EWAN v4 Chapter 5 Check Your Understanding: Access Control Lists

Oct 29, 2023 Last Updated: Oct 29, 2023 CCNA 4 v4.0 EWAN, CCNA Exploration 4.0 No Comments
Tweet Share Pin it

1. Which statements correctly describe Cisco access control lists? (Choose two.)

  • Extended ACLs are created in interface configuration mode.
  • Extended ACLs filter traffic based on source and destination IP, port number, and protocol.
  • Standard IP ACLs are numbered 1 to 99, and extended ACLs are numbered 100 to 199.
  • Standard ACLs permit or deny traffic to specific IP addresses.
  • Standard ACLs do not permit the use of wildcard masks.

Explanation: Standard ACLs filter packets based solely on the source IP addresses and are numbered 1 to 99. Extended ACLs filter IP packets based on several attributes, such as protocol type, source and IP address, destination IP address, source TCP or UDP ports, destination TCP or UDP ports, and optional protocol type information. Extended ACLs are numbered 100 to 199.

2. Which statement is true about applying an access list to an interface?

  • Access lists are applied in global configuration mode.
  • Named access lists are applied using the ip access-name command.
  • Standard access lists should be applied to an interface as close as possible to the destination.
  • The command for applying access list 101 inbound is ip access-list 101.

Explanation: Because standard ACLs do not specify destination addresses, they should be placed as close to the destination as possible so that they filter traffic only to the destination network.

3. Which statement is a guideline to be followed when designing access control lists?

  • Because ACL tests are executed in order, they should be organized from the most general condition to the most specific.
  • Because ACL tests are executed in order, they should be organized from the most specific condition to the most general.
  • Because all statements in an ACL are evaluated before they are executed, an explicit deny any statement must be written for an ACL to function properly.
  • Because all statements in an ACL are evaluated before they are executed, an explicit permit any statement must be written for an ACL to function properly.

Explanation: An ACL is executed in order of the statements. The most specific condition must be examined before the more general conditions. Otherwise, the packet might pass the test condition of the general condition and never be examined by the more specific condition.

4. What occurs if the network administrator applies an IP access control list that has no permit statement outbound on an interface? (Choose two.)

  • All traffic outbound is denied.
  • All traffic outbound is allowed.
  • Only traffic originating from the router is allowed outbound.
  • The ACL restricts all incoming traffic and filters outgoing traffic.

Explanation: At the end of every ACL is an “implicit deny any” statement or the “deny all traffic” statement. Without any permit statements, all traffic would be denied or dropped on the outbound interface. Traffic originating from the route would be permitted, because access lists do not apply to traffic that originates from the router.

5. Which solutions can be implemented with ACLs? (Choose two.)

  • Segment the network to increase available bandwidth.
  • Create a firewall on a router to filter inbound traffic from an external network.
  • Control traffic entering or exiting different areas of a local network.
  • Distribute DHCP traffic to allow easier network availability.
  • Allow or deny traffic into the network based on the MAC address.

Explanation: ACLs can be used to help create a firewall by filtering inbound and outbound traffic. This includes controlling the traffic entering and exiting LANs. ACLs don’t distribute DHCP traffic.

6. Match each command with its description:

any
show running-config
show access-list
host
show ip interface

A. Substitutes for the 0.0.0.0 mask.
B. Indicates whether any ACLs are set on an interface.
C. Displays the contents of all ACLs on the router.
D. Represents an IP address and mask pair of 0.0.0.0 255.255.255.255.
E. Reveals the ACLs and interface assignments on a router.

any Represents an IP address and mask pair of 0.0.0.0 255.255.255.255.
show running-config Reveals the ACLs and interface assignments on a router.
show access-list Displays the contents of all ACLs on the router.
host Substitutes for the 0.0.0.0 mask.
show ip interface Indicates whether any ACLs are set on an interface.

7. Which IP address and wildcard mask test for hosts from an entire subnet of network 192.168.12.0 using a 29-bit mask?

  • 192.168.12.56 0.0.0.15
  • 192.168.12.56 0.0.0.8
  • 192.168.12.56 0.0.0.31
  • 192.168.12.84 0.0.0.7
  • 192.168.12.84 0.0.0.3
  • 192.168.12.84 0.0.0.255

Explanation: The wildcard mask can be derived by subtracting the 29-bit mask, 255.255.255.248, from 255.255.255.255. This results in the wildcard mask 0.0.0.7. 192.168.12.84 is a subnet of 192.168.12.0/29.

8. What kind of access list is created with the command ip access-list standard fastaccess?

  • Turbo ACL
  • Reflexive ACL
  • Named ACL
  • Dynamic ACL

Explanation: A standard named access list is created with the global configuration command ip access-list standard name.

