CCNA Training » CCNA – Access List Questions 2

9/17/13

CCNA Tr ai ni ng » CCNA – Access Li st Questi ons 2

Type text to search here...

Home > CCNA – Access List Questions 2

CCNA – Access List Questions 2 April 30th, 2011 Go to comments Here you will find answers to Access list Questions – Part 2 Note: If you are not not sure sure about about Access Access list, please please read read my my Access list tutorial. tutorial. Question 1 Refer to the exhibit. What will happen to HTTP traffic coming from the Internet that is destined for 172.16.12.10 if the traffic is processed by this ACL? router#show access-lists Extended IP access list 110 10 deny tcp 172.16.0.0 0.0.255.255 any eq telnet 20 deny tcp 172.16.0.0 0.0.255.255 any eq smtp 30 deny tcp 172.16.0.0 0.0.255.255 any eq http 40 permit tcp 172.16.0.0 0.0.255.255 any

A. Traffic will be dropped per line 30 of the ACL. B. Traffic will be accepted per line 40 of the ACL. C. Traffic will be dropped, because of the implicit deny all at the end of the ACL. D. Traffic will be accepted, because the source address is not covered by the ACL.

Answer: C Explanation The syntax of an extended access list is: access-list-number {permit | deny} protocol source protocol source {source-m {source- mask} destinati destination on {desti {des tinati nation-mask} on-mask} access-list access-list-number {permit [eq destination-port] Notice Notice that that in in our access list, th the netw network ork 172.16.0.0 0.0.255.255 is is specif specified as th the source source but but the the questi question on asks about “HTTP traffic coming from the Internet that is destined for 172.16.12.10″, which means 172.16.0.0 0.0.255.255 is the destination network. So in this case there is no match in our access list and the traffic will be dropped because of the implicit deny all at the end of the ACL. It is surely a tricky question! Question 2 www.9tut.com/ccna- access- l i st- q uesti ons- 2

1/12

9/17/13


Refer to the exhibit. Which statement describes the effect that the Router1 configuration has on devices in the 172.16.16.0 subnet when they try to connect to SVR-A using Telnet or SSH?

A. Devices will not be able to use Telnet or SSH. B. Devices will be able to use SSH, but not Telnet. C. Devices will be able to use Telnet, but not SSH. D. Devices will be able to use Telnet and SSH.

Answer: B Explanation Let’s analyze the access list 100: + 10 permit tcp 172.16.16.0 0.0.0.15 host 172.16.48.63 eq 22: allows TCP traffic from network 172.16.16.0 172.1 6.16.0/28 /28 to access host 172.16.48.63 172.16 .48.63 with with a destinat destinatiion port of 22 (SSH) (S SH) + 20 permit tcp 172.16.16.0 0.0.0.15 eq telnet host 172.16.48.63: allows TCP traffic from network 172.16.16.0/28 with a source port of 23 (telnet) to access host 172.16.48.63 Notice Notice that that if if a devi device want wantss to tel telne nett (or SSH) to SVR-A SVR-A serv server er itit mu must use use the the destina destinati tion on port of 23 (or 22), not a source port of 23 (or 22). Access list 100 is applied on the inbound direction of Fa0/0 so it will only filter traffic from 172.16.16.0 subnet to the SVR-A server. www.9tut.com/ccna- access- l i st- q uesti ons- 2

2/12

9/17/13


Access list 101 is very similar to access list 100 but it is applied on the inbound direction of Fa0/1 so it will filter traffic from SVR-A server to 172.16.16.0 subnet. In ACL 101: + 10 permi permit tcp host 172.16.48.6 172.1 6.48.63 3 eq 22 172.16. 1 72.16.16.0 16.0 0.0.0.15: 0.0.0.1 5: all allows TCP traffi traffic from host 172.16.48.63 172.16.48 .63 with a source port of 22 (SSH) to access network 172.16.16.0/28. + 20 2 0 perm p ermiit tcp host 172.16.48.63 172.16.4 8.63 172.16.16.0 172.1 6.16.0 0.0.0.15 0.0.0.1 5 eq telnet telnet:: all allows TCP traff traffic from host host 172.16.4 17 2.16.48.63 8.63 to access network 172.16.16.0/28 with a destination port of telnet. Notice Notice that that th the return returned ed traf traffic from from SVR-A SVR-A to netw network ork 172.16.16.0/28 (resu (resulltin ting from telne telnett or SSH session session)) will have a source port of 23 (Telnet) or 22 (SSH) In conclusion, the first statements of each ACL will allow devices to “SSH” to SVR-A. But they can’t telnet because because of the the im impli plicit cit deny deny all all at the the end end of the the ACL. ACL. In this question, the second statements of each ACL can be considered “wrong” if we intend to filter telnet or SSH traffic and they have no effect on the Telnet or SSH traffic. Question 3 Refer to the exhibit. Which three variables (router, protocol port, and router ACL direction) apply to an extended ACL that will prevent student 01 from securely browsing the internet?

