Chapter 21: Quiz – Troubleshooting ACLs and Prefix Lists (Answers) CCNPv8 ENARSI

1. ACLs are used primarily to filter traffic. What are two additional uses of ACLs? (Choose two.)

  • specifying source addresses for authentication
  • specifying internal hosts for NAT
  • identifying traffic for QoS
  • reorganizing traffic into VLANs
  • filtering VTP packets

Explanation: ACLs are used to filter traffic to determine which packets will be permitted or denied through the router and which packets will be subject to policy-based routing. ACLs can also be used to identify traffic that requires NAT and QoS services. Prefix lists are used to control which routes will be redistributed or advertised to other routers.

2. Which set of access control entries would allow all users on the 192.168.10.0/24 network to access a web server that is located at 172.17.80.1, but would not allow them to use Telnet?

  • access-list 103 deny tcp host 192.168.10.0 any eq 23
    access-list 103 permit tcp host 192.168.10.1 eq 80
  • access-list 103 permit 192.168.10.0 0.0.0.255 host 172.17.80.1
    access-list 103 deny tcp 192.168.10.0 0.0.0.255 any eq telnet
  • access-list 103 permit tcp 192.168.10.0 0.0.0.255 host 172.17.80.1
    access-list 103 deny tcp 192.168.10.0 0.0.0.255 any eq 23
  • access-list 103 permit tcp 192.168.10.0 0.0.0.255 any eq 80
    access-list 103 deny tcp 192.168.10.0 0.0.0.255 any eq 23

Explanation: For an extended ACL to meet these requirements the following need to be included in the access control entries:

  • identification number in the range 100-199 or 2000-2699
  • permit or deny parameter
  • protocol
  • source address and wildcard
  • destination address and wildcard
  • port number or name

3. Which packet types are implicitly permitted by IPv6 ACLs?

  • router solicitation packets
  • IPv6 unicast packets
  • neighbor discovery packets
  • ping packets

Explanation: IPv6 access lists include two implicit permit entries by default. These two permit entries allow neighbor solicitation and neighbor advertisement packets (both of which are part of the neighbor discovery protocol) to pass through the interface for IPv6 to MAC address resolution.

4. Which command is used to activate an IPv6 ACL named ENG_ACL on an interface so that the router filters traffic prior to accessing the routing table?

  • ipv6 access-class ENG_ACL in
  • ipv6 access-class ENG_ACL out
  • ipv6 traffic-filter ENG_ACL in
  • ipv6 traffic-filter ENG_ACL out

Explanation: For the purpose of applying an access list to a particular interface, the ipv6 traffic-filter IPv6 command is equivalent to the access-group IPv4 command. The direction in which the traffic is examined (in or out) is also required.

5. Refer to the exhibit. A network administrator wants to create a standard ACL to prevent network 1 traffic from being transmitted to the Research and Development network. On which router interface and in which direction should the standard ACL be applied?

Chapter 21: Quiz - Troubleshooting ACLs and Prefix Lists (Answers) CCNPv8 ENARSI 3

  • R1 Gi0/0 inbound
  • R1 Gi0/0 outbound
  • R1 S0/0/0 outbound
  • R2 S0/0/0 inbound
  • R2 Gi0/0 outbound
  • R2 Gi0/0 inbound

Explanation: Standard ACLs can only specify source addresses, so the standard ACL would contain the network 1 address and appropriate wildcard mask. Also, because standard ACLs can only contain source addresses, the ACL should be placed as close to the destination as possible. The destination is the Research and Development LAN. The R2 Gi0/0 interface is that destination. By tracing the path that the packets will take starting with network 1 and traveling to the Research and Development network, a student can determine that the packets would be coming out of the R2 Gi0/0 interface.

6. Which IPv4 address range covers all IP addresses that match the ACL filter specified by 172.16.2.0 with wildcard mask 0.0.1.255?

  • 172.16.2.0 to 172.16.2.255
  • 172.16.2.1 to 172.16.3.254
  • 172.16.2.0 to 172.16.3.255
  • 172.16.2.1 to 172.16.255.255

Explanation: The wildcard mask 0.0.1.255 means the first 23 bits are matched and the last 9 bits are ignored. That is, a matching IP address should be from 172.16.2.0 to 172.16.3.255 (where last 9 bits are from all 0s to all 1s and any value between).

