4.5.2 Module Quiz – ACL Concepts Answers
1. Which two conditions would cause a router to drop a packet? (Choose two.)
- The ACL that is affecting the packet does not contain at least one deny ACE.
- No routing table entry exists for the packet destination, but the packet matches a permitted address in an outbound ACL.
- No outbound ACL exists on the interface where the packet exits the router.
- No inbound ACL exists on the interface where the packet enters the router.
- The packet source address does not match the source as permitted in a standard inbound ACE.
2. A network administrator configures an ACL with the command R1(config)# access-list 1 permit 172.16.0.0 0.0.15.255. Which two IP addresses will match this ACL statement? (Choose two.)
3. Which two statements describe appropriate general guidelines for configuring and applying ACLs? (Choose two.)
- Multiple ACLs per protocol and per direction can be applied to an interface.
- If a single ACL is to be applied to multiple interfaces, it must be configured with a unique number for each interface.
- The most specific ACL statements should be entered first because of the top-down sequential nature of ACLs.
- If an ACL contains no permit statements, all traffic is denied by default.
- Standard ACLs are placed closest to the source, whereas extended ACLs are placed closest to the destination.
4. What single access list statement matches all of the following networks?
- access-list 10 permit 192.168.16.0 0.0.3.255
- access-list 10 permit 192.168.0.0 0.0.15.255
- access-list 10 permit 192.168.16.0 0.0.0.255
- access-list 10 permit 192.168.16.0 0.0.15.255
5. Which three statements describe ACL processing of packets? (Choose three.)
- A packet can either be rejected or forwarded as directed by the ACE that is matched.
- A packet that does not match the conditions of any ACE will be forwarded by default.
- Each statement is checked only until a match is detected or until the end of the ACE list.
- Each packet is compared to the conditions of every ACE in the ACL before a forwarding decision is made.
- An implicit deny any rejects any packet that does not match any ACE.
- A packet that has been denied by one ACE can be permitted by a subsequent ACE.
6. A network administrator is configuring an ACL to restrict access to certain servers in the data center. The intent is to apply the ACL to the interface connected to the data center LAN. What happens if the ACL is incorrectly applied to an interface in the inbound direction instead of the outbound direction?
- All traffic is denied.
- All traffic is permitted.
- The ACL does not perform as designed.
- The ACL will analyze traffic after it is routed to the outbound interface.
7. Which scenario would cause an ACL misconfiguration and deny all traffic?
- Apply a standard ACL using the ip access-group out command.
- Apply a named ACL to a VTY line.
- Apply an ACL that has all deny ACE statements.
- Apply a standard ACL in the inbound direction.
8. In applying an ACL to a router interface, which traffic is designated as outbound?
- traffic that is leaving the router and going toward the destination host
- traffic that is coming from the source IP address into the router
- traffic for which the router can find no routing table entry
- traffic that is going from the destination IP address into the router
9. When creating an ACL, which keyword should be used to document and interpret the purpose of the ACL statement on a Cisco device?
10. Which location is recommended for extended numbered or extended named ACLs?
- a location as close to the destination of traffic as possible
- a location as close to the source of traffic as possible
- a location centered between traffic destinations and sources to filter as much traffic as possible
- if using the established keyword, a location close to the destination to ensure that return traffic is allowed
11. Which range represents all the IP addresses that are affected when network 10.120.160.0 with a wildcard mask of 0.0.7.255 is used in an ACE?
- 10.120.160.0 to 10.120.167.255
- 10.120.160.0 to 10.127.255.255
- 10.120.160.0 to 10.120.191.255
- 10.120.160.0 to 10.120.168.0
12. A college student is studying for the Cisco CCENT certification and is visualizing extended access lists. Which three keywords could immediately follow the keywords permit or deny as part of an extended access list? (Choose three.)
13. If the provided ACEs are in the same ACL, which ACE should be listed first in the ACL according to best practice?
- permit tcp 172.16.0.0 0.0.3.255 any established
- deny tcp any any eq telnet
- deny udp any host 172.16.1.5 eq snmptrap
- permit udp any any range 10000 20000
- permit udp 172.16.0.0 0.0.255.255 host 172.16.1.5 eq snmptrap
- permit ip any any
14. Which operator is used in an ACL statement to match packets of a specific application?
15. What two functions describe uses of access control lists? (Choose two.)
- ACLs assist a router in determining the best path to a destination.
- ACLs can control which areas a host can access on a network.
- ACLs provide a basic level of security for network access.
- Standard ACLs can filter traffic based on source and destination network addresses.
- Standard ACLs can restrict access to specific applications and ports.
16. Which three statements describe how an ACL processes packets? (Choose three.)
- A packet is compared with all ACEs in the ACL before a forwarding decision is made.
- A packet that has been denied by one ACE can be permitted by a subsequent ACE.
- An implicit deny at the end of an ACL rejects any packet that does not match an ACE.
- Each ACE is checked only until a match is detected or until the end of the ACL.
- If an ACE is matched, the packet is either rejected or forwarded, as directed by the ACE.
- If an ACE is not matched, the packet is forwarded by default.
17. Which three statements are best practices related to placement of ACLs? (Choose three.)
- Filter unwanted traffic before it travels onto a low-bandwidth link.
- For every inbound ACL placed on an interface, ensure that there is a matching outbound ACL.
- Place extended ACLs close to the destination IP address of the traffic.
- Place extended ACLs close to the source IP address of the traffic.
- Place standard ACLs close to the destination IP address of the traffic.
- Place standard ACLs close to the source IP address of the traffic.
18. Which two characteristics are shared by standard and extended ACLs? (Choose two.)
- Both filter packets for a specific destination host IP address.
- Both include an implicit deny as a final entry.
- Both permit or deny specific services by port number.
- They both filter based on protocol type.
- They can be created by using either descriptive names or numbers.
19. Which two statements describe a difference between the operation of inbound and outbound ACLs? (Choose two.)
- Inbound ACLs are processed before the packets are routed.
- Inbound ACLs can be used in both routers and switches.
- Multiple inbound ACLs can be applied to an interface.
- Multiple outbound ACLs can be applied to an interface.
- Outbound ACLs are processed after the routing is completed.
- Outbound ACLs can be used only on routers.
- Unlike outbound ACLs, inbound ACLs can be used to filter packets with multiple criteria.
20. In which configuration would an outbound ACL placement be preferred over an inbound ACL placement?
- When a router has more than one ACL
- When an interface is filtered by an outbound ACL and the network attached to the interface is the source network being filtered within the ACL
- When an outbound ACL is closer to the source of the traffic flow
- When the ACL is applied to an outbound interface to filter packets coming from multiple inbound interfaces before the packets exit the interface
21. What wildcard mask will match networks 10.16.0.0 through 10.19.0.0?
22. What type of ACL offers increased flexibility and control over network traffic?
- Named standard
- Numbered standard
23. Which statement describes a characteristic of standard IPv4 ACLs?
- They can be configured to filter traffic based on both source IP addresses and source ports.
- They can be created with a number but not with a name.
- They filter traffic based on destination IP addresses only.
- They filter traffic based on source IP addresses only.
24. What wildcard mask will match network 10.10.100.64/26?