ACL Flashcards

(120 cards)

1
Q

What is the primary purpose of an Access Control List (ACL)?
A) To encrypt network traffic
B) To filter traffic based on defined rules
C) To assign IP addresses dynamically
D) To establish VPN tunnels

A

Answer: B) To filter traffic based on defined rules

2
Q

Which of the following are types of ACLs in Cisco devices? (Choose two)
A) Standard ACL
B) Dynamic ACL
C) Transparent ACL
D) Named ACL

A

Answer: A) Standard ACL and D) Named ACL

3
Q

Standard ACLs filter traffic based on:
A) Source and destination IP addresses
B) Source IP address only
C) Destination IP address only
D) Port numbers

A

Answer: B) Source IP address only

4
Q

Extended ACLs filter traffic based on:
A) Only source IP address
B) Source IP, destination IP, protocol, and port numbers
C) Only destination IP address
D) MAC addresses

A

Answer: B) Source IP, destination IP, protocol, and port numbers

5
Q

Where should a Standard ACL be placed for optimal performance?
A) Close to the destination
B) Close to the source
C) On a core switch
D) On a wireless controller

A

Answer: A) Close to the destination

6
Q

Where should an Extended ACL be placed for optimal performance?
A) Close to the source
B) Close to the destination
C) On a DNS server
D) On a DHCP server

A

Answer: A) Close to the source

7
Q

What is the range of numbered Standard ACLs?
A) 1–99 and 1300–1999
B) 100–199 and 2000–2699
C) 500–599
D) 800–899

A

Answer: A) 1–99 and 1300–1999

8
Q

What is the range of numbered Extended ACLs?
A) 1–99
B) 100–199 and 2000–2699
C) 500–599
D) 800–899

A

Answer: B) 100–199 and 2000–2699

9
Q

Which command creates a Standard numbered ACL to deny traffic from 192.168.1.0/24?
A) access-list 10 permit 192.168.1.0 0.0.0.255
B) access-list 10 deny 192.168.1.0 255.255.255.0
C) access-list 10 deny 192.168.1.0 0.0.0.255
D) access-list 100 deny ip 192.168.1.0 0.0.0.255

A

Answer: C) access-list 10 deny 192.168.1.0 0.0.0.255

10
Q

What does the wildcard mask 0.0.0.255 represent?
A) A single host
B) The first 24 bits must match
C) Any IP address
D) Only the last 8 bits can vary

A

Answer: D) Only the last 8 bits can vary

11
Q

Which command applies an ACL to an interface?
A) ip access-group 10 in
B) access-class 10 in
C) apply access-list 10 inbound
D) enable acl 10

A

Answer: A) ip access-group 10 in

12
Q

What is the default action of an ACL if no match is found?
A) Permit all
B) Deny all
C) Log traffic
D) Ask for user input

A

Answer: B) Deny all (implicit deny)

13
Q

Which command verifies ACL configuration?
A) show access-list
B) show ip interface
C) show running-config
D) All of the above

A

Answer: D) All of the above

14
Q

What is the correct sequence of ACL processing?
A) Top-down, first match applies
B) Bottom-up, last match applies
C) Random order
D) Parallel processing

A

Answer: A) Top-down, first match applies

15
Q

How do you remove an ACL from an interface?
A) no ip access-group 10 in
B) disable access-list 10
C) clear access-list 10
D) remove acl 10

A

Answer: A) no ip access-group 10 in

16
Q

Which command creates a named Extended ACL?
A) ip access-list extended MY_ACL
B) access-list named MY_ACL extended
C) create acl MY_ACL extended
D) named-acl MY_ACL extended

A

Answer: A) ip access-list extended MY_ACL

17
Q

What happens if you edit an existing ACL?
A) New entries are appended at the bottom
B) The entire ACL is replaced
C) Entries can be inserted at specific positions
D) Both A and C

A

Answer: D) Both A and C (depends on editing method)

