1. Which two conditions would cause a router to drop a packet? (Choose two.)
- The ACL that is affecting the packet does not contain at least one deny ACE.
- No routing table entry exists for the packet destination, but the packet matches a permitted address in an outbound ACL.
- No outbound ACL exists on the interface where the packet exits the router.
- No inbound ACL exists on the interface where the packet enters the router.
- The packet source address does not match the source as permitted in a standard inbound ACE.
2. A network administrator configures an ACL with the command R1(config)# access-list 1 permit 172.16.0.0 0.0.15.255. Which two IP addresses will match this ACL statement? (Choose two.)
3. Which two statements describe appropriate general guidelines for configuring and applying ACLs? (Choose two.)
- Multiple ACLs per protocol and per direction can be applied to an interface.
- If a single ACL is to be applied to multiple interfaces, it must be configured with a unique number for each interface.
- The most specific ACL statements should be entered first because of the top-down sequential nature of ACLs.
- If an ACL contains no permit statements, all traffic is denied by default.
- Standard ACLs are placed closest to the source, whereas extended ACLs are placed closest to the destination.
4. What single access list statement matches all of the following networks?
- access-list 10 permit 192.168.16.0 0.0.3.255
- access-list 10 permit 192.168.0.0 0.0.15.255
- access-list 10 permit 192.168.16.0 0.0.0.255
- access-list 10 permit 192.168.16.0 0.0.15.255
5. Which three statements describe ACL processing of packets? (Choose three.)
- A packet can either be rejected or forwarded as directed by the ACE that is matched.
- A packet that does not match the conditions of any ACE will be forwarded by default.
- Each statement is checked only until a match is detected or until the end of the ACE list.
- Each packet is compared to the conditions of every ACE in the ACL before a forwarding decision is made.
- An implicit deny any rejects any packet that does not match any ACE.
- A packet that has been denied by one ACE can be permitted by a subsequent ACE.
6. A network administrator is configuring an ACL to restrict access to certain servers in the data center. The intent is to apply the ACL to the interface connected to the data center LAN. What happens if the ACL is incorrectly applied to an interface in the inbound direction instead of the outbound direction?
- All traffic is denied.
- All traffic is permitted.
- The ACL does not perform as designed.
- The ACL will analyze traffic after it is routed to the outbound interface.
7. Which scenario would cause an ACL misconfiguration and deny all traffic?
- Apply a standard ACL using the ip access-group outcommand.
- Apply a named ACL to a VTY line.
- Apply an ACL that has all deny ACE statements.
- Apply a standard ACL in the inbound direction.
8. In applying an ACL to a router interface, which traffic is designated as outbound?
- traffic that is leaving the router and going toward the destination host
- traffic that is coming from the source IP address into the router
- traffic for which the router can find no routing table entry
- traffic that is going from the destination IP address into the router
9. When creating an ACL, which keyword should be used to document and interpret the purpose of the ACL statement on a Cisco device?
10. Which location is recommended for extended numbered or extended named ACLs?
- a location as close to the destination of traffic as possible
- a location as close to the source of traffic as possible
- a location centered between traffic destinations and sources to filter as much traffic as possible
- if using the established keyword, a location close to the destination to ensure that return traffic is allowed
11. Which range represents all the IP addresses that are affected when network 10.120.160.0 with a wildcard mask of 0.0.7.255 is used in an ACE?
- 10.120.160.0 to 10.120.167.255
- 10.120.160.0 to 10.127.255.255
- 10.120.160.0 to 10.120.191.255
- 10.120.160.0 to 10.120.168.0
12. A college student is studying for the Cisco CCENT certification and is visualizing extended access lists. Which three keywords could immediately follow the keywords permit or deny as part of an extended access list? (Choose three.)
13. If the provided ACEs are in the same ACL, which ACE should be listed first in the ACL according to best practice?
- permit tcp 172.16.0.0 0.0.3.255 any established
- deny tcp any any eq telnet
- deny udp any host 172.16.1.5 eq snmptrap
- permit udp any any range 10000 20000
- permit udp 172.16.0.0 0.0.255.255 host 172.16.1.5 eq snmptrap
- permit ip any any
– permit udp 172.16.0.0 0.0.255.255 host 172.16.1.5 eq snmptrap
– deny udp any host 172.16.1.5 eq snmptrap
– permit tcp 172.16.0.0 0.0.3.255 any established
– deny tcp any any eq telnet
– permit udp any any range 10000 20000
– permit ip any any
14. Which operator is used in an ACL statement to match packets of a specific application?
access-list 105 permit tcp any host 10.0.54.5 eq 20
access-list 105 permit tcp any host 10.0.54.5 eq 21
The operator (eq) toward the end of the ACL lines is used to match a specific port/service that is specified immediately following the eq operator.