2-9: ACLs Flashcards Preview

CISA-1220 Routing > 2-9: ACLs > Flashcards

Flashcards in 2-9: ACLs Deck (32):
1

Which two characteristics are shared by both standard and extended ACLs?

  1. Both can be created by using either a descriptive name or number.
  2. Both include an implicit deny as a final ACE.

2

A network administrator needs to configure a standard ACL so that only the workstation of the administrator with the IP address 192.168.15.23 can access the virtual terminal of the main router. Which two configuration commands can achieve the task?

  1. access-list 10 permit 192.168.15.23 0.0.0.0
  2. access-list 10 permit host 192.168.15.23

2

Which statement describes a difference between the operation of inbound and outbound ACLs?

Inbound ACLs are processed before the packets are routed while outbound ACLs are processed after the routing is completed.

2

The IPv6 access list LIMITED_ACCESS is applied on the S0/0/0 interface of R1 in the inbound direction. Which IPv6 packets from the ISP will be dropped by the ACL on R1?

ICMPv6 packets that are destined to PC1

2

The final entry in an ACL is always?

Implicit deny any

3

What wildcard mask would you use for hosts in a subnet with the subnet mask 255.255.252.0?

192.168.5.0 0.0.3.255

4

Which three statements are generally considered to be best practices in the placement of ACLs?

  1. Place extended ACLs close to the source IP address of the traffic.
  2. Place standard ACLs close to the destination IP address of the traffic.
  3. Filter unwanted traffic before it travels onto a low-bandwidth link.

4

What wildcard mask would you use for addresses with a subnet mask of 255.255.255.248?

192.168.3.64 0.0.0.7

4

The Logical Operation for equality in Extended ACLs is?

eq

5

A router has an existing ACL that permits all traffic from the 172.16.0.0 network. The administrator attempts to add a new ACE to the ACL that denies packets from host 172.16.0.1 and receives the error message that is shown in the exhibit. What action can the administrator take to block packets from host 172.16.0.1 while still permitting all other traffic from the 172.16.0.0 network?

Manually add the new deny ACE with a sequence number of 5.

7

Which three implicit access control entries are automatically added to the end of an IPv6 ACL?

  1. deny ipv6 any any
  2. permit icmp any any nd-ns
  3. permit icmp any any nd-na

7

Which feature is unique to IPv6 ACLs when compared to those of IPv4 ACLs?

An implicit permit of neighbor discovery packets

8

Rules in Access Control Lists are known as?

Access Control Entries (ACEs)

9

Which IPv4 address range covers all IP addresses that match the ACL filter specified by 172.16.2.0 with wildcard mask 0.0.1.255?

172.16.2.0 to 172.16.3.255

11

What are two possible uses of access control lists in an enterprise network?

  1. limiting debug outputs
  2. controlling virtual terminal access to routers

12

Outbound packers are processed by ACLs when?

After they have been routed to the outbound interface.

13

What two functions describe uses of an access control list?

  1. ACLs provide a basic level of security for network access.
  2. ACLs can control which areas a host can access on a network.

15

An administrator has configured an access list on R1 to allow SSH administrative access from host 172.16.1.100. Which command correctly applies the ACL?

R1(config-line)# access-class 1 in

16

What wildcard mask would you use for subnetwork address of a subnet with 14 valid host addresses?

192.168.15.144 0.0.0.15

17

What is the only type of ACL available for IPv6?

named extended

19

Which statement describes a characteristic of standard IPv4 ACLs?

They filter traffic based on source IP addresses only.

21

Which three statements describe ACL processing of packets?

  1. Each statement is checked only until a match is detected or until the end of the ACE list.
  2. An implicit deny any rejects any packet that does not match any ACE.
  3. A packet can either be rejected or forwarded as directed by the ACE that is matched.

22

Extended ACLs should be placed where?

As close as possible to the source of the traffic.

23

Inbound packets are processed by ACLs when?

Before they are routed.

25

If a router has two interfaces and is routing both IPv4 and IPv6 traffic, how many ACLs could be created and applied to it?

8

26

An ACL with the number 88 is a standard or extended ACL?

Standard. (1-99 & 1300 - 1999)

27

Standard ACLs should be placed where?

As close to the destination as possible.

28

What wildcard mask would you use for the first valid host address in a subnet?

192.168.15.65 255.255.255.240

29

Which IPv6 ACL command entry will permit traffic from any host to an SMTP server on network 2001:DB8:10:10::/64?

permit tcp any host 2001:DB8:10:10::100 eq 25

30

Consider the following access list that allows IP phone configuration file transfers from a particular host to a TFTP server:

R1(config)# access-list 105 permit udp host 10.0.70.23 host 10.0.54.5 range 1024 5000
R1(config)# access-list 105 deny ip any any
R1(config)# interface gi0/0
R1(config-if)# ip access-group 105 out

Which method would allow the network administrator to modify the ACL and include FTP transfers from any source IP address?

R1(config)# interface gi0/0
R1(config-if)# no ip access-group 105 out
R1(config)# no access-list 105
R1(config)# access-list 105 permit udp host 10.0.70.23 host 10.0.54.5 range 1024 5000
R1(config)# access-list 105 permit tcp any host 10.0.54.5 eq 20
R1(config)# access-list 105 permit tcp any host 10.0.54.5 eq 21
R1(config)# access-list 105 deny ip any any
R1(config)# interface gi0/0
R1(config-if)# ip access-group 105 out ******************

31

What wildcard mask would you use when all IP address bits must match exactly?

host 192.168.15.12

32

The network administrator that has the IP address of 10.0.70.23/25 needs to have access to the corporate FTP server (10.0.54.5/28). The FTP server is also a web server that is accessible to all internal employees on networks within the 10.x.x.x address. No other traffic should be allowed to this server. Which extended ACL would be used to filter this traffic, and how would this ACL be applied? 

R1(config)# interface gi0/0
R1(config-if)# ip access-group 105 out ******************

access-list 105 permit tcp host 10.0.70.23 host 10.0.54.5 eq 20
access-list 105 permit tcp host 10.0.70.23 host 10.0.54.5 eq 21
access-list 105 permit tcp 10.0.0.0 0.255.255.255 host 10.0.54.5 eq www
access-list 105 deny ip any host 10.0.54.5
access-list 105 permit ip any any ********************