
9/17/13 CCNA Training » CCNA – Access List Questions 2

www.9tut.com/ccna-access-list-questions-2 1/12


CCNA – Access List Questions 2

April 30th, 2011 Go to comments

Here you will find answers to Access list Questions – Part 2

Note: If you are not sure about Access list, please read my Access list tutorial.

Question 1

Refer to the exhibit. What will happen to HTTP traffic coming from the Internet that is destined for 172.16.12.10 if the traffic is processed by this ACL?

router#show access-lists
Extended IP access list 110
    10 deny tcp 172.16.0.0 0.0.255.255 any eq telnet
    20 deny tcp 172.16.0.0 0.0.255.255 any eq smtp
    30 deny tcp 172.16.0.0 0.0.255.255 any eq http
    40 permit tcp 172.16.0.0 0.0.255.255 any

A. Traffic will be dropped per line 30 of the ACL.
B. Traffic will be accepted per line 40 of the ACL.
C. Traffic will be dropped, because of the implicit deny all at the end of the ACL.
D. Traffic will be accepted, because the source address is not covered by the ACL.

Answer: C

Explanation

The syntax of an extended access list is:

access-list access-list-number {permit | deny} protocol source source-wildcard [eq port] destination destination-wildcard [eq port]

An “eq port” qualifier written directly after the source matches the source port; written after the destination it matches the destination port (compare the two entries of ACL 100 in Question 2).

Notice that every entry of access list 110 specifies 172.16.0.0 0.0.255.255 as the source, but the question asks about “HTTP traffic coming from the Internet that is destined for 172.16.12.10”, so the source is an Internet address and 172.16.0.0 0.0.255.255 is the destination network. None of the four entries matches such a packet, so the traffic is dropped by the implicit deny all at the end of the ACL. It is surely a tricky question!

Note that the same ACL does match HTTP traffic in the opposite direction: a packet from 172.16.12.10 to a web server on the Internet is dropped by line 30.

Question 2


Refer to the exhibit. Which statement describes the effect that the Router1 configuration has on devices in the 172.16.16.0 subnet when they try to connect to SVR-A using Telnet or SSH?

A. Devices will not be able to use Telnet or SSH.
B. Devices will be able to use SSH, but not Telnet.
C. Devices will be able to use Telnet, but not SSH.
D. Devices will be able to use Telnet and SSH.

Answer: B

Explanation

Let’s analyze the access list 100:

+ 10 permit tcp 172.16.16.0 0.0.0.15 host 172.16.48.63 eq 22: allows TCP traffic from network 172.16.16.0/28 to access host 172.16.48.63 with a destination port of 22 (SSH)
+ 20 permit tcp 172.16.16.0 0.0.0.15 eq telnet host 172.16.48.63: allows TCP traffic from network 172.16.16.0/28 with a source port of 23 (telnet) to access host 172.16.48.63

Notice that if a device wants to telnet (or SSH) to the SVR-A server it must use a destination port of 23 (or 22), not a source port of 23 (or 22). The client’s source port is an ephemeral port chosen by its operating system, so entry 20 never matches a Telnet connection attempt.

Access list 100 is applied on the inbound direction of Fa0/0, so it will only filter traffic from the 172.16.16.0 subnet to the SVR-A server.

Access list 101 is very similar to access list 100 but it is applied on the inbound direction of Fa0/1, so it will filter traffic from the SVR-A server to the 172.16.16.0 subnet. In ACL 101:

+ 10 permit tcp host 172.16.48.63 eq 22 172.16.16.0 0.0.0.15: allows TCP traffic from host 172.16.48.63 with a source port of 22 (SSH) to access network 172.16.16.0/28.
+ 20 permit tcp host 172.16.48.63 172.16.16.0 0.0.0.15 eq telnet: allows TCP traffic from host 172.16.48.63 to access network 172.16.16.0/28 with a destination port of telnet.

Notice that the returned traffic from SVR-A to network 172.16.16.0/28 (resulting from a telnet or SSH session) will have a source port of 23 (Telnet) or 22 (SSH) and a destination port equal to the client’s ephemeral port.

In conclusion, the first statement of each ACL allows devices to SSH to SVR-A, in both directions of the session. They can’t telnet because neither entry 20 matches: ACL 100 tests port 23 on the source side and ACL 101 tests it on the destination side, so Telnet packets in both directions fall through to the implicit deny all at the end of the ACL.

In this question, the second statements of each ACL can be considered “wrong” if we intend to filter telnet or SSH traffic, and they have no effect on the Telnet or SSH traffic.
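The following evaluator is an added example; it is not code from this page, from 9tut or from Cisco. It models how IOS walks an extended ACL top-down, matches addresses with wildcard masks, distinguishes an “eq” qualifier on the source from one on the destination, and falls through to the implicit deny. It replays the ACL 110 of Question 1 and the ACLs 100 and 101 of Question 2 against constructed packets: the Internet address 203.0.113.5, the client 172.16.16.5 and the ephemeral ports are assumptions, not taken from the exhibits. Interfaces and direction are not modelled; the caller chooses which ACL a packet is processed by, as the questions do.

```python
"""Model of Cisco extended-ACL matching (added example, not from the page or IOS).
Entries use the `show access-lists` format; evaluation is top-down, first match
wins, and no match is the implicit deny. Interfaces/direction are not modelled."""
import ipaddress
from collections import namedtuple
from typing import List, Optional, Tuple

PORT_NAMES = {"telnet": 23, "smtp": 25, "http": 80, "www": 80, "ssh": 22}
ANY = (0, 0xFFFFFFFF)  # "any" == network 0.0.0.0, wildcard 255.255.255.255

# src/dst are (network, wildcard) as 32-bit ints; src_port/dst_port are set
# only when an "eq" qualifier followed that address in the entry.
Entry = namedtuple("Entry", "seq action proto src src_port dst dst_port")
Packet = namedtuple("Packet", "proto src sport dst dport")

def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))

def _addr(tok: List[str], i: int) -> Tuple[Tuple[int, int], int]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' starting at tok[i]."""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return (_ip(tok[i + 1]), 0), i + 2
    return (_ip(tok[i]), _ip(tok[i + 1])), i + 2

def _port(tok: List[str], i: int) -> Tuple[Optional[int], int]:
    """Consume an optional 'eq <number|name>' qualifier at tok[i]."""
    if i < len(tok) and tok[i] == "eq":
        name = tok[i + 1]
        return (int(name) if name.isdigit() else PORT_NAMES[name]), i + 2
    return None, i

def parse_entry(line: str) -> Entry:
    tok = line.split()
    seq, action, proto = int(tok[0]), tok[1], tok[2]
    src, i = _addr(tok, 3)
    src_port, i = _port(tok, i)  # "eq" right after the source = source port
    dst, i = _addr(tok, i)
    dst_port, i = _port(tok, i)  # "eq" after the destination = destination port
    return Entry(seq, action, proto, src, src_port, dst, dst_port)

def _in_range(addr: int, spec: Tuple[int, int]) -> bool:
    net, wild = spec
    care = 0xFFFFFFFF ^ wild  # a 1 bit in the wildcard means "don't care"
    return (addr ^ net) & care == 0

def matches(e: Entry, p: Packet) -> bool:
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if not _in_range(_ip(p.src), e.src) or not _in_range(_ip(p.dst), e.dst):
        return False
    if e.src_port is not None and p.sport != e.src_port:
        return False
    return e.dst_port is None or p.dport == e.dst_port

def evaluate(acl: List[Entry], p: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, sequence number); ('deny', None) is the implicit deny."""
    for e in acl:
        if matches(e, p):
            return e.action, e.seq
    return "deny", None

ACL_110 = [parse_entry(x) for x in (  # Question 1, as printed
    "10 deny tcp 172.16.0.0 0.0.255.255 any eq telnet",
    "20 deny tcp 172.16.0.0 0.0.255.255 any eq smtp",
    "30 deny tcp 172.16.0.0 0.0.255.255 any eq http",
    "40 permit tcp 172.16.0.0 0.0.255.255 any")]
ACL_100 = [parse_entry(x) for x in (  # Question 2, inbound on Fa0/0
    "10 permit tcp 172.16.16.0 0.0.0.15 host 172.16.48.63 eq 22",
    "20 permit tcp 172.16.16.0 0.0.0.15 eq telnet host 172.16.48.63")]
ACL_101 = [parse_entry(x) for x in (  # Question 2, inbound on Fa0/1
    "10 permit tcp host 172.16.48.63 eq 22 172.16.16.0 0.0.0.15",
    "20 permit tcp host 172.16.48.63 172.16.16.0 0.0.0.15 eq telnet")]

def question1() -> dict:
    # 203.0.113.5 (TEST-NET-3) and port 51515 are constructed, not from the exhibit.
    inbound = Packet("tcp", "203.0.113.5", 51515, "172.16.12.10", 80)
    outbound = Packet("tcp", "172.16.12.10", 51515, "203.0.113.5", 80)
    return {"inbound": evaluate(ACL_110, inbound),    # ('deny', None)
            "outbound": evaluate(ACL_110, outbound)}  # ('deny', 30)

def question2() -> dict:
    client, srv = "172.16.16.5", "172.16.48.63"  # client address is constructed
    return {
        "ssh_out": evaluate(ACL_100, Packet("tcp", client, 40000, srv, 22)),
        "telnet_out": evaluate(ACL_100, Packet("tcp", client, 40001, srv, 23)),
        "ssh_back": evaluate(ACL_101, Packet("tcp", srv, 22, client, 40000)),
        "telnet_back": evaluate(ACL_101, Packet("tcp", srv, 23, client, 40001)),
    }

if __name__ == "__main__":
    print(question1())
    print(question2())
```

Running it shows the two traps side by side: the inbound HTTP packet of Question 1 matches nothing and is denied with no sequence number (the implicit deny), while the reverse packet is denied by line 30; in Question 2 both SSH directions are permitted by entry 10 of the respective ACL, and both Telnet directions fall through because entry 20 tests the port on the wrong side of the connection.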

Question 3

Refer to the exhibit. Which three variables (router, protocol port, and router ACL direction) apply to an extended ACL that will prevent student 01 from securely browsing the internet?

A. OUT
B. Router 3
C. HTTPS
D. IN
E. Router 1


Answer: B C D

Explanation

There are 3 routers on which we could place this access list: Router 1, Router Main and Router 3. As a rule, an extended access list should be placed as close to the source as possible, so Router 3 is the best choice -> B is correct.

The traffic we need to filter here is “securely browsing the internet”, i.e. HTTPS (TCP port 443) -> C is correct.

Finally we should apply this access list in the inbound direction so that Router 3 drops the traffic before making a routing decision. This saves processing resources on Router 3 -> D is correct.

Question 4

Which two statements apply to dynamic access lists? (choose two)

A. they offer simpler management in large internetworks.
B. you can control logging messages.
C. they allow packets to be filtered based on upper-layer session information.
D. you can set a time-based security policy.
E. they provide a level of security against spoofing.
F. they are used to authenticate individual users.

Answer: A F

Explanation

Dynamic ACLs have the following security benefits over standard and static extended ACLs:

+ Use of a challenge mechanism to authenticate individual users
+ Simplified management in large internetworks
+ In many cases, reduction of the amount of router processing that is required for ACLs
+ Reduction of the opportunity for network break-ins by network hackers
+ Creation of dynamic user access through a firewall, without compromising other configured security restrictions

(Reference: CCNA Exploration 4 – Dynamic ACLs)

Question 5

Which command shows if an access list is assigned to an interface?

A. show ip interface [interface] access-lists
B. show ip access-lists interface [interface]
C. show ip interface [interface]
D. show ip access-lists [interface]


Answer: C

Explanation

The output of the “show ip interface [interface]” command includes two lines that report the access lists bound to the interface. For the interface in the exhibit the relevant lines look like this:

Outgoing access list is not set
Inbound access list is 1

In the output we can see that access list 1 is applied to this interface in the inbound direction.

Question 6

Which item represents the standard IP ACL?

A. access-list 50 deny 192.168.1.1 0.0.0.255
B. access-list 110 permit ip any any
C. access-list 2500 deny tcp any host 192.168.1.1 eq 22
D. access-list 101 deny tcp any host 192.168.1.1


Answer: A

Explanation

The standard access lists are numbered from 1 to 99 and from 1300 to 1999, so only access list 50 is a standard access list. Access lists 101 and 110 fall in the extended range (100 to 199) and 2500 in the expanded extended range (2000 to 2699); entries B, C and D also carry a protocol and a destination, which a standard ACL cannot express.

Question 7

Which statement about access lists that are applied to an interface is true?

A. you can apply only one access list on any interface
B. you can configure one access list, per direction, per layer 3 protocol
C. you can place as many access lists as you want on any interface
D. you can configure one access list, per direction, per layer 2 protocol

Answer: B

Explanation

We can have only 1 access list per layer 3 protocol, per direction and per interface. It means:

+ We can not have 2 inbound IP access lists on the same interface
+ We can have 1 inbound and 1 outbound IP access list on the same interface

Question 8

A network engineer wants to allow a temporary entry for a remote user with a specific username and password

so that the user can access the entire network over the internet. Which ACL can be used?

A. reflexive

B. extended

C. standard

D. dynamic

Answer: D

Explanation

We can use a dynamic access list to authenticate a remote user with a specific username and password. The authentication process is done by the router or a central access server such as a TACACS+ or RADIUS server.

The configuration of dynamic ACL can be read here: http://www.cisco.com/en/US/tech/tk583/tk822/technologies_tech_note09186a0080094524.shtml


Question 9

Which parameter does a standard access list take into consideration for traffic filtering decisions?

A. Source MAC address

B. Destination IP address

C. Destination MAC address

D. Source IP address

Answer: D

Question 10

In which solution is a router ACL used?

A. protecting a server from unauthorized access

B. controlling path selection, based on the route metric

C. reducing router CPU utilization

D. filtering packets that are passing through a router

Answer: D

Comments (364)

1. ian_arvin from the philippines

September 10th, 2013

Hi guys for those who have passed ccna 640-802 which dump is more reliable the one from spike or

acme? If u have new dumps kindly send to [email protected]

2. tani10

September 10th, 2013

Question 4

correct answers

A, D

3. ad

September 10th, 2013

q no 1…. ans should be A..its match…..

4. ad

September 10th, 2013

9tut…i love u :)


9. Richard

September 11th, 2013

tani 10,

pls. make sure you read about ACL, particularly time-based and dynamic :)

10. jasostrong

September 11th, 2013

Thanks 9tut. I made it. I passed my CCNA 200-120 today. The sim is Access-list 1 , Access-list 2 &

EIGRP. A lot of new questions like Netflow, Syslog, SNMP, VRRP, and GLBP.

11. inayat shah

September 13th, 2013

I am going to sit my CCNA exam on 28 Sep. Could anybody send me the latest Sim or all the Sim at 9tut

is still enough for CCNA 640-802 exam? please do inform and support me. Thank you.

E-mail: [email protected]

best regard!


12. Anonymous

September 13th, 2013

Which two statements apply to dynamic access lists? (choose two)

A. they offer simpler management in large internetworks.

B. you can control logging messages.

C. they allow packets to be filtered based on upper-layer session information.D. you can set a time-based security policy.

E. they provide a level of security against spoofing.

F. they are used to authenticate individual users.

*** THE ACME 486 DUMP SAYS THAT D & F ARE THE ANSWERS … CAN SOMEONE

EXPLAIN TO ME WHATS GOING ON ?? ***

Reposted… Please explain sir 9tut. Thank you.

13. Franz

September 13th, 2013

Which two statements apply to dynamic access lists? (choose two)

A. they offer simpler management in large internetworks.

B. you can control logging messages.C. they allow packets to be filtered based on upper-layer session information.

D. you can set a time-based security policy.

E. they provide a level of security against spoofing.

F. they are used to authenticate individual users.

*** THE ACME 486 DUMP SAYS THAT D & F ARE THE ANSWERS … CAN SOMEONE

EXPLAIN TO ME WHATS GOING ON ?? ***

14. Joe

September 13th, 2013

Franz/Anon, try a google…. https://supportforums.cisco.com/thread/2187794



Copyright © 2010-2013 CCNA Training
