CCNA 2 v6 Chapter 7: Check Your Understanding Questions Answers

CCNA 2 v6.0 (Routing & Switching Essentials v6) Chapter 7: Access Control Lists: Check Your Understanding Questions Answers

1. Which three statements describe ACL processing of packets? (Choose three.)

  • A packet can either be rejected or forwarded as directed by the ACE that is matched.
  • A packet that does not match the conditions of any ACE will be forwarded by default.
  • A packet that has been denied by one ACE can be permitted by a subsequent ACE.
  • An implicit deny any rejects any packet that does not match any ACE.
  • Each packet is compared to the conditions of every ACE in the ACL before a forwarding decision is made.
  • Each statement is checked only until a match is detected or until the end of the ACE list.

Explanation: Packets not matching an ACE are implicitly denied. After a packet matches an ACE, it is no longer processed by the ACL.

2. What two functions describe uses of an access control list? (Choose two.)

  • ACLs assist the router in determining the best path to a destination.
  • ACLs can control which areas a host can access on a network.
  • ACLs can permit or deny traffic based upon the MAC address originating on the router.
  • ACLs provide a basic level of security for network access.
  • Standard ACLs can restrict access to specific applications and ports.

Explanation: ACLs can be configured as a simple firewall that provides security using basic traffic filtering capabilities. ACLs are used to filter host traffic by allowing or blocking matching packets to networks.

3. In which configuration would an outbound ACL placement be preferred over an inbound ACL placement?

  • When a router has more than one ACL
  • When an interface is filtered by an outbound ACL and the network attached to the interface is the source network being filtered within the ACL
  • When an outbound ACL is closer to the source of the traffic flow
  • When the ACL is applied to an outbound interface to filter packets coming from multiple inbound interfaces before the packets exit the interface

Explanation: An outbound ACL should be utilized when the same ACL filtering rules will be applied to packets coming from more than one inbound interface before exiting a single outbound interface. The outbound ACL will be applied on the single outbound interface.

4. A network administrator needs to configure a standard ACL so that only the workstation of the administrator with the IP address can access the virtual terminal of the main router. Which two configuration commands can achieve the task? (Choose two.)

  • R1(config)# access-list 10 permit
  • R1(config)# access-list 10 permit
  • R1(config)# access-list 10 permit
  • R1(config)# access-list 10 permit
  • R1(config)# access-list 10 permit host

Explanation: To permit or deny one specific IP address, either the wildcard mask (used after the IP address) or the wildcard mask keyword host (used before the IP address) can be used.

5. What single access-list statement matches networks,,, and

  • access-list 10 permit
  • access-list 10 permit
  • access-list 10 permit
  • access-list 10 permit

Explanation: The ACL statement access-list 10 permit will match all four network prefixes. All four prefixes have the same 22 high-order bits. These 22 high-order bits are matched by the network prefix and wildcard mask of

6. If a router has two interfaces and is routing both IPv4 and IPv6 traffic, how many ACLs could be created and applied to it?

  • 4
  • 6
  • 8
  • 12
  • 16

Explanation: In calculating how many ACLs can be configured, use the rule of “three Ps”: one ACL per protocol, per direction, per interface. In this case, 2 interfaces times 2 protocols times 2 directions yields 8 possible ACLs.

7. Which three statements are generally considered to be best practices in the placement of ACLs? (Choose three.)

  • Filter unwanted traffic before it travels onto a low-bandwidth link.
  • For every inbound ACL placed on an interface, there should be a matching outbound ACL.
  • Place extended ACLs close to the destination IP address of the traffic.
  • Place extended ACLs close to the source IP address of the traffic.
  • Place standard ACLs close to the source IP address of the traffic.
  • Place standard ACLs close to the destination IP address of the traffic.

Explanation: Extended ACLs should be placed as close as possible to the source IP address so that traffic that needs to be filtered does not cross the network and use network resources. Because standard ACLs do not specify a destination address, they should be placed as close to the destination as possible. Placing a standard ACL close to the source may filter all traffic and limit services to other hosts. Filtering unwanted traffic before it enters low-bandwidth links preserves bandwidth and supports network functionality. Decisions on placing ACLs inbound or outbound are dependent on the requirements to be met.

8. An administrator has configured an access list on R1 to allow SSH administrative access from host Which command correctly applies the ACL?

  • R1(config-line)# access-class 1 in
  • R1(config-line)# access-class 1 out
  • R1(config-if)# ip access-group 1 in
  • R1(config-if)# ip access-group 1 out

Explanation: Administrative access over SSH to the router is through the vty lines. Therefore, the ACL must be applied to those lines in the inbound direction. This is accomplished by entering line configuration mode and issuing the access-class command.

9. Which statement describes a difference between the operation of inbound and outbound ACLs?

  • On a network interface, more than one inbound ACL can be configured, but only one outbound ACL can be configured.
  • Inbound ACLs are processed before the packets are routed, whereas outbound ACLs are processed after the routing is completed.
  • Inbound ACLs can be used in both routers and switches, but outbound ACLs can be used only on routers.
  • In contrast to outbound ALCs, inbound ACLs can be used to filter packets with multiple criteria.

Explanation: With an inbound ACL, incoming packets are processed before they are routed. With an outbound ACL, packets are first routed to the outbound interface; then they are processed. Thus, processing inbound is more efficient from the router perspective. The structure, filtering methods, and limitations (on an interface, only one inbound and one outbound ACL can be configured) are the same for both types of ACLs.

Notify of

Inline Feedbacks
View all comments