18
Q

Which command blocks Telnet traffic from 10.1.1.1 to 192.168.1.1?
A) access-list 100 deny tcp host 10.1.1.1 host 192.168.1.1 eq 23
B) access-list 100 deny udp 10.1.1.1 192.168.1.1 eq telnet
C) access-list 100 deny tcp 10.1.1.1 0.0.0.0 192.168.1.1 0.0.0.0 eq 80
D) access-list 100 permit ip any any

A

Answer: A) access-list 100 deny tcp host 10.1.1.1 host 192.168.1.1 eq 23

19
Q

Which wildcard mask matches any IP address?
A) 0.0.0.0
B) 255.255.255.255
C) 0.0.0.255
D) 255.255.255.0

A

Answer: B) 255.255.255.255 (equivalent to any)

20
Q

What does host 192.168.1.1 represent in an ACL?
A) A network range
B) A single host
C) A broadcast address
D) A multicast group

A

Answer: B) A single host

21
Q

What is a Reflexive ACL?
A) An ACL that filters based on MAC addresses
B) An ACL that dynamically permits return traffic for established sessions
C) An ACL that only works on IPv6
D) An ACL that requires authentication

A

Answer: B) An ACL that dynamically permits return traffic for established sessions

22
Q

Which ACL type can filter traffic based on time ranges?
A) Standard ACL
B) Dynamic ACL
C) Time-based ACL
D) Reflexive ACL

A

Answer: C) Time-based ACL

23
Q

What is the purpose of the established keyword in an Extended ACL?
A) Allows only responses to initiated TCP sessions
B) Blocks all TCP traffic
C) Permits any UDP traffic
D) Enables logging for ACL matches

A

Answer: A) Allows only responses to initiated TCP sessions

24
Q

Which command defines a time range for a Time-based ACL?
A) time-range WORK_HOURS
B) acl-time WORK_HOURS
C) set time WORK_HOURS
D) define time WORK_HOURS

