CCNA Training » CCNA – Access List Questions 2

9/17/13 CCNA Training » CCNA – Access List Questions 2 www9tutcom/ccna-access-list-questions-2 1/12 Type text to search here Home > CCNA – Access List Questions 2 CCNA – Access List Questions 2 April 30th, 2011 Go to comments Here you will find answers to Access list Questions – Part 2 Note: If you are not sure about Access list, please read my Access list tutorial Question 1 Refer to the exhibit What will happen to HTTP traffic coming from the Internet that is destined for 172161210 if the traffic is processed by this ACL? router#show access-lists Extended IP access list 110 10 deny tcp 1721600 00255255 any eq telnet 20 deny tcp 1721600 00255255 any eq smtp 30 deny tcp 1721600 00255255 any eq http 40 permit tcp 1721600 00255255 any A Traffic will be dropped per line 30 of the ACL B Traffic will be accepted per line 40 of the ACL C Traffic will be dropped, because of the implicit deny all at the end of the ACL D Traffic will be accepted, because the source address is not covered by the ACL Answer: C Explanation The syntax of an extended access list is: access-list access-list-number {permit | deny} protocol source {source-mask} destination {destination-mask} [eq destination-port] Notice that in our access list, the network 1721600 00255255 is specified as the source but the question asks about “HTTP traffic coming from the Internet that is destined for 172161210″, which means 1721600 00255255 is the destination network So in this case there is no match in our access list and the traffic will be dropped because of the implicit deny all at the end of the ACL It is surely a tricky question! Question 2 9/17/13 CCNA Training » CCNA – Access List Questions 2 www9tutcom/ccna-access-list-questions-2 2/12 Refer to the exhibit Which statement describes the effect that the Router1 configuration has on devices in the 17216160 subnet when they try to connect to SVR-A using Telnet or SSH? A Devices will not be able to use Telnet or SSH B Devices will be able to use SSH, but not Telnet C Devices will be able to use Telnet, but not SSH D Devices will be able to use Telnet and SSH Answer: B Explanation Let’s analyze the access list 100: + 10 permit tcp 17216160 00015 host 172164863 eq 22: allows TCP traffic from network 17216160/28 to access host 172164863 with a destination port of 22 (SSH) + 20 permit tcp 17216160 00015 eq telnet host 172164863: allows TCP traffic from network 17216160/28 with a source port of 23 (telnet) to access host 172164863 Notice that if a device wants to telnet (or SSH) to SVR-A server it must use the destination port of 23 (or 22), not a source port of 23 (or 22) Access list 100 is applied on the inbound direction of Fa0/0 so it will only filter traffic from 17216160 subnet to the SVR-A server 9/17/13 CCNA Training » CCNA – Access List Questions 2 www9tutcom/ccna-access-list-questions-2 3/12 Access list 101 is very similar to access list 100 but it is applied on the inbound direction of Fa0/1 so it will filter traffic from SVR-A server to 17216160 subnet In ACL 101: + 10 permit tcp host 172164863 eq 22 17216160 00015: allows TCP traffic from host 172164863 with a source port of 22 (SSH) to access network 17216160/28 + 20 permit tcp host 172164863 17216160 00015 eq telnet: allows TCP traffic from host 172164863 to access network 17216160/28 with a destination port of telnet Notice that the returned traffic from SVR-A to network 17216160/28 (resulting from telnet or SSH session) will have a source port of 23 (Telnet) or 22 (SSH) In conclusion, the first statements of each ACL will allow devices to “SSH” to SVR-A But they can’t telnet because of the implicit deny all at the end of the ACL In this question, the second statements of each ACL can be considered “wrong” if we intend to filter telnet or SSH traffic and they have no effect on the Telnet or SSH traffic Question 3 Refer to the exhibit Which three variables (router, protocol port, and router ACL direction) apply to an extended ACL that will prevent student 01 from securely browsing the internet? A OUT B Router 3 C HTTPS D IN E Router 1 9/17/13 CCNA Training » CCNA – Access List Questions 2 www9tutcom/ccna-access-list-questions-2 4/12 Answer: B C D Explanation There are 3 routers we can place this access list: Router 1, Router Main and Router 3 but in theory, an extended access list should be placed close to the source -> Router 3 is the best choice -> B