CCNAv7 Module 5 Quiz – ACLs for IPv4 Configuration Answers

1. The computers used by the network administrators for a school are on the 10.7.0.0/27 network. Which two commands are needed at a minimum to apply an ACL that will ensure that only devices that are used by the network administrators will be allowed Telnet access to the routers? (Choose two.)

  • access-class 5 in
  • access-list standard VTY
    permit 10.7.0.0 0.0.0.127
  • access-list 5 permit 10.7.0.0 0.0.0.31
  • ip access-group 5 in
  • ip access-group 5 out
  • access-list 5 deny any
Explanation: Numbered and named access lists can be used on vty lines to control remote access. The first ACL command, access-list 5 permit 10.7.0.0 0.0.0.31, allows traffic that originates from any device on the 10.7.0.0/27 network. The second ACL command, access-class 5 in, applies the access list to a vty line.

2. Consider the configured access list.

R1# show access-lists
extended IP access list 100
deny tcp host 10.1.1.2 host 10.1.1.1 eq telnet
deny tcp host 10.1.2.2 host 10.1.2.1 eq telnet
permit ip any any (15 matches)

What are two characteristics of this access list? (Choose two.)

  • Only the 10.1.1.2 device can telnet to the router that has the 10.1.1.1 IP address assigned.
  • The 10.1.2.1 device is not allowed to telnet to the 10.1.2.2 device.
  • Any device can telnet to the 10.1.2.1 device.
  • A network administrator would not be able to tell if the access list has been applied to an interface or not.
  • Any device on the 10.1.1.0/24 network (except the 10.1.1.2 device) can telnet to the router that has the IP address 10.1.1.1 assigned.
  • The access list has been applied to an interface.
Explanation: The access list stops Telnet traffic from the 10.1.1.2 device to the 10.1.1.1 device. It also stops Telnet traffic from 10.1.2.2 device to 10.1.2.1. All other TCP/IP-based transmissions are allowed. The access list is working because there have been 15 matches on the last ACE.

3. Which command will verify the number of packets that are permitted or denied by an ACL that restricts SSH access?

  • show ip interface brief
  • show ip ssh
  • show running-config
  • show access-lists
Explanation: The show-access lists command will display each line of an access list and the number of matches to each statement. The show running-config command will show the statements as they were configured, but provides no information on matches. The show ip ssh command gives general information about the SSH configuration.

4. Which access list statement permits HTTP traffic that is sourced from host 10.1.129.100 port 4300 and destined to host 192.168.30.10?

  • access-list 101 permit tcp any eq 4300
  • access-list 101 permit tcp 192.168.30.10 0.0.0.0 eq 80 10.1.0.0 0.0.255.255
  • access-list 101 permit tcp 10.1.129.0 0.0.0.255 eq www 192.168.30.10 0.0.0.0 eq www
  • access-list 101 permit tcp 10.1.128.0 0.0.1.255 eq 4300 192.168.30.0 0.0.0.15 eq www
  • access-list 101 permit tcp host 192.168.30.10 eq 80 10.1.0.0 0.0.255.255 eq 4300
Explanation: The HTTP protocol uses port 80 and is designated in an ACL using the eq 80 parameter or by using eq www. The first IP address listed in an ACL is the source address along with the appropriate wildcard mask. With a source IP address of 10.1.128.0 and a wildcard mask of 0.0.1.255, then IP addresses from 10.1.128.0 to 10.1.129.255 are permitted.

5. When configuring router security, which statement describes the most effective way to use ACLs to control Telnet traffic that is destined to the router itself?

  • The ACL must be applied to each vty line individually.
  • The ACL is applied to the Telnet port with the ip access-group command.
  • The ACL should be applied to all vty lines in the in direction to prevent an unwanted user from connecting to an unsecured port.
  • Apply the ACL to the vty Ilines without the in or out option required when applying ACLS to interfaces.
Explanation: Because someone from outside the router is trying to use a protocol such as Telnet or SSH to gain access to the router, the ACL direction has to be inward into the router through the vty lines.

6. What packets would match the access control list statement that is shown below?

access-list 110 permit tcp 172.16.0.0 0.0.0.255 any eq 22
  • any TCP traffic from the 172.16.0.0 network to any destination network
  • SSH traffic from the 172.16.0.0 network to any destination network
  • SSH traffic from any source network to the 172.16.0.0 network
  • any TCP traffic from any host to the 172.16.0.0 network
Explanation: The statement, access-list 110 permit tcp 172.16.0.0 0.0.0.255 any eq 22, will match traffic on port 22, which is SSH, that is sourced from network 172.16.0.0/24 with any destination.