9. Refer to the following configuration, which shows an ACL that already exists on the router. The network administrator wants to insert the command access-list 101 deny ip any 192.168.1.0 0.0.0.255 eq ftp as the third line in the ACL shown. The network administrator enters the command in global configuration mode on the router. What effect does this have?

access-list 101 deny ip any 192.168.1.0 0.0.0.255 eq 8080
access-list 101 deny ip any 192.168.1.0 0.0.0.255 eq 80
access-list 101 deny icmp any 192.168.1.0 0.0.0.255
access-list 101 deny icmp any 192.168.2.0 0.0.0.255
access-list 101 permit ip any 192.168.1.0 0.0.0.255
access-list 101 permit ip any 192.168.2.0 0.0.0.255
  • It inserts the line in the desired position in the ACL.
  • It inserts the line as the first statement in the ACL.
  • It inserts the line as the last statement in the ACL.
  • It deletes the entire list and replaces it with the new line only.

Explanation: Additional access list statements are automatically added to the end of the sequence of statements. Named ACLs can use optional sequence numbers to make this modification easier.

10. Refer to the exhibit and the following configuration. Which statement correctly describes how Router1 processes packets with this configuration?

EWAN v4 Chapter 5 Check Your Understanding: Access Control Lists 1

Router1(config)# access-list 201 deny icmp 192.168.1.0 0.0.0.255 any
Router1(config)# access-list 201 deny icmp 192.168.2.0 0.0.0.255 any
Router1(config)# access-list 201 permit any any
Router1(config)# access-list 101 deny tcp any 192.168.1.0 0.0.0.255 eq 8080
Router1(config)# access-list 101 deny tcp any 192.168.1.0 0.0.0.255 eq 80
Router1(config)# access-list 101 deny icmp any 192.168.1.0 0.0.0.255
Router1(config)# access-list 101 deny icmp any 192.168.2.0 0.0.0.255
Router1(config)# access-list 101 permit ip any 192.168.1.0 0.0.0.255
Router1(config)# access-list 101 permit ip any 192.168.2.0 0.0.0.255
Router1(config)# interface serial 0/0/0
Router1(config-if)# ip access-group 101 in
Router1(config-if)# ip access-group 201 out
  • Traffic exiting interface serial 0/0/0 is filtered by both ACL 101 and ACL 201.
  • If a packet entering interface serial 0/0/0 matches a condition in ACL 101, the router continues comparing the packet to the rest of the statements in ACL 101 to make sure that no other statements might apply.
  • Router1 compares packets entering interface serial 0/0/0 first to all the ACL 101 statements for the IP protocol and then to all the ACL 101 statements for the ICMP protocol.
  • A packet entering interface serial 0/0/0 is compared to each statement in ACL 101 until one statement matches the packet. Then the router drops or forwards the packet without considering the remaining statements in ACL 101.

Explanation: ACL statements are executed in sequential order. The packet is evaluated against each statement in the ACL, from the top down, one statement at a time. After the packet matches a statement, the packet is forwarded or dropped, and the remaining statements are not examined.

11. An administrator wants to implement lock-and-key access to a host within the company network for specific users who are connecting from outside the company network. What type of ACL would best suit the situation?

  • Dynamic
  • Reflexive
  • Extended
  • Time-based

Explanation: Lock-and-key ACLs are also called dynamic ACLs.

12. What type of ACL should the network administrator implement to limit Internet traffic during peak hours of the day?

  • Dynamic
  • Policy-based
  • Reflexive
  • Time-based

Explanation: Time-based ACLs filter packets based on a time range that defines specific times of the day and week.

13. Which statement correctly describes a reflexive access list?

  • An ACL that allows IP traffic for sessions originating from inside the network while denying traffic for sessions originating from the outside
  • An ACL that controls traffic based on the time
  • An ACL that uses an extended list to block users from traversing a router until they are authenticated
  • An ACL that identifies only the source of traffic

Explanation: Reflexive ACLs are used to allow IP traffic for sessions originating from their network while denying IP traffic for sessions originating outside the network. These ACLs allow the router to manage session traffic dynamically. The router examines the outbound traffic, and when it sees a new connection, it adds an entry to a temporary ACL to allow replies back in.

14. Categorize the following descriptions as belonging to either a standard IP ACL or an extended IP ACL:

  • Checks only the source address
  • Access list numbers 100 to 199
  • Checks protocol and port numbers
  • Permits/denies only entire protocols based on network address
  • Access list numbers 1 to 99
  • Checks source and destination address

Standard IP ACL Extended IP ACL
Checks only the source address
Permits/denies only entire protocols based on network address
Access list numbers 1 to 99		 Access list numbers 100 to 199
Checks protocol and port numbers
Checks source and destination address

15. Refer to the following configuration. Assuming that this ACL is correctly applied to a router interface, which statements describe traffic on the network? (Choose two.)

access-list 199 deny tcp 178.15.0.0 0.0.255.255 any eq 23
access-list 199 permit ip any any
  • All FTP traffic from network 178.15.0.0 will be permitted.
  • All Telnet traffic destined for network 178.15.0.0 will be denied.
  • Telnet and FTP will be permitted from all hosts on network 178.15.0.0 to any destination.
  • Telnet will not be permitted from any hosts on network 178.15.0.0 to any destination.
  • Telnet will not be permitted to any host on network 178.15.0.0 from any destination.

