Access Lists QUESTION

The document contains several examples of configuring and applying access control lists (ACLs) on Cisco routers to filter network traffic. Questions ask the reader to identify the correct ACL configuration, interface, and direction to meet specific filtering requirements. The last example identifies an incorrectly configured ACL that is preventing web traffic from being denied as intended over an ISDN link.

1.

Exhibit:

You work as a network administrator at TestKing.com. A named access list called
research_block has been written to prevent users on the research network and public
Internet from accessing the TestKing Support server. All other users within the
TestKing company should have access to this server. The list contains the following
statements.
deny 172.16.102.0 0.0.0.255 172.16.104.255 0.0.0.0
permit 172.16.0.0 0.0.255.255 172.16.104.252 0.0.0.0
Which of the following command sequences will place this list to meet these
requirements?
A. TestKing1(config)# interface e0
TestKing1(config-if)# ip access-group research_block in
B. TestKing1(config)# interface s0
TestKing1(config-if)# ip access-group research_block out
C. TestKing2(config)# interface s0
TestKing2(config-if)# ip access-group research_block out
D. TestKing2(config)# interface s1
TestKing2(config-if)# ip access-group research_block in
E. TestKing3(config)# interface s1
TestKing3(config-if)# ip access-group research_block in
F. TestKing3(config)# interface e0
TestKing3(config-if)# ip access-group research_block out
2. You work as a network technician at TestKing. You are configuring an E0 interface
connected to the 192.168.1.8/29 LAN on a Cisco router.
You apply the following access list to the interface.
access-list 123 deny tcp 192.168.1.8 0.0.0.7 eq 20 any
access-list 123 deny tcp 192.168.1.8 0.0.0.7 eq 21 any
What consequence will this access list have?
A. All traffic will be allowed to exit E0 except FTP traffic.
B. FTP traffic from 192.168.1.22 to any host will be denied.
C. FTP traffic from 192.168.1.9 to any host will be denied.
D. All traffic exiting E0 will be denied.
E. All FTP traffic to network 192.168.1.8/29 from any host will be denied.
3. As a network technician at TestKing you are configuring access lists on an
interface of a Cisco router. You use multiple access lists.
Which of the following statements are valid? (Select one)
A. There is no limit to the number of access lists that can be applied to an interface, as
long as they are applied in order from most specific to most general.
B. Cisco IOS allows only one access list to be applied to an interface.
C. One access list may be configured per direction for each Layer 3 protocol configured
on an interface.
D. Up to three access lists per protocol can be applied to a single interface.
E. No more than two access lists can be applied to a single interface.
F. The maximum number allowed varies depending on the amount of RAM installed in
the router.
4. Your TestKing trainee Jose is interested in ACLs (access control lists).
He asks you what they can be used for.
What should you tell him? (Choose three)
A. Protect hosts from viruses.
B. Classify network traffic.
C. Provide high network availability.
D. Identify interesting traffic for DDR.
E. IP route filtering.
F. Monitor the number of bytes and packets.
5. Three sites, TestKing1, TestKing2, and TestKing3, are connected via a WAN. At
each site a router provides serial connectivity to the WAN and an Ethernet
connection to a LAN. All three routers are configured, and the network is
functional. Configure and apply an access list that will prevent telnet access to the
TestKing1 router while allowing all other traffic to pass. The access list should not
contain more than three (3) statements and should be applied to the TestKing1
router. The routers have been previously configured with the following specifications:
The routers are named TestKing1, TestKing2, and TestKing3.
RIP is the routing protocol.
The clocking signal is provided on the serial 0 interfaces.
All passwords on all routers are "testking".
The subnet mask on all the interfaces is the default mask.
IP addresses are listed in the chart below.
TestKing1
E0 192.168.149.1
S0 192.168.199.1
Secret password: testking
TestKing2
E0 192.168.155.1
S0 192.168.11.1
S1 192.168.199.2
Secret password: testking
TestKing3
E0 192.168.165.1
S1 192.168.11.2
To configure the router click on the host icon that is connected to a router by a serial
console cable.

6. The following access list was applied outbound on the E0 interface connected to
the 192.168.1.8/29 LAN:
access-list 123 deny tcp 192.168.1.8 0.0.0.7 eq 20 any
access-list 123 deny tcp 192.168.1.8 0.0.0.7 eq 21 any
What effect will this access list have?
A. All traffic will be allowed to exit E0 except FTP traffic.
B. FTP traffic from 192.168.1.22 to any host will be denied.
C. FTP traffic from 192.168.1.9 to any host will be denied.
D. All traffic exiting E0 will be denied.
E. All FTP traffic to network 192.168.1.9/29 from any host will be denied.
7. Which command is used to display the placement and direction of an IP access
control list on a router?
A. show access-list
B. show ip route
C. show ip interface
D. show interface
E. show interface list
F. show ip interface brief

8. Which of the following access list statements will deny all telnet connections to
subnet 10.0.1.0/24?
A. access-list 15 deny tcp 10.0.1.0 255.255.255.0 eq telnet
B. access-list 115 deny tcp any 10.0.1.0 eq telnet
C. access-list 115 deny udp any 10.0.10 eq 23
D. access-list 115 deny tcp any 10.0.1.0 0.0.0.255 eq 23
E. access-list 15 deny telnet any 10.0.1.0 0.0.0.255 eq 23
9. An access list has been designed to prevent Telnet traffic from the Graphics
Department from reaching the HR server attached to the Eastfield router. Which of
the following access lists will accomplish this task when grouped with the e0
interface in the inbound direction on the Westfield router?

A. deny tcp 192.168.16.0 0.0.0.255 192.168.17.252 0.0.0.0 eq 23
permit ip any any
B. deny tcp 192.168.18.262 0.0.0.0 192.168.16.0 0.0.0.255 eq 23
permit ip any any
C. permit ip any any
deny tcp 192.168.16.0 0.0.0.255 192.172.252 0.0.0.0 eq 23
D. permit ip any any
deny tcp 192.168.17.252 0.0.0.0 192.168.0 0.0.0.255 eq 23

10.
Camden#show running-config
<some output text omitted>
enable password cisco
!
username Central password 0 cisco
!
interface BRI0/0
ip address 192.168.0.1 255.255.255.0
encapsulation ppp
dialer idle-timeout 180
dialer map ip 192.168.0.2 name Remote 5552000
dialer-group 1
isdn switch-type basic-ni
no fair-queue
ppp authentication chap
!
ip route 192.168.20.0 255.255.255.0 192.168.0.2
!
router rip
network 192.168.0.0
!
access-list 129 deny tcp 192.168.0.0 0.0.0.255 host 192.168.20.5 eq www
access-list 128 permit ip any any
dialer-list 1 protocol ip list 128
In an effort to minimize traffic, an administrator decided to keep web traffic from
causing the ISDN link to come up by denying WWW traffic to the 192.168.20.5
remote server. Two minutes after making changes to the configuration as shown in
the graphic, the administrator notices that web traffic is still passing over the link.
What is the most likely cause of the problem?
A. The dialer-group has not been applied to outbound traffic.
B. The access-list is incorrectly configured.
C. Broadcasts are creating "interesting" traffic and keeping the link active.
D. The command ip access-group 128 out is missing from the bri0/0 interface.

1. Answer: F
Explanation:
To enable the ACL on an interface and define the direction of packets to which the ACL
is applied, the ip access-group command is used.
When referring to a router, these terms have the following meanings.
Out - Traffic that has already been through the router and is leaving the interface; the
source would be where it's been (on the other side of the router) and the destination is
where it's going.
In - Traffic that is arriving on the interface and which will go through the router; the
source would be where it's been and the destination is where it's going (on the other side
of the router).
2. Answer: D
Explanation:
By default, an access list has an implicit deny statement at the end. In this example there
is no permit statement, so it will deny all traffic exiting the E0 interface.
Incorrect answers
A: It will deny FTP and Telnet Traffic
B, C, E: It will deny all traffic in addition to the condition mentioned in the answer,
because there is no permit statement at the end.
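The first-match and implicit-deny behaviour described above can be traced with a short simulation. This is an added example, not part of the original document: it models access list 123 from questions 2 and 6, and the sample packets, the 10.1.1.1 destination and the variant with a trailing permit are constructed for illustration.

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")  # a wildcard of all ones matches every address

def wildcard_match(addr, base, wildcard):
    """True when addr equals base on every bit whose wildcard bit is 0."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

# ACL 123 from questions 2 and 6: (action, protocol, source, source port, destination)
ACL_123 = [
    ("deny", "tcp", ("192.168.1.8", "0.0.0.7"), 20, ANY),
    ("deny", "tcp", ("192.168.1.8", "0.0.0.7"), 21, ANY),
]
# Hypothetical variant (not in the document) that ends with "permit ip any any"
ACL_123_WITH_PERMIT = ACL_123 + [("permit", "ip", ANY, None, ANY)]

def evaluate(acl, proto, src, sport, dst):
    """First matching entry wins; a packet matching nothing hits the implicit deny."""
    for number, (action, p, source, port, dest) in enumerate(acl, 1):
        if p not in ("ip", proto):
            continue
        if not wildcard_match(src, *source) or not wildcard_match(dst, *dest):
            continue
        if port is not None and port != sport:
            continue
        return action, f"entry {number}"
    return "deny", "implicit deny"

# Constructed sample packets: (protocol, source, source port, destination)
PACKETS = [
    ("tcp", "192.168.1.9", 21, "10.1.1.1"),     # inside 192.168.1.8-15, source port 21
    ("tcp", "192.168.1.9", 40000, "10.1.1.1"),  # same host, different source port
    ("tcp", "192.168.1.22", 21, "10.1.1.1"),    # outside the 0.0.0.7 wildcard range
    ("udp", "192.168.1.9", 53, "10.1.1.1"),     # not TCP at all
]

if __name__ == "__main__":
    for name, acl in (("as written", ACL_123), ("with permit", ACL_123_WITH_PERMIT)):
        for pkt in PACKETS:
            print(name, pkt, evaluate(acl, *pkt))
```

With the list as written every sample packet is dropped, three of them by the implicit deny rather than by either configured entry.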
3. Answer: C
4. Answer: C, D, E
Explanation:
IP access control lists (ACLs) cause a router to discard some packets based on criteria
defined by the network engineer. The goal of these filters is to prevent unwanted traffic in
the network whether to prevent hackers from penetrating the network or just to prevent
employees from using systems they should not be using.
IP access lists can also be used to filter routing updates, to match packets for
prioritization, to match packets for VPN tunneling, and to match packets for
implementing quality of service features.
5. Answer:
TestKing1>enable
Password:
TestKing1#show access-lists
TestKing1#config t
Enter configuration commands, one per line. End with END.
TestKing1(config)#access-list 101 deny tcp any 192.168.149.1 0.0.0.0 eq 23
TestKing1(config)#access-list 101 deny tcp any 192.168.199.1 0.0.0.0 eq 23
TestKing1(config)#access-list 101 permit ip any any
TestKing1(config)#interface Ethernet 0
TestKing1(config-if)#ip access-group 101 in
TestKing1(config-if)#exit
TestKing1(config)#interface serial 0
TestKing1(config-if)#ip access-group 101 in
TestKing1(config-if)# <CTRL-Z>
TestKing1#copy running-config startup-config
Destination filename [startup-config]?
6. Answer: D
7. Answer: C
8. Answer: D
9. Answer: A
Explanation: The syntax for an access list is the source address first, then the destination
address. In this case the source address is 192.168.16.0/24 and the destination address is
192.168.17.252.
10. Answer: B
Explanation:
The access list is incorrectly configured. The deny statement is in extended access list 129,
while the permit statement is in access list 128, and the dialer list references access list 128.
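The mismatch in question 10 is the kind of error a reference check over the configuration catches. This is an added example, not part of the original document: the function name audit_acl_references is hypothetical, the configuration excerpts are constructed from the question, the corrected variant is an assumption about the intended fix, and only numbered access lists are handled.

```python
import re

# Constructed excerpt of the question 10 configuration, and a hypothetical
# correction that moves the deny into the list the dialer-list references.
CAMDEN = """\
interface BRI0/0
 dialer-group 1
access-list 129 deny tcp 192.168.0.0 0.0.0.255 host 192.168.20.5 eq www
access-list 128 permit ip any any
dialer-list 1 protocol ip list 128
"""
CORRECTED = CAMDEN.replace("access-list 129 deny", "access-list 128 deny")

ACL_DEF = re.compile(r"access-list (?P<acl>\d+) (?P<entry>.+)")
ACL_USES = [
    re.compile(r"dialer-list \d+ protocol ip list (?P<acl>\d+)"),
    re.compile(r"ip access-group (?P<acl>\d+) (?:in|out)"),
]

def audit_acl_references(config):
    """Cross-check numbered ACL definitions against the commands that use them."""
    defined, used = {}, {}
    for raw in config.splitlines():
        line = raw.strip()
        m = ACL_DEF.match(line)
        if m:
            defined.setdefault(m.group("acl"), []).append(m.group("entry"))
            continue
        for pattern in ACL_USES:
            m = pattern.match(line)
            if m:
                used.setdefault(m.group("acl"), []).append(line)
    return {
        "unreferenced": sorted(set(defined) - set(used)),  # written but never applied
        "undefined": sorted(set(used) - set(defined)),     # applied but never written
        "in_use": {n: defined.get(n, []) for n in sorted(used)},
    }

if __name__ == "__main__":
    for name, cfg in (("as shown", CAMDEN), ("corrected", CORRECTED)):
        print(name, audit_acl_references(cfg))
```

For the configuration as shown, the report lists 129 as unreferenced and shows that the list in use for the dialer-list contains only the permit entry.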
