Network Security 1.0 Modules 8-10: ACLs and Firewalls Group Exam Answers Answers
A network administrator configures an ACL with the command R1(config)# access-list 1 permit 172.16.0.0 0.0.15.255 . Which two IP addresses will match this ACL statement? (Choose two.) 172.16.0.255 172.16.15.36 172.16.16.12 172.16.31.24 172.16.65.21
172.16.0.255 172.16.15.36
Which three statements describe ACL processing of packets? (Choose three.) -An implicit deny any rejects any packet that does not match any ACE. -A packet can either be rejected or forwarded as directed by the ACE that is matched. -A packet that has been denied by one ACE can be permitted by a subsequent ACE. -A packet that does not match the conditions of any ACE will be forwarded by default. -Each statement is checked only until a match is detected or until the end of the ACE list.
An implicit deny any rejects any packet that does not match any ACE. A packet can either be rejected or forwarded as directed by the ACE that is matched. Each statement is checked only until a match is detected or until the end of the ACE list.
Refer to the exhibit. What is the result of adding the established argument to the end of the ACE? Network Security (Version 1) - Network Security 1.0 Modules 8-10 ACLs and Firewalls Group Exam Answers Answers 01 -Any traffic is allowed to reach the 192.168.254.0 255.255.254.0 network. -Any IP traffic is allowed to reach the 192.168.254.0 255.255.254.0 network as long as it is in response to an originated request. -192.168.254.0 /23 traffic is allowed to reach any network. -Any TCP traffic is allowed to reach the 192.168.254.0 255.255.254.0 network if it is in response to an originated request.
Any TCP traffic is allowed to reach the 192.168.254.0 255.255.254.0 network if it is in response to an originated request.
Which two characteristics are shared by both standard and extended ACLs? (Choose two.) Both kinds of ACLs can filter based on protocol type. Both can permit or deny specific services by port number. Both include an implicit deny as a final statement. Both filter packets for a specific destination host IP address. Both can be created by using either a descriptive name or number.
Both include an implicit deny as a final statement. Both can be created by using either a descriptive name or number.
What are two characteristics of ACLs? (Choose two.) Extended ACLs can filter on destination TCP and UDP ports. Standard ACLs can filter on source TCP and UDP ports. Extended ACLs can filter on source and destination IP addresses. Standard ACLs can filter on source and destination IP addresses.
Extended ACLs can filter on destination TCP and UDP ports. Extended ACLs can filter on source and destination IP addresses.
What two statements describe characteristics of IPv6 access control lists? (Choose two.) They can be named or numbered. They are applied to an interface with the ip access-group command . They use prefix lengths to indicate how much of an address to match. They include two implicit permit statements by default. They permit ICMPv6 router advertisements by default.
They use prefix lengths to indicate how much of an address to match. They include two implicit permit statements by default.
What two steps provide the quickest way to completely remove an ACL from a router? (Choose two.) Use the no keyword and the sequence number of every ACE within the named ACL to be removed. Use the no access-list command to remove the entire ACL. Copy the ACL into a text editor, add no before each ACE, then copy the ACL back into the router. Modify the number of the ACL so that it doesn't match the ACL associated with the interface. Remove the inbound/outbound reference to the ACL from the interface. Removal of the ACEs is the only step required.
Use the no access-list command to remove the entire ACL. Remove the inbound/outbound reference to the ACL from the interface.