A. OUT B. Router 3 C. HTTPS D. IN E. Router 1

www.9tut.com/ccna- access- l i st- q uesti ons- 2

3/12

9/17/13


Answer: B C D Explanation There are 3 routers we can place this access list: Router 1, Router Main and Router 3 but in theory, an extended access list should be placed close to the source -> Router 3 is the best choice -> B is correct. The traffic we need to filter here is “securely browsing the internet” so it is HTTPS -> C is correct. Finally we should apply this access list to the inbound direction so that Router 3 will filter this traffic before making routing decision. It helps save processing resources on Router 3 -> D is correct. Question 4 Which two statements apply to dynamic access lists? (choose two) A. they offer simpler management in large internetworks. B. you can control logging messages. C. they all allow packe p ackets ts to be filtered based base d on o n upper-l upper- layer sessi sess ion inf information. ormation. D. you can set a time-based security policy. E. they provide a level of security against spoofing. F. they are used to authenticate individual users.

Answer: A F Explanation Dynamic ACLs have the following security benefits over standard and static extended ACLs: + Use of a challenge mechanism to authenticate individual users + Simplified management in large internetworks + In many cases, reduction of the amount of router processing that is required for ACLs + Reduction of the opportunity for network break-ins by network hackers + Creation of dynamic user access through a firewall, without compromising other configured security restrictions (Reference: CCNA Exploration 4 – Dynamic ACLs) Question 5 Which command shows if an access list is assigned to an interface? A. show ip interface [interface] access-lists B. show ip access-lists interface [interface] C. show ip interface [interface] D. show ip access-lists [interface]


4/12

9/17/13


Answer: C Explanation The output of “show ip interface [interface]” command is shown below:

In the output we can see the access list 1 is applied to this interface on inbound direction. Question 6 Which item represents the standard IP ACL? A. access-list 50 deny 192.168.1.1 0.0.0.255 B. access-list 110 permit ip any any C. access-list 2500 deny tcp any host 192.168.1.1 eq 22 D. access-l access- list 101 deny tcp any host 192.168.1.1 192.168 .1.1 www.9tut.com/ccna- access- l i st- q uesti ons- 2

5/12

9/17/13


Answer: A Explanation The standard access lists are ranged from 1 to 99 and from 1300 to 1999 so only access list 50 is a standard access acce ss list. Question 7 Which statement about access lists that are applied to an interface is true? A. you can apply only one access list on any interface B. you can configure one access list, per direction, per layer 3 protocol C. you can place as many access lists as you want on any interface D. you can configure one access list, per direction, per layer 2 protocol

Answer: B Explanation We can have only 1 access list per protocol, per direction and per interface. It means: + We can not have 2 inbound access lists on an interface + We can have 1 inbound and 1 outbound access list on an interface Question 8 A network engineer wants to allow a temporary entry for a remote user with a specific username and password so that the user can access the entire network over the internet. Which ACL can be used? A. reflexive B. extended C. standard D. dynamic

Answer: D Explanation We can use a dynamic access list to authenticate a remote user with a specific username and password. The authentication process is done by the router or a central access server such as a TACACS+ or RADIUS server. The configuration of dynamic ACL can be read here: http://www.cisco.com/en/US/tech/tk583/tk822/technologies_tech_note09186a0080094524.shtml www.9tut.com/ccna- access- l i st- q uesti ons- 2

6/12

9/17/13


Question 9 Which parameter standard access list takes into consideration for traffic filtering decisions? A. Source MAC address B. Destination IP address C. Destination MAC address D. Source IP address

Answer: D Question 10 In which solution is a router ACL used? A. protecting a server from unauthorized access B. controlling path selection, based on the route metric C. reducing router CPU utilization D. filtering packets that are passing through a router

Answer: D

Comments (364) Comments Comment pages « Previous 1 … 6 7 8 981 1. ian_arvi ian_ar vin n from the phili philipp ppin ines es September 10th, 2013 Hi guys for those who have passed ccna 640-802 which dump is more reliable the one from spike or acme? If u have new dumps kindly send to [email protected] 2. tani10 September 10th, 2013 Question 4 correct answers A, D 3. ad September 10th, 2013 www.9tut.com/ccna- access- l i st- q uesti ons- 2

