22 - Questions - Access Control Lists (ACL)


Which range of addresses is included in the matching criteria 10.220.56.0 0.0.7.255?

10.220.56.0 to 10.220.63.255

Which statement about ACLs is true?

An ACL must have at least one permit action, or else it blocks all traffic.

The network administrator is trying to configure a standard access list using the commands shown below. The administrator encounters an issue explained by the CLI error message shown. What does this error message mean?

R1(config)# access-list 10 deny 10.10.2.0 0.0.0.255
R1(config)# access-list 10 permit host 10.10.2.20
% Access rule can't be configured at higher sequence num as it is part of the existing rule at sequence num 30

The administrator is adding a more restrictive statement after a less restrictive one.

Which address and wildcard uniquely matches the host address 192.168.1.111?

The correct answer is "192.168.1.111 0.0.0.0." A wildcard mask of 255.255.255.255 ignores all the bits in the IP address: it translates to all ones in binary, and since all four octets consist only of ones, the whole IP address is ignored and no bit is matched. A wildcard mask of 0.0.0.0 (all zeros in binary) requires a match on every address bit and therefore identifies host 192.168.1.111 exclusively.

The administrator wants to configure an extended access list and wants to use ip access-list extended 99 command. What will happen when she enters this command?

The correct answer is "Cisco IOS will warn that there is an error in the command." The command syntax does not allow the keyword extended to be combined with a number that indicates a standard access list. Numbers for standard ACLs range from 1 to 99 and 1300 to 1999, while numbers for extended ACLs range from 100 to 199 and 2000 to 2699.

Regarding the following ACL statements, what will be the result?

Router(config)# access-list 20 permit 192.168.1.1
Router(config)# access-list 20 deny 192.168.1.0 0.0.0.255
Router(config)# access-list 20 permit 192.0.0.0 0.255.255.255

The correct answer is "Everything within 192.168.1.0 except 192.168.1.1 will be denied. Other hosts within 192.0.0.0/8 will be permitted." An access list is a list of statements evaluated top-down. In this case, the first statement permits the IP address 192.168.1.1:

Router(config)# access-list 20 permit 192.168.1.1

Next, if the address is not 192.168.1.1, the second statement denies all addresses from 192.168.1.0/24:

Router(config)# access-list 20 deny 192.168.1.0 0.0.0.255

The third statement permits all addresses from 192.0.0.0/8:

Router(config)# access-list 20 permit 192.0.0.0 0.255.255.255

Importantly, the last statement is an implicit deny of all other addresses. Everything within 192.168.1.0 except 192.168.1.1 will be denied. Other hosts within 192.0.0.0/8 will be permitted.

Which statement describes the named configuration method?

The correct answer is "It is possible to add and delete an individual ACL entry." Named configuration mode is convenient because it allows all modifying actions to be performed on individual entries. It also allows a number to be specified as the name, which extends the same modification capabilities to numbered access lists.

Which three matching criteria could be used to match traffic from the 10.0.0.0/8 network? (Choose three.)

The correct answers are "10.10.10.10 0.255.255.255," "10.10.0.0 0.255.255.255," and "10.0.0.0 0.255.255.255." All IP addresses in the 10.0.0.0/8 range have the first octet value 10; the remaining three octets can be of any value. Therefore, the wildcard mask must "require" exact matching of the first octet only, which gives 0.255.255.255. The reference IP address can be any address whose first octet is 10.

Which two statements about standard and extended ACLs are true? (Choose two.)

The correct answers are "Both standard and extended IP ACLs can filter the entire Transmission Control Protocol (TCP)/IP suite" and "Named IP ACLs can only be configured with the named configuration mode." When using the named configuration method, you can specify a number as the name.

The administrator wants to allow only PC1 to have remote access to the file server, using SSH. Other devices from the 192.168.10.0/24 network should not be allowed SSH remote access, but other traffic should be permitted. Where would you place this access list for most efficient implementation?

router R1, interface Gi0/1 in

Which two numbers could you use in the numbered configuration method, or a number as a name in the named configuration method, to configure standard IPv4 access lists? (Choose two.)

75
1305

Which statement about the ACL operation is true?

The correct answer is "ACL statements are processed sequentially." ACL statements operate in a sequential, logical order. When a packet matches a rule in the list, the corresponding action is executed and ACL processing stops. For instance, in an access list with 15 statements, if a packet matches the first statement, the packet is not evaluated against the other 14 statements. Only the action of the first matching statement is executed, even if the packet would also match subsequent ones.

Refer to the exhibit. The security policy requires that only PC1 (of all the devices connected to SW1) can remotely access other devices using the SSH protocol and to perform ping connectivity test. All devices connected to SW2 should still have access to all services. You have configured extended ACL 115 on R1. On R1, which interface and traffic direction would you choose to correctly and most efficiently apply ACL 115?

The correct answer is "R1 interface Gi0/1 in the inbound direction." Extended access lists should be placed as close to the source of the denied traffic as possible. ACL 115 denies traffic from network 192.168.10.0/24, except for PC1. The interface closest to 192.168.10.0/24 is Gi0/1, and the traffic direction is inbound. It would also be correct to apply ACL 115 on interface Gi0/0 in the outbound direction, but that is not the most efficient solution, because it would allow denied traffic to consume R1 resources while being routed unnecessarily.

