M4-5 (ACL Concepts and IPv4 Configuration) Flashcards
What are the permit or deny statements in an ACL called?
Access control entries
What packet filtering statement is true?
Standard ACLs filter at Layer 3 only
Which statement about the operation of a standard ACL is incorrect?
The router extracts the source IPv4 address from the packet header.
The router starts at the top of the ACL and compares the address to each ACE in sequential order.
When a match is made, the ACE either permits or denies the packet, and any remaining ACEs are not analyzed.
If there are no matching ACEs in the ACL, the packet is forwarded because there is an implicit permit ACE automatically applied to all ACLs.
When a match is made, the ACE either permits or denies the packet, and any remaining ACEs are not analyzed.
What wildcard mask would permit only host 10.10.10.1?
0.0.0.0
0.0.0.31
0.0.0.255
0.0.255.255
255.255.255.255
0.0.0.0
What wildcard mask would permit only hosts from the 10.10.10.0/16 network?
0.0.0.0
0.0.0.31
0.0.0.255
0.0.255.255
255.255.255.255
0.0.255.255
What wildcard mask would permit all hosts?
0.0.0.0
0.0.0.31
0.0.0.255
0.0.255.255
255.255.255.255
255.255.255.255
What wildcard mask would permit all hosts from the 192.168.10.0/24 network?
0.0.0.0
0.0.0.31
0.0.0.255
0.0.255.255
255.255.255.255
0.0.0.255
How many total ACLs (both IPv4 and IPv6) can be configured on an interface?
4
Which statement describes an ACL best practice?
Always test ACLs on a production network.
Create your ACLs on a production router.
Document the ACLs using the description ACL command.
Write the ACL before configuring it on a router.
Write the ACL before configuring it on a router.
What ACL is capable of filtering based on TCP port number?
Extended ACL
What statement about ACLs is true?
Extended ACLs are numbered 1300 - 2699.
Named ACLs can be standard or extended.
Numbered ACLs are the preferred method to use when configuring ACLs.
Standard ACLs are numbered 1 - 199.
Named ACLs can be standard or extended.
Where should a standard ACL be placed?
Standard ACL location is not important.
Standard ACLs should be placed as close to the destination as possible.
Standard ACLs should be placed as close to the source as possible.
Standard ACLs should be placed on serial interfaces.
Standard ACLs should be placed as close to the destination as possible.
Where should an extended ACL be placed?
Extended ACL location is not important.
Extended ACLs should be located as close to the destination as possible.
Extended ACLs should be located as close to the source as possible.
Extended ACLs should be located on serial interfaces.
Extended ACLs should be located as close to the source as possible.
Which two conditions would cause a router to drop a packet? (Choose two.)
No inbound ACL exists on the interface where the packet enters the router.
The ACL that is affecting the packet does not contain at least one deny ACE.
The packet source address does not match the source as permitted in a standard inbound ACE.
No outbound ACL exists on the interface where the packet exits the router.
No routing table entry exists for the packet destination, but the packet matches a permitted address in an outbound ACL.
(The packet source address does not match the source as permitted in a standard inbound ACE) and (No routing table entry exists for the packet destination, but the packet matches a permitted address in an outbound ACL)
A network administrator configures an ACL with the command R1(config)# access-list 1 permit 172.16.0.0 0.0.15.255. Which two IP addresses will match this ACL statement? (Choose two.)
172.16.0.255
172.16.15.36
172.16.16.12
172.16.31.24
172.16.65.21
172.16.0.255 and 172.16.156.36
What two statements describe appropriate general guidelines for configuring and applying ACLs? (Choose two.)
Multiple ACLs per protocol and per direction can be applied to an interface.
If an ACL contains no permit statements, all traffic is denied by default.
The most specific ACL statements should be entered first because of the top-down sequential nature of ACLs.
Standard ACLs are placed closest to the source, whereas extended ACLs are placed closest to the destination.
If a single ACL is to be applied to multiple interfaces, it must be configured with a unique number for each interface.
(If an ACL contains no permit statements, all traffic is denied by default) and (The most specific ACL statements should be entered first because of the top-down sequential nature of ACLs)
What single access list statement matches all of the following networks?
192.168.16.0
192.168.17.0
192.168.18.0
192.168.19.0
access-list 10 permit 192.168.16.0 0.0.3.255
access-list 10 permit 192.168.16.0 0.0.0.255
access-list 10 permit 192.168.16.0 0.0.15.255
access-list 10 permit 192.168.0.0 0.0.15.255
access-list 10 permit 192.168.16.0 0.0.3.255
Which three statements describe ACL processing of packets? (Choose three.)
