9/17/13

CCNA Training CCNA Access List Questions 2

Type text to search here...

Home > CCNA Access List Questions 2

CCNA Access List Questions 2

April 30th, 2011 Go to comments Here you will find answers to Access list Questions Part 2 Note: If you are not sure about Access list, please read my Access list tutorial. Question 1 Refer to the exhibit. What will happen to HTTP traffic coming from the Internet that is destined for 172.16.12.10 if the traffic is processed by this ACL? router#show access-lists Extended IP access list 110 10 deny tcp 172.16.0.0 0.0.255.255 any eq telnet 20 deny tcp 172.16.0.0 0.0.255.255 any eq smtp 30 deny tcp 172.16.0.0 0.0.255.255 any eq http 40 permit tcp 172.16.0.0 0.0.255.255 any A. Traffic will be dropped per line 30 of the ACL. B. Traffic will be accepted per line 40 of the ACL. C. Traffic will be dropped, because of the implicit deny all at the end of the ACL. D. Traffic will be accepted, because the source address is not covered by the ACL.

Answer: C Explanation The syntax of an extended access list is: access-list access-list-number {permit | deny} protocol source {source-mask} destination {destination-mask} [eq destination-port] Notice that in our access list, the network 172.16.0.0 0.0.255.255 is specified as the source but the question asks about HTTP traffic coming from the Internet that is destined for 172.16.12.10, which means 172.16.0.0 0.0.255.255 is the destination network. So in this case there is no match in our access list and the traffic will be dropped because of the implicit deny all at the end of the ACL. It is surely a tricky question! Question 2
www.9tut.com/ccna-access-list-questions-2 1/12

9/17/13

CCNA Training CCNA Access List Questions 2

Refer to the exhibit. Which statement describes the effect that the Router1 configuration has on devices in the 172.16.16.0 subnet when they try to connect to SVR-A using Telnet or SSH?

A. Devices will not be able to use Telnet or SSH. B. Devices will be able to use SSH, but not Telnet. C. Devices will be able to use Telnet, but not SSH. D. Devices will be able to use Telnet and SSH.

Answer: B Explanation Lets analyze the access list 100: + 10 permit tcp 172.16.16.0 0.0.0.15 host 172.16.48.63 eq 22: allows TCP traffic from network 172.16.16.0/28 to access host 172.16.48.63 with a destination port of 22 (SSH) + 20 permit tcp 172.16.16.0 0.0.0.15 eq telnet host 172.16.48.63: allows TCP traffic from network 172.16.16.0/28 with a source port of 23 (telnet) to access host 172.16.48.63 Notice that if a device wants to telnet (or SSH) to SVR-A server it must use the destination port of 23 (or 22), not a source port of 23 (or 22). Access list 100 is applied on the inbound direction of Fa0/0 so it will only filter traffic from 172.16.16.0 subnet to the SVR-A server.
www.9tut.com/ccna-access-list-questions-2 2/12

9/17/13

CCNA Training CCNA Access List Questions 2

Access list 101 is very similar to access list 100 but it is applied on the inbound direction of Fa0/1 so it will filter traffic from SVR-A server to 172.16.16.0 subnet. In ACL 101: + 10 permit tcp host 172.16.48.63 eq 22 172.16.16.0 0.0.0.15: allows TCP traffic from host 172.16.48.63 with a source port of 22 (SSH) to access network 172.16.16.0/28. + 20 permit tcp host 172.16.48.63 172.16.16.0 0.0.0.15 eq telnet: allows TCP traffic from host 172.16.48.63 to access network 172.16.16.0/28 with a destination port of telnet. Notice that the returned traffic from SVR-A to network 172.16.16.0/28 (resulting from telnet or SSH session) will have a source port of 23 (Telnet) or 22 (SSH) In conclusion, the first statements of each ACL will allow devices to SSH to SVR-A. But they cant telnet because of the implicit deny all at the end of the ACL. In this question, the second statements of each ACL can be considered wrong if we intend to filter telnet or SSH traffic and they have no effect on the Telnet or SSH traffic. Question 3 Refer to the exhibit. Which three variables (router, protocol port, and router ACL direction) apply to an extended ACL that will prevent student 01 from securely browsing the internet?

