Thursday, October 9, 2008

Access list

ACCESS-LIST

1. On your newly installed router, you apply the access list illustrated below to interface Ethernet 0 on a
Cisco router. The interface is connected to the 192.168.1.8/29 LAN.
access-list 123 deny tcp 192.168.166.18 0.0.0.7 eq 20 any
access-list 123 deny tcp 192.168.166.18 0.0.0.7 eq 21 any
How will the above access lists affect traffic?

A. All traffic will be allowed to exit E0 except FTP traffic.
B. FTP traffic from 192.168.166.19 to any host will be denied.
C. FTP traffic from 192.168.166.22 to any host will be denied.
D. All traffic exiting E0 will be denied.
E. All FTP traffic to network 192.168.166.18/29 from any host will be denied.

Answer: D

2. On a newly installed router, the following access list is added to the HSSI interface for incoming traffic:
Access-list 101 permit tcp any 10.18.10.0 0.0.0.255 eq tcp
What is the effect of the "any" keyword in the above access list?

A. check any of the bits in the source address
B. permit any wildcard mask for the address
C. accept any source address
D. check any bit in the destination address
E. permit 255.255.255.255 0.0.0.0
F. accept any destination

Answer: C

3. The relevant portion of the Barrymore router configuration is displayed below:
Barrymore#show running-config

enable password cisco
!
username Central password 0 cisco
!
interface BRI0/0
ip address 192.168.0.1 255.255.255.0
encapsulation ppp
dialer idle-timeout 180
dialer map ip 192.168.0.2 name Remote 5552000
dialer-group 1
isdn switch-type basic-ni
no fair-queue
ppp authentication chap
!
ip route 192.168.20.0 255.255.255.0 192.168.0.2
!
router rip
network 192.168.0.0
!
access-list 129 deny tcp 192.168.0.0 0.0.0 255 host 192.168.20.5 eq www
access-list 128 permit ip any any
dialer-list 1 protocol ip list 128
In your effort to conserve precious bandwidth, you set up some ACLs to deny internet access to the
remote server located at 192.168.20.5. A few minutes after reconfiguring (as shown in the exhibit above)
you notice that some web traffic is still going through.
Based on the above output, what do you suspect as to why the traffic is still traveling over the ISDN link?

A. Broadcasts are creating "interesting" traffic.
B. The access-list is not configured correctly.
C. The command ip access-group 129 out is missing from the bri0/0 interface.
D. The dialer-group has not been applied to outbound traffic.

Answer: B

4. You are securing a network for TestKing and want to apply an ACL (access control list) to an interface
of a router. Which one of the following commands would you use?

A. permit access-list 101 out
B. ip access-group 101 out
C. apply access-list 101 out
D. access-class 101 out
E. ip access-list e0 out

Answer: B

5. Which of the following statements regarding the use of multiple access lists are valid when configuring a
single interface on a Cisco router?

A. Application of up to three access lists per protocol to a single interface.
B. No more than two access lists per interface.
C. One access list may be configured per direction for each Layer 3 protocol configured on an interface.
D. The maximum number allowed varies due to RAM availability in the router.
E. An infinite number of access lists can be applied to an interface, from most specific to most general.
F. Cisco IOS allows only one access list to an interface.

Answer: C

6. On the serial interface of a router, an inbound access list is configured to deny all traffic from UDP and
TCP ports 21, 23, and 25. All other traffic is permitted. Based on this information, which types of traffic
will be allowed through this interface? (Choose three)

A. SMTP
B. DNS
C. FTP
D. Telnet
E. HTTP
F. POP3

Answer: B, E, F

7. The access list below was applied outbound on the E0 interface connected to the 192.169.1.8/29
LAN:
access-list 135 deny tcp 192.169.1.8 0.0.0.7 eq 20 any
access-list 135 deny tcp 192.169.1.8 0.0.0.7 eq 21 any
How will the above access lists affect traffic?

A. FTP traffic from 192.169.1.22 will be denied.
B. No traffic, except for FTP traffic will be allowed to exit E0.
C. FTP traffic from 192.169.1.9 to any host will be denied.
D. All traffic exiting E0 will be denied.
E. All FTP traffic to network 192.169.1.9/29 will be denied.

