1. ACLs are used primarily to filter traffic. What are two additional uses of ACLs? (Choose two.)
- specifying source addresses for authentication
- specifying internal hosts for NAT
- identifying traffic for QoS
- reorganizing traffic into VLANs
- filtering VTP packets
Explanation: ACLs are used to filter traffic to determine which packets will be permitted or denied through the router and which packets will be subject to policy-based routing. ACLs can also be used to identify traffic that requires NAT and QoS services. Prefix lists are used to control which routes will be redistributed or advertised to other routers.
2. Which set of access control entries would allow all users on the 192.168.10.0/24 network to access a web server that is located at 172.17.80.1, but would not allow them to use Telnet?
- access-list 103 deny tcp host 192.168.10.0 any eq 23
access-list 103 permit tcp host 192.168.10.1 eq 80 - access-list 103 permit 192.168.10.0 0.0.0.255 host 172.17.80.1
access-list 103 deny tcp 192.168.10.0 0.0.0.255 any eq telnet - access-list 103 permit tcp 192.168.10.0 0.0.0.255 host 172.17.80.1
access-list 103 deny tcp 192.168.10.0 0.0.0.255 any eq 23 - access-list 103 permit tcp 192.168.10.0 0.0.0.255 any eq 80
access-list 103 deny tcp 192.168.10.0 0.0.0.255 any eq 23
Explanation: For an extended ACL to meet these requirements the following need to be included in the access control entries:
- identification number in the range 100-199 or 2000-2699
- permit or deny parameter
- protocol
- source address and wildcard
- destination address and wildcard
- port number or name
3. Which packet types are implicitly permitted by IPv6 ACLs?
- router solicitation packets
- IPv6 unicast packets
- neighbor discovery packets
- ping packets
Explanation: IPv6 access lists include two implicit permit entries by default. These two permit entries allow neighbor solicitation and neighbor advertisement packets (both of which are part of the neighbor discovery protocol) to pass through the interface for IPv6 to MAC address resolution.
4. Which command is used to activate an IPv6 ACL named ENG_ACL on an interface so that the router filters traffic prior to accessing the routing table?
- ipv6 access-class ENG_ACL in
- ipv6 access-class ENG_ACL out
- ipv6 traffic-filter ENG_ACL in
- ipv6 traffic-filter ENG_ACL out
Explanation: For the purpose of applying an access list to a particular interface, the ipv6 traffic-filter IPv6 command is equivalent to the access-group IPv4 command. The direction in which the traffic is examined (in or out) is also required.
5. Refer to the exhibit. A network administrator wants to create a standard ACL to prevent network 1 traffic from being transmitted to the Research and Development network. On which router interface and in which direction should the standard ACL be applied?
- R1 Gi0/0 inbound
- R1 Gi0/0 outbound
- R1 S0/0/0 outbound
- R2 S0/0/0 inbound
- R2 Gi0/0 outbound
- R2 Gi0/0 inbound
Explanation: Standard ACLs can only specify source addresses, so the standard ACL would contain the network 1 address and appropriate wildcard mask. Also, because standard ACLs can only contain source addresses, the ACL should be placed as close to the destination as possible. The destination is the Research and Development LAN. The R2 Gi0/0 interface is that destination. By tracing the path that the packets will take starting with network 1 and traveling to the Research and Development network, a student can determine that the packets would be coming out of the R2 Gi0/0 interface.
6. Which IPv4 address range covers all IP addresses that match the ACL filter specified by 172.16.2.0 with wildcard mask 0.0.1.255?
- 172.16.2.0 to 172.16.2.255
- 172.16.2.1 to 172.16.3.254
- 172.16.2.0 to 172.16.3.255
- 172.16.2.1 to 172.16.255.255
Explanation: The wildcard mask 0.0.1.255 means the first 23 bits are matched and the last 9 bits are ignored. That is, a matching IP address should be from 172.16.2.0 to 172.16.3.255 (where last 9 bits are from all 0s to all 1s and any value between).
7. Which two keywords can be used in an access control list to replace a wildcard mask or address and wildcard mask pair? (Choose two.)
- most
- host
- all
- any
- some
- gt
Explanation: The two keywords that can be used when configuring ACLs are host and any. The host keyword is equivalent to using the 0.0.0.0 wildcard mask and the any keyword could be used instead of the 255.255.255.255 wildcard mask.
8. Refer to the exhibit. A network administrator is configuring an IPv6 ACL to allow hosts on the 2001:DB8:CAFÉ:10::/64 network to access remote web servers, except for PC1. However, a user on PC1 can successfully access the web server PC2. Why is this possible?
- The IPv6 ACL Deny_WEB is spelled incorrectly when applied to the interface.
- The IPv6 ACL Deny_WEB is applied to the wrong interface of router R1.
- The IPv6 ACL Deny_WEB is applied in the incorrect direction on router R1.
- The IPv6 ACL Deny_WEB is permitting all web traffic before the specific host is blocked.
Explanation: The IPv6 ACL Deny_WEB is permitting all encrypted and unencrypted web traffic before the specific network host is blocked because of the sequence of commands that were entered by the administrator. To correct this issue, the IPv6 ACL Deny_WEB needs to be reordered with the more specific deny statements coming prior to the permit statements.
9. Which IPv6 ACL command entry will permit traffic from any host to an SMTP server on network 2001:DB8:10:10::/64?
- permit tcp any host 2001:DB8:10:10::100 eq 25
- permit tcp host 2001:DB8:10:10::100 any eq 25
- permit tcp any host 2001:DB8:10:10::100 eq 23
- permit tcp host 2001:DB8:10:10::100 any eq 23
Explanation: The IPv6 access list statement, permit tcp any host 2001:DB8:10:10::100 eq 25, will allow IPv6 packets from any host to the SMTP server at 2001:DB8:10:10::100. The source of the packet is listed first in the ACL, which in this case is any source, and the destination is listed second, in this case the IPv6 address of the SMTP server. The port number is last in the statement, port 25, which is the well-known port for SMTP.