7. Which two keywords can be used in an access control list to replace a wildcard mask or address and wildcard mask pair? (Choose two.)

  • most
  • host
  • all
  • any
  • some
  • gt

Explanation: The two keywords that can be used when configuring ACLs are host and any. The host keyword is equivalent to using the 0.0.0.0 wildcard mask and the any keyword could be used instead of the 255.255.255.255 wildcard mask.

8. Refer to the exhibit. A network administrator is configuring an IPv6 ACL to allow hosts on the 2001:DB8:CAFÉ:10::/64 network to access remote web servers, except for PC1. However, a user on PC1 can successfully access the web server PC2. Why is this possible?

Chapter 21: Quiz - Troubleshooting ACLs and Prefix Lists (Answers) CCNPv8 ENARSI 4

  • The IPv6 ACL Deny_WEB is spelled incorrectly when applied to the interface.
  • The IPv6 ACL Deny_WEB is applied to the wrong interface of router R1.
  • The IPv6 ACL Deny_WEB is applied in the incorrect direction on router R1.
  • The IPv6 ACL Deny_WEB is permitting all web traffic before the specific host is blocked.

Explanation: The IPv6 ACL Deny_WEB is permitting all encrypted and unencrypted web traffic before the specific network host is blocked because of the sequence of commands that were entered by the administrator. To correct this issue, the IPv6 ACL Deny_WEB needs to be reordered with the more specific deny statements coming prior to the permit statements.

9. Which IPv6 ACL command entry will permit traffic from any host to an SMTP server on network 2001:DB8:10:10::/64?

  • permit tcp any host 2001:DB8:10:10::100 eq 25
  • permit tcp host 2001:DB8:10:10::100 any eq 25
  • permit tcp any host 2001:DB8:10:10::100 eq 23
  • permit tcp host 2001:DB8:10:10::100 any eq 23

Explanation: The IPv6 access list statement, permit tcp any host 2001:DB8:10:10::100 eq 25, will allow IPv6 packets from any host to the SMTP server at 2001:DB8:10:10::100. The source of the packet is listed first in the ACL, which in this case is any source, and the destination is listed second, in this case the IPv6 address of the SMTP server. The port number is last in the statement, port 25, which is the well-known port for SMTP.

10. What is the purpose of using prefix lists?

  • to filter routes based on matching subnet masks
  • to filter traffic based on a range of protocols or port numbers
  • to assign quality of service markings to filtered traffic
  • to expand the range of private addresses using PAT
  • to implicitly permit neighbor discovery protocol packets

Explanation: Network administrators use prefix lists to control matching routes for route filtering. Prefix lists allow the route and prefix to be defined so that both can be used for route matching.

11. A network administrator is configuring a prefix list to match networks for BGP route filtering. Which network matches the prefix match specification 10.160.0.0/14 ge 22?

  • 10.158.0.0/22
  • 10.162.0.0/14
  • 10.163.0.0/24
  • 10.128.0.0/28

Explanation: Prefix lists provide another method of identifying networks in a routing protocol. A prefix list identifies a specific IP address, network, or network range and allows for the selection of multiple networks with a variety of prefix lengths by using a prefix match specification. A prefix match specification contains two parts: a high-order bit pattern and a high-order bit count, which determines the high-order bits in the bit pattern that are to be matched. The high-order bit pattern is also known as the network address and the high-order bit count as the mask length. The network portion of the matching networks is 10.160.0.0 and higher. The mask length of the matching networks must be greater than or equal to /22.

12. A network administrator is configuring a prefix list with the ip prefix-list command. How does the IOS process the prefix list if the administrator does not specify a sequence number?

  • It will present a prompt to ask the administrator to enter one.
  • It will present an error message that indicates the entry fails.
  • It automatically increments by 5 based on the highest sequence number.
  • It automatically increments by 10 based on the highest sequence number.

Explanation: Prefix lists are configured with the global configuration command ip prefix-list prefix-listname [seq sequence-number] {permit | denyhigh-order-bit-pattern/high-order-bit-count [ge ge-value][**le** *le-value*]. If a sequence is not provided, the sequence number automatically increments by 5 based on the highest sequence number.


Related Articles

guest
0 Comments
Inline Feedbacks
View all comments