Inbound access lists are applied before the routing process
Which of the following statements apply only to the extended IP access lists and not to both standard and extended lists?
· You can filter traffic based on destination IP address
· You can filter traffic for a specific TCP/IP protocol
Which of the following statements about access lists are true?
· An access list without a permit traffic will not allow any traffic
· Inbound access lists are applied before the routing process
You want to create an access list that prevents traffic from network A that is sent to Host 1. You want the access list applied after the routing decision is made. Which of the following would be part of your design?
· Outbound filter
· Extended access list
Which of the following describes how access lists can be used to improve network security?
· An access list filters traffic based on the IP header information such as a source or destination IP address, protocol or socket numbers
You want to create an access list statement that allows traffic from any network. Which network address and wildcard mask value should you use?
· 255.255.255.255
Your company has two subnets, 172.16.1.0 and 172.16.2.0, as shown in the exhibit. Recent policy changes forbid FTP traffic from leaving your company; however, all other traffic is allowed. You've created the following access list to meet the new company requirements:
access-list 101 deny tcp any any eq 20
access-list 101 deny tcp any any eq 21
access-list 101 permit ip any any
Where should you apply this filter?
· outbound side of S0
Your router has the following access lists:
List 91 denies all traffic from network 12.1.6.0/24 and allows other traffic
List 101 denies all Telnet traffic and allows other traffic
Access list 91 is applied to the Serial0 interface for outbound traffic. Access list 101 is applied to the Serial0 interface for inbound traffic.
You now want to modify the access list configuration to deny any outbound ICMP traffic while keeping all other restrictions in place as closely as possible. How should you modify the access lists to accomplish your goal with the least amount of effort?
· Create an access list 102 that denies ICMP traffic and traffic from network 12.1.6.0/24. Apply the list to Serial0 for outbound traffic
Which of the following ACL statements allow TCP/IP traffic?
· access-list 101 permit ip any any
You want to create an access list that permits and restricts traffic to meet the following specifications.
1. Allow all TCP/IP traffic coming from any host on network 10.0.0.0 while denying all TCP/IP traffic from other sources
2. Deny all TCP traffic coming from network 10.0.0.0
3. Allow all TCP traffic coming from any source directed to host 10.1.1.2
4. Deny all TCP/IP traffic coming from host 10.1.1.1
Which access list statement should come last in the access list?
· access-list 101 permit ip 10.0.0.0 0.255.255.255 any
You have created an access list with the following command:
Router(config)#access-list 101 deny tcp 10.1.0.0 0.0.255.255 any
Which three of the following are identified by the various parts of this command?
· It applies to traffic originating from all hosts on network 10.1.0.0
· It applies to all destination networks and hosts
· It will deny only TCP traffic
You have issued the following commands at the server console.
Router(config)#access-list 122 permit tcp 10.6.0.0 0.0.255.255 any
Router(config)#int eth 0
Router(config)#ip access-group 122 out
Which of the following statements is true?
· TCP packets received from host 10.6.12.45 on the serial 1 interface can be forwarded out the eth 0 interface
Which of the following commands can you use to see which IP access list is applied to the first Ethernet interface?
· sh ip int
You have just finished configuring access list 101 and are ready to apply it to an interface. Before you do, however, you would like to view the access list to ensure there are no mistakes. Which command displays access list 101?
· show access-lists 101
You are the administrator for the 172.16.0.0 network as shown in the exhibit. You need to block Telnet traffic from entering your network while allowing other traffic to pass through. You decide to apply an access list to the incoming side of the Serial 0 interface. Which statements should be included in your access-list?
· access-list 101 deny tcp any any eq 23
· access-list 101 permit ip any any
Your company has two subnets, 172.16.1.0 and 172.16.2.0, as shown in the exhibit. You want to prevent public Telnet traffic from entering your company but allow all other traffic. Which of the following sets of statements will accomplish your goal?
· access-list 101 deny tcp any 172.16.0.0 0.0.255.255 eq 23
  access-list 101 permit ip any 172.16.2.0.0 0.0.255.255
  interface serial 0
  ip access-group 101 in
You have decided to use ACLs on your router to restrict TFTP traffic between networks. Specifically, you want to allow only the host with an IP address of 172.17.8.1 to access a TFTP server with an IP address of 10.0.0.1 on a different network. The TFTP protocol runs on UDP port 69. To accomplish this you create the following ACL on the router connecting the two networks:
Router(config)#access-list 100
Router(config)#access-list 100 permit udp host 172.17.8.1 host 10.0.0.1 eq 69
Router(config)#access-list 100 deny udp any any eq 69
Router(config)#access-list 100 permit IP any any
You apply the ACL to inbound traffic on the interface (Fa 0/0) connected to the 10.0.0.1/8 network using the following commands:
Router(config)#int fa 0/0
Router(config)#ip access-group 100 in
After doing so, you find that all hosts in the 172.17.8.0/24 network can still access the TFTP service on 10.0.0.1 over port 69.
What can you do to fix the issue?
· Apply the ACL to outbound traffic on the router interface connected to the 10.0.0.0/8 network
You have decided to use ACLs on your router to restrict TFTP traffic between networks. Specifically you want to allow only the server with an IP address of 10.0.0.1. The TFTP protocol runs on UDP port 69. To accomplish this you create the following ACL on the router connecting the two networks:
Router(config)#access-list 100
Router(config)#access-list 100 permit udp 172.17.8.1 0.0.0.255 host 10.0.0.1 eq 69
Router(config)#access-list 100 deny udp any any eq 69
Router(config)#access-list 100 permit IP any any
After applying the ACL to inbound traffic on the interface connected to the 172.17.8.0/24 network, you find that all hosts on the 172.17.8.0/24 network can still access the TFTP service on 10.0.0.1 over port 69.
What can you do to fix this issue?
· Modify the first ACL line to access-list 100 permit udp host 172.17.8.1 host 10.0.0.1 eq 69
· Modify the first ACL line to access-list 100 permit udp 172.17.8.1 0.0.0.0 host 10.0.0.1 eq 69
You are configuring ACLs for the router. You need to create a standard IP access list that rejects all traffic except traffic from host 10.12.12.16. To verify the ACL is configured correctly and functioning as intended you want to view extended matching information for each line in the ACL as packets are processed by the router. Which command should you use?
· access-list 2 permit 10.12.12.16 log
You are configuring ACLs on a router. You need to create a standard IP access list that permits all outgoing traffic except from the 10.0.0.0 network. To verify the ACL is configured correctly and functioning as intended you want to view extended information about matches for each line in the ACL as packets are processed by the router. Which commands should you use?
· access-list 1 permit any log
· access-list 1 deny 10.0.0.0 0.255.255.255 log