Chapter 7
access-list 1 permit 192.168.10.96 0.0.0.31
Refer to the exhibit. Which command would be used in a standard ACL to allow only devices on the network attached to R2 G0/0 interface to access the networks attached to R1?
Four packets have been allowed through the router from PCs in the network of 192.168.1.64.
Refer to the following output. What is the significance of the 4 match(es) statement? R1# <output omitted> 10 permit 192.168.1.56 0.0.0.7 20 permit 192.168.1.64 0.0.0.63 (4 match(es)) 30 deny any (8 match(es))
False
T/F: ACLs should filter unwanted traffic after it travels onto a low-bandwidth link.
address with subnet 255.255.255.248
192.168.3.64 0.0.0.7
source
Extended ACLs should be placed close to the ____________ IP address of the traffic.
access-list 10 permit 192.168.16.0 0.0.3.255
What single access list statement matches all of the following networks? 192.168.16.0 192.168.17.0 192.168.18.0 192.168.19.0
A packet can either be rejected or forwarded as directed by the ACE that is matched.
When ACL processing a packet, what are two outcomes?
before the packets are routed
When are inbound ACLs processed?
after the routing is completed
When are outbound ACLs processed?
when troubleshooting an ACL and needing to know how many packets matched
When would a network administrator use the clear access-list counters command?
named standard ACL
Which ACL will give the ability to add additional ACEs in the middle of the ACL without deleting and re-creating the list?
source IP address
Which address is required in the command syntax of a standard ACL?
host
Which type of ACL statements are commonly reordered by the Cisco IOS as the first ACEs?
vty
Which type of router connection can be secured by the access-class command?
deny any
an ACE that is added to the end of every standard ACL
easy to modify
an advantage of using a named ACL
ACE
one line in an ACL
goes to the next ACE
the action taken when the criteria specified in an ACE does not match
permit (allow the packet to pass) or deny
the actions that can be taken when a router matches an address in an ACE
host
the common keyword that is used when only one IP address is to be matched
closest to destination
the common placement location for a standard ACL
any
the keyword that is the same as using an address of 0.0.0.0 255.255.255.255
one
the number of IP-based ACLs that can be applied to one router interface in the inbound direction
match the same bit value in the address
the purpose of a zero in a wildcard mask
0.0.0.31
the wildcard mask for a /27 network
The ACL does not perform as designed
A network administrator is configuring an ACL to restrict access to certain servers in the data center. The intent is to apply the ACL to the interface connected to the data center LAN. What happens if the ACL is incorrectly applied to an interface in the inbound direction instead of the outbound direction?
access-list 10 permit 192.168.15.23 0.0.0.0
A network administrator needs to configure a standard ACL so that only the workstation of the administrator with the IP address 192.168.15.23 can access the virtual terminal of the main router. Which configuration command can achieve the task?
R1(config-line)# access-class 1 in
An administrator has configured an access list on R1 to allow SSH administrative access from host 172.16.1.100. Which command correctly applies the ACL?
Use the no keyword and the sequence number of the ACE to be removed.
What is the quickest way to remove a single ACE from a named ACL?
subnetwork address of a subnet with 14 valid host addresses
What is the wildcard for 192.168.15.144 0.0.0.15
Two devices were able to use SSH or Telnet to gain access to the router.
Consider the following output for an ACL that has been applied to a router via the access-class in command. What can a network administrator determine from the output that is shown? R1# <output omitted> Standard IP access list 2 10 permit 192.168.10.0, wildcard bits 0.0.0.255 (2 matches) 20 deny any (1 match)
first valid host address in a subnet
What is the wildcard for 192.168.15.65 255.255.255.240
Each statement is checked only until a match is detected or until the end of the ACE list.
How are packets checked in ACL processing?
standard ACL
IP-based ACLs that can be numbered 1 to 99
8
If a router has two interfaces and is routing both IPv4 and IPv6 traffic, how many ACLs could be created and applied to it?
Rejects any packet that does not match any ACE.
In ACL processing, what is the outcome of an implicit deny?
when the ACL is applied to an outbound interface to filter packets coming from multiple inbound interfaces before the packets exit the interface
In which configuration would an outbound ACL placement be preferred over an inbound ACL placement?
hosts in a subnet with SM 255.255.252.0
What is the wildcard for 192.168.5.0 0.0.3.255
all IP address bits must match exactly
What is the wildcard for host 192.168.15.2
on the router that has the ACL configured
On which router should the show access-lists command be executed?
The ACEs of access list 10 will be renumbered.
Refer to the exhibit. What will happen to the access list 10 ACEs if the router is rebooted before any other commands are implemented?
All traffic will be blocked, not just traffic from the 172.16.4.0/24 subnet.
Refer to the exhibit. An ACL was configured on R1 with the intention of denying traffic from subnet 172.16.4.0/24 into subnet 172.16.3.0/24. All other traffic into subnet 172.16.3.0/24 should be permitted. This standard ACL was then applied outbound on interface Fa0/0. Which conclusion can be drawn from this configuration?
Manually add the new deny ACE with a sequence number of 5
Refer to the exhibit. A router has an existing ACL that permits all traffic from the 172.16.0.0 network. The administrator attempts to add a new ACE to the ACL that denies packets from host 172.16.0.1 and receives the error message that is shown in the exhibit. What action can the administrator take to block packets from host 172.16.0.1 while still permitting all other traffic from the 172.16.0.0 network?
destination
Standard ACLs should be placed close to the ___________ IP address of the traffic.
outbound on the R1 G0/1 interface
Refer to the exhibit. If the network administrator created a standard ACL that allows only devices that connect to the R2 G0/0 network access to the devices on the R1 G0/1 interface, how should the ACL be applied?
The ACL will block all traffic
What is the effect of configuring an ACL with only ACEs that deny traffic?
ip access-group
a command that is used to apply a standard ACL to a serial interface
access-class
a command that is used to apply a standard ACL to one or more VTY ports
source IP address
a filter used by a numbered ACL that uses the number 5
ACL
a method of controlling packet flow