A. OUT B. Router 3 C. HTTPS D. IN E. Router 1

www.9tut.com/ccna-access-list-questions-2

3/12

9/17/13

CCNA Training CCNA Access List Questions 2

Answer: B C D Explanation There are 3 routers we can place this access list: Router 1, Router Main and Router 3 but in theory, an extended access list should be placed close to the source -> Router 3 is the best choice -> B is correct. The traffic we need to filter here is securely browsing the internet so it is HTTPS -> C is correct. Finally we should apply this access list to the inbound direction so that Router 3 will filter this traffic before making routing decision. It helps save processing resources on Router 3 -> D is correct. Question 4 Which two statements apply to dynamic access lists? (choose two) A. they offer simpler management in large internetworks. B. you can control logging messages. C. they allow packets to be filtered based on upper-layer session information. D. you can set a time-based security policy. E. they provide a level of security against spoofing. F. they are used to authenticate individual users.

Answer: A F Explanation Dynamic ACLs have the following security benefits over standard and static extended ACLs: + Use of a challenge mechanism to authenticate individual users + Simplified management in large internetworks + In many cases, reduction of the amount of router processing that is required for ACLs + Reduction of the opportunity for network break-ins by network hackers + Creation of dynamic user access through a firewall, without compromising other configured security restrictions (Reference: CCNA Exploration 4 Dynamic ACLs) Question 5 Which command shows if an access list is assigned to an interface? A. show ip interface [interface] access-lists B. show ip access-lists interface [interface] C. show ip interface [interface] D. show ip access-lists [interface]

www.9tut.com/ccna-access-list-questions-2

4/12

9/17/13

CCNA Training CCNA Access List Questions 2

Answer: C Explanation The output of show ip interface [interface] command is shown below:

In the output we can see the access list 1 is applied to this interface on inbound direction. Question 6 Which item represents the standard IP ACL? A. access-list 50 deny 192.168.1.1 0.0.0.255 B. access-list 110 permit ip any any C. access-list 2500 deny tcp any host 192.168.1.1 eq 22 D. access-list 101 deny tcp any host 192.168.1.1
www.9tut.com/ccna-access-list-questions-2 5/12

9/17/13

CCNA Training CCNA Access List Questions 2

Answer: A Explanation The standard access lists are ranged from 1 to 99 and from 1300 to 1999 so only access list 50 is a standard access list. Question 7 Which statement about access lists that are applied to an interface is true? A. you can apply only one access list on any interface B. you can configure one access list, per direction, per layer 3 protocol C. you can place as many access lists as you want on any interface D. you can configure one access list, per direction, per layer 2 protocol

Answer: B Explanation We can have only 1 access list per protocol, per direction and per interface. It means: + We can not have 2 inbound access lists on an interface + We can have 1 inbound and 1 outbound access list on an interface Question 8 A network engineer wants to allow a temporary entry for a remote user with a specific username and password so that the user can access the entire network over the internet. Which ACL can be used? A. reflexive B. extended C. standard D. dynamic

Answer: D Explanation We can use a dynamic access list to authenticate a remote user with a specific username and password. The authentication process is done by the router or a central access server such as a TACACS+ or RADIUS server. The configuration of dynamic ACL can be read here: http://www.cisco.com/en/US/tech/tk583/tk822/technologies_tech_note09186a0080094524.shtml
www.9tut.com/ccna-access-list-questions-2 6/12

9/17/13

CCNA Training CCNA Access List Questions 2

Question 9 Which parameter standard access list takes into consideration for traffic filtering decisions? A. Source MAC address B. Destination IP address C. Destination MAC address D. Source IP address

Answer: D Question 10 In which solution is a router ACL used? A. protecting a server from unauthorized access B. controlling path selection, based on the route metric C. reducing router CPU utilization D. filtering packets that are passing through a router

Answer: D

Comments (364) Comments Comment pages Previous 1 6 7 8 981 1. ian_arvin from the philippines September 10th, 2013 Hi guys for those who have passed ccna 640-802 which dump is more reliable the one from spike or acme? If u have new dumps kindly send to cacsalanga@yahoo.com 2. tani10 September 10th, 2013 Question 4 correct answers A, D 3. ad September 10th, 2013
www.9tut.com/ccna-access-list-questions-2 7/12

9/17/13

CCNA Training CCNA Access List Questions 2

q no 1. ans should be A..its match.. 4. ad September 10th, 2013 9tuti love u :) 5. ad September 10th, 2013 9tuti love u :) 6. ad September 10th, 2013 9tuti love u :). 7. ad September 10th, 2013 9tuti love u :).. 8. ad September 10th, 2013 9tuti love u :) 9. Richard September 11th, 2013 tani 10, pls. make sure your read about ACL, particularly, time-based and dynamic :) 10. jasostrong September 11th, 2013 Thanks 9tut. I made it. I passed my CCNA 200-120 today. The sim is Access-list 1 , Access-list 2 & EIGRP. A lot of new questions like Netflow, Syslog, SNMP, VRRP, and GLBP. 11. inayat shah September 13th, 2013 I am going to sit my CCNA exam on 28 Sep. Could anybody send me the latest Sim or all the Sim at 9tut is still enough for CCNA 640-802 exam? please do inform and support me. Thank you. E-mail: inayat291@gmail.com best regard!
www.9tut.com/ccna-access-list-questions-2 8/12