7. Consider the access list command applied outbound on a router serial interface.

access-list 100 deny icmp 192.168.10.0 0.0.0.255 any echo reply

What is the effect of applying this access list command?

  • Users on the 192.168.10.0/24 network are not allowed to transmit traffic to any other destination.
  • The only traffic denied is ICMP-based traffic. All other traffic is allowed.
  • The only traffic denied is echo-replies sourced from the 192.168.10.0/24 network. All other traffic is allowed.
  • No traffic will be allowed outbound on the serial interface.
Explanation: At the end of every extended access list is an implicit deny ip any any statement so that no traffic will be allowed to be sent out the serial interface.

8. Consider the following output for an ACL that has been applied to a router via the access-class in command. What can a network administrator determine from the output that is shown?

R1# <output omitted>
Standard IP access list 2
10 permit 192.168.10.0, wildcard bits 0.0.0.255 (2 matches)
20 deny any (1 match)
  • Traffic from one device was not allowed to come into one router port and be routed outbound a different router port.
  • Two devices were able to use SSH or Telnet to gain access to the router.
  • Two devices connected to the router have IP addresses of 192.168.10.x.
  • Traffic from two devices was allowed to enter one router port and be routed outbound to a different router port.
Explanation: The access-class command is used only on VTY ports. VTY ports support Telnet and/or SSH traffic. The match permit ACE is how many attempts were allowed using the VTY ports. The match deny ACE shows that a device from a network other than 192.168.10.0 was not allowed to access the router through the VTY ports.

9. Which two commands will configure a standard ACL? (Choose two.)

  • Router(config)# access-list 45 permit 192.168.200.4 host
  • Router(config)# access-list 10 permit 10.20.5.0 0.255.255.255 any
  • Router(config)# access-list 20 permit host 192.168.5.5 any any
  • Router(config)# access-list 35 permit host 172.31.22.7
  • Router(config)# access-list 90 permit 192.168.10.5 0.0.0.0
Explanation: Standard access lists have the syntax of access-list and a number between 1 and 99 followed by the permit or deny keyword and the source IP address (that includes a wildcard mask).

10. To facilitate the troubleshooting process, which inbound ICMP message should be permitted on an outside interface?

  • time-stamp reply
  • time-stamp request
  • echo request
  • echo reply
  • router advertisement
Explanation: By allowing the ICMP echo reply message inbound to the organization, internal users are allowed to ping external addresses (and the reply message allowed to return).

11. What two ACEs could be used to deny IP traffic from a single source host 10.1.1.1 to the 192.168.0.0/16 network? (Choose two.)

  • access-list 100 deny ip 192.168.0.0 0.0.255.255 10.1.1.1 0.0.0.0
  • access-list 100 deny ip 192.168.0.0 0.0.255.255 host 10.1.1.1
  • access-list 100 deny ip host 10.1.1.1 192.168.0.0 0.0.255.255
  • access-list 100 deny ip 192.168.0.0 0.0.255.255 10.1.1.1 255.255.255.255
  • access-list 100 deny ip 10.1.1.1 255.255.255.255 192.168.0.0 0.0.255.255
  • access-list 100 deny ip 10.1.1.1 0.0.0.0 192.168.0.0 0.0.255.255
Explanation: There are two ways to identify a single host in an access list entry. One, is to use the host keyword with the host IP address, the other is to use a wildcard mask of 0.0.0.0 with the host IP address. The source of the traffic to be inspected by the access list goes first in the syntax and the destination goes last.

12. An administrator has configured an access list on R1 to allow SSH administrative access from host 172.16.1.100. Which command correctly applies the ACL?

  • R1(config-line)# access-class 1 in
  • R1(config-line)# access-class 1 out
  • R1(config-if)# ip access-group 1 out
  • R1(config-if)# ip access-group 1 in
Explanation: Administrative access over SSH to the router is through the vty lines. Therefore, the ACL must be applied to those lines in the inbound direction. This is accomplished by entering line configuration mode and issuing the access-class command.

Subscribe
Notify of
guest
0 Comments
Inline Feedbacks
View all comments