7/12

9/17/13


q no 1…. ans should be A..its match….. 4. ad September 10th, 2013 9tut…i love u :) 5. ad September 10th, 2013 9tut…i love u :) 6. ad September 10th, 2013 9tut…i love u :). 7. ad September 10th, 2013 9tut…i love u :).. 8. ad September 10th, 2013 9tut…i love u :)… 9. Richard September 11th, 2013 tani 10, pls. pls. make make sure sure you yourr read about about ACL, ACL, parti particu cullarly, arly, tim time-based and and dynam dynamiic :) 10. jasostrong September 11th, 2013 Thanks 9tut. I made it. I passed my CCNA 200-120 today. The sim is Access-list 1 , Access-list 2 & EIGRP. A lot of new questions like Netflow, Syslog, SNMP, VRRP, and GLBP. 11. 11 . inayat shah September 13th, 2013 I am going to sit my CCNA exam on 28 Sep. Could anybody send me the latest Sim or all the Sim at 9tut is still enough for CCNA 640-802 exam? please do inform and support me. Thank you. E-mail: [email protected] best reg regard! ard! www.9tut.com/ccna- access- l i st- q uesti ons- 2

8/12

9/17/13


12. Anonymous September 13th, 2013 Which two statements apply to dynamic access lists? (choose two) A. they offer simpler management in large internetworks. B. you can control logging messages. C. they allow packets to be filtered based on upper-layer session information. D. you can set a time-based security policy. E. they provide a level of security against spoofing. F. they are used to authenticate individual users. *** THE ACME 486 DUMP SAYS THAT D & F ARE THE ANSWERS … CAN SOMEONE EXPLAIN TO ME WHATS GOING ON ?? *** Reposted… Please explain sir 9tut. Thank you. 13. Franz September 13th, 2013 Which two statements apply to dynamic access lists? (choose two) A. they offer simpler management in large internetworks. B. you can control logging messages. C. they allow packets to be filtered based on upper-layer session information. D. you can set a time-based security policy. E. they provide a level of security against spoofing. F. they are used to authenticate individual users. *** THE ACME 486 DUMP SAYS THAT D & F ARE THE ANSWERS … CAN SOMEONE EXPLAIN TO ME WHATS GOING ON ?? *** 14. Joe September 13th, 2013 Franz/Anon, try a google…. https://supportforums.cisco.com/thread/2187794 Comment pages « Previous 1 … 6 7 8 981 Add a Comment Name


9/12

9/17/13


Submit Comment

Subscribe to comm comments ents feed CCNA – Access List Questions CCNA – WAN

Premiu Pre mium m Memb Me mbers ership hip Become a member to interact with all questions and read all tutorials, labs!

Find out more or Sign or Sign In

CCNA 640-802 CCNA Lab Sim CCNA – Basic Questions CCNA – Basic Questions 2 CCNA – Cisco IOS Questions CCNA – Cisco IOS Questions 2 CCNA – Cisco IOS Questions 3 CCNA – OSI Model Questions CCNA – TCP/IP Model & Operation CCNA – Show Command Questions CCNA – Protocols & Services CCNA – Access List Questions CCNA – Access List Questions 2 CCNA – WAN CCNA – WAN 2 CCNA – IP Address Questions CCNA – IP Routing Questions CCNA – IP Routing Questions 2 www.9tut.com/ccna- access- l i st- q uesti ons- 2

10/12

9/17/13


CCN A – RIP Questi CCNA Questions ons CCNA – OSPF Questions CCNA – OSPF Questions 2 CCNA – EIGRP Questions CCNA – EIGRP Questions 2 CCNA – Security Questions CCNA – DHCP Questions DHCP Group of Four Questions CCNA – NAT & PAT Questions CCNA – Drag and Drop 1 CCNA – Drag and Drop 2 CCNA – Drag and Drop 3 CCNA – Drag and Drop 4 CCNA – Drag and Drop 5 CCNA – Switch Questions CCNA – Switch Questions 2 CCNA – Switch Questions 3 CCNA – VLAN Questions CCNA – VLAN Questions 2 CCNA – VTP Questions CCNA CCN A – Hotspot Hotspot CCNA – STP Questions CCNA – STP Questions 2 CCNA CCN A – IPv6 IP v6 Questions Questions CCNA – Subnetting CCNA – Subnetting Questions 2 CCNA – Subnetting Questions 3 CCNA – Subnetting Questions 4 CCNA – Operations 1 CCNA – Operations 2 CCNA – Operations 3 CCNA – Troubleshooting 1 CCNA – Troubleshooting 2 CCNA – Wireless CCNA FAQs & Tips Share your CCNA Experience

New CCNA 200-120 Share your (new) CCNA Experience


11/12

9/17/13


CCNA Self-Study Practice CCNA GNS3 Labs CCNA CCN A Know K nowlledge

Network Resource Resourcess Free Router Simulators ICND1/ICND2 Website CCNP - ROUTE Website CCNP - SWITCH Website CCNP CCN P - TSH TSHOO OOT T Website Website CCNA Voice Website CCNA Wireless Website CCNA Security Website CCDA Website CCIP Website CCIE Written Website

Support 9tut

Your contribution will help keep this site updated!

Top Copyright © 2010-2013 CCNA Training Site Privacy Policy. Policy. Valid XHTML 1.1 and CSS 3.UV


12/12

CCNA Training » CCNA – Access List Questions 2

Recommend Documents