An implicit deny any rejects any packet that does not match any ACE.
A packet can either be rejected or forwarded as directed by the ACE that is matched.
A packet that has been denied by one ACE can be permitted by a subsequent ACE.
A packet that does not match the conditions of any ACE will be forwarded by default.
Each statement is checked only until a match is detected or until the end of the ACE list.
Each packet is compared to the conditions of every ACE in the ACL before a forwarding decision is made.
(An implicit deny any rejects any packet that does not match any ACE), (A packet can either be rejected or forwarded as directed by the ACE that is matched) and (Each statement is checked only until a match is detected or until the end of the ACE list)
A network administrator is configuring an ACL to restrict access to certain servers in the data center. The intent is to apply the ACL to the interface connected to the data center LAN. What happens if the ACL is incorrectly applied to an interface in the inbound direction instead of the outbound direction?
All traffic is denied.
All traffic is permitted.
The ACL does not perform as designed.
The ACL will analyze traffic after it is routed to the outbound interface.
The ACL does not perform as designed.
What scenario would cause an ACL misconfiguration and deny all traffic?
Apply a standard ACL in the inbound direction.
Apply a named ACL to a VTY line.
Apply an ACL that has all deny ACE statements.
Apply a standard ACL using the ip access-group out command.
Apply an ACL that has all deny ACE statements.
In applying an ACL to a router interface, which traffic is designated as outbound?
Traffic that is coming from the source IP address into the router
Traffic that is leaving the router and going toward the destination host
Traffic that is going from the destination IP address into the router
Traffic for which the router can find no routing table entry
Traffic that is leaving the router and going toward the destination host
When creating an ACL, which keyword should be used to document and interpret the purpose of the ACL statement on a Cisco device?
eq
established
remark
description
remark
What location is recommended for extended numbered or extended named ACLs?
A location as close to the destination of traffic as possible.
A location as close to the source of traffic as possible.
A location centered between traffic destinations and sources to filter as much traffic as possible.
If using the established keyword, a location close to the destination to ensure that return traffic is allowed.
A location as close to the source of traffic as possible.
What range represents all the IP addresses that are affected when network 10.120.160.0 with a wildcard mask of 0.0.7.255 is used in an ACE?
10.120.160.0 to 10.127.255.255
10.120.160.0 to 10.120.167.255
10.120.160.0 to 10.120.168.0
10.120.160.0 to 10.120.191.255
10.120.160.0 to 10.120.167.255
The computers used by the network administrators for a school are on the 10.7.0.0/27 network. Which two commands are needed at a minimum to apply an ACL that will ensure that only devices that are used by the network administrators will be allowed Telnet access to the routers? (Choose two.)
access-class 5 in
access-list 5 deny any
access-list standard VTY
permit 10.7.0.0 0.0.0.127
access-list 5 permit 10.7.0.0 0.0.0.31
ip access-group 5 out
ip access-group 5 in
(access-class 5 in) and (access-list 5 permit 10.7.0.0 0.0.0.31)
Consider the configured access list.
R1#show access-lists
extended IP access list 100
deny tcp host 10.1.1.2 host 10.1.1.1 eq telnet
deny tcp host 10.1.2.2 host 10.1.2.1 eq telnet
permit ip any any (15 matches)
What are two characteristics of this access list? (Choose two.)
The access list has been applied to an interface.
A network administrator would not be able to tell if the access list has been applied to an interface or not.
The 10.1.2.1 device is not allowed to telnet to the 10.1.2.2 device.
Any device on the 10.1.1.0/24 network (except the 10.1.1.2 device) can telnet to the router that has the IP address 10.1.1.1 assigned.
Only the 10.1.1.2 device can telnet to the router that has the 10.1.1.1 IP address assigned.
Any device can telnet to the 10.1.2.1 device.
(The access list has been applied to an interface.) and (Any device on the 10.1.1.0/24 network (except the 10.1.1.2 device) can telnet to the router that has the IP address 10.1.1.1 assigned.)
What command will verify the number of packets that are permitted or denied by an ACL that restricts SSH access?
show running-config
show ip interface brief
show access-lists
show ip ssh
show access-lists
What access list statement permits HTTP traffic that is sourced from host 10.1.129.100 port 4300 and destined to host 192.168.30.10?
access-list 101 permit tcp any eq 4300
access-list 101 permit tcp 192.168.30.10 0.0.0.0 eq 80 10.1.0.0 0.0.255.255
access-list 101 permit tcp 10.1.129.0 0.0.0.255 eq www 192.168.30.10 0.0.0.0 eq www
access-list 101 permit tcp 10.1.128.0 0.0.1.255 eq 4300 192.168.30.0 0.0.0.15 eq www
access-list 101 permit tcp host 192.168.30.10 eq 80 10.1.0.0 0.0.255.255 eq 4300
access-list 101 permit tcp 10.1.129.0 0.0.1.255 eq 4300 192.168.30.10 0.0.0.15 eq www
When configuring router security, which statement describes the most effective way to use ACLs to control Telnet traffic that is destined to the router itself?