9/17/13

CCNA Training CCNA Access List Questions 2

12. Anonymous September 13th, 2013 Which two statements apply to dynamic access lists? (choose two) A. they offer simpler management in large internetworks. B. you can control logging messages. C. they allow packets to be filtered based on upper-layer session information. D. you can set a time-based security policy. E. they provide a level of security against spoofing. F. they are used to authenticate individual users. *** THE ACME 486 DUMP SAYS THAT D & F ARE THE ANSWERS CAN SOMEONE EXPLAIN TO ME WHATS GOING ON ?? *** Reposted Please explain sir 9tut. Thank you. 13. Franz September 13th, 2013 Which two statements apply to dynamic access lists? (choose two) A. they offer simpler management in large internetworks. B. you can control logging messages. C. they allow packets to be filtered based on upper-layer session information. D. you can set a time-based security policy. E. they provide a level of security against spoofing. F. they are used to authenticate individual users. *** THE ACME 486 DUMP SAYS THAT D & F ARE THE ANSWERS CAN SOMEONE EXPLAIN TO ME WHATS GOING ON ?? *** 14. Joe September 13th, 2013 Franz/Anon, try a google. https://supportforums.cisco.com/thread/2187794 Comment pages Previous 1 6 7 8 981 Add a Comment Name

www.9tut.com/ccna-access-list-questions-2

9/12

9/17/13

CCNA Training CCNA Access List Questions 2

Submit Comment

Subscribe to comments feed CCNA Access List Questions CCNA WAN

Premium Membership
Become a member to interact with all questions and read all tutorials, labs!

Find out more or Sign In

CCNA 640-802
CCNA Lab Sim CCNA Basic Questions CCNA Basic Questions 2 CCNA Cisco IOS Questions CCNA Cisco IOS Questions 2 CCNA Cisco IOS Questions 3 CCNA OSI Model Questions CCNA TCP/IP Model & Operation CCNA Show Command Questions CCNA Protocols & Services CCNA Access List Questions CCNA Access List Questions 2 CCNA WAN CCNA WAN 2 CCNA IP Address Questions CCNA IP Routing Questions CCNA IP Routing Questions 2
www.9tut.com/ccna-access-list-questions-2 10/12

9/17/13

CCNA Training CCNA Access List Questions 2

CCNA RIP Questions CCNA OSPF Questions CCNA OSPF Questions 2 CCNA EIGRP Questions CCNA EIGRP Questions 2 CCNA Security Questions CCNA DHCP Questions DHCP Group of Four Questions CCNA NAT & PAT Questions CCNA Drag and Drop 1 CCNA Drag and Drop 2 CCNA Drag and Drop 3 CCNA Drag and Drop 4 CCNA Drag and Drop 5 CCNA Switch Questions CCNA Switch Questions 2 CCNA Switch Questions 3 CCNA VLAN Questions CCNA VLAN Questions 2 CCNA VTP Questions CCNA Hotspot CCNA STP Questions CCNA STP Questions 2 CCNA IPv6 Questions CCNA Subnetting CCNA Subnetting Questions 2 CCNA Subnetting Questions 3 CCNA Subnetting Questions 4 CCNA Operations 1 CCNA Operations 2 CCNA Operations 3 CCNA Troubleshooting 1 CCNA Troubleshooting 2 CCNA Wireless CCNA FAQs & Tips Share your CCNA Experience

New CCNA 200-120

Share your (new) CCNA Experience

www.9tut.com/ccna-access-list-questions-2

11/12

9/17/13

CCNA Training CCNA Access List Questions 2

CCNA Self-Study
Practice CCNA GNS3 Labs CCNA Knowledge

Network Resources
Free Router Simulators ICND1/ICND2 Website CCNP - ROUTE Website CCNP - SWITCH Website CCNP - TSHOOT Website CCNA Voice Website CCNA Wireless Website CCNA Security Website CCDA Website CCIP Website CCIE Written Website Support 9tut

Your contribution will help keep this site updated!

Top Copyright 2010-2013 CCNA Training Site Privacy Policy. Valid XHTML 1.1 and CSS 3.UV

www.9tut.com/ccna-access-list-questions-2

12/12