1. Which two conditions would cause a router to drop a packet? (Choose two.)
- The ACL that is affecting the packet does not contain at least one deny ACE.
- No routing table entry exists for the packet destination, but the packet matches a permitted address in an outbound ACL.
- No outbound ACL exists on the interface where the packet exits the router.
- No inbound ACL exists on the interface where the packet enters the router.
- The packet source address does not match the source as permitted in a standard inbound ACE.
Explanation: Routers will drop any packets for which no routing table destination can be found. ACLs are not required on interfaces, but if one exists and the IP address of the source in the packet does not match that permitted in a standard ACL, the packet will be dropped. ACLs can contain multiple permit and deny ACEs, but generally should contain at least one permit ACE, because ACLs contain an implicit deny ACE at the end.
2. A network administrator configures an ACL with the command R1(config)# access-list 1 permit 172.16.0.0 0.0.15.255. Which two IP addresses will match this ACL statement? (Choose two.)
- 172.16.16.12
- 172.16.31.24
- 172,16.65.21
- 172.16.0.255
- 172.16.15.36
Explanation: The wildcard mask indicates that any IP address within the range of 172.16.0.0 to 172.16.15.255 matches.
3. Which two statements describe appropriate general guidelines for configuring and applying ACLs? (Choose two.)
- Multiple ACLs per protocol and per direction can be applied to an interface.
- If a single ACL is to be applied to multiple interfaces, it must be configured with a unique number for each interface.
- The most specific ACL statements should be entered first because of the top-down sequential nature of ACLs.
- If an ACL contains no permit statements, all traffic is denied by default.
- Standard ACLs are placed closest to the source, whereas extended ACLs are placed closest to the destination.
Explanation: An interface can only have one ACL per direction. Standard ACLs filter only on the source address, so they are normally placed closest to the destination. Extended ACLs filter on source and destination addresses and port numbers. They are commonly placed closest to the source to reduce traffic across the network or networks. A single ACL can be applied to multiple interfaces.
4. What single access list statement matches all of the following networks?
192.168.16.0
192.168.17.0
192.168.18.0
192.168.19.0
- access-list 10 permit 192.168.16.0 0.0.3.255
- access-list 10 permit 192.168.0.0 0.0.15.255
- access-list 10 permit 192.168.16.0 0.0.0.255
- access-list 10 permit 192.168.16.0 0.0.15.255
Explanation: The ACL statement access-list 10 permit 192.168.16.0 0.0.3.255 will match all four network prefixes. All four prefixes have the same 22 high order bits. These 22 high order bits are matched by the network prefix and wildcard mask of 192.168.16.0 0.0.3.255.
5. Which three statements describe ACL processing of packets? (Choose three.)
- A packet can either be rejected or forwarded as directed by the ACE that is matched.
- A packet that does not match the conditions of any ACE will be forwarded by default.
- Each statement is checked only until a match is detected or until the end of the ACE list.
- Each packet is compared to the conditions of every ACE in the ACL before a forwarding decision is made.
- An implicit deny any rejects any packet that does not match any ACE.
- A packet that has been denied by one ACE can be permitted by a subsequent ACE.
Explanation: When a packet comes into a router that has an ACL configured on the interface, the router compares the condition of each ACE to determine if the defined criteria has been met. If met, the router takes the action defined in the ACE (allows the packet through or discards it). If the defined criteria has not been met, the router proceeds to the next ACE. An implicit deny any statement is at the end of every standard ACL.
6. A network administrator is configuring an ACL to restrict access to certain servers in the data center. The intent is to apply the ACL to the interface connected to the data center LAN. What happens if the ACL is incorrectly applied to an interface in the inbound direction instead of the outbound direction?
- All traffic is denied.
- All traffic is permitted.
- The ACL does not perform as designed.
- The ACL will analyze traffic after it is routed to the outbound interface.
Explanation: Always test an ACL to ensure that it performs as it was designed. Applying an ACL that is applied using the ip access-group in command instead of using the ip access-group out command is not going to work as designed.
7. Which scenario would cause an ACL misconfiguration and deny all traffic?
- Apply a standard ACL using the ip access-group outcommand.
- Apply a named ACL to a VTY line.
- Apply an ACL that has all deny ACE statements.
- Apply a standard ACL in the inbound direction.
Explanation: Having all ACEs with deny statements denies all traffic because there is an implicit deny any command at the end of every standard ACL.
