CCNA 2 Routing and Switching Essentials v5 Chapter 9: Access Control Lists – Check Your Understanding Questions Answers
1. What range of IP addresses is represented by the network and wildcard mask 192.168.70.0 0.0.0.127?
- 192.168.70.0 to 192.168.70.127
- 192.168.70.0 to 192.168.70.255
- 192.168.70.0 to 192.168.70.63
- 192.168.70.0 to 192.168.71.255
2. What range of IP addresses is represented by the network and wildcard mask 192.168.70.0 0.0.1.255?
- 192.168.70.0 to 192.168.71.255
- 192.168.70.0 to 192.168.70.255
- 192.168.70.0 to 192.168.73.255
- 192.168.70.0 to 192.168.76.255
3. What range of IP addresses is represented by the network and wildcard mask
172.16.32.0 0.0.15.255?
- 172.16.32.0 to 172.16.47.255
- 172.16.32.0 to 172.16.34.255
- 172.16.32.0 to 172.16.63.255
- 172.16.32.0 to 172.16.240.255
4. Which set of access control entries would allow all users on the 192.168.10.0/24 network to access a web server that is located at 172.17.80.1, but would not allow them to use Telnet?
- access-list 103 deny tcp host 192.168.10.0 any eq 23
access-list 103 permit tcp host 192.168.10.1 eq 80 - access-list 103 permit tcp 192.168.10.0 0.0.0.255 any eq 80
access-list 103 deny tcp 192.168.10.0 0.0.0.255 any eq 23 - access-list 103 permit 192.168.10.0 0.0.0.255 host 172.17.80.1
access-list 103 deny tcp 192.168.10.0 0.0.0.255 any eq telnet - access-list 103 permit tcp 192.168.10.0 0.0.0.255 host 172.17.80.1 eq 80
access-list 103 deny tcp 192.168.10.0 0.0.0.255 any eq 23
Explanation: For an extended ACL to meet these requirements the following need to be included in the access control entries:
- identification number in the range 100-199 or 2000-2699
- permit or deny parameter
- protocol
- source address and wildcard
- destination address and wildcard
- port number or name
5. In applying an ACL to a router interface, which traffic is designated as outbound?
- Traffic that is coming from the source IP address into the router
- Traffic that is leaving the router and going toward the destination host
- Traffic that is going from the destination IP address into the router
- Traffic for which the router can find no routing table entry
Explanation: Inbound and outbound are interpreted from the point of view of the router. Traffic that is designated in an inbound ACL will be denied or permitted when coming into that router interface from a source. Traffic that is designated in an outbound ACL will be denied or permitted when going out the interface to the destination.
6. In the creation of an IPv6 ACL, what is the purpose of the implicit final command entries permit icmp any any nd-na and permit icmp any any nd-ns?
- To allow IPv6 to MAC address resolution
- To allow forwarding of IPv6 multicast packets
- To allow automatic address configuration
- To allow forwarding of ICMPv6 packets
Explanation: IPv6 address to MAC address resolution is performed through the exchange of ICMPv6 neighbor discovery packets comprised of neighbor solicitation and neighbor advertisement packets. Unless these packets are permitted on a router interface, the interface will not be able to perform MAC address resolution.
7. What is the effect of the established parameter in an extended ACL?
- Blocks all incoming traffic from reaching a network
- Allows external traffic into a network only if it is part of an existing connection with an internal host
- Allows external sources to send unsolicited requests for information to source IP addresses in the network
- Allows traffic from a permitted source address to go to any destination outside the network
8. ACLs are used primarily to filter traffic. What are two additional uses of ACLs? (Choose two.)
- Specifying source addresses for authentication
- Specifying internal hosts for NAT
- Identifying traffic for QoS
- Reorganizing traffic into VLANs
- Filtering VTP packets
Explanation: ACLs are used to filter traffic to determine which packets will be permitted or denied through the router and which packets will be subject to policy-based routing. ACLs can also be used to identify traffic that requires NAT and QoS services. Prefix lists are used to control which routes will be redistributed or advertised to other routers.
9. Which two statements are correct about extended ACLs? (Choose two.)
- Extended ACLs use a number range from 1 through 99.
- Extended ACLs end with an implicit permit statement.
- Extended ACLs evaluate the source and destination addresses.
- Port numbers can be used to add greater definition to an ACL.
- Multiple ACLs can be placed on the same interface as long as they are in the same direction.
Explanation: Extended ACLs can be used for precise traffic-filtering. Extended ACLs check for both source and destination addresses of packets. They also check the protocols and port numbers (or services), thus allowing for a greater range of criteria on which to base the ACL.
10. Which command is used to activate an IPv6 ACL named ENG_ACL on an interface so that the router filters traffic prior to accessing the routing table?
- access-group ipv6_ENG_ACL in
- access-group ipv6_ENG_ACL out
- ipv6 access-class ENG_ACL in
- ipv6 access-class ENG_ACL out
- ipv6 traffic-filter ENG_ACL in
- ipv6 traffic-filter ENG_ACL out
Explanation: For the purpose of applying an access list to a particular interface, the ipv6 traffic-filter IPv6 command is equivalent to the access-group IPv4 command. The direction in which the traffic is examined (in or out) is also required.