What is one benefit of using a stateful firewall instead of a proxy server? prevention of Layer 7 attacks better performance ability to perform user authentication ability to perform packet filtering
better performance
What single access list statement matches all of the following networks? 192.168.16.0 192.168.17.0 192.168.18.0 192.168.19.0 access-list 10 permit 192.168.16.0 0.0.3.255 access-list 10 permit 192.168.16.0 0.0.0.255 access-list 10 permit 192.168.16.0 0.0.15.255 access-list 10 permit 192.168.0.0 0.0.15.255
access-list 10 permit 192.168.16.0 0.0.3.255
A security specialist designs an ACL to deny access to a web server from all sales staff. The sales staff are assigned addressing from the IPv6 subnet 2001:db8:48:2c::/64. The web server is assigned the address 2001:db8:48:1c::50/64. Configuring the WebFilter ACL on the LAN interface for the sales staff will require which three commands? (Choose three.) -permit tcp any host 2001:db8:48:1c::50 eq 80 -deny tcp host 2001:db8:48:1c::50 any eq 80 -deny tcp any host 2001:db8:48:1c::50 eq 80 -permit ipv6 any any -deny ipv6 any any -ip access-group WebFilter in -ipv6 traffic-filter WebFilter in
deny tcp any host 2001:db8:48:1c::50 eq 80 permit ipv6 any any ipv6 traffic-filter WebFilter in
To facilitate the troubleshooting process, which inbound ICMP message should be permitted on an outside interface? echo request echo reply time-stamp request time-stamp reply router advertisement
echo reply
Which two keywords can be used in an access control list to replace a wildcard mask or address and wildcard mask pair? (Choose two.) most host all any some gt
host any
What is one limitation of a stateful firewall? poor log information weak user authentication cannot filter unnecessary traffic not as effective with UDP- or ICMP-based traffic
not as effective with UDP- or ICMP-based traffic
Refer to the exhibit. A network administrator created an IPv6 ACL to block the Telnet traffic from the 2001:DB8:CAFE:10::/64 network to the 2001:DB8:CAFE:30::/64 network. What is a command the administrator could use to allow only a single host 2001:DB8:CAFE:10::A/64 to telnet to the 2001:DB8:CAFE:30::/64 network? Network Security (Version 1) - Network Security Modules 5-7 Monitoring and Managing Devices Group Exam Answers 03 permit tcp 2001:DB8:CAFE:10::A/64 2001:DB8:CAFE:30::/64 eq 23 permit tcp 2001:DB8:CAFE:10::A/64 eq 23 2001:DB8:CAFE:30::/64 permit tcp host 2001:DB8:CAFE:10::A eq 23 2001:DB8:CAFE:30::/64 permit tcp host 2001:DB8:CAFE:10::A 2001:DB8:CAFE:30::/64 eq 23 sequence 5
permit tcp host 2001:DB8:CAFE:10::A 2001:DB8:CAFE:30::/64 eq 23 sequence 5
f the provided ACEs are in the same ACL, which ACE should be listed first in the ACL according to best practice? -permit ip any any -permit udp 172.16.0.0 0.0.255.255 host 172.16.1.5 eq snmptrap -permit tcp 172.16.0.0 0.0.3.255 any established -permit udp any any range 10000 20000 -deny udp any host 172.16.1.5 eq snmptrap -deny tcp any any eq telnet
permit udp 172.16.0.0 0.0.255.255 host 172.16.1.5 eq snmptrap
Which two types of addresses should be denied inbound on a router interface that attaches to the Internet? (Choose two.) private IP addresses public IP addresses NAT translated IP addresses any IP address that starts with the number 127 any IP address that starts with the number 1
private IP addresses any IP address that starts with the number 127
When creating an ACL, which keyword should be used to document and interpret the purpose of the ACL statement on a Cisco device? eq established remark description
remark
Which two pieces of information are required when creating a standard access control list? (Choose two.) destination address and wildcard mask source address and wildcard mask subnet mask and wildcard mask access list number between 100 and 199 access list number between 1 and 99
source address and wildcard mask access list number between 1 and 99
In the creation of an IPv6 ACL, what is the purpose of the implicit final command entries, permit icmp any any nd-na and permit icmp any any nd-ns ? to allow IPv6 to MAC address resolution to allow forwarding of IPv6 multicast packets to allow automatic address configuration to allow forwarding of ICMPv6 packets
to allow IPv6 to MAC address resolution
What are two characteristics of a stateful firewall? (Choose two.) uses static packet filtering techniques uses connection information maintained in a state table analyzes traffic at Layers 3, 4 and 5 of the OSI model uses complex ACLs which can be difficult to configure prevents Layer 7 attacks
uses connection information maintained in a state table analyzes traffic at Layers 3, 4 and 5 of the OSI model