Module 8: Quiz – Access Control Lists (Answers) Network Security

1. In applying an ACL to a router interface, which traffic is designated as outbound?

  • traffic that is coming from the source IP address into the router
  • traffic that is going from the destination IP address into the router
  • traffic that is leaving the router and going toward the destination host
  • traffic for which the router can find no routing table entry

Explanation: Inbound and outbound are interpreted from the point of view of the router. Traffic that is designated in an inbound ACL will be denied or permitted when coming into that router interface from a source. Traffic that is designated in an outbound ACL will be denied or permitted when going out the interface to the destination.

2. What is the quickest way to remove a single ACE from a named ACL?

  • Use the no access-list command to remove the entire ACL, then recreate it without the ACE.
  • Copy the ACL into a text editor, remove the ACE, then copy the ACL back into the router.
  • Use the no keyword and the sequence number of the ACE to be removed.
  • Create a new ACL with a different number and apply the new ACL to the router interface.

Explanation: Named ACL ACEs can be removed using the no command followed by the sequence number.

3. Which ICMP message type should be stopped inbound?

  • echo-reply
  • echo
  • source quench
  • unreachable

Explanation: The echo ICMP packet should not be allowed inbound on an interface. The echo-reply should be allowed so that when an internal device pings an external device, the reply is allowed to return.

4. Which scenario would cause an ACL misconfiguration and deny all traffic?

  • Apply a standard ACL using the ip access-group out command.
  • Apply an ACL that has all deny ACE statements.
  • Apply a standard ACL in the inbound direction.
  • Apply a named ACL to a VTY line.

Explanation: Having all ACEs with deny statements denies all traffic because there is an implicit deny any command at the end of every standard ACL.

5. Refer to the exhibit. A network administrator is configuring an IPv6 ACL to allow hosts on the 2001:DB8:CAFE:10::/64 network to access remote web servers, except for PC1. However, a user on PC1 can successfully access the web server PC2. Why is this possible?

  • The IPv6 ACL Deny_WEB is spelled incorrectly when applied to the interface.
  • The IPv6 ACL Deny_WEB is applied to the wrong interface of router R1.
  • The IPv6 ACL Deny_WEB is permitting all web traffic before the specific host is blocked.
  • The IPv6 ACL Deny_WEB is applied in the incorrect direction on router R1.

Explanation: The IPv6 ACL Deny_WEB is permitting all encrypted and unencrypted web traffic before the specific network host is blocked because of the sequence of commands that were entered by the administrator. To correct this issue, the IPv6 ACL Deny_WEB needs to be reordered with the more specific deny statements coming prior to the permit statements.
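The ordering problem in question 5 can be reproduced with a small first-match evaluator. This is an added example, not part of the quiz or of any router software: PC1's address is constructed (the exhibit is not on the page), web traffic is assumed to be TCP ports 80 and 443, and an ACE is modelled only by source prefix and destination port.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Ace:
    action: str            # "permit" or "deny"
    src: str               # source prefix
    dport: Optional[int]   # destination TCP port; None matches any port

def evaluate(acl, src_ip, dport):
    """Top-down evaluation: the first matching ACE decides, else implicit deny."""
    addr = ipaddress.ip_address(src_ip)
    for index, ace in enumerate(acl):
        if addr in ipaddress.ip_network(ace.src) and ace.dport in (None, dport):
            return ace.action, index
    return "deny", None

def shadowed(acl):
    """Indices of ACEs fully covered by an earlier ACE, so they can never match."""
    hits = []
    for index, later in enumerate(acl):
        later_net = ipaddress.ip_network(later.src)
        for earlier in acl[:index]:
            covers_src = later_net.subnet_of(ipaddress.ip_network(earlier.src))
            if covers_src and earlier.dport in (None, later.dport):
                hits.append(index)
                break
    return hits

LAN = "2001:db8:cafe:10::/64"          # network named in the question
PC1 = "2001:db8:cafe:10::10"           # constructed address; exhibit not on the page
PERMITS = [Ace("permit", LAN, 80), Ace("permit", LAN, 443)]
DENIES = [Ace("deny", PC1 + "/128", 80), Ace("deny", PC1 + "/128", 443)]
BROKEN = PERMITS + DENIES              # order described in the explanation
FIXED = DENIES + PERMITS               # specific denies first

if __name__ == "__main__":
    for name, acl in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, evaluate(acl, PC1, 80), "shadowed:", shadowed(acl))
```

Running `shadowed` over an ACL before applying it flags deny entries that a broader earlier permit has made unreachable, which is the audit check this misconfiguration calls for.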

6. Refer to the exhibit. A network administrator wants to create a standard ACL to prevent Network 1 traffic from being transmitted to the Research and Development network. On which router interface and in which direction should the standard ACL be applied?

  • R1 Gi0/0 outbound
  • R2 S0/0/0 inbound
  • R1 S0/0/0 outbound
  • R2 Gi0/0 outbound
  • R2 Gi0/0 inbound
  • R1 Gi0/0 inbound

Explanation: Standard ACLs can only specify source addresses, so the standard ACL would contain the network 1 address and appropriate wildcard mask. Also, because standard ACLs can only contain source addresses, the ACL should be placed as close to the destination as possible. The destination is the Research and Development LAN. The R2 Gi0/0 interface is that destination. By tracing the path that the packets will take starting with network 1 and traveling to the Research and Development network, a student can determine that the packets would be coming out of the R2 Gi0/0 interface.

7. Which two statements describe appropriate general guidelines for configuring and applying ACLs? (Choose two.)

  • Standard ACLs are placed closest to the source, whereas extended ACLs are placed closest to the destination.
  • If an ACL contains no permit statements, all traffic is denied by default.
  • The most specific ACL statements should be entered first because of the top-down sequential nature of ACLs.
  • If a single ACL is to be applied to multiple interfaces, it must be configured with a unique number for each interface.
  • Multiple ACLs per protocol and per direction can be applied to an interface.

Explanation: An interface can only have one ACL per direction. Standard ACLs filter only on the source address, so they are normally placed closest to the destination. Extended ACLs filter on source and destination addresses and port numbers. They are commonly placed closest to the source to reduce traffic across the network or networks. A single ACL can be applied to multiple interfaces.

8. Refer to the exhibit. Which statement describes the function of the ACEs?

  • These ACEs automatically appear at the end of every IPv6 ACL to allow IPv6 routing to occur.
  • These ACEs must be manually added to the end of every IPv6 ACL to allow IPv6 routing to occur.
  • These are optional ACEs that can be added to the end of an IPv6 ACL to allow ICMP messages that are defined in object groups named nd-na and nd-ns.
  • These ACEs allow for IPv6 neighbor discovery traffic.

Explanation: The ICMP protocol is used for neighbor discovery. The two permit statements allow neighbor advertisement and neighbor solicitation messages between IPv6 devices.

9. What wild card mask will match networks through


Explanation: The subnets through all share the same 14 high level bits. A wildcard mask in binary that matches 14 high order bits is 00000000.00000011.11111111.11111111. In dotted decimal this wild card mask is

10. What method is used to apply an IPv6 ACL to a router interface?

  • the use of the access-class command
  • the use of the ipv6 traffic-filter command
  • the use of the ip access-group command
  • the use of the ipv6 access-list command

Explanation: A network administrator will use the ipv6 traffic-filter command within interface configuration mode to apply an IPv6 ACL.

11. What type of ACL offers greater flexibility and control over network access?

  • named standard
  • numbered standard
  • flexible
  • extended

Explanation: The two types of ACLs are standard and extended. Both types can be named or numbered, but extended ACLs offer greater flexibility.

12. Which operator is used in an ACL statement to match packets of a specific application?

  • established
  • gt
  • lt
  • eq

Explanation: An example of an ACL that filters for FTP is as follows:
access-list 105 permit tcp any host eq 20
access-list 105 permit tcp any host eq 21
The operator (eq) toward the end of the ACL lines is used to match a specific port/service that is specified immediately following the eq operator.

13. Which two keywords can be used in an access control list to replace a wildcard mask or address and wildcard mask pair? (Choose two.)

  • some
  • any
  • gt
  • most
  • all
  • host

Explanation: The two keywords that can be used when configuring ACLs are host and any. The host keyword is equivalent to using the wildcard mask and the any keyword could be used instead of the wildcard mask.

14. Consider the following access list.

access-list 100 permit ip host any
access-list 100 deny icmp any echo
access-list 100 permit ip any any

Which two actions are taken if the access list is placed inbound on a router Gigabit Ethernet port that has the IP address assigned? (Choose two.)

  • Only the network device assigned the IP address is allowed to access the router.
  • Devices on the network are allowed to reply to any ping requests.
  • A Telnet or SSH session is allowed from any device on the into the router with this access list assigned.
  • Devices on the network can successfully ping devices on the network.
  • Only Layer 3 connections are allowed to be made from the router to any other network device.

Explanation: The first ACE allows the device to do any TCP/IP-based transactions with any other destination. The second ACE stops devices on the network from issuing any pings to any other location. Everything else is permitted by the third ACE. Therefore, a Telnet/SSH session or ping reply is allowed from a device on the network.