8. In applying an ACL to a router interface, which traffic is designated as outbound?
- traffic that is leaving the router and going toward the destination host
- traffic that is coming from the source IP address into the router
- traffic for which the router can find no routing table entry
- traffic that is going from the destination IP address into the router
Explanation: Inbound and outbound are interpreted from the point of view of the router. Traffic that is designated in an inbound ACL will be denied or permitted when coming into that router interface from a source. Traffic that is designated in an outbound ACL will be denied or permitted when going out the interface to the destination.
9. When creating an ACL, which keyword should be used to document and interpret the purpose of the ACL statement on a Cisco device?
- remark
- description
- established
- eq
Explanation: In order to document the purpose of an ACL and identify its function more easily, the remark keyword is used when building the ACL. The established keyword is used to allow connections that were initially sourced from the current device. The eq operator is used to specify a port number for denying or permitting traffic. The description keyword is used when configuring and documenting interfaces.
10. Which location is recommended for extended numbered or extended named ACLs?
- a location as close to the destination of traffic as possible
- a location as close to the source of traffic as possible
- a location centered between traffic destinations and sources to filter as much traffic as possible
- if using the established keyword, a location close to the destination to ensure that return traffic is allowed
Explanation: Extended ACLs are normally placed as close to the source as possible. Standard ACLs are placed as close to the destination as possible because a standard ACL only has the source IP address listed as part of the ACE.
11. Which range represents all the IP addresses that are affected when network 10.120.160.0 with a wildcard mask of 0.0.7.255 is used in an ACE?
- 10.120.160.0 to 10.120.167.255
- 10.120.160.0 to 10.127.255.255
- 10.120.160.0 to 10.120.191.255
- 10.120.160.0 to 10.120.168.0
Explanation: A wildcard mask of 0.0.7.255 means that the first 5 bits of the 3rd octet must remain the same but the last 3 bits can have values from 000 to 111. The last octet has a value of 255, which means the last octet can have values from all zeros to all 1s.
12. A college student is studying for the Cisco CCENT certification and is visualizing extended access lists. Which three keywords could immediately follow the keywords permit or deny as part of an extended access list? (Choose three.)
- telnet
- tcp
- udp
- www
- icmp
- ftp
Explanation: Four commonly used keywords that could follow the keywords permit or deny in an IPv4 extended access list are ip, tcp, udp, and icmp. If the keyword ip is used, then the entire TCP/IP suite is affected (all TCP/IP protocols).
13. If the provided ACEs are in the same ACL, which ACE should be listed first in the ACL according to best practice?
- permit tcp 172.16.0.0 0.0.3.255 any established
- deny tcp any any eq telnet
- deny udp any host 172.16.1.5 eq snmptrap
- permit udp any any range 10000 20000
- permit udp 172.16.0.0 0.0.255.255 host 172.16.1.5 eq snmptrap
- permit ip any any
Explanation: A best practice for configuring an extended ACL is to ensure that the most specific ACE is placed higher in the ACL. Consider the two permit UDP statements. If both of these were in an ACL, the SNMP ACE is more specific than the UDP statement that permits a range of 10,001 UDP port numbers. The SNMP ACE would be entered before the other UDP ACE. The ACEs from most specific to least specific are as follows:
– permit udp 172.16.0.0 0.0.255.255 host 172.16.1.5 eq snmptrap
– deny udp any host 172.16.1.5 eq snmptrap
– permit tcp 172.16.0.0 0.0.3.255 any established
– deny tcp any any eq telnet
– permit udp any any range 10000 20000
– permit ip any any
– permit udp 172.16.0.0 0.0.255.255 host 172.16.1.5 eq snmptrap
– deny udp any host 172.16.1.5 eq snmptrap
– permit tcp 172.16.0.0 0.0.3.255 any established
– deny tcp any any eq telnet
– permit udp any any range 10000 20000
– permit ip any any
14. Which operator is used in an ACL statement to match packets of a specific application?
- established
- It
- eq
- gt
Explanation: An example of an ACL that filters for FTP is as follows:
access-list 105 permit tcp any host 10.0.54.5 eq 20
access-list 105 permit tcp any host 10.0.54.5 eq 21
The operator (eq) toward the end of the ACL lines is used to match a specific port/service that is specified immediately following the eq operator.
access-list 105 permit tcp any host 10.0.54.5 eq 20
access-list 105 permit tcp any host 10.0.54.5 eq 21
The operator (eq) toward the end of the ACL lines is used to match a specific port/service that is specified immediately following the eq operator.