0s), and the reference IP address must be exactly the address you want to match.
Which three matching criteria could be used to match traffic from the 10.0.0.0/8 network? (Choose three.)
A. 10.0.0.0 255.255.255.0
B. 10.10.10.10 0.255.255.255
C. 10.10.0.0 255.255.0.0
D. 10.0.0.0 0.0.0.0
E. 10.10.0.0 0.255.255.255
F. 10.255.255.255 0.0.0.0
G. 10.0.0.0 0.255.255.255
H. 100.10.10.0 0.255.255.255
B. 10.10.10.10 0.255.255.255
E. 10.10.0.0 0.255.255.255
G. 10.0.0.0 0.255.255.255
The correct answers are “10.10.10.10 0.255.255.255,” “10.10.0.0 0.255.255.255,” and “10.0.0.0 0.255.255.255.” All IP addresses in the 10.0.0.0/8 range have the first octet value 10; the remaining three octets can have any value. Therefore, the wildcard mask must “require” an exact match of the first octet only, which is 0.255.255.255. The reference IP address can be any address whose first octet is 10.
Which three matching criteria are written correctly for a standard ACL? (Choose three.)
A. host 172.14.5.2
B. 172.14.5.2
C. host 172.14.5.2 0.0.0.0
D. any 172.14.5.0
E. any
F. any 172.0.0.0
A. host 172.14.5.2
B. 172.14.5.2
E. any
Which two statements about standard and extended ACLs are true? (Choose two.)
A. Both standard and extended IP ACLs can filter the entire TCP/IP suite.
B. Named IP ACLs can only be configured with the named configuration mode.
C. Numbered IP ACLs can only be used for standard IP ACLs.
D. Standard access lists can filter TCP traffic based only on its destination IP address.
E. Extended access lists can filter different traffic types only based on the destination port.
A. Both standard and extended IP ACLs can filter the entire TCP/IP suite.
B. Named IP ACLs can only be configured with the named configuration mode.
The correct answers are “Both standard and extended IP ACLs can filter the entire Transmission Control Protocol (TCP)/IP suite” and “Named IP ACLs can only be configured with the named configuration mode.” When using the named configuration method, you can specify the number as a name.
Regarding the following ACL statements, what will be the result?
Router(config)# access-list 20 permit 192.168.1.1
Router(config)# access-list 20 deny 192.168.1.0 0.0.0.255
Router(config)# access-list 20 permit 192.0.0.0 0.255.255.255
A. Everything within 192.168.1.0 except 192.168.1.1 will be permitted. Other hosts within 192.0.0.0/8 will be blocked.
B. Everything within 192.168.1.0 except 192.168.1.1 will be permitted. Other hosts within 192.0.0.0/8 will be permitted as well.
C. Everything within 192.168.1.0 except 192.168.1.1 will be denied. Other hosts within 192.0.0.0/8 will be permitted.
D. Everything except 192.168.1.1 will be blocked.
C. Everything within 192.168.1.0 except 192.168.1.1 will be denied. Other hosts within 192.0.0.0/8 will be permitted.
Which statement about the filtering result of the following ACL is true?
Router(config-ext-nacl)# permit tcp 192.168.1.0 0.0.0.255 host 192.168.100.1 eq 80
Router(config-ext-nacl)# deny tcp any host 192.168.100.1 eq 80
A. The ACL is blocking only HTTP traffic.
B. The ACL blocks all traffic except for the HTTP traffic from clients in 192.168.1.0/24 network to the server 192.168.100.1.
C. The ACL permits HTTP communication with the server 192.168.100.1 to clients outside 192.168.1.0/24 network.
D. The ACL blocks all traffic except for the traffic from the HTTP server 192.168.100.1 to clients in 192.168.1.0/24 network.
E. The ACL blocks only HTTP traffic from the HTTP server 192.168.100.1 to the clients in the 192.168.1.0/24 network.
B. The ACL blocks all traffic except for the HTTP traffic from clients in 192.168.1.0/24 network to the server 192.168.100.1.
Which statement describes the named configuration method?
A. It is only possible to add an individual ACL statement.
B. It is only possible to delete an individual ACL statement.
C. It is only possible to modify an individual ACL entry.
D. It is possible to add and delete an individual ACL entry.
D. It is possible to add and delete an individual ACL entry.
The correct answer is “It is possible to add and delete an individual ACL entry.” Named configuration mode is convenient because it allows all modifying actions to be performed on individual entries. It also allows a number to be specified as a name, which extends the same modification capabilities to numbered access lists as well.
Refer to the exhibit. The security policy requires that only PC1 can remotely access other devices using the SSH protocol and to perform ping connectivity test. You have configured extended ACL 115 on R1. On R1, which interface and traffic direction would you choose to correctly and most efficiently apply ACL 115?
R1#show access-list
Extended IP access list 115
10 permit tcp host 192.168.10.10 any eq ssh
20 permit icmp host 192.168.10.10 any
30 deny tcp any any eq ssh
40 deny icmp any any
50 permit ip any any
A. R1 interface Gi0/1 in the outbound direction
B. R1 interface Gi0/1 in the inbound direction
C. R1 interface Gi0/2 in the outbound direction
D. R1 interface Gi0/2 in the inbound direction
E. R1 interface Gi0/0 in the outbound direction
B. R1 interface Gi0/1 in the inbound direction
The correct answer is “R1 interface Gi0/1 in the inbound direction.” Extended access lists should be placed as close to the source of the denied traffic as possible. ACL 115 denies traffic from network 192.168.10.0/24, except for PC1. The interface closest to 192.168.10.0/24 is Gi0/1, and the traffic direction is inbound. It would also be correct to apply ACL 115 on interface Gi0/0 in the outbound direction, but that is not the most efficient solution because the denied traffic would consume R1 resources while being routed (unnecessarily).
The exhibit shows an example network and the content of the standard access list 15, which is configured on the R1 router. The security policy blocks access to file server 192.168.30.10 for PC2. You have administrative access only to the R1 router. What is the appropriate placement of the access list?
R1#show access-lists
Standard IP access list 15
10 deny 192.168.20.10
20 permit any
A. router R1 interface Gi0/2
B. router R1 interface Gi0/1
C. router R1 interface Gi0/0
D. router R3 interface Gi0/0
E. router R3 interface Gi0/1
F. router R2 interface Gi0/0
G. router R2 interface Gi0/1
C. router R1 interface Gi0/0
The correct answer is “router R1 interface Gi0/0.” Access list 15 is a standard access list and should be placed closest to the destination. The router closest to the file server is R2; however, you do not have administrative access to it nor to the R3 router. If you placed the access list on the Gi0/2 interface of R1, you would also block traffic going to the 192.168.10.0/24 network. Placing ACL 15 on the Gi0/1 interface would have no effect on traffic going to the file server.