is correct The traffic we need to filter here is “securely browsing the internet” so it is HTTPS -> C is correct Finally we should apply this access list to the inbound direction so that Router 3 will filter this traffic before making routing decision It helps save processing resources on Router 3 -> D is correct Question 4 Which two statements apply to dynamic access lists? (choose two) A they offer simpler management in large internetworks B you can control logging messages C they allow packets to be filtered based on upper-layer session information D you can set a time-based security policy E they provide a level of security against spoofing F they are used to authenticate individual users Answer: A F Explanation Dynamic ACLs have the following security benefits over standard and static extended ACLs: + Use of a challenge mechanism to authenticate individual users + Simplified management in large internetworks + In many cases, reduction of the amount of router processing that is required for ACLs + Reduction of the opportunity for network break-ins by network hackers + Creation of dynamic user access through a firewall, without compromising other configured security restrictions (Reference: CCNA Exploration 4 – Dynamic ACLs) Question 5 Which command shows if an access list is assigned to an interface? A show ip interface [interface] access-lists B show ip access-lists interface [interface] C show ip interface [interface] D show ip access-lists [interface] 9/17/13 CCNA Training » CCNA – Access List Questions 2 www9tutcom/ccna-access-list-questions-2 5/12 Answer: C Explanation The output of “show ip interface [interface]” command is shown below: In the output we can see the access list 1 is applied to this interface on inbound direction Question 6 Which item represents the standard IP ACL? A access-list 50 deny 19216811 000255 B access-list 110 permit ip any any C access-list 2500 deny tcp any host 19216811 eq 22 D access-list 101 deny tcp any host 19216811 9/17/13 CCNA Training » CCNA – Access List Questions 2 www9tutcom/ccna-access-list-questions-2 6/12 Answer: A Explanation The standard access lists are ranged from 1 to 99 and from 1300 to 1999 so only access list 50 is a standard access list Question 7 Which statement about access lists that are applied to an interface is true? A you can apply only one access list on any interface B you can configure one access list, per direction, per layer 3 protocol C you can place as many access lists as you want on any interface D you can configure one access list, per direction, per layer 2 protocol Answer: B Explanation We can have only 1 access list per protocol, per direction and per interface It means: + We can not have 2 inbound access lists on an interface + We can have 1 inbound and 1 outbound access list on an interface Question 8 A network engineer wants to allow a temporary entry for a remote user with a specific username and password so that the user can access the entire network over the internet Which ACL can be used? A reflexive B extended C standard D dynamic Answer: D Explanation We can use a dynamic access list to authenticate a remote user with a specific username and password The authentication process is done by the router or a central access server such as a TACACS+ or RADIUS server The configuration of dynamic ACL can be read here: http://wwwciscocom/en/US/tech/tk583/tk822/technologies_tech_note09186a0080094524shtml 9/17/13 CCNA Training » CCNA – Access List Questions 2 www9tutcom/ccna-access-list-questions-2 7/12 Question 9 Which parameter standard access list takes into consideration for traffic filtering decisions? A Source MAC address B Destination IP address C Destination MAC address D Source IP address Answer: D Question 10 In which solution is a router ACL used? A protecting a server from unauthorized access B controlling path selection, based on the route metric C reducing router CPU utilization D filtering packets that are passing through a router Answer: D Comments (364) Comments Comment pages « Previous 1 … 6 7 8 981 1 ian_arvin from the philippines September 10th, 2013 Hi guys for those who have passed ccna 640-802 which dump is more reliable the one from spike or acme? If u have new dumps kindly send to cacsalangayahoocom 2 tani10 September 10th, 2013 Question 4 correct answers A, D 3 ad September 10th, 2013 9/17/13 CCNA Training » CCNA – Access List Questions 2 www9tutcom/ccna-access-list-questions-2 