The ACL must be applied to each vty line individually.
The ACL is applied to the Telnet port with the ip access-group command.
Apply the ACL to the vty lines without the in or out option required when applying ACLs to interfaces.
The ACL should be applied to all vty lines in the in direction to prevent an unwanted user from connecting to an unsecured port.
The ACL should be applied to all vty lines in the in direction to prevent an unwanted user from connecting to an unsecured port.
What packets would match the access control list statement that is shown below?
access-list 110 permit tcp 172.16.0.0 0.0.0.255 any eq 22
SSH traffic from the 172.16.0.0 network to any destination network
SSH traffic from any source network to the 172.16.0.0 network
Any TCP traffic from any host to the 172.16.0.0 network
Any TCP traffic from the 172.16.0.0 network to any destination network
SSH traffic from the 172.16.0.0 network to any destination network
Consider the access list command applied outbound on a router serial interface.
access-list 100 deny icmp 192.168.10.0 0.0.0.255 any echo reply
What is the effect of applying this access list command?
The only traffic denied is ICMP-based traffic. All other traffic is allowed.
The only traffic denied is echo-replies sourced from the 192.168.10.0/24 network. All other traffic is allowed.
Users on the 192.168.10.0/24 network are not allowed to transmit traffic to any other destination.
No traffic will be allowed outbound on the serial interface.
No traffic will be allowed outbound on the serial interface.
Consider the following output for an ACL that has been applied to a router via the access-class in command. What can a network administrator determine from the output that is shown?
R1#
Standard IP access list 2
10 permit 192.168.10.0, wildcard bits 0.0.0.255 (2 matches)
20 deny any (1 match)
Two devices connected to the router have IP addresses of 192.168.10.x.
Traffic from one device was not allowed to come into one router port and be routed outbound a different router port.
Two devices were able to use SSH or Telnet to gain access to the router.
Traffic from two devices was allowed to enter one router port and be routed outbound to a different router port.
Two devices were able to use SSH or Telnet to gain access to the router.
Which two commands will configure a standard ACL? (Choose two.)
Router(config)# access-list 20 permit host 192.168.5.5 any any
Router(config)# access-list 90 permit 192.168.10.5 0.0.0.0
Router(config)# access-list 45 permit 192.168.200.4 host
Router(config)# access-list 10 permit 10.20.5.0 0.255.255.255 any
Router(config)# access-list 35 permit host 172.31.22.7
(Router(config)# access-list 90 permit 192.168.10.5 0.0.0.0) and (Router(config)# access-list 35 permit host 172.31.22.7)
To facilitate the troubleshooting process, which inbound ICMP message should be permitted on an outside interface?
Echo request
Echo reply
Time-stamp request
Time-stamp reply
Router advertisement
Echo reply
What two ACEs could be used to deny IP traffic from a single source host 10.1.1.1 to the 192.168.0.0/16 network? (Choose two.)
Access-list 100 deny ip host 10.1.1.1 192.168.0.0 0.0.255.255
Access-list 100 deny ip 192.168.0.0 0.0.255.255 host 10.1.1.1
Access-list 100 deny ip 10.1.1.1 255.255.255.255 192.168.0.0 0.0.255.255
Access-list 100 deny ip 10.1.1.1 0.0.0.0 192.168.0.0 0.0.255.255
Access-list 100 deny ip 192.168.0.0 0.0.255.255 10.1.1.1 255.255.255.255
Access-list 100 deny ip 192.168.0.0 0.0.255.255 10.1.1.1 0.0.0.0
(Access-list 100 deny ip host 10.1.1.1 192.168.0.0 0.0.255.255) and (Access-list 100 deny ip 10.1.1.1 0.0.0.0 192.168.0.0 0.0.255.255)
An administrator has configured an access list on R1 to allow SSH administrative access from host 172.16.1.100. Which command correctly applies the ACL?
R1(config-if)# ip access-group 1 in
R1(config-if)# ip access-group 1 out
R1(config-line)# access-class 1 in
R1(config-line)# access-class 1 out
R1(config-line)# access-class 1 in