Answer: D

8. Which of the following commands would successfully implement an access list on a router's virtual
terminal line? (Select only one answer choice)

A. RouterTK(config-line)# access-class 10 in
B. RouterTK(config-if)# ip access-class 23 out
C. RouterTK(config-line)# access-list 150 in
D. RouterTK(config-if)# ip access-list 128 out
E. RouterTK(config-line)# access-group 15 out
F. RouterTK(config-if)# ip access-group 110 in

Answer: A

9. What are some general guidelines regarding the placement of access control lists? (Select two answer
choices)

A. You should place standard ACLs as close as possible to the source of traffic to be denied.
B. You should place extended ACLs as close as possible to the source of traffic to be denied.
C. You should place standard ACLs as close as possible to the destination of traffic to be denied.
D. You should place extended ACLs as close as possible to the destination of traffic to be denied.

Answer: B, C

10. A network administrator wants to add a line to an access list that will block only Telnet access by the
hosts on subnet 192.168.1.128/28 to the server at 192.168.1.5. What command should be issued to
accomplish this task?

A. access-list 101 deny tcp 192.168.1.128 0.0.015 192.168.1.5 0.0.0.0 eq 23
access-list 101 permit ip any any
B. access-list 1 deny tcp 192.168.1.128 0.0.0.15 host 192.168.1.5 eq 23
access-list 1 permit ip any any
C. access-list 1 deny tcp 192.168.1.128 0.0.0.255 192.168.1.5 0.0.0.0 eq 21
access-list 1 permit ip any any
D. access-list 101 deny tcp 192.168.1.128 0.0.0.240 192.168.1.5 0.0.0.0 eq 23
access-list 101 permit ip any any
E. access-list 101 deny ip 192.168.1.128 0.0.0.240 192.158.1.5 0.0.0.0 eq 23
access-list 101 permit ip any any
F. access-list 101 deny ip 192.168.1.128 0.0.0.15 192.168.1.5 0.0.0.0 eq 23
access-list 101 permit ip any any

Answer: A

11. You are the network administrator at TestKing. You apply the following access list on the E0 outbound
interface connected to the 192.168.1.8/29 LAN:
access-list 21 deny tcp 192.168.1.8 0.0.0.7 eq 20 any
access-list 21 deny tcp 192.168.1.8 0.0.0.7 eq 21 any
What will the effect of this access list be?

A. All traffic will be allowed out of E0 except FTP traffic.
B. FTP traffic from 192.168.1.22 to any host will be blocked.
C. FTP traffic from 192.168.1.9 to any host will be blocked.
D. All traffic will be prevented from leaving E0.
E. All FTP traffic to network 192.168.1.9/29 from any host will be blocked.

Answer: D

12. A network administrator has configured access list 172 to prevent Telnet and ICMP traffic from
reaching a server with the address of 192.168.13.26. Which command can the administrator issue to
verify that the access list is working properly? (Choose three)

A. Router# ping 192.168.13.26
B. Router# debug access-list 172
C. Router# show open ports 192.168.13.26
D. Router# show access-list
E. Router# show ip interface

Answer: A, D, E

13. When are packets processed in an inbound access list?

A. Before they are routed to an outbound interface.
B. After they are routed for outbound traffic.
C. After they are routed to an outbound interface while queuing.
D. Before and after they are routed to an outbound interface.
E. Depends on the configuration of the interface
F. None of the above

Answer: A

14. Which of the following are benefits provided with access control lists (ACLs)? (Select all that apply)

A. ACLs monitor the number of bytes and packets.
B. Virus detection.
C. ACLs identify interesting traffic for DDR.
D. ACLs provide IP route filtering.
E. ACLs provide high network availability.
F. ACLs classify and organize network traffic.

