M4-5 (ACL Concepts and IPv4 Configuration) Flashcards

1
Q

What are the permit or deny statements in an ACL called?

A

Access control entries

2
Q

What packet filtering statement is true?

A

Standard ACLs filter at Layer 3 only

3
Q

Which statement about the operation of a standard ACL is incorrect?

The router extracts the source IPv4 address from the packet header.

The router starts at the top of the ACL and compares the address to each ACE in sequential order.

When a match is made, the ACE either permits or denies the packet, and any remaining ACEs are not analyzed.

If there are no matching ACEs in the ACL, the packet is forwarded because there is an implicit permit ACE automatically applied to all ACLs.

A

If there are no matching ACEs in the ACL, the packet is forwarded because there is an implicit permit ACE automatically applied to all ACLs. (This is the incorrect statement: the entry implicitly added at the end of every ACL is deny any, so a packet that matches no ACE is dropped, not forwarded.)

4
Q

What wildcard mask would permit only host 10.10.10.1?

0.0.0.0

0.0.0.31

0.0.0.255

0.0.255.255

255.255.255.255

A

0.0.0.0

5
Q

What wildcard mask would permit only hosts from the 10.10.10.0/16 network?

0.0.0.0

0.0.0.31

0.0.0.255

0.0.255.255

255.255.255.255

A

0.0.255.255

6
Q

What wildcard mask would permit all hosts?

0.0.0.0

0.0.0.31

0.0.0.255

0.0.255.255

255.255.255.255

A

255.255.255.255

7
Q

What wildcard mask would permit all hosts from the 192.168.10.0/24 network?

0.0.0.0

0.0.0.31

0.0.0.255

0.0.255.255

255.255.255.255

A

0.0.0.255

8
Q

How many total ACLs (both IPv4 and IPv6) can be configured on an interface?

A

4

9
Q

What is the best practice of ACL?

Always test ACLs on a production network.

Create your ACLs on a production router.

Document the ACLs using the description ACL command

Write the ACL before configuring it on a router.

A

Write the ACL before configuring it on a router.

10
Q

What ACL is capable of filtering based on TCP port number?

A

Extended ACL

11
Q

What statement about ACLs is true?

Extended ACLs are numbered 1300 - 2699.

Named ACLs can be standard or extended.

Numbered ACLs is the preferred method to use when configuring ACLs.

Standard ACLs are numbered 1 - 199.

A

Named ACLs can be standard or extended.

12
Q

Where should a standard ACL be placed?

Standard ACL location is not important.

Standard ACLs should be placed as close to the destination as possible.

Standard ACLs should be placed as close to the source as possible.

Standard ACLs should be placed on serial interfaces.

A

Standard ACLs should be placed as close to the destination as possible.

13
Q

Where should an extended ACL be placed?

Extended ACL location is not important.

Extended ACLs should be located as close to the destination as possible.

Extended ACLs should be located as close to the source as possible.

Extended ACLs should be located on serial interfaces.

A

Extended ACLs should be located as close to the source as possible.

14
Q

Which two conditions would cause a router to drop a packet? (Choose two.)

No inbound ACL exists on the interface where the packet enters the router.

The ACL that is affecting the packet does not contain at least one deny ACE.

The packet source address does not match the source as permitted in a standard inbound ACE.

No outbound ACL exists on the interface where the packet exits the router.

No routing table entry exists for the packet destination, but the packet matches a permitted address in an outbound ACL.

A

(The packet source address does not match the source as permitted in a standard inbound ACE.) and (No routing table entry exists for the packet destination, but the packet matches a permitted address in an outbound ACL.)

15
Q

A network administrator configures an ACL with the command R1(config)# access-list 1 permit 172.16.0.0 0.0.15.255. Which two IP addresses will match this ACL statement? (Choose two.)

172.16.0.255

172.16.15.36

172.16.16.12

172.16.31.24

172.16.65.21

A

172.16.0.255 and 172.16.15.36 (the wildcard 0.0.15.255 covers 172.16.0.0 through 172.16.15.255)

16
Q

Which two statements describe appropriate general guidelines for configuring and applying ACLs? (Choose two.)

Multiple ACLs per protocol and per direction can be applied to an interface.

If an ACL contains no permit statements, all traffic is denied by default.

The most specific ACL statements should be entered first because of the top-down sequential nature of ACLs.

Standard ACLs are placed closest to the source, whereas extended ACLs are placed closest to the destination.

If a single ACL is to be applied to multiple interfaces, it must be configured with a unique number for each interface.

A

(If an ACL contains no permit statements, all traffic is denied by default.) and (The most specific ACL statements should be entered first because of the top-down sequential nature of ACLs.)

17
Q

What single access list statement matches all of the following networks?
192.168.16.0
192.168.17.0
192.168.18.0
192.168.19.0

access-list 10 permit 192.168.16.0 0.0.3.255

access-list 10 permit 192.168.16.0 0.0.0.255

access-list 10 permit 192.168.16.0 0.0.15.255

access-list 10 permit 192.168.0.0 0.0.15.255

A

access-list 10 permit 192.168.16.0 0.0.3.255

18
Q

Which three statements describe ACL processing of packets? (Choose three.)

An implicit deny any rejects any packet that does not match any ACE.

A packet can either be rejected or forwarded as directed by the ACE that is matched.

A packet that has been denied by one ACE can be permitted by a subsequent ACE.

A packet that does not match the conditions of any ACE will be forwarded by default.

Each statement is checked only until a match is detected or until the end of the ACE list.

Each packet is compared to the conditions of every ACE in the ACL before a forwarding decision is made.

A

An implicit deny any rejects any packet that does not match any ACE, A packet can either be rejected or forwarded as directed by the ACE that is matched and Each statement is checked only until a match is detected or until the end of the ACE list.

19
Q

A network administrator is configuring an ACL to restrict access to certain servers in the data center. The intent is to apply the ACL to the interface connected to the data center LAN. What happens if the ACL is incorrectly applied to an interface in the inbound direction instead of the outbound direction?

All traffic is denied.

All traffic is permitted.

The ACL does not perform as designed.

The ACL will analyze traffic after it is routed to the outbound interface.

A

The ACL does not perform as designed.

20
Q

What scenario would cause an ACL misconfiguration and deny all traffic?

Apply a standard ACL in the inbound direction.

Apply a named ACL to a VTY line.

Apply an ACL that has all deny ACE statements.

Apply a standard ACL using the ip access-group out command.

A

Apply an ACL that has all deny ACE statements.

21
Q

In applying an ACL to a router interface, which traffic is designated as outbound?

Traffic that is coming from the source IP address into the router

Traffic that is leaving the router and going toward the destination host

Traffic that is going from the destination IP address into the router

Traffic for which the router can find no routing table entry

A

Traffic that is leaving the router and going toward the destination host

22
Q

When creating an ACL, which keyword should be used to document and interpret the purpose of the ACL statement on a Cisco device?

eq

established

remark

description

A

remark

23
Q

What location is recommended for extended numbered or extended named ACLs?

A location as close to the destination of traffic as possible.

A location as close to the source of traffic as possible.

A location centered between traffic destinations and sources to filter as much traffic as possible.

If using the established keyword, a location close to the destination to ensure that return traffic is allowed.

A

A location as close to the source of traffic as possible

24
Q

What range represents all the IP addresses that are affected when network 10.120.160.0 with a wildcard mask of 0.0.7.255 is used in an ACE?

10.120.160.0 to 10.127.255.255

10.120.160.0 to 10.120.167.255

10.120.160.0 to 10.120.168.0

10.120.160.0 to 10.120.191.255

A

10.120.160.0 to 10.120.167.255
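
The wildcard-mask cards above (cards 4 through 7, 15, 17 and 24) all come down to the same bit arithmetic: a 0 bit in the wildcard must match the network address, a 1 bit is ignored. The following Python is an added example, not part of the flashcard deck or of any Cisco material; it derives wildcards from prefix lengths, tests addresses against an ACE the way IOS does, computes the range an ACE covers, and finds the single ACE that summarizes a list of networks (card 17). Function names are the author's own.

```python
# Added example (not part of the flashcard deck): wildcard-mask arithmetic
# for the IPv4 ACE questions on cards 4-7, 15, 17 and 24.
from ipaddress import IPv4Address
from typing import List, Tuple

ALL_ONES = 0xFFFFFFFF


def _i(addr: str) -> int:
    return int(IPv4Address(addr))


def wildcard_for_prefix(prefix_len: int) -> str:
    """Wildcard mask covering one /prefix_len block: the inverse of the subnet mask.
    /32 -> 0.0.0.0 (one host), /24 -> 0.0.0.255, /16 -> 0.0.255.255, /0 -> 255.255.255.255 (any)."""
    subnet_mask = (ALL_ONES << (32 - prefix_len)) & ALL_ONES
    return str(IPv4Address(subnet_mask ^ ALL_ONES))


def matches(address: str, network: str, wildcard: str) -> bool:
    """ACE semantics: a 0 bit in the wildcard must match, a 1 bit is ignored.
    Also correct for non-contiguous wildcards (e.g. 0.0.0.254 = odd addresses only)."""
    return ((_i(address) ^ _i(network)) & ~_i(wildcard) & ALL_ONES) == 0


def covered_range(network: str, wildcard: str) -> Tuple[str, str]:
    """Lowest and highest address an ACE touches; exact only for contiguous wildcards."""
    n, w = _i(network), _i(wildcard)
    return str(IPv4Address(n & ~w & ALL_ONES)), str(IPv4Address(n | w))


def single_ace_for(networks: List[str], prefix_len: int) -> Tuple[str, str]:
    """Smallest contiguous network/wildcard pair covering every listed /prefix_len network
    (the 'one statement' of card 17). Caveat: if the list is not an aligned power-of-two
    block, the result also admits networks that were not asked for; verify with covered_range()."""
    ints = [_i(n) for n in networks]
    differing = 0
    for x in ints:
        differing |= x ^ ints[0]      # every bit that varies across the inputs must be a 1 in the wildcard
    host_bits = (1 << (32 - prefix_len)) - 1
    wildcard = max((1 << differing.bit_length()) - 1, host_bits)
    base = ints[0] & ~wildcard & ALL_ONES
    return str(IPv4Address(base)), str(IPv4Address(wildcard))


if __name__ == "__main__":
    print(wildcard_for_prefix(32), wildcard_for_prefix(16), wildcard_for_prefix(0))
    # card 15: which of these (the card's own candidates) match 172.16.0.0 0.0.15.255?
    for h in ["172.16.0.255", "172.16.15.36", "172.16.16.12", "172.16.31.24", "172.16.65.21"]:
        print(h, matches(h, "172.16.0.0", "0.0.15.255"))
    # card 17: one ACE for 192.168.16.0/24 through 192.168.19.0/24
    print(single_ace_for(["192.168.16.0", "192.168.17.0", "192.168.18.0", "192.168.19.0"], 24))
    # card 24: range covered by 10.120.160.0 0.0.7.255
    print(covered_range("10.120.160.0", "0.0.7.255"))
```

A useful habit when auditing a real ACL: run covered_range() over every ACE and compare the result with what the change ticket claimed, since an off-by-one in the wildcard (0.0.3.255 versus 0.0.1.255) silently doubles the permitted address space.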

25
Q

The computers used by the network administrators for a school are on the 10.7.0.0/27 network. Which two commands are needed at a minimum to apply an ACL that will ensure that only devices that are used by the network administrators will be allowed Telnet access to the routers? (Choose two.)

access-class 5 in

access-list 5 deny any

access-list standard VTY
permit 10.7.0.0 0.0.0.127

access-list 5 permit 10.7.0.0 0.0.0.31

ip access-group 5 out

ip access-group 5 in

A

(access-class 5 in) and (access-list 5 permit 10.7.0.0 0.0.0.31)

26
Q

Consider the configured access list.

R1#show access-lists
extended IP access list 100
deny tcp host 10.1.1.2 host 10.1.1.1 eq telnet
deny tcp host 10.1.2.2 host 10.1.2.1 eq telnet
permit ip any any (15 matches)

What are two characteristics of this access list? (Choose two.)

The access list has been applied to an interface.

A network administrator would not be able to tell if the access list has been applied to an interface or not.

The 10.1.2.1 device is not allowed to telnet to the 10.1.2.2 device.

Any device on the 10.1.1.0/24 network (except the 10.1.1.2 device) can telnet to the router that has the IP address 10.1.1.1 assigned.

Only the 10.1.1.2 device can telnet to the router that has the 10.1.1.1 IP address assigned.

Any device can telnet to the 10.1.2.1 device.

A

(The access list has been applied to an interface.) and (Any device on the 10.1.1.0/24 network (except the 10.1.1.2 device) can telnet to the router that has the IP address 10.1.1.1 assigned.)

27
Q

What command will verify the number of packets that are permitted or denied by an ACL that restricts SSH access?

show running-config

show ip interface brief

show access-lists

show ip ssh

A

show access-lists

28
Q

What access list statement permits HTTP traffic that is sourced from host 10.1.129.100 port 4300 and destined to host 192.168.30.10?

access-list 101 permit tcp any eq 4300

access-list 101 permit tcp 192.168.30.10 0.0.0.0 eq 80 10.1.0.0 0.0.255.255

access-list 101 permit tcp 10.1.129.0 0.0.0.255 eq www 192.168.30.10 0.0.0.eq www

access-list 101 permit tcp 10.1.128.0 0.0.1.255 eq 4300 192.168.30.0 0.0.0.15 eq www

access-list 101 permit tcp host 192.168.30.10 eq 80 10.1.0.0 0.0.255.255 eq 4300

A

access-list 101 permit tcp 10.1.128.0 0.0.1.255 eq 4300 192.168.30.0 0.0.0.15 eq www (10.1.128.0 0.0.1.255 covers 10.1.128.0 through 10.1.129.255, so it includes 10.1.129.100; 192.168.30.0 0.0.0.15 covers 192.168.30.0 through 192.168.30.15, so it includes 192.168.30.10; eq www is TCP port 80)

29
Q

When configuring router security, which statement describes the most effective way to use ACLs to control Telnet traffic that is destined to the router itself?

The ACL must be applied to each vty line individually.

The ACL is applied to the Telnet port with the ip access-group command.

Apply the ACL to the vty lines without the in or out option required when applying ACLs to interfaces.

The ACL should be applied to all vty lines in the in direction to prevent an unwanted user from connecting to an unsecured port.

A

The ACL should be applied to all vty lines in the in direction to prevent an unwanted user from connecting to an unsecured port.

30
Q

What packets would match the access control list statement that is shown below?

access-list 110 permit tcp 172.16.0.0 0.0.0.255 any eq 22

SSH traffic from the 172.16.0.0 network to any destination network

SSH traffic from any source network to the 172.16.0.0 network

Any TCP traffic from any host to the 172.16.0.0 network

Any TCP traffic from the 172.16.0.0 network to any destination network

A

SSH traffic from the 172.16.0.0 network to any destination network

31
Q

Consider the access list command applied outbound on a router serial interface.

access-list 100 deny icmp 192.168.10.0 0.0.0.255 any echo-reply

What is the effect of applying this access list command?

The only traffic denied is ICMP-based traffic. All other traffic is allowed.

The only traffic denied is echo-replies sourced from the 192.168.10.0/24 network. All other traffic is allowed.

Users on the 192.168.10.0/24 network are not allowed to transmit traffic to any other destination.

No traffic will be allowed outbound on the serial interface.

A

No traffic will be allowed outbound on the serial interface.

32
Q

Consider the following output for an ACL that has been applied to a router via the access-class in command. What can a network administrator determine from the output that is shown?

R1#
Standard IP access list 2
10 permit 192.168.10.0, wildcard bits 0.0.0.255 (2 matches)
20 deny any (1 match)

Two devices connected to the router have IP addresses of 192.168.10.x.

Traffic from one device was not allowed to come into one router port and be routed outbound a different router port.

Two devices were able to use SSH or Telnet to gain access to the router.

Traffic from two devices was allowed to enter one router port and be routed outbound to a different router port

A

Two devices were able to use SSH or Telnet to gain access to the router.

33
Q

Which two commands will configure a standard ACL? (Choose two.)

Router(config)# access-list 20 permit host 192.168.5.5 any any

Router(config)# access-list 90 permit 192.168.10.5 0.0.0.0

Router(config)# access-list 45 permit 192.168.200.4 host

Router(config)# access-list 10 permit 10.20.5.0 0.255.255.255 any

Router(config)# access-list 35 permit host 172.31.22.7

A

(Router(config)# access-list 90 permit 192.168.10.5 0.0.0.0) and (Router(config)# access-list 35 permit host 172.31.22.7)

34
Q

To facilitate the troubleshooting process, which inbound ICMP message should be permitted on an outside interface?

Echo request

Echo reply

Time-stamp request

Time-stamp reply

Router advertisement

A

Echo reply

35
Q

What two ACEs could be used to deny IP traffic from a single source host 10.1.1.1 to the 192.168.0.0/16 network? (Choose two.)

Access-list 100 deny ip host 10.1.1.1 192.168.0.0 0.0.255.255

Access-list 100 deny ip 192.168.0.0 0.0.255.255 host 10.1.1.1

Access-list 100 deny ip 10.1.1.1 255.255.255.255 192.168.0.0 0.0.255.255

Access-list 100 deny ip 10.1.1.1 0.0.0.0 192.168.0.0 0.0.255.255

Access-list 100 deny ip 192.168.0.0 0.0.255.255 10.1.1.1 255.255.255.255

Access-list 100 deny ip 192.168.0.0 0.0.255.255 10.1.1.1 0.0.0.0

A

(Access-list 100 deny ip host 10.1.1.1 192.168.0.0 0.0.255.255) and (Access-list 100 deny ip 10.1.1.1 0.0.0.0 192.168.0.0 0.0.255.255)

36
Q

An administrator has configured an access list on R1 to allow SSH administrative access from host 172.16.1.100. Which command correctly applies the ACL?

R1(config-if)# ip access-group 1 in

R1(config-if)# ip access-group 1 out

R1(config-line)# access-class 1 in

R1(config-line)# access-class 1 out

A

R1(config-line)# access-class 1 in