Explanation: The first line of the ACL denies Telnet traffic originating from the 178.15.0.0/16 network to any destination network. The second line permits all other IP traffic, including FTP.

16. Describe the “three Ps” rule associated with access control lists.

One ACL per protocol:

  • To control traffic flow on an interface, an ACL must be defined for each protocol enabled on the interface.

One ACL per direction:

  • ACLs control traffic in one direction at a time on an interface. Two separate ACLs must be created to control inbound and outbound traffic.

One ACL per interface:

  • ACLs control traffic for an interface, such as Fast Ethernet 0/0.

17. Describe the two basic rules associated with the placement of standard and extended ACLs.

Standard ACLs:

  • Because standard ACLs do not specify destination addresses, place them as close to the destination as possible.

Extended ACLs:

  • Locate extended ACLs as close as possible to the source of the traffic denied. This way, undesirable traffic is filtered without crossing the network infrastructure.

18. Refer to the exhibit and the following configuration. ACL 10, configured on R1, is designed to deny the host at 192.168.10.10 access to the 192.168.11.0 network, but all other hosts on the 192.168.10.0 network should be permitted access. However, the ACL does not accomplish this. Which changes would correct this problem?

EWAN v4 Chapter 5 Check Your Understanding: Access Control Lists 2

R1(config)# access-list 10 deny host 192.168.10.10
R1(config)# interface Fa0/1
R1(config-if)# ip access-group 10 in

On router R1:

  • The host address is incorrectly specified. It should be 192.168.11.10.
  • Because of the implicit deny statement, the remainder of the subnet is not permitted through. The remainder of the subnet should be permitted using the access-list 10 permit any command.
  • ACL 10 should be applied to be in an outbound direction on interface Fa0/1.

Correct configuration:

R1(config)# access-list 10 deny host 192.168.11.10
R1(config)# access-list 10 permit any
R1(config)# interface Fa0/1
R1(config-if)# ip access-group 10 out

19. Refer to the exhibit and the following configuration. The named ACL SURFING should enable only the hosts on the 192.168.10.0 network web and secure web access. The hosts on 192.168.11.0 should not be permitted any access. The BROWSING ACL should permit return access only to traffic that originated from the 192.168.10.0 network. However, the ACLs do not accomplish this. Which changes would correct this problem?

EWAN v4 Chapter 5 Check Your Understanding: Access Control Lists 2

R1(config)# access-list extended SURFING
R1(config-ext-nacl)# permit tcp 192.168.10.0 0.0.0.255 any eq 23
R1(config-ext-nacl)# permit tcp 192.168.10.0 0.0.0.255 any eq 443
R1(config)# access-list extended BROWSING
R1(config-ext-nacl)# permit tcp any 192.168.10.0 0.0.0.255
R1(config-ext-nacl)# exit
R1(config)# interface S0/0/0
R1(config-if)# ip access-group SURFING out
R1(config-if)# ip access-group BROWSING in

On router R1:

  • The first permit statement of the SURFING ACL allows Telnet access (23). It should permit web access (80).
  • The BROWSING ACL requires the established keyword at the end.

Correct configuration:

R1(config)# access-list extended SURFING
R1(config-ext-nacl)# permit tcp 192.168.10.0 0.0.0.255 any eq 80
R1(config-ext-nacl)# permit tcp 192.168.10.0 0.0.0.255 any eq 443
R1(config)# access-list extended BROWSING
R1(config-ext-nacl)# permit tcp any 192.168.10.0 0.0.0.255 established
R1(config-ext-nacl)# exit
R1(config)# interface S0/0/0
R1(config-if)# ip access-group SURFING out
R1(config-if)# ip access-group BROWSING in

20. Describe the three types of complex ACLs and their functions.

Dynamic (lock-and-key):

  • Dynamic ACLs use an extended ACL to block users from traversing a router until they use Telnet or SSH to connect to the router and are authenticated.
  • After being authenticated, specific dynamic ACL entries are activated on the ACL applied to the interface.
  • These entries remain active for a specific period and then expire.
  • This enables a user to authenticate and access resources that normally would be denied. Dynamic ACLs can be combined with other types of ACLs, such as extended ACLs.

Reflexive:

  • Reflexive ACLs automatically create temporary entries based on upper-layer session information.
  • The entries are automatically deleted when the session ends.

Time-based:

  • Time-based ACLs are similar to extended ACLs in function, but they allow access control based on time.
  • A time range defines specific times of the day and days of the week at which the ACLs are implemented.

 

Subscribe
Notify of
guest

0 Comments
Inline Feedbacks
View all comments
0
Would love your thoughts, please comment.x
()
x