A

Answer: A) time-range WORK_HOURS

25
What is the difference between inbound and outbound ACLs?
A) Inbound filters traffic entering an interface, outbound filters exiting traffic
B) Inbound filters exiting traffic, outbound filters entering traffic
C) Both filter the same traffic
D) Inbound works only on routers, outbound on switches
Answer: A) Inbound filters traffic entering an interface, outbound filters exiting traffic
26
Why is the order of ACL entries important?
A) Because the first match is applied, and subsequent entries are ignored
B) Because ACLs process all entries simultaneously
C) Because the last entry always overrides the rest
D) Because order affects logging only
Answer: A) Because the first match is applied, and subsequent entries are ignored
27
What happens if an ACL is applied to an interface but is empty?
A) All traffic is permitted
B) All traffic is denied (implicit deny)
C) Only ICMP traffic is allowed
D) The interface shuts down
Answer: B) All traffic is denied (implicit deny)
28
Which command shows ACL hits (number of matches)?
A) show access-list
B) show ip access-list
C) show acl counters
D) Both A and B
Answer: D) Both A and B
29
What is a best practice when writing ACLs?
A) Place more specific rules at the bottom
B) Place more specific rules at the top
C) Use only Standard ACLs
D) Avoid using wildcard masks
Answer: B) Place more specific rules at the top
30
How do you remove an entire ACL?
A) no access-list 10
B) clear access-list 10
C) delete access-list 10
D) remove acl 10
Answer: A) no access-list 10
31
Which ACL type can filter traffic based on TCP/UDP port numbers?
A) Standard ACL
B) Extended ACL
C) Named ACL
D) Reflexive ACL
Answer: B) Extended ACL
32
What is the purpose of a "Named ACL"?
A) To use numbers instead of names
B) To allow descriptive names instead of numbers
C) To work only on IPv6
D) To bypass implicit deny
Answer: B) To allow descriptive names instead of numbers
33
Which command creates a named Standard ACL?
A) ip access-list standard MY_ACL
B) access-list named MY_ACL standard
C) named-acl standard MY_ACL
D) create acl standard MY_ACL
Answer: A) ip access-list standard MY_ACL
34
What is the difference between a Standard and Extended ACL?
A) Standard uses names, Extended uses numbers
B) Standard filters only source IP, Extended filters source/dest IP, protocol, and ports
C) Standard works on Layer 2, Extended on Layer 3
D) Standard is for IPv6, Extended is for IPv4
Answer: B) Standard filters only source IP, Extended filters source/dest IP, protocol, and ports
35
Which ACL type requires authentication before permitting traffic?
A) Reflexive ACL
B) Dynamic ACL
C) Time-based ACL
D) Named ACL
Answer: B) Dynamic ACL
36
What is the purpose of a "Reflexive ACL"?
A) To block all inbound traffic
B) To dynamically allow return traffic for established sessions
C) To filter based on time of day
D) To log all denied packets
Answer: B) To dynamically allow return traffic for established sessions
37
Which keyword allows only established TCP sessions in an Extended ACL?
A) permit-established
B) established
C) tcp-established
D) session-allow
Answer: B) established
38
What is a "Time-based ACL"?
A) An ACL that expires after a set time
B) An ACL that filters traffic based on a defined time range
C) An ACL that only works during business hours
D) An ACL that adjusts based on network load
Answer: B) An ACL that filters traffic based on a defined time range
39
Which command configures a time range for a Time-based ACL?
A) time-range WORK_HOURS → periodic weekdays 9:00 to 17:00
B) set time WORK_HOURS 9:00-17:00
C) acl-time WORK_HOURS 9AM-5PM
D) define time WORK_HOURS 0900-1700
Answer: A) time-range WORK_HOURS → periodic weekdays 9:00 to 17:00
40
Which ACL type is best for allowing return traffic for a session initiated from inside the network?
A) Standard ACL
B) Reflexive ACL
C) Named ACL
D) Dynamic ACL
Answer: B) Reflexive ACL
41
What is the correct syntax for a Reflexive ACL?
A) permit tcp any any reflect MY_ACL