Answer: C, D

15. Which one of the access control list statements below will deny all telnet connections to subnet
10.10.1.0/24?

A. access-list 15 deny telnet any 10.10.1.0 0.0.0.255 eq 23
B. access-list 115 deny udp any 10.10.1.0 eq telnet
C. access-list 15 deny tcp 10.10.1.0 255.255.255.0 eq telnet
D. access-list 115 deny tcp any 10.10.1.0 0.0.0.255 eq 23
E. access-list 15 deny udp any 10.10.1.0 255.255.255.0 eq 23

Answer: D

16. Which of the following answer choices are correct characteristics of named access lists? (Select all that
apply)

A. You can delete individual statements in a named access list
B. Named access lists require a numbered range from 1000 to 1099.
C. Named access lists must be specified as standard or extended.
D. You can use the ip access-list command to create named access lists.
E. You cannot delete individual statements in a named access list.
F. You can use the ip name-group command to apply named access lists.

Answer: A, C, D

17. Which of the following access list statements would deny traffic from a specific host?

A. Router(config)# access-list 1 deny 172.31.212.74 any
B. Router(config)# access-list 1 deny 10.6.111.48 host
C. Router(config)# access-list 1 deny 172.16.4.13 0.0.0.0
D. Router(config)# access-list 1 deny 192.168.14.132 255.255.255.0
E. Router(config)# access-list 1 deny 192.168.166.127 255.255.255.255

Answer: C

18. Which IP address and wildcard mask would you use in your ACL to block all the hosts in the subnet
192.168.16.43/28?

A. 192.168.16.32 0.0.0.16
B. 192.168.16.43 0.0.0.212
C. 192.168.16.0 0.0.0.15
D. 192.168.16.32 0.0.0.15
E. 192.168.16.0 0.0.0.31
F. 192.168.16.16 0.0.0.31

Answer: D

19. A standard IP access list is applied to an Ethernet interface of a router. What does this standard access
list filter on?

A. The source and destination addresses
B. The destination port number
C. The destination address
D. The source address
E. All of the above

Answer: D

20. The TestKing network is subnetted using 29 bits for the subnet mask. Which wild card mask should be
used to configure an extended access list to permit or deny access to an entire subnetwork?

A. 255.255.255.224
B. 255.255.255.248
C. 0.0.0.224
D. 0.0.0.8
E. 0.0.0.7
F. 0.0.0.3

Answer: E

21. Which of the following are valid types of access lists? (choose all that apply)

A. Standard
B. global
C. Extended
D. Named
E. Interface
F. Routing

Answer: A, C, D

22. Choose the valid number ranges for IP extended access lists. (choose all that apply)

A. 1 to 99
B. 199 to 2699
C. 100 to 199
D. 1300 to 1399
E. 2000 to 2699
F. 2000 to 2999

Answer: C, E

23. Which of the following are true statements? (choose all that apply)

A. If a packet does not match any explicit condition in the list, an implicit permit allows
the packet to be forwarded.
B. After a packet matches an entry, it is acted upon by that statement and no other entries
are checked.
C. When an interface receives a packet, all entries in the access list are checked before
any decision is made.
D. A condition can test only against source and destination address.
E. If no entry is matched, the packet is denied by an implicit deny all.
F. All access lists acting as packet filters should have at least one permit statement.

Answer: B, E, F

24. Which command creates a standard access list? (choose all that apply)

A. access-list 101
B. access-list 1 standard
C. access-list 1
D. access-list 1 standard mylist
E. standard access-list 1

Answer: C, D

25. Which of the following commands would you use to allow traffic from the 192.168.255.0
subnet in on interface Ethernet 0? (choose all that apply)

A. access-list 1 permit 192.168.255.0
B. ip access-group 1 in
C. access-group 101 permit 192.168.255.0 0.0.0.255
D. interface Ethernet 0
E. access-list standard OK-Traffic permit 192.168.255.0 0.0.0.255

Answer: D, E

26. Which of the following statements are true?

A. Access lists can be applied only to an interface.
B. An interface can only have one access list, per protocol, per direction.
C. If you delete an access list, the mapping will be automatically deleted.
D. All access lists have an implicit deny any at the bottom.
E. Extended access lists should be placed close to the source.
F. Standard access lists should be placed close to the source.
G. Access list placement does not matter.

Answer: B, C, E


27. Which of the following are not features of ACLs?

A. Restricting telnet access to a router.
B. Prioritizing WAN traffic.
C. Filtering traffic from the router.
D. Triggering dialup phone calls.

Answer: D