What two functions describe uses of an access control list? (Choose two.)
ACLs assist the router in determining the best path to a destination.
Standard ACLs can restrict access to specific applications and ports.
ACLs provide a basic level of security for network access.
ACLs can permit or deny traffic based upon the MAC address originating on the router.
ACLs can control which areas a host can access on a network.
Observable
Description
Max Value
correctness of response
2
What are two possible uses of access control lists in an enterprise network? (Choose two.)
limiting debug outputs
reducing the processing load on routers
allowing Layer 2 traffic to be filtered by a router
controlling virtual terminal access to routers
controlling the physical status of router interfaces
3
Which two characteristics are shared by both standard and extended ACLs? (Choose two.)
Both kinds of ACLs can filter based on protocol type.
Both can permit or deny specific services by port number.
Both include an implicit deny as a final ACE.
Both filter packets for a specific destination host IP address.
Both can be created by using either a descriptive name or number.
Standard ACLs filter traffic based solely on a specified source IP address. Extended ACLs can filter by
source or destination, protocol, or port. Both standard and extended ACLs contain an implicit deny as a
final ACE. Standard and extended ACLs can be identified by either names or numbers.
4
Which statement describes a characteristic of standard IPv4 ACLs?
They are configured in the interface configuration mode.
They filter traffic based on source IP addresses only.
They can be created with a number but not with a name.
They can be configured to filter traffic based on both source IP addresses and source ports.
A standard IPv4 ACL can filter traffic based on source IP addresses only. Unlike an extended ACL, it
cannot filter traffic based on Layer 4 ports. However, both standard and extended ACLs can be identified
with either a number or a name, and both are configured in global configuration mode.
5
A network administrator needs to configure a standard ACL so that only the workstation of the
administrator with the IP address 192.168.15.23 can access the virtual terminal of the main router.
Which two configuration commands can achieve the task? (Choose two.)
Router1(config)# access-list 10 permit host 192.168.15.23
Router1(config)# access-list 10 permit 192.168.15.23 0.0.0.0
Router1(config)# access-list 10 permit 192.168.15.23 0.0.0.255
Router1(config)# access-list 10 permit 192.168.15.23 255.255.255.0
Router1(config)# access-list 10 permit 192.168.15.23 255.255.255.255
To permit or deny one specific IP address, either the wildcard mask 0.0.0.0 (used after the IP address) or
the wildcard mask keyword host (used before the IP address) can be used.
6
Which IPv4 address range covers all IP addresses that match the ACL filter specified by 172.16.2.0 with
wildcard mask 0.0.1.255?
172.16.2.0 to 172.16.2.255
172.16.2.1 to 172.16.3.254
172.16.2.0 to 172.16.3.255
172.16.2.1 to 172.16.255.255
The wildcard mask 0.0.1.255 means the first 23 bits must match and the last 9 bits are ignored. That is,
a matching IP address is any address from 172.16.2.0 to 172.16.3.255 (the last 9 bits range from all 0s to
all 1s).
7
If a router has two interfaces and is routing both IPv4 and IPv6 traffic, how many ACLs could be created
and applied to it?
4
6
8
12
16
In calculating how many ACLs can be configured, use the rule of "three Ps": one ACL per protocol, per
direction, per interface. In this case, 2 interfaces x 2 protocols x 2 directions yields 8 possible ACLs.
8
Which three statements are generally considered to be best practices in the placement of ACLs?
(Choose three.)
Refer to the exhibit. A router has an existing ACL that permits all traffic from the 172.16.0.0 network.
The administrator attempts to add a new ACE to the ACL that denies packets from host 172.16.0.1 and
receives the error message that is shown in the exhibit. What action can the administrator take to block
packets from host 172.16.0.1 while still permitting all other traffic from the 172.16.0.0 network?
Manually add the new deny ACE with a sequence number of 5.
Manually add the new deny ACE with a sequence number of 15.
Create a second access list denying the host and apply it to the same interface.
Add a deny any any ACE to access-list 1.
Because the new deny ACE is a host address that falls within the existing 172.16.0.0 network that is
permitted, the router rejects the command and displays an error message. For the new deny ACE to
take effect, it must be manually configured by the administrator with a sequence number that is less
than 10.
10
An administrator has configured an access list on R1 to allow SSH administrative access from host
172.16.1.100. Which command correctly applies the ACL?
R1(config-if)# ip access-group 1 in
R1(config-if)# ip access-group 1 out
R1(config-line)# access-class 1 in
R1(config-line)# access-class 1 out
Administrative access over SSH to the router is through the vty lines. Therefore, the ACL must be applied
to those lines in the inbound direction. This is accomplished by entering line configuration mode and
issuing the access-class command.
11
Refer to the exhibit. The network administrator who has the IP address 10.0.70.23/25 needs to have
access to the corporate FTP server (10.0.54.5/28). The FTP server is also a web server that is accessible
to all internal employees on networks within the 10.x.x.x address range. No other traffic should be allowed
to this server. Which extended ACL would be used to filter this traffic, and how would this ACL be applied?
(Choose two.)
access-list 105 permit ip host 10.0.70.23 host 10.0.54.5
access-list 105 permit tcp any host 10.0.54.5 eq www
access-list 105 permit ip any any

access-list 105 permit tcp host 10.0.54.5 any eq www
access-list 105 permit tcp host 10.0.70.23 host 10.0.54.5 eq 20
access-list 105 permit tcp host 10.0.70.23 host 10.0.54.5 eq 21

access-list 105 permit tcp host 10.0.70.23 host 10.0.54.5 eq 20
access-list 105 permit tcp host 10.0.70.23 host 10.0.54.5 eq 21
access-list 105 permit tcp 10.0.0.0 0.255.255.255 host 10.0.54.5 eq www
access-list 105 deny ip any host 10.0.54.5
access-list 105 permit ip any any

R2(config)# interface gi0/0
R2(config-if)# ip access-group 105 in

R1(config)# interface gi0/0
R1(config-if)# ip access-group 105 out

R1(config)# interface s0/0/0
R1(config-if)# ip access-group 105 out
The first two lines of the ACL allow host 10.0.70.23 FTP access to the server that has the IP address of
10.0.54.5. The next line of the ACL allows HTTP access to the server from any host that has an IP address
that starts with the number 10. The fourth line of the ACL denies any other type of traffic to the server
from any source IP address. The last line of the ACL permits anything else in case there are other servers
or devices added to the 10.0.54.0/28 network. Because traffic is being filtered from all other locations
and for the 10.0.70.23 host device, the best place to put this ACL is closest to the server.
12
Consider the following access list that allows IP phone configuration file transfers from a particular host
to a TFTP server:
R1(config)# access-list 105 permit udp host 10.0.70.23 host 10.0.54.5 range 1024 5000
R1(config)# access-list 105 deny ip any any
R1(config)# interface gi0/0
R1(config-if)# ip access-group 105 out
Which method would allow the network administrator to modify the ACL and include FTP transfers from
any source IP address?
R1(config)# access-list 105 permit tcp any host 10.0.54.5 eq 20
R1(config)# access-list 105 permit tcp any host 10.0.54.5 eq 21

R1(config)# interface gi0/0
R1(config-if)# no ip access-group 105 out
R1(config)# access-list 105 permit tcp any host 10.0.54.5 eq 20
R1(config)# access-list 105 permit tcp any host 10.0.54.5 eq 21
To modify an extended numbered ACL, first remove the ACL from the interface. Copy the ACL into a text
document and delete the ACL from the router. Modify the ACL within the text document, re-enter the
ACL on the router, and apply it to the interface again. Simply entering new ACEs appends them after the
existing deny ip any any, where they would never be matched.
13
Which statement describes a difference between the operation of inbound and outbound ACLs?
In contrast to outbound ACLs, inbound ACLs can be used to filter packets with multiple criteria.
Inbound ACLs can be used in both routers and switches but outbound ACLs can be used only on
routers.
Inbound ACLs are processed before the packets are routed while outbound ACLs are processed
after the routing is completed.
On a network interface, more than one inbound ACL can be configured but only one outbound
ACL can be configured.
With an inbound ACL, incoming packets are processed before they are routed. With an outbound ACL,
packets are first routed to the outbound interface and then processed. Thus, inbound processing is
more efficient from the router's perspective, because a packet that will be denied is dropped before
any routing lookup is performed. The structure, filtering methods, and limitations (on an interface, only
one inbound and one outbound ACL can be configured per protocol) are the same for both types of ACLs.
14
Which feature is unique to IPv6 ACLs when compared to those of IPv4 ACLs?
the use of wildcard masks
an implicit deny any any ACE
the use of named ACL entries
an implicit permit of neighbor discovery packets
One of the major differences between IPv6 and IPv4 ACLs is the two implicit permit ACEs at the end of any
IPv6 ACL. These two permit ACEs allow neighbor discovery operations to function on the router
interface.
15
Which three statements describe ACL processing of packets? (Choose three.)
An implicit deny any rejects any packet that does not match any ACE.
A packet can either be rejected or forwarded as directed by the ACE that is matched.
A packet that has been denied by one ACE can be permitted by a subsequent ACE.
A packet that does not match the conditions of any ACE will be forwarded by default.
Each statement is checked only until a match is detected or until the end of the ACE list.
Each packet is compared to the conditions of every ACE in the ACL before a forwarding decision
is made.
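The first-match behaviour that the sequence-number question (the shadowed deny for host 172.16.0.1), the ACL-modification question (permits appended after deny ip any any) and the processing question above all turn on can be reproduced with a small simulator. This is an added example, not code from the original quiz and not Cisco IOS; the ACE model, the packets, and the sequence numbers are constructed for illustration, and the UDP port range from the TFTP ACL is simplified to "any port" because the model tracks only a single destination port.

```python
"""Added example: a minimal first-match ACL evaluator (not Cisco code, not from
the original quiz). Addresses, sequence numbers and packets are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ACE:
    seq: int
    action: str                  # "permit" or "deny"
    proto: str = "ip"            # "ip" matches any IPv4 protocol, else "tcp"/"udp"/...
    src: str = "any"             # "any", "host A.B.C.D" or "A.B.C.D W.W.W.W" (address wildcard)
    dst: str = "any"
    dport: Optional[int] = None  # destination port; None means any port


def _addr_match(spec: str, addr: str) -> bool:
    """Apply an ACL address specifier to one address; wildcard 1-bits are ignored."""
    parts = spec.split()
    if parts == ["any"]:
        return True
    base, wildcard = (parts[1], "0.0.0.0") if parts[0] == "host" else parts
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)


def _ace_match(ace: ACE, pkt: dict) -> bool:
    if ace.proto != "ip" and ace.proto != pkt["proto"]:
        return False
    if ace.dport is not None and ace.dport != pkt.get("dport"):
        return False
    return _addr_match(ace.src, pkt["src"]) and _addr_match(ace.dst, pkt["dst"])


def evaluate(acl, pkt):
    """Walk the ACEs in sequence order and stop at the first match.
    No match means the implicit deny at the end applies, reported with seq None."""
    for ace in sorted(acl, key=lambda a: a.seq):
        if _ace_match(ace, pkt):
            return ace.action, ace.seq
    return "deny", None


# Sequence-number scenario: standard ACL 1 permits all of 172.16.0.0/16 at seq 10.
ACL1 = [ACE(10, "permit", src="172.16.0.0 0.0.255.255")]
SHADOWED = ACL1 + [ACE(15, "deny", src="host 172.16.0.1")]  # behind the permit: never reached
FIXED = ACL1 + [ACE(5, "deny", src="host 172.16.0.1")]      # in front of the permit


def seq_check():
    pkt = {"src": "172.16.0.1", "dst": "10.9.9.9", "proto": "tcp", "dport": 80}
    other = dict(pkt, src="172.16.0.2")
    return evaluate(SHADOWED, pkt), evaluate(FIXED, pkt), evaluate(FIXED, other)


def implicit_deny_check():
    # A source outside 172.16.0.0/16 matches no ACE and hits the implicit deny.
    return evaluate(ACL1, {"src": "10.1.1.1", "dst": "10.9.9.9", "proto": "tcp", "dport": 80})


# Modification scenario: new permits appended to ACL 105 land after 'deny ip any any'.
ACL105 = [ACE(10, "permit", "udp", "host 10.0.70.23", "host 10.0.54.5"),  # port range simplified
          ACE(20, "deny")]
APPENDED = ACL105 + [ACE(30, "permit", "tcp", "any", "host 10.0.54.5", 20),
                     ACE(40, "permit", "tcp", "any", "host 10.0.54.5", 21)]
REBUILT = [ACE(10, "permit", "udp", "host 10.0.70.23", "host 10.0.54.5"),
           ACE(20, "permit", "tcp", "any", "host 10.0.54.5", 20),
           ACE(30, "permit", "tcp", "any", "host 10.0.54.5", 21),
           ACE(40, "deny")]


def modify_check():
    ftp = {"src": "192.0.2.10", "dst": "10.0.54.5", "proto": "tcp", "dport": 21}
    return evaluate(APPENDED, ftp), evaluate(REBUILT, ftp)


if __name__ == "__main__":
    print(seq_check())            # (('permit', 10), ('deny', 5), ('permit', 10))
    print(implicit_deny_check())  # ('deny', None)
    print(modify_check())         # (('deny', 20), ('permit', 30))
```

The returned sequence number shows which ACE made the decision: in the appended ACL the FTP packet is still stopped by the deny at seq 20, and only the rebuilt ACL (permits before the deny) lets it through.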
16
Which three implicit access control entries are automatically added to the end of an IPv6 ACL? (Choose
three.)
deny ip any any
deny ipv6 any any
permit ipv6 any any
deny icmp any any
permit icmp any any nd-ns
permit icmp any any nd-na
All IPv6 ACLs automatically include two implicit permit statements: permit icmp any any nd-ns and
permit icmp any any nd-na. These statements allow the router interface to perform neighbor discovery
operations. There is also an implicit deny ipv6 any any automatically included at the very end of any IPv6
ACL that blocks all IPv6 packets not otherwise permitted.
17
What is the only type of ACL available for IPv6?
named standard
named extended
numbered standard
numbered extended
Unlike IPv4, IPv6 has only one type of access list and that is the named extended access list.
18
Which IPv6 ACL command entry will permit traffic from any host to an SMTP server on network
2001:DB8:10:10::/64?
permit tcp any host 2001:DB8:10:10::100 eq 25
19
Refer to the exhibit. The IPv6 access list LIMITED_ACCESS is applied on the S0/0/0 interface of R1 in the
inbound direction. Which IPv6 packets from the ISP will be dropped by the ACL on R1?
HTTPS packets to PC1
ICMPv6 packets that are destined to PC1
packets that are destined to PC1 on port 80
Converting the wildcard mask 0.0.3.255 to binary and subtracting it from 255.255.255.255 yields a
subnet mask of 255.255.252.0.
Using the host parameter in place of a wildcard mask requires that all bits match the given address.
192.168.15.65 is the first valid host address in a subnetwork beginning with the subnetwork address
192.168.15.64. The subnet mask leaves 4 host bits, yielding subnets with 16 addresses.
192.168.15.144 is a valid subnetwork address in a similar subnetwork. Convert the wildcard mask
0.0.0.15 to binary and subtract it from 255.255.255.255, and the resulting subnet mask is
255.255.255.240.
192.168.3.64 is a subnetwork address in a subnet with 8 addresses. Convert 0.0.0.7 to binary and
subtract it from 255.255.255.255, and the resulting subnet mask is 255.255.255.248. That mask leaves
3 host bits and yields 8 addresses.
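The wildcard-mask arithmetic behind the host/0.0.0.0 question, the 0.0.1.255 range question and the mask conversions just above, as an added example that is not part of the original quiz. It uses only the standard library; every address and mask in it is either taken from the questions or constructed for illustration.

```python
"""Added example (not from the original quiz): the bit arithmetic behind an IPv4
wildcard mask. A 0 bit in the wildcard must match the reference address; a 1 bit
is a "don't care" bit. Addresses below come from the quiz or are constructed."""
import ipaddress

ALL_ONES = 0xFFFFFFFF


def _as_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def matches(candidate: str, address: str, wildcard: str) -> bool:
    """True when candidate agrees with address on every 0 bit of the wildcard."""
    w = _as_int(wildcard)
    return (_as_int(candidate) & ~w) == (_as_int(address) & ~w)


def wildcard_range(address: str, wildcard: str):
    """Lowest and highest address matched: ignored bits all 0, then all 1."""
    a, w = _as_int(address), _as_int(wildcard)
    return str(ipaddress.IPv4Address(a & ~w)), str(ipaddress.IPv4Address(a | w))


def wildcard_to_subnet_mask(wildcard: str) -> str:
    """Subtract the wildcard from 255.255.255.255 (a bitwise inversion)."""
    return str(ipaddress.IPv4Address(ALL_ONES - _as_int(wildcard)))


def address_count(wildcard: str) -> int:
    """Each ignored (1) bit doubles the number of matching addresses."""
    return 2 ** bin(_as_int(wildcard)).count("1")


if __name__ == "__main__":
    # "host 192.168.15.23" is shorthand for wildcard 0.0.0.0: exactly one address.
    print(wildcard_range("192.168.15.23", "0.0.0.0"))
    # The distractor 255.255.255.255 ignores every bit and therefore matches all addresses.
    print(wildcard_range("192.168.15.23", "255.255.255.255"))
    # 172.16.2.0 with 0.0.1.255: 9 ignored bits, 512 addresses, 172.16.2.0 to 172.16.3.255.
    print(wildcard_range("172.16.2.0", "0.0.1.255"), address_count("0.0.1.255"))
    for wc in ("0.0.3.255", "0.0.0.15", "0.0.0.7"):
        print(wc, "->", wildcard_to_subnet_mask(wc), address_count(wc), "addresses")
    print(matches("192.168.15.65", "192.168.15.64", "0.0.0.15"))  # first host of that subnet
```

The `matches` function is the same comparison a router makes per ACE: both addresses are masked with the inverted wildcard and compared, so a wildcard with non-contiguous 1 bits (for example matching only even-numbered subnets) works just as well as the contiguous ones in the questions.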
21
Open the PT Activity. Perform the tasks in the activity instructions and then answer the question.