B) ip reflexive-list MY_ACL permit tcp any any
C) access-list 100 permit tcp any any reflect MY_ACL
D) reflexive-acl MY_ACL permit tcp any any
Answer: A) permit tcp any any reflect MY_ACL
42
How do you apply a Reflexive ACL to an interface?
A) ip access-group MY_ACL in
B) ip access-group MY_ACL out
C) ip reflexive-group MY_ACL in
D) apply reflexive MY_ACL
Answer: B) ip access-group MY_ACL out
43
What is the primary benefit of a Named ACL over a Numbered ACL?
A) Better performance
B) Easier to manage with descriptive names
C) Supports more entries
D) Works only on IPv6
Answer: B) Easier to manage with descriptive names
44
Which command shows time-range configurations?
A) show time-range
B) show clock
C) show acl time
D) show running-config | include time-range
Answer: A) show time-range
45
What happens if a time-range referenced in an ACL is not active?
A) The ACL entry is ignored
B) The ACL denies all traffic
C) The ACL permits all traffic
D) The router reboots
Answer: A) The ACL entry is ignored
46
Which ACL type is best for blocking a specific host from accessing a network?
A) Standard ACL
B) Extended ACL
C) Reflexive ACL
D) Named ACL
Answer: A) Standard ACL
47
Which ACL type is best for blocking Telnet traffic from a specific subnet?
A) Standard ACL
B) Extended ACL
C) Reflexive ACL
D) Named ACL
Answer: B) Extended ACL
48
What is the correct wildcard mask to match the network 10.1.1.0/24?
A) 0.0.0.255
B) 255.255.255.0
C) 0.0.0.0
D) 255.255.255.255
Answer: A) 0.0.0.255
49
What does the wildcard mask 0.0.0.0 represent?
A) Any IP address
B) A single host
C) A /24 network
D) A /16 network
Answer: B) A single host
50
Which command permits all traffic in an ACL?
A) permit any any
B) permit ip any any
C) allow all
D) permit all
Answer: B) permit ip any any
51
Where should a Standard ACL be placed in a network?
A) Closest to the source
B) Closest to the destination
C) On a core switch
D) On a firewall
Answer: B) Closest to the destination
52
Where should an Extended ACL be placed in a network?
A) Closest to the source
B) Closest to the destination
C) On a DNS server
D) On a DHCP server
Answer: A) Closest to the source
53
Why is it better to place Extended ACLs near the source?
A) To reduce unnecessary traffic
B) To improve logging
C) To simplify configuration
D) To block all traffic
Answer: A) To reduce unnecessary traffic
54
What is the "implicit deny" rule in ACLs?
A) A hidden deny any any at the end of every ACL
B) A rule that permits all traffic
C) A rule that logs all traffic
D) A rule that blocks only ICMP
Answer: A) A hidden deny any any at the end of every ACL
55
How do you override the implicit deny in an ACL?
A) Add a permit any any at the end
B) Use no implicit-deny
C) Disable ACL logging
D) Use a Reflexive ACL
Answer: A) Add a permit any any at the end
56
What is a best practice when writing ACLs?
A) Place general rules first
B) Place specific rules first
C) Use only Standard ACLs
D) Avoid using wildcard masks
Answer: B) Place specific rules first
57
Why should you avoid overly permissive ACL rules?
A) They can create security risks
B) They slow down the router
C) They only work on IPv6
D) They disable logging
Answer: A) They can create security risks
58
Which command shows which interfaces have ACLs applied?
A) show ip interface
B) show access-list
C) show running-config
D) All of the above
Answer: D) All of the above
59
What happens if two ACLs are applied to the same interface in the same direction?
A) Both are processed in order
B) Only the first one is applied
C) The router crashes
D) The second one overrides the first
Answer: B) Only the first one is applied
60
Which command removes all ACLs from an interface?
A) no ip access-group
B) clear access-list
C) remove acl
D) disable acl
Answer: A) no ip access-group
61
What is the correct command to apply an ACL to a VTY line (Telnet/SSH access)?
A) access-group 10 in
B) access-class 10 in
C) ip access-list 10 in
D) apply access-list 10
Answer: B) access-class 10 in
62
