IOS access-list global configuration commands
In extended ACLs, what does the keyword "ip" mean?
·
All IP packets
What range of numbers can be used for labeling extended access lists?
·
100-199 and 2000-2699
What are the big differences of named ACLs compared to numbered ACLs?
• Using names instead of numbers to identify the ACL, making it easier to remember the reason for the ACL
• Using ACL subcommands, not global commands, to define the action and matching parameters
• ACL editing features that allow the CLI user to delete individual lines from the ACL and insert new lines
What command is run to disable the web interface of a router?
·
no ip http server
How do you disable CDP on a router interface?
·
In interface configuration mode, run no cdp enable
When configuring ACLs, what are some of the recommendations from Cisco?
• Place extended ACLs as close as possible to the source of the packet to discard the packets quickly.
• Place standard ACLs as close as possible to the packet's destination, because standard ACLs often discard packets that you do not want discarded when they are placed close to the source.
• Place more specific statements early in the ACL.
• Disable an ACL from its interface (using the no ip access-group command) before making changes to the ACL.
What command is run to point a router to an NTP server for time synchronization?
·
ntp server (provide the IP address)
extended access list
·
A list of IOS access-list global configuration commands that can match multiple parts of an IP packet, including the source and destination IP address and TCP/UDP ports, for the purpose of deciding which packets to discard and which to allow through the router.
named access list
·
An ACL that identifies the various statements in the ACL based on a name, rather than a number.
Network Time Protocol (NTP)
·
A protocol used to synchronize time-of-day clocks so that multiple devices use the same time of day, which allows log messages to be more easily matched based on their timestamps.
Which of the following fields cannot be compared based on an extended IP ACL? (Choose two answers.)
a. Protocol
b. Source IP address
c. Destination IP address
d. TOS byte
e. URL
f. Filename for FTP transfers
·
E and F. Extended ACLs can look at the Layer 3 (IP) and Layer 4 (TCP, UDP) headers and a few others, but not any application layer information. Named extended ACLs can look for the same fields as numbered extended ACLs.
Which of the following access-list commands permit packets going from host 10.1.1.1 to all web servers whose IP addresses begin with 172.16.5? (Choose two answers.)
a. access-list 101 permit tcp host 10.1.1.1 172.16.5.0 0.0.0.255 eq www
b. access-list 1951 permit ip host 10.1.1.1 172.16.5.0 0.0.0.255 eq www
c. access-list 2523 permit ip host 10.1.1.1 eq www 172.16.5.0 0.0.0.255
d. access-list 2523 permit tcp host 10.1.1.1 eq www 172.16.5.0 0.0.0.255
e. access-list 2523 permit tcp host 10.1.1.1 172.16.5.0 0.0.0.255 eq www
·
A and E. The correct range of ACL numbers for extended IP access lists is 100 to 199 and 2000 to 2699. The answers that list the eq www parameter after 10.1.1.1 match the source port number, and the packets are going toward the web server, not away from it.
Which of the following access-list commands permits packets going to any web client from all web servers whose IP addresses begin with 172.16.5?
a. access-list 101 permit tcp host 10.1.1.1 172.16.5.0 0.0.0.255 eq www
b. access-list 1951 permit ip host 10.1.1.1 172.16.5.0 0.0.0.255 eq www
c. access-list 2523 permit tcp any eq www 172.16.5.0 0.0.0.255
d. access-list 2523 permit tcp 172.16.5.0 0.0.0.255 eq www 172.16.5.0 0.0.0.255
e. access-list 2523 permit tcp 172.16.5.0 0.0.0.255 eq www any
·
E. Because the packet is going toward any web client, you need to check for the web server's port number as a source port. The client IP address range is not specified in the question, but the servers are, so the source address beginning with 172.16.5 is the correct answer.
Which of the following fields can be compared using a named extended IP ACL but not a numbered extended IP ACL?
a. Protocol
b. Source IP address
c. Destination IP address
d. TOS byte
e. None of the other answers are correct.
·
E. Named extended IP ACLs can match the exact same set of fields as can numbered extended IP ACLs.
In a router running a recent IOS version (at least version 15.0), an engineer needs to delete the second line in ACL 101, which currently has four commands configured. Which of the following options could be used? (Choose two answers.)
a. Delete the entire ACL and reconfigure the three ACL statements that should remain in the ACL.
b. Delete one line from the ACL using the no access-list... global command.
c. Delete one line from the ACL by entering ACL configuration mode for the ACL and then deleting only the second line based on its sequence number.
d. Delete the last three lines from the ACL from global configuration mode, and then add the last two statements back into the ACL.
·
A and C. Before IOS 12.3, numbered ACLs must be removed and then reconfigured to remove a line from the ACL. As of IOS 12.3, you can also use ACL configuration mode and sequence numbers to delete one ACL line at a time.
What general guideline should you follow when placing extended IP ACLs?
a. Perform all filtering on output if at all possible.
b. Put more general statements early in the ACL.
c. Filter packets as close to the source as possible.
d. Order the ACL commands based on the source IP addresses, from lowest to highest, to improve performance.
·
C. The authorized Cisco curriculum makes the suggestion in answer C for extended IP ACLs, suggesting that standard ACLs be placed as close to the destination as possible.
Which of the following is accurate about the NTP client function on a Cisco router?
a. The client synchronizes its time-of-day clock based on the NTP server.
b. It counts CPU cycles of the local router CPU to more accurately keep time.
c. The client synchronizes its serial line clock rate based on the NTP server.
d. The client must be connected to the same subnet as an NTP server.
·
NTP uses protocol messages between clients and servers so that the clients can adjust their time-of-day clock to match the server. NTP is totally unrelated to serial line clocking. It also does not count CPU cycles, instead relying on messages from the NTP server. Also, the client defines the IP address of the server, and does not have to be in the same subnet.