5.5.4 Module Quiz – ACLs for IPv4 Configuration Answers
1. The computers used by the network administrators for a school are on the 10.7.0.0/27 network. Which two commands are needed at a minimum to apply an ACL that will ensure that only devices that are used by the network administrators will be allowed Telnet access to the routers? (Choose two.)
- access-class 5 in
- access-list standard VTY
permit 10.7.0.0 0.0.0.127 - access-list 5 permit 10.7.0.0 0.0.0.31
- ip access-group 5 in
- ip access-group 5 out
- access-list 5 deny any
2. Consider the configured access list.
R1# show access-lists extended IP access list 100 deny tcp host 10.1.1.2 host 10.1.1.1 eq telnet deny tcp host 10.1.2.2 host 10.1.2.1 eq telnet permit ip any any (15 matches)
What are two characteristics of this access list? (Choose two.)
- Only the 10.1.1.2 device can telnet to the router that has the 10.1.1.1 IP address assigned.
- The 10.1.2.1 device is not allowed to telnet to the 10.1.2.2 device.
- Any device can telnet to the 10.1.2.1 device.
- A network administrator would not be able to tell if the access list has been applied to an interface or not.
- Any device on the 10.1.1.0/24 network (except the 10.1.1.2 device) can telnet to the router that has the IP address 10.1.1.1 assigned.
- The access list has been applied to an interface.
3. Which command will verify the number of packets that are permitted or denied by an ACL that restricts SSH access?
- show ip interface brief
- show ip ssh
- show running-config
- show access-lists
4. Which access list statement permits HTTP traffic that is sourced from host 10.1.129.100 port 4300 and destined to host 192.168.30.10?
- access-list 101 permit tcp any eq 4300
- access-list 101 permit tcp 192.168.30.10 0.0.0.0 eq 80 10.1.0.0 0.0.255.255
- access-list 101 permit tcp 10.1.129.0 0.0.0.255 eq www 192.168.30.10 0.0.0.0 eq www
- access-list 101 permit tcp 10.1.128.0 0.0.1.255 eq 4300 192.168.30.0 0.0.0.15 eq www
- access-list 101 permit tcp host 192.168.30.10 eq 80 10.1.0.0 0.0.255.255 eq 4300
5. When configuring router security, which statement describes the most effective way to use ACLs to control Telnet traffic that is destined to the router itself?
- The ACL must be applied to each vty line individually.
- The ACL is applied to the Telnet port with the ip access-group command.
- The ACL should be applied to all vty lines in the in direction to prevent an unwanted user from connecting to an unsecured port.
- Apply the ACL to the vty Ilines without the in or out option required when applying ACLS to interfaces.
6. What packets would match the access control list statement that is shown below?
access-list 110 permit tcp 172.16.0.0 0.0.0.255 any eq 22
- any TCP traffic from the 172.16.0.0 network to any destination network
- SSH traffic from the 172.16.0.0 network to any destination network
- SSH traffic from any source network to the 172.16.0.0 network
- any TCP traffic from any host to the 172.16.0.0 network
7. Consider the access list command applied outbound on a router serial interface.
access-list 100 deny icmp 192.168.10.0 0.0.0.255 any echo reply
What is the effect of applying this access list command?
- Users on the 192.168.10.0/24 network are not allowed to transmit traffic to any other destination.
- The only traffic denied is ICMP-based traffic. All other traffic is allowed.
- The only traffic denied is echo-replies sourced from the 192.168.10.0/24 network. All other traffic is allowed.
- No traffic will be allowed outbound on the serial interface.
8. Consider the following output for an ACL that has been applied to a router via the access-class in command. What can a network administrator determine from the output that is shown?
R1# <output omitted> Standard IP access list 2 10 permit 192.168.10.0, wildcard bits 0.0.0.255 (2 matches) 20 deny any (1 match)
- Traffic from one device was not allowed to come into one router port and be routed outbound a different router port.
- Two devices were able to use SSH or Telnet to gain access to the router.
- Two devices connected to the router have IP addresses of 192.168.10.x.
- Traffic from two devices was allowed to enter one router port and be routed outbound to a different router port.
9. Which two commands will configure a standard ACL? (Choose two.)
- Router(config)# access-list 45 permit 192.168.200.4 host
- Router(config)# access-list 10 permit 10.20.5.0 0.255.255.255 any
- Router(config)# access-list 20 permit host 192.168.5.5 any any
- Router(config)# access-list 35 permit host 172.31.22.7
- Router(config)# access-list 90 permit 192.168.10.5 0.0.0.0
10. To facilitate the troubleshooting process, which inbound ICMP message should be permitted on an outside interface?
- time-stamp reply
- time-stamp request
- echo request
- echo reply
- router advertisement
11. What two ACEs could be used to deny IP traffic from a single source host 10.1.1.1 to the 192.168.0.0/16 network? (Choose two.)