8/12 q no 1… ans should be Aits match… 4 ad September 10th, 2013 9tut…i love u :) 5 ad September 10th, 2013 9tut…i love u :) 6 ad September 10th, 2013 9tut…i love u :) 7 ad September 10th, 2013 9tut…i love u :) 8 ad September 10th, 2013 9tut…i love u :)… 9 Richard September 11th, 2013 tani 10, pls make sure your read about ACL, particularly, time-based and dynamic :) 10 jasostrong September 11th, 2013 Thanks 9tut I made it I passed my CCNA 200-120 today The sim is Access-list 1 , Access-list 2 & EIGRP A lot of new questions like Netflow, Syslog, SNMP, VRRP, and GLBP 11 inayat shah September 13th, 2013 I am going to sit my CCNA exam on 28 Sep Could anybody send me the latest Sim or all the Sim at 9tut is still enough for CCNA 640-802 exam? please do inform and support me Thank you E-mail: inayat291gmailcom best regard! 9/17/13 CCNA Training » CCNA – Access List Questions 2 www9tutcom/ccna-access-list-questions-2 9/12 12 Anonymous September 13th, 2013 Which two statements apply to dynamic access lists? (choose two) A they offer simpler management in large internetworks B you can control logging messages C they allow packets to be filtered based on upper-layer session information D you can set a time-based security policy E they provide a level of security against spoofing F they are used to authenticate individual users *** THE ACME 486 DUMP SAYS THAT D & F ARE THE ANSWERS … CAN SOMEONE EXPLAIN TO ME WHATS GOING ON ?? *** Reposted… Please explain sir 9tut Thank you 13 Franz September 13th, 2013 Which two statements apply to dynamic access lists? (choose two) A they offer simpler management in large internetworks B you can control logging messages C they allow packets to be filtered based on upper-layer session information D you can set a time-based security policy E they provide a level of security against spoofing F they are used to authenticate individual users *** THE ACME 486 DUMP SAYS THAT D & F ARE THE ANSWERS … CAN SOMEONE EXPLAIN TO ME WHATS GOING ON ?? *** 14 Joe September 13th, 2013 Franz/Anon, try a google… https://supportforumsciscocom/thread/2187794 Comment pages « Previous 1 … 6 7 8 981 Add a Comment Name 9/17/13 CCNA Training » CCNA – Access List Questions 2 www9tutcom/ccna-access-list-questions-2 10/12 Submit Comment Subscribe to comments feed CCNA – Access List Questions CCNA – WAN Premium Membership Become a member to interact with all questions and read all tutorials, labs! Find out more or Sign In CCNA 640-802 CCNA Lab Sim CCNA – Basic Questions CCNA – Basic Questions 2 CCNA – Cisco IOS Questions CCNA – Cisco IOS Questions 2 CCNA – Cisco IOS Questions 3 CCNA – OSI Model Questions CCNA – TCP/IP Model & Operation CCNA – Show Command Questions CCNA – Protocols & Services CCNA – Access List Questions CCNA – Access List Questions 2 CCNA – WAN CCNA – WAN 2 CCNA – IP Address Questions CCNA – IP Routing Questions CCNA – IP Routing Questions 2 9/17/13 CCNA Training » CCNA – Access List Questions 2 www9tutcom/ccna-access-list-questions-2 11/12 CCNA – RIP Questions CCNA – OSPF Questions CCNA – OSPF Questions 2 CCNA – EIGRP Questions CCNA – EIGRP Questions 2 CCNA – Security Questions CCNA – DHCP Questions DHCP Group of Four Questions CCNA – NAT & PAT Questions CCNA – Drag and Drop 1 CCNA – Drag and Drop 2 CCNA – Drag and Drop 3 CCNA – Drag and Drop 4 CCNA – Drag and Drop 5 CCNA – Switch Questions CCNA – Switch Questions 2 CCNA – Switch Questions 3 CCNA – VLAN Questions CCNA – VLAN Questions 2 CCNA – VTP Questions CCNA – Hotspot CCNA – STP Questions CCNA – STP Questions 2 CCNA – IPv6 Questions CCNA – Subnetting CCNA – Subnetting Questions 2 CCNA – Subnetting Questions 3 CCNA – Subnetting Questions 4 CCNA – Operations 1 CCNA – Operations 2 CCNA – Operations 3 CCNA – Troubleshooting 1 CCNA – Troubleshooting 2 CCNA – Wireless CCNA FAQs & Tips Share your CCNA Experience New CCNA 200-120 Share your (new) CCNA Experience 9/17/13 CCNA Training » CCNA – Access List Questions 2 www9tutcom/ccna-access-list-questions-2 12/12 CCNA Self-Study Practice CCNA GNS3 Labs CCNA Knowledge Network Resources Free Router Simulators ICND1/ICND2 Website CCNP - ROUTE Website CCNP - SWITCH Website CCNP - TSHOOT Website CCNA Voice Website CCNA Wireless Website CCNA Security Website CCDA Website CCIP Website CCIE Written Website Support 9tut Your contribution will help keep this site updated! Top Copyright © 2010-2013 CCNA Training Site Privacy Policy Valid XHTML 11 and CSS 3UV