Which type of ACL is best suited for restricting remote access (SSH/Telnet) to a router?
A) Standard ACL
B) Extended ACL
C) Reflexive ACL
D) Named ACL
Answer: A) Standard ACL (since it filters based on source IP)
63
What happens if an ACL is applied to an interface but contains no permit statements?
A) All traffic is allowed
B) All traffic is blocked (implicit deny)
C) Only ICMP traffic is allowed
D) The interface shuts down
Answer: B) All traffic is blocked (implicit deny)
64
How do you remove a single ACL entry from a numbered ACL?
A) no access-list 10 deny 192.168.1.0 0.0.0.255
B) delete access-list 10 entry 1
C) clear access-list 10
D) You must recreate the entire ACL
Answer: D) You must recreate the entire ACL (numbered ACLs don’t support single-line removal)
65
Which command displays ACLs applied to router interfaces?
A) show ip interface
B) show access-list
C) show running-config
D) All of the above
Answer: D) All of the above
66
What is the purpose of the log keyword in an ACL entry?
A) To permit traffic and log matches
B) To deny traffic and log matches
C) To disable the ACL
D) To encrypt traffic
Answer: B) To deny traffic and log matches
67
Which ACL type can filter traffic based on TCP/UDP port numbers?
A) Standard ACL
B) Extended ACL
C) Named ACL
D) Reflexive ACL
Answer: B) Extended ACL
68
What is the correct syntax to permit HTTP traffic (TCP/80) from any source to a specific host?
A) access-list 100 permit tcp any host 192.168.1.1 eq 80
B) access-list 100 permit tcp any any eq www
C) access-list 100 allow http any 192.168.1.1
D) access-list 100 permit 80 any 192.168.1.1
Answer: A) access-list 100 permit tcp any host 192.168.1.1 eq 80
69
How do you verify if an ACL is blocking traffic?
A) Check ACL hit counters (show access-list)
B) Use ping and traceroute tests
C) Check syslog messages (if log is enabled)
D) All of the above
Answer: D) All of the above
70
What is the effect of placing an ACL rule in the wrong order?
A) Traffic may be incorrectly permitted/denied due to first-match logic
B) The ACL stops working
C) The router crashes
D) The ACL automatically reorders itself
Answer: A) Traffic may be incorrectly permitted/denied due to first-match logic
71
If an ACL is blocking legitimate traffic, what should you check first?
A) The order of ACL entries
B) The router’s hostname
C) The OSPF configuration
D) The VLAN database
Answer: A) The order of ACL entries
72
Which command shows ACL hit counters?
A) show access-list
B) show ip access-list
C) show acl stats
D) Both A and B
Answer: D) Both A and B
73
What does a hit counter of 0 mean in show access-list output?
A) The rule has never been matched
B) The rule is misconfigured
C) The rule is disabled
D) The rule is logging traffic
Answer: A) The rule has never been matched
74
How do you test an ACL without applying it to an interface?
A) Use test access-list
B) Configure it but don’t apply it, then check logs
C) Use a packet tracer tool
D) It cannot be tested without applying
Answer: B) Configure it but don’t apply it, then check logs
75
What is a common mistake when configuring ACLs?
A) Forgetting the implicit deny
B) Using too many comments
C) Placing Extended ACLs near the destination
D) Using named ACLs
Answer: A) Forgetting the implicit deny
76
If an ACL is not working as expected, what should you verify first?
A) The ACL is applied to the correct interface and direction
B) The router’s hostname
C) The OSPF configuration
D) The VLAN database
Answer: A) The ACL is applied to the correct interface and direction
77
What does a high number of ACL hits indicate?
A) The rule is frequently matched
B) The rule is misconfigured
C) The rule is logging traffic
D) The rule is disabled
Answer: A) The rule is frequently matched
78
How can you identify unused ACL entries?
A) Check hit counters with show access-list
B) Use debug ip packet
C) Check the router’s ARP table
D) Disable the ACL temporarily
Answer: A) Check hit counters with show access-list
79
What is a common symptom of an overly restrictive ACL?