- access-list 100 deny ip 192.168.0.0 0.0.255.255 10.1.1.1 0.0.0.0
- access-list 100 deny ip 192.168.0.0 0.0.255.255 host 10.1.1.1
- access-list 100 deny ip host 10.1.1.1 192.168.0.0 0.0.255.255
- access-list 100 deny ip 192.168.0.0 0.0.255.255 10.1.1.1 255.255.255.255
- access-list 100 deny ip 10.1.1.1 255.255.255.255 192.168.0.0 0.0.255.255
- access-list 100 deny ip 10.1.1.1 0.0.0.0 192.168.0.0 0.0.255.255
12. An administrator has configured an access list on R1 to allow SSH administrative access from host 172.16.1.100. Which command correctly applies the ACL?
- R1(config-line)# access-class 1 in
- R1(config-line)# access-class 1 out
- R1(config-if)# ip access-group 1 out
- R1(config-if)# ip access-group 1 in
13. Which two keywords can be used in an access control list to replace a wildcard mask or address and wildcard mask pair? (Choose two.)
- all
- any
- gt
- host
- most
- some
14. Which two packet filters could a network administrator use on an IPv4 extended ACL? (Choose two.)
- Computer type
- Destination MAC address
- Destination UDP port number
- ICMP message type
- Source TCP hello address
15. In the second ACE shown in the following example, port 400 was incorrectly specified instead of port 443. What is the best way to correct this error?
R1# show access-lists Extended IP access list SURFING 10 permit tcp 192.168.10.0 0.0.0.255 any eq www 20 permit tcp 192.168.10.0 0.0.0.255 any eq 400 R1#
- Copy the ACL into a text editor, correct the ACE, and recopy the ACE to the router.
- Create a new named ACL and apply it to the router interface.
- Enter permit tcp 192.168.10.0 0.0.0.255 any eq 443.
- Enter the no 20 keyword, and then enter permit tcp 192.168.10.0 0.0.0.255 any eq 443.
- Remove the entire ACL and then re-create it with the correct ACE.
16. A network administrator needs to configure a standard ACL so that only the workstation of the administrator with the IP address 10.1.1.10 can access the virtual terminal of the main router. Which two configuration commands can achieve the task? (Choose two.)
- R1(config)# access-list 10 permit host 10.1.1.10
- R1(config)# access-list 10 permit 10.1.1.10 255.255.255.0
- R1(config)# access-list 10 permit 10.1.1.10 255.255.255.255
- R1(config)# access-list 10 permit 10.1.1.10 0.0.0.0
- R1(config)# access-list 10 permit 10.1.1.10 0.0.0.255
17. A network administrator is writing a standard ACL to deny any traffic from the 10.10.0.0/16 network but permit all other traffic. Which two commands should be used? (Choose two.)
- R1(config)# access-list 55 deny any
- R1(config)# access-list 55 permit any
- R1(config)# access-list 55 host 10.10.0.0
- R1(config)# access-list 55 deny 10.10.0.0 0.0.255.255
- R1(config)# access-list 55 deny 10.10.0.0 255.255.0.0
- R1(config)# access-list 55 10.10.0.0 255.255.255.255
18. In the following example, you forgot to enter an ACE to deny the user at IP address 192.168.10.10. Which command would correctly enter the ACE to filter this address?
R1# show access-lists Extended IP access list PERMIT-NET 10 permit ip 192.168.10.0 0.0.0.255 any 20 permit ip 192.168.11.0 0.0.0.255 any R1#
- deny ip host 192.168.10.10
- 5 deny ip host 192.168.10.10
- 15 deny ip host 192.168.10.10
- 25 deny ip host 192.168.10.10
19. You create a standard ACL called PERMIT-VTY to permit only an administrative host vty access to the router. Which line configuration command would correctly apply this ACL to the vty lines?
- access-class PERMIT-VTY in
- access-class PERMIT-VTY out
- ip access-group PERMIT-VTY in
- ip access-group PERMIT-VTY out
20. What effect does the permit tcp 10.10.100 0.0.0.255 any eq www extended named ACE have when implemented inbound on a G0/0 interface?
- All TCP traffic is permitted, and all other traffic is denied.
- All traffic from 10.10.100/24 is permitted anywhere on any port.
- The command is rejected by the router because it is incomplete.
- Traffic originating from 10.10.100/24 is permitted to all TCP port 80 destinations.
21. What does the CLI prompt change to after you enter the command ip access-list extended AAAFILTER in global configuration mode?
- R1(config-ext-nacl)#
- R1(config-if)#
- R1(config-line)#
- R1(config-router)#
- R1(config-std-nacl)#