Which statement about the filtering result of the following ACL is true?

Router(config-ext-nacl)# permit tcp 192.168.1.0 0.0.0.255 host 192.168.100.1 eq 80
Router(config-ext-nacl)# deny tcp any host 192.168.100.1 eq 80

The correct answer is "The ACL blocks all traffic except for the HTTP traffic from clients in 192.168.1.0/24 network to the server 192.168.100.1." All ACLs have an implicit deny statement at the end. Therefore, the ACL blocks all traffic that did not match an ACL statement. There is only one permit statement, allowing HTTP traffic from the 192.168.1.0/24 network to the server only; therefore all other traffic, not only HTTP traffic, is blocked. An HTTP server uses the well-known port 80 for HTTP connections.

In this example, which IPv4 addresses would match if this entry is placed in an ACL? 10.1.0.0 0.0.0.255

The correct answer is "anything that starts with 10.1.0.X." With wildcard masking, zeros in binary mean an exact match; ones in binary mean do not check. The fourth byte of the wildcard mask is 11111111 in binary, meaning that the value found in the fourth octet of the address is ignored.

Which three matching criteria are written correctly for a standard ACL? (Choose three.)

The correct answers are "host 172.14.5.2," "172.14.5.2," and "any." When using the host keyword, you specify the reference IP after the keyword and no wildcard mask is needed. When no wildcard mask or keyword is specified with the reference IP, Cisco IOS Software assumes the wildcard mask 0.0.0.0. With the any keyword, you do not specify a reference IP, because it is irrelevant for filtering; the keyword any is used on its own.

The ACL statement has the matching criteria specified as 192.168.122.128 0.0.0.63. Which two IPv4 addresses would match the criteria? (Choose two.)

192.168.122.140
192.168.122.191

Which three commands would enable you to enter extended ACL statements on a router? (Choose three.)

Router(config)# access-list 101
Router(config)# ip access-list extended 101
Router(config)# ip access-list extended EXT_ACL

Referring to the figure, the security policy for the network requires you to prevent PC2 from accessing the network 192.168.10.0/24. The access list shown in the figure is configured on router R1. What option would correctly apply the access list?

R1(config)# interface Gi0/1
R1(config-if)# ip access-group 15 out

A network administrator is writing a standard IPv4 ACL that will deny traffic from the 172.16.0.0/16 network and permit all other traffic. Which two commands should be used? (Choose two.)

Router(config)# access-list 95 deny 172.16.0.0 0.0.255.255
Router(config)# access-list 95 permit any

The network administrator is reviewing the ACL 15 configuration on a router. The figure shows the output of the show access-lists command, where the administrator notices that deny statement 20 was typed with the wrong wildcard mask of 0.0.0.255. The administrator wants to change it to the wildcard mask 0.0.255.255. Which sequence of commands should the administrator use to modify the ACL?

Router(config)# ip access-list standard 15
Router(config-std-nacl)# no 20
Router(config-std-nacl)# 20 deny 10.0.0.0 0.0.255.255

Which three ACL statements are written correctly? (Choose three.)

Router(config-ext-nacl)# permit icmp any host 200.165.201.1
Router(config-ext-nacl)# deny tcp host 209.165.201.0 host 192.168.1.1 eq 22
Router(config-ext-nacl)# 10 permit tcp host 192.168.1.1 host 209.165.201.1 eq 22

Which matching criteria could be used to match traffic from or to IPv4 address 192.168.5.7?

The correct answer is "192.168.5.7 0.0.0.0." To provide a matching criterion for a single IP address, the wildcard mask must consist entirely of must-match bits (all 0s), and the reference IP must be the same as the address you want to match.

The exhibit shows an example network and the content of the standard access list 15, which is configured on the R1 router. The security policy blocks access to file server 192.168.30.10 and the internet for PC2. PC2 should only have access to the resources on PC1. You have administrative access only to the R1 router. What is the appropriate placement of the access list?

The correct answer is "router R1 interface Gi0/0." Access list 15 is a standard access list and should be placed closest to the destination. The routers closest to the file server and the internet are R2 and R3, respectively; however, you do not have administrative access to either R2 or R3. If you placed the access list on the Gi0/2 interface of R1, you would also block traffic going to the 192.168.10.0/24 network. Placing ACL 15 on the Gi0/1 interface would have no effect on traffic going to the file server.

Which three options are uses of an ACL? (Choose three.)

The correct answers are "ACLs can allow or prevent certain hosts from accessing network resources," "ACLs can allow traffic to be selected so that it can be prioritized," and "ACLs can filter traffic based on traffic type." ACLs improve network performance by discarding disallowed traffic and preventing it from crossing the network infrastructure and consuming resources. ACLs are not used to group interfaces. To determine the best path to a destination, devices use routing protocol algorithms, not ACLs, although ACLs can influence what routing information is available to those algorithms.

Which application of an ACL is indicated by the statement "ACLs can permit or deny user access to FTP or HTTP servers"?

filtering of traffic to control access to network services
