CCNA 200-125 Exam: Access list Questions With Answers

  1. Which identification number is valid for an extended ACL?
    • A. 1
    • B. 64
    • C. 99
    • D. 100*
    • E. 299
    • F. 1099

    Explanation/Reference:
    Below are the ranges of standard and extended access lists:

    Access list type    Range
    Standard            1-99, 1300-1999
    Extended            100-199, 2000-2699

    In most cases we only need to remember that 1-99 is dedicated to standard access lists while 100-199 is dedicated to extended access lists.

  2. Which statement about named ACLs is true?
    • A. They support standard and extended ACLs.*
    • B. They are used to filter usernames and passwords for Telnet and SSH.
    • C. They are used to filter Layer 7 traffic.
    • D. They support standard ACLs only.
    • E. They are used to rate limit traffic destined to targeted networks.

    Explanation/Reference:
    The syntax of a named ACL is:

    ip access-list {standard | extended} {name | number}

    Therefore we can configure a standard ACL with the keyword “standard” and an extended ACL with the keyword “extended”. For example, this is how to configure a named extended access-list:

    Router(config)#ip access-list extended in_to_out
    Router(config-ext-nacl)#permit tcp host 10.0.0.1 host 187.100.1.6 eq telnet

  3. Which range represents the standard access list?
    • A. 99*
    • B. 150
    • C. 299
    • D. 2000

    Explanation/Reference:
    Below are the ranges of standard and extended access lists:

    Access list type    Range
    Standard            1-99, 1300-1999
    Extended            100-199, 2000-2699

  4. A network engineer wants to allow a temporary entry for a remote user with a specific username and password so that the user can access the entire network over the internet. Which ACL can be used?
    • A. reflexive
    • B. extended
    • C. standard
    • D. dynamic*

    Explanation/Reference:
    We can use a dynamic access list to authenticate a remote user with a specific username and password. The authentication process is done by the router or a central access server such as a TACACS+ or RADIUS server. The configuration of a dynamic ACL can be read here: http://www.cisco.com/en/US/tech/tk583/tk822/technologies_tech_note09186a0080094524.shtml

  5. Which statement about ACLs is true?
    • A. An ACL must have at least one permit action, else it just blocks all traffic.*
    • B. ACLs go bottom-up through the entries looking for a match
    • C. An ACL has an implicit permit at the end of the ACL.
    • D. ACLs will check the packet against all entries looking for a match.

  6. Which action can change the order of entries in a named access-list?
    • A. removing an entry
    • B. opening the access-list in notepad
    • C. adding an entry
    • D. resequencing*

    Explanation/Reference:
    You can check the named access-list with the “show ip access-list” (or “show access-list”) command:

    R1#show ip access-list
    Standard IP access list nat_traffic
        10 permit 10.1.0.0, wildcard bits 0.0.255.255
        15 permit 10.2.0.0, wildcard bits 0.0.255.255
        20 permit 10.3.0.0, wildcard bits 0.0.255.255

    We can resequence a named access-list with the command “ip access-list resequence access-list-name starting-sequence-number increment”. For example:

    R1(config)#ip access-list resequence nat_traffic 100 10

    Then we can check this access-list again:

    R1#show ip access-list
    Standard IP access list nat_traffic
        100 permit 10.1.0.0, wildcard bits 0.0.255.255
        110 permit 10.2.0.0, wildcard bits 0.0.255.255
        120 permit 10.3.0.0, wildcard bits 0.0.255.255

    We can see the starting sequence number is now 100 and the increment is 10. Note that resequencing an access-list does not actually change the order of the entries inside it, but it is the best choice in this question. Adding or removing an entry does not change the order of entries. Perhaps this question should be understood as “how to renumber the entries in a named access-list”.

  7. Which of the following are the valid numbers of standard ACL? (Choose two)
    • A. 50*
    • B. 1550*
    • C. 150
    • D. 1250
    • E. 2050

    Explanation/Reference:
    The range of standard ACLs is 1-99, 1300-1999, so 50 and 1550 are two valid numbers.

  8. A host is able to ping a web server but it is not able to make an HTTP request. What is the most likely cause of the problem?
    • A. ACL blocking port 23
    • B. ACL blocking all ports
    • C. ACL blocking port 80*
    • D. ACL blocking port 443
    • E. None of the above

  9. Which item represents the standard IP ACL?
    • A. Access-list 110 permit any any
    • B. Access-list 50 deny 192.168.1.1 0.0.0.255*
    • C. Access-list 101 deny tcp any host 192.168.1.1
    • D. Access-list 2500 deny tcp any host 192.168.1.1 eq 22

    Explanation/Reference:
    The range of standard ACLs is 1-99, 1300-1999, so 50 is a valid number for a standard ACL.

  10. While troubleshooting a connection problem on a computer, you determined that the computer can ping a specific web server but it cannot connect to TCP port 80 on that server. Which reason for the problem is most likely true?
    • A. A VLAN number is incorrect
    • B. An ARP table entry is missing
    • C. A route is missing
    • D. An ACL is blocking the TCP port*

  11. Which command can you enter to block HTTPS traffic from the whole class A private network range to a host?
    • A. R1(config)#access-list 105 deny tcp 10.1.0.0 0.0.255.255 40.0.0.2 0.0.0.0 eq 443
    • B. R1(config)#access-list 105 deny tcp 10.1.0.0 0.0.255.255 40.0.0.2 0.0.0.0 eq 53
    • C. R1(config)#access-list 105 deny tcp 10.0.0.0 0.255.255.255 40.0.0.2 0.0.0.0 eq 53
    • D. R1(config)#access-list 105 deny tcp 10.0.0.0 0.255.255.255 40.0.0.2 0.0.0.0 eq 443*
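
Questions 5, 10 and 11 rest on the same rules: entries are checked top-down, the first match decides, wildcard 1-bits are ignored, and anything unmatched hits the implicit deny. The following is an added example (not part of the original quiz) that evaluates options A and D of question 11 under those rules; the trailing `permit ip any any` entry and the test host addresses are constructed for illustration.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """True if addr equals base on every bit where the wildcard bit is 0."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF          # wildcard 1-bits are "don't care"
    return (a & care) == (b & care)

def _addr(tokens):
    """Consume one address spec: 'any', 'host A' or 'A WILDCARD'."""
    first = tokens.pop(0)
    if first == "any":
        return ("0.0.0.0", "255.255.255.255")
    if first == "host":
        return (tokens.pop(0), "0.0.0.0")
    return (first, tokens.pop(0))

def parse_ace(line):
    """Parse 'access-list N {permit|deny} PROTO SRC DST [eq PORT]' (numeric ports only)."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported entry: {line!r}")
    rest = t[4:]
    src, dst = _addr(rest), _addr(rest)
    port = int(rest[1]) if rest[:1] == ["eq"] else None
    return t[2], t[3], src, dst, port

def evaluate(acl_lines, proto, src, dst, dport=None):
    """Check entries top-down; the first match decides, otherwise implicit deny."""
    for line in acl_lines:
        action, ace_proto, ace_src, ace_dst, ace_port = parse_ace(line)
        if ace_proto not in ("ip", proto):
            continue
        if not (wildcard_match(src, *ace_src) and wildcard_match(dst, *ace_dst)):
            continue
        if ace_port is not None and ace_port != dport:
            continue
        return action
    return "implicit deny"

# Options A and D from question 11; the final permit line is constructed for this example.
PERMIT_REST = "access-list 105 permit ip any any"
OPTION_A = ["access-list 105 deny tcp 10.1.0.0 0.0.255.255 40.0.0.2 0.0.0.0 eq 443", PERMIT_REST]
OPTION_D = ["access-list 105 deny tcp 10.0.0.0 0.255.255.255 40.0.0.2 0.0.0.0 eq 443", PERMIT_REST]

if __name__ == "__main__":
    for name, acl in (("A", OPTION_A), ("D", OPTION_D)):
        # 10.200.3.4 is a constructed host inside 10.0.0.0/8 but outside 10.1.0.0/16
        print(name, evaluate(acl, "tcp", "10.200.3.4", "40.0.0.2", 443))
```

Option A only covers 10.1.0.0/16, so HTTPS from the rest of the class A private range falls through to the permit; dropping the permit line shows every other flow landing on the implicit deny.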