A) Legitimate traffic is blocked
B) The router crashes
C) All traffic is permitted
D) Only ICMP is allowed
Answer: A) Legitimate traffic is blocked
80
Which command helps verify if an ACL is blocking traffic?
A) show access-list (check hits)
B) ping from affected hosts
C) traceroute
D) All of the above
Answer: D) All of the above
81
What happens if an ACL is applied in the wrong direction (e.g., out instead of in)?
A) Traffic filtering will not work as intended
B) The router crashes
C) All traffic is permitted
D) The ACL disables itself
Answer: A) Traffic filtering will not work as intended
82
How do you temporarily disable an ACL for testing?
A) no ip access-group [ACL#] [in/out]
B) disable access-list [ACL#]
C) shutdown acl [ACL#]
D) clear access-list [ACL#]
Answer: A) no ip access-group [ACL#] [in/out]
83
What is the purpose of ACL logging?
A) To track which packets are matched by ACL entries
B) To improve router performance
C) To disable the implicit deny
D) To allow all traffic
Answer: A) To track which packets are matched by ACL entries
84
Which command enables logging for an ACL entry?
A) access-list 100 deny ip any any log
B) logging access-list 100
C) debug acl 100
D) ip access-list log
Answer: A) access-list 100 deny ip any any log
85
What is a drawback of excessive ACL logging?
A) High CPU usage
B) Increased network speed
C) ACLs stop working
D) No impact
Answer: A) High CPU usage
86
How can you test an ACL before applying it?
A) Use a lab environment or packet tracer
B) Apply it to a non-critical interface first
C) Check syntax with show running-config
D) All of the above
Answer: D) All of the above
87
What is the effect of an empty ACL applied to an interface?
A) All traffic is permitted
B) All traffic is denied (implicit deny)
C) Only ICMP is allowed
D) The interface shuts down
Answer: B) All traffic is denied (implicit deny)
88
Why should you document ACL changes?
A) For troubleshooting and auditing
B) To increase ACL performance
C) To disable the implicit deny
D) To allow IPv6 traffic
Answer: A) For troubleshooting and auditing
89
Which command shows ACLs applied to interfaces?
A) show ip interface
B) show access-list
C) show running-config
D) All of the above
Answer: D) All of the above
90
What is the best way to reorder ACL entries?
A) Copy the ACL to a text editor, modify, then reapply
B) Delete and recreate the ACL
C) Use insert command (only in named ACLs)
D) Both A and C
Answer: D) Both A and C
91
What is the command to create an IPv6 ACL?
A) ipv6 access-list MY_ACL
B) access-list ipv6 MY_ACL
C) ipv6 traffic-filter MY_ACL
D) ipv6 acl MY_ACL
Answer: A) ipv6 access-list MY_ACL
92
How are IPv6 ACLs applied to interfaces?
A) ipv6 access-group MY_ACL in
B) ipv6 traffic-filter MY_ACL in
C) apply ipv6 acl MY_ACL
D) ipv6 filter MY_ACL
Answer: B) ipv6 traffic-filter MY_ACL in
93
Do IPv6 ACLs have an implicit deny?
A) Yes, like IPv4 ACLs
B) No, they permit all by default
C) Only in named ACLs
D) Only on routers
Answer: A) Yes, like IPv4 ACLs
94
What is the command to create an IPv6 ACL named "BLOCK_ICMP"?
A) ipv6 access-list BLOCK_ICMP
B) access-list ipv6 BLOCK_ICMP
C) ipv6 filter BLOCK_ICMP
D) ipv6 acl BLOCK_ICMP
Answer: A) ipv6 access-list BLOCK_ICMP
95
How do you apply an IPv6 ACL to an interface?
A) ipv6 access-group BLOCK_ICMP in
B) ipv6 traffic-filter BLOCK_ICMP in
C) apply ipv6 acl BLOCK_ICMP
D) ipv6 filter BLOCK_ICMP in
Answer: B) ipv6 traffic-filter BLOCK_ICMP in
96
Which command denies all ICMPv6 traffic in an IPv6 ACL?
A) deny icmp any any
B) deny ipv6 any any
C) block icmpv6 any any
D) deny 58 any any (ICMPv6 = protocol 58)
Answer: D) deny 58 any any
97
What is the implicit rule at the end of an IPv6 ACL?
A) permit ipv6 any any
B) deny ipv6 any any
C) allow any any
D) IPv6 ACLs have no implicit rule
Answer: B) deny ipv6 any any
98
How do you permit only HTTPS (TCP/443) in an IPv6 ACL?
A) permit tcp any any eq 443
B) permit ipv6 any any eq https
C) allow tcp any any 443
D) permit 6 any any eq 443
Answer: A) permit tcp any any eq 443
