CCNA 4 v6 Chapter 4: Check Your Understanding Questions Answers

CCNA 4 v6.0 (Connecting Networks v6) Chapter 4: Access Control Lists: Check Your Understanding Questions Answers

1. Which three statements describe ACL processing of packets? (Choose three.)

  • A packet can either be rejected or forwarded as directed by the ACE that is matched.
  • A packet that does not match the conditions of any ACE will be forwarded by default.
  • A packet that has been denied by one ACE can be permitted by a subsequent ACE.
  • An implicit deny any rejects any packet that does not match any ACE.
  • Each statement is checked only until a match is detected or until the end of the ACE list.
  • Each packet is compared to the conditions of every ACE in the ACL before a forwarding decision is made.

Explanation: If the information in a packet header and an ACL statement match, the rest of the statements in the list are skipped, and the packet is permitted or denied as specified by the matched statement. If a packet header does not match an ACL statement, the packet is tested against the next statement in the list. This matching process continues until the end of the list is reached. At the end of every ACL is an implicit deny any statement, which is applied to all packets for which no condition tested true and results in a “deny” action.

2. What two functions describe uses of an access control list? (Choose two.)

  • ACLs assist the router in determining the best path to a destination.
  • ACLs can control which areas a host can access on a network.
  • ACLs can permit or deny traffic based on the MAC address originating on the router.
  • ACLs provide a basic level of security for network access.
  • Standard ACLs can restrict access to specific applications and ports.

Explanation: ACLs can be configured as a simple firewall that provides security using basic traffic filtering capabilities. ACLs filter host traffic by permitting or denying matching packets, which controls which networks a host is allowed to reach.

3. In which configuration would an outbound ACL placement be preferred over an inbound ACL placement?

  • When a router has more than one ACL
  • When an interface is filtered by an outbound ACL and the network attached to the interface is the source network being filtered within the ACL
  • When an outbound ACL is closer to the source of the traffic flow
  • When the ACL is applied to an outbound interface to filter packets coming from multiple inbound interfaces before the packets exit the interface

Explanation: An outbound ACL should be utilized when the same ACL filtering rules will be applied to packets coming from more than one inbound interface before exiting a single outbound interface. The outbound ACL will be applied on the single outbound interface.

4. Which two characteristics are shared by both standard and extended ACLs? (Choose two.)

  • Both kinds of ACLs can filter based on protocol type.
  • Both can permit or deny specific services by port number.
  • Both include an implicit deny as a final entry.
  • Both filter packets for a specific destination host IP address.
  • Both can be created by using either a descriptive name or number.

Explanation: Standard ACLs filter traffic based solely on a specified source IP address. Extended ACLs can filter by source or destination, protocol, or port. Both standard and extended ACLs contain an implicit deny as a final ACE. Standard and extended ACLs can be identified by either names or numbers.

5. A network administrator needs to configure a standard ACL so that only the workstation of the administrator with the IP address 192.168.15.23 can access the virtual terminal of the main router. Which two configuration commands can achieve the task? (Choose two.)

  • R1(config)# access-list 10 permit host 192.168.15.23
  • R1(config)# access-list 10 permit 192.168.15.23 0.0.0.0
  • R1(config)# access-list 10 permit 192.168.15.23 0.0.0.255
  • R1(config)# access-list 10 permit 192.168.15.23 255.255.255.0
  • R1(config)# access-list 10 permit 192.168.15.23 255.255.255.255

Explanation: To permit or deny one specific IP address, you can use either the wildcard mask 0.0.0.0 (used after the IP address) or the wildcard mask keyword host (used before the IP address).

6. Which three statements are generally considered to be best practices in the placement of ACLs? (Choose three.)

  • Filter unwanted traffic before it travels onto a low-bandwidth link.
  • For every inbound ACL placed on an interface, there should be a matching outbound ACL.
  • Place extended ACLs close to the destination IP address of the traffic.
  • Place extended ACLs close to the source IP address of the traffic.
  • Place standard ACLs close to the destination IP address of the traffic.
  • Place standard ACLs close to the source IP address of the traffic.

Explanation: Extended ACLs should be placed as close as possible to the source IP address so that traffic that needs to be filtered does not cross the network and use network resources. Because standard ACLs do not specify a destination address, they should be placed as close to the destination as possible. Placing a standard ACL close to the source may have the effect of filtering all traffic and limiting services to other hosts. Filtering unwanted traffic before it enters low-bandwidth links preserves bandwidth and supports network functionality. Decisions on placing ACLs inbound or outbound are dependent on the requirements to be met.

7. What packets match access-list 110 permit tcp 172.16.0.0 0.0.0.255 any eq 22?

  • Any TCP traffic from any host to the 172.16.0.0 network
  • Any TCP traffic from the 172.16.0.0 network to any destination network
  • SSH traffic from any source network to the 172.16.0.0 network
  • SSH traffic from the 172.16.0.0 network to any destination network

Explanation: The access-list 110 permit tcp 172.16.0.0 0.0.0.255 any eq 22 ACE will match traffic on port 22, which is SSH, that is sourced from network 172.16.0.0/24 with any destination.
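The matching rules behind questions 1, 5 and 7 (top-down first match, wildcard masks, the implicit deny any) can be checked with this small ACL evaluator. It is an added example, not code from the curriculum; the ACE class, match_addr and evaluate are hypothetical helpers, and the sample packets are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class ACE:
    action: str            # "permit" or "deny"
    proto: str             # "ip" matches every IP protocol; otherwise "tcp", "udp", "icmp"
    src: str               # "any", "host A.B.C.D", or "A.B.C.D W.X.Y.Z" (address + wildcard)
    dst: str = "any"       # standard ACLs specify only a source, so dst defaults to any
    dport: Optional[int] = None  # "eq N" destination port; None means any port

def match_addr(spec: str, addr: str) -> bool:
    """Wildcard-mask match: a 1 bit in the wildcard means 'do not care'."""
    if spec == "any":
        return True
    parts = spec.split()
    base, wild = (parts[1], "0.0.0.0") if parts[0] == "host" else parts
    care = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(addr)) & care == int(ipaddress.IPv4Address(base)) & care

def evaluate(acl: list, proto: str, src: str, dst: str, dport: Optional[int] = None) -> str:
    """Top-down, first match wins; fall through to the implicit 'deny any'."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not (match_addr(ace.src, src) and match_addr(ace.dst, dst)):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action          # remaining ACEs are skipped
    return "deny"                  # implicit deny any at the end of every ACL

# Question 5: access-list 10 permit host 192.168.15.23
ACL_10 = [ACE("permit", "ip", "host 192.168.15.23")]
# Question 5, wrong option: wildcard 0.0.0.255 ignores the whole last octet
ACL_10_TOO_BROAD = [ACE("permit", "ip", "192.168.15.23 0.0.0.255")]
# Question 7: access-list 110 permit tcp 172.16.0.0 0.0.0.255 any eq 22
ACL_110 = [ACE("permit", "tcp", "172.16.0.0 0.0.0.255", "any", 22)]
# Question 1: an earlier deny is never overridden by a later permit
ACL_FIRST_MATCH = [ACE("deny", "ip", "host 10.0.0.1"), ACE("permit", "ip", "any")]

if __name__ == "__main__":
    print(evaluate(ACL_10, "ip", "192.168.15.23", "10.1.1.1"))           # permit
    print(evaluate(ACL_10, "ip", "192.168.15.24", "10.1.1.1"))           # deny (implicit)
    print(evaluate(ACL_10_TOO_BROAD, "ip", "192.168.15.99", "10.1.1.1")) # permit (unintended)
    print(evaluate(ACL_110, "tcp", "172.16.0.7", "203.0.113.9", 22))     # permit
    print(evaluate(ACL_110, "tcp", "203.0.113.9", "172.16.0.7", 22))     # deny: source is checked
    print(evaluate(ACL_FIRST_MATCH, "ip", "10.0.0.1", "10.0.0.2"))       # deny
```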

8. Which statement describes a difference between the operation of inbound and outbound ACLs?

  • In contrast to outbound ACLs, inbound ACLs can be used to filter packets with multiple criteria.
  • Inbound ACLs are processed before the packets are routed, whereas outbound ACLs are processed after the routing is completed.
  • Inbound ACLs can be used in both routers and switches, but outbound ACLs can be used only on routers.
  • On a network interface, more than one inbound ACL can be configured, but only one outbound ACL can be configured.

Explanation: With an inbound ACL, incoming packets are processed before they are routed. With an outbound ACL, packets are first routed to the outbound interface, and then they are processed. Thus, processing inbound is more efficient from the router perspective. The structure, filtering methods, and limitations (on an interface, only one inbound and one outbound ACL can be configured) are the same for both types of ACLs.

9. What is a limitation when utilizing both IPv4 and IPv6 ACLs on a router?

  • A device can run only IPv4 ACLs or IPv6 ACLs.
  • Both IPv4 and IPv6 ACLs can be configured on a single device but cannot share the same name.
  • IPv4 ACLs can be numbered or named, whereas IPv6 ACLs must be numbered.
  • IPv6 ACLs perform the same functions as standard IPv4 ACLs.

Explanation: IPv4 and IPv6 ACLs can be configured on the same device as long as they utilize different ACL names. IPv6 ACLs provide the same functionality as named IPv4 extended ACLs but cannot have the same name as any IPv4 ACLs.

10. What method is used to apply an IPv6 ACL to a router interface?

  • The use of the access-class command
  • The use of the ip access-group command
  • The use of the ipv6 access-list command
  • The use of the ipv6 traffic-filter command

Explanation: A network administrator will use the ipv6 traffic-filter command within interface configuration mode to apply an IPv6 ACL.

11. Which IPv6 ACL command entry will permit traffic from any host to an SMTP server on network 2001:DB8:10:10::/64?

  • permit tcp any host 2001:DB8:10:10::100 eq 23
  • permit tcp any host 2001:DB8:10:10::100 eq 25
  • permit tcp host 2001:DB8:10:10::100 any eq 23
  • permit tcp host 2001:DB8:10:10::100 any eq 25

Explanation: The IPv6 access list statement, permit tcp any host 2001:DB8:10:10::100 eq 25, will allow IPv6 packets from any host to the SMTP server at 2001:DB8:10:10::100. The source of the packet is listed first in the ACL, which in this case is any source, and the destination is listed second, in this case the IPv6 address of the SMTP server. The port number is last in the statement, port 25, which is the well-known port for SMTP.

12. Which feature is unique to IPv6 ACLs when compared to those of IPv4 ACLs?

  • An implicit deny any any ACE
  • An implicit permit of neighbor discovery packets
  • The use of named ACL entries
  • The use of wildcard masks

Explanation: One of the major differences between IPv6 and IPv4 ACLs is the two implicit permit ACEs at the end of every IPv6 ACL. These two permit ACEs allow neighbor discovery operations to function on the router interface.

13. Which three implicit access control entries are automatically added to the end of an IPv6 ACL? (Choose three.)

  • deny icmp any any
  • deny ip any any
  • deny ipv6 any any
  • permit icmp any any nd-na
  • permit icmp any any nd-ns
  • permit ipv6 any any

Explanation: All IPv6 ACLs automatically include two implicit permit statements: permit icmp any any nd-ns and permit icmp any any nd-na. These statements allow the router interface to perform neighbor discovery operations. An implicit deny ipv6 any any is also automatically included at the end of every IPv6 ACL; it blocks all IPv6 packets not otherwise permitted.

14. What is the only type of ACL available for IPv6?

  • Named extended
  • Named standard
  • Numbered extended
  • Numbered standard

Explanation: Unlike IPv4, IPv6 has only one type of access list and that is the named extended access list.