10. What is the purpose of using prefix lists?
- to filter routes based on matching subnet masks
- to filter traffic based on a range of protocols or port numbers
- to assign quality of service markings to filtered traffic
- to expand the range of private addresses using PAT
- to implicitly permit neighbor discovery protocol packets
Explanation: Network administrators use prefix lists to control matching routes for route filtering. Prefix lists allow the route and prefix to be defined so that both can be used for route matching.
11. A network administrator is configuring a prefix list to match networks for BGP route filtering. Which network matches the prefix match specification 10.160.0.0/14 ge 22?
- 10.158.0.0/22
- 10.162.0.0/14
- 10.163.0.0/24
- 10.128.0.0/28
Explanation: Prefix lists provide another method of identifying networks in a routing protocol. A prefix list identifies a specific IP address, network, or network range and allows for the selection of multiple networks with a variety of prefix lengths by using a prefix match specification. A prefix match specification contains two parts: a high-order bit pattern and a high-order bit count, which determines the high-order bits in the bit pattern that are to be matched. The high-order bit pattern is also known as the network address and the high-order bit count as the mask length. The network portion of the matching networks is 10.160.0.0 and higher. The mask length of the matching networks must be greater than or equal to /22.
12. A network administrator is configuring a prefix list with the ip prefix-list command. How does the IOS process the prefix list if the administrator does not specify a sequence number?
- It will present a prompt to ask the administrator to enter one.
- It will present an error message that indicates the entry fails.
- It automatically increments by 5 based on the highest sequence number.
- It automatically increments by 10 based on the highest sequence number.
Explanation: Prefix lists are configured with the global configuration command ip prefix-list prefix-listname [seq sequence-number] {permit | deny} high-order-bit-pattern/high-order-bit-count [ge ge-value][**le** *le-value*]. If a sequence is not provided, the sequence number automatically increments by 5 based on the highest sequence number.
“Do I Know This Already?” Quiz Answers:
1. What is the correct order of operations for an IPv4 ACL?
- Top-down processing, execute upon the longest match, implicit deny all
- Execute upon the longest match, top-down processing, implicit deny all
- Implicit deny all, immediate execution upon a match, top-down processing
- Top-down processing, immediate execution upon a match, implicit deny all
2. What occurs to a packet when an ACL is applied to an interface but the packet does not match any of the entries in the ACL?
- It is forwarded.
- It is flooded.
- It is dropped.
- It is buffered.
3. What does the following ACL entry accomplish when applied to an interface: 20 permit tcp 10.1.1.0 0.0.0.63 host 192.0.2.1 eq 23?
- Permits Telnet traffic from the device with IP address 192.0.2.1 going to any device with an IP address from 10.1.1.0 to 10.1.1.63
- Permits Telnet traffic from any device with IP address from 10.1.1.0 to 10.1.1.63 going to the device with IP address 192.0.2.1
- Permits SSH traffic from any device with IP address from 10.1.1.0 to 10.1.1.63 going to the device with IP address 192.0.2.1
- Permits SSH traffic from the device with IP address 192.0.2.1 going to any device with IP address from 10.1.1.0 to 10.1.1.63
4. Which command successfully filters ingress traffic using ACL 100 on an interface?
- access-group 100 in
- access-class 100 in
- ip access-group 100 in
- ip traffic-filter 100 in
5. What is the correct order of operations for an IPv6 ACL?
- Immediate execution upon a match, implicit permit icmp nd, implicit deny all, top-down processing
- Top-down processing, immediate execution upon a match, implicit permit icmp nd, implicit deny all
- Top-down processing, implicit permit icmp nd, immediate execution upon a match, implicit deny all
- Implicit permit icmp nd, top-down processing, immediate execution upon a match, implicit deny all
6. What happens if you add the following entry to the end of an IPv6 ACL: deny ipv6 any any log? (Choose two.)
- All traffic is denied and logged.
- All traffic that does not match an entry in the ACL is denied and logged.
- ICMP Neighbor Discovery messages are implicitly permitted.
- ICMP Neighbor Discovery messages are denied.
7. Which command successfully filters egress traffic using an IPv6 ACL named ENARSI on an interface?
- access-group ENARSI out
- access-class ENARSI out
- ipv6 access-group ENARSI out
- ipv6 traffic-filter ENARSI out
8. Which IP prefix list matches only the default route?
- ip prefix-list ENARSI permit 0.0.0.0/0 le 32
- ip prefix-list ENARSI permit 0.0.0.0/0 ge 32
- ip prefix-list ENARSI permit 0.0.0.0/0 ge 1
- ip prefix-list ENARSI permit 0.0.0.0/0
9. Which IP prefix list matches all routes?
- ip prefix-list ENARSI permit 0.0.0.0/0 le 32
- ip prefix-list ENARSI permit 0.0.0.0/0 ge 32
- ip prefix-list ENARSI permit 0.0.0.0/0 ge 1
- ip prefix-list ENARSI permit 0.0.0.0/0
10. What routes match the following prefix list: ip prefix-list ENARSI seq 35 deny 192.168.0.0/20 ge 24 le 28?
- Routes with an address from 192.168.0.0 to 192.168.15.255 with a subnet mask of 24 to 28
- Routes within the 192.168.0.0/20 subnet with a subnet mask greater than 24 and less than 28
- Routes with the subnet ID and mask 192.168.0.0/20
- Routes with an address from 192.168.0.0 to 192.168.15.255 with a subnet mask of 24 or 28