99
Which command shows configured IPv6 ACLs?
A) show ipv6 access-list
B) show access-list ipv6
C) display ipv6 acl
D) show ipv6 filter
Answer: A) show ipv6 access-list
100
Can IPv6 ACLs filter based on ICMPv6 types?
A) Yes (e.g., deny icmp any any echo-request)
B) No, only TCP/UDP
C) Only in named ACLs
D) Only on routers
Answer: A) Yes
101
What is the correct syntax to block Telnet (TCP/23) in IPv6?
A) deny tcp any any eq 23
B) block tcp any any 23
C) deny ipv6 any any eq telnet
D) no tcp 23 any any
Answer: A) deny tcp any any eq 23
102
How do you remove an IPv6 ACL?
A) no ipv6 access-list BLOCK_ICMP
B) delete ipv6 acl BLOCK_ICMP
C) clear ipv6 access-list
D) remove ipv6 filter BLOCK_ICMP
Answer: A) no ipv6 access-list BLOCK_ICMP
103
What is the IPv6 equivalent of any in IPv4 ACLs?
A) any
B) ::/0
C) all
D) ipv6-any
Answer: B) ::/0
104
Which command permits IPv6 traffic from a specific host (2001:db8::1)?
A) permit ipv6 host 2001:db8::1 any
B) allow ipv6 2001:db8::1/128 any
C) permit ipv6 2001:db8::1 ::/0
D) Both A and C
Answer: D) Both A and C
105
Can IPv6 ACLs use sequence numbers like IPv4 named ACLs?
A) Yes
B) No
C) Only in Standard ACLs
D) Only in Reflexive ACLs
Answer: A) Yes
106
How do you insert a new rule in an existing IPv6 ACL?
A) Use sequence numbers (e.g., 10 permit tcp any any eq 80)
B) Delete and recreate the ACL
C) IPv6 ACLs do not support insertion
D) Use ipv6 acl insert
Answer: A) Use sequence numbers
107
What is the default action of an IPv6 ACL if no matches occur?
A) Permit all
B) Deny all
C) Log traffic
D) Ask for authentication
Answer: B) Deny all
108
Which command shows IPv6 ACLs applied to interfaces?
A) show ipv6 interface
B) show running-config
C) Both A and B
D) show ipv6 traffic-filter
Answer: C) Both A and B
109
Can IPv6 ACLs filter based on extension headers?
A) Yes (e.g., deny ipv6 any any routing)
B) No
C) Only in Extended ACLs
D) Only on firewalls
Answer: A) Yes
110
What is the correct syntax to permit IPv6 DNS (UDP/53)?
A) permit udp any any eq 53
B) allow udp any any domain
C) permit ipv6 any any eq dns
D) Both A and B
Answer: A) permit udp any any eq 53
111
How do you block all IPv6 traffic except HTTP/HTTPS?
A) permit tcp any any eq 80 permit tcp any any eq 443 deny ipv6 any any
B) allow tcp any any 80 allow tcp any any 443 block all ipv6
C) IPv6 ACLs cannot filter ports
D) Use ipv6 filter strict
Answer: A)
112
What is the purpose of IPv6 ACL sequence numbers?
A) To manually order rules
B) To improve performance
C) To enable logging
D) To bypass implicit deny
Answer: A) To manually order rules
113
Can IPv6 ACLs be time-based?
A) Yes
B) No
C) Only in named ACLs
D) Only on switches
Answer: A) Yes
114
What is the correct wildcard for a single IPv6 host?
A) host 2001:db8::1
B) 2001:db8::1/128
C) Both A and B
D) IPv6 does not use wildcards
Answer: C) Both A and B
115
Which command removes an IPv6 ACL from an interface?
A) no ipv6 traffic-filter BLOCK_ICMP in
B) disable ipv6 acl BLOCK_ICMP
C) clear ipv6 access-list
D) remove ipv6 filter
Answer: A) no ipv6 traffic-filter BLOCK_ICMP in
116
How do you permit only IPv6 neighbor discovery (ICMPv6 type 135)?
A) permit icmp any any nd-na
B) permit 135 any any
C) allow ipv6 any any nd
D) IPv6 ACLs cannot filter ICMPv6 types
Answer: A) permit icmp any any nd-na
117
What is the IPv6 equivalent of host in IPv4 ACLs?
A) host 2001:db8::1
B) 2001:db8::1/128
C) Both A and B
D) IPv6 uses ipv6-host
Answer: C) Both A and B
118
Can IPv6 ACLs be reflexive?
A) Yes
B) No
C) Only in Extended ACLs
D) Only on routers
Answer: A) Yes
119
How do you verify IPv6 ACL hit counters?
A) show ipv6 access-list
B) show access-list ipv6
C) Both A and B
D) IPv6 ACLs do not support hit counters
Answer: A) show ipv6 access-list
120
What is the main difference between IPv4 and IPv6 ACLs?
A) IPv6 ACLs use different syntax but similar logic
B) IPv6 ACLs cannot filter ports
C) IPv6 ACLs have no implicit deny
D) IPv6 ACLs only work on firewalls
Answer: A) IPv6 ACLs use different syntax but similar logic