CCNA 2 Chap 9

1.

1 point

Consider the following access list that allows IP phone configuration file transfers from a particular host to a TFTP server:

R1(config)# access-list 105 permit udp host 10.0.70.23 host 10.0.54.5 range 1024 5000
R1(config)# access-list 105 deny ip any any
R1(config)# interface gi0/0
R1(config-if)# ip access-group 105 out

Which method would allow the network administrator to modify the ACL and include FTP transfers from any source IP address?

R1(config)# access-list 105 permit tcp any host 10.0.54.5 eq 20 R1(config)# access-list 105 permit tcp any host 10.0.54.5 eq 21

R1(config)# interface gi0/0 R1(config-if)# no ip access-group 105 out R1(config)# no access-list 105 R1(config)# access-list 105 permit udp host 10.0.70.23 host 10.0.54.5 range 1024 5000 R1(config)# access-list 105 permit tcp any host 10.0.54.5 eq 20 R1(config)# access-list 105 permit tcp any host 10.0.54.5 eq 21 R1(config)# access-list 105 deny ip any any R1(config)# interface gi0/0 R1(config-if)# ip access-group 105 out

R1(config)# interface gi0/0 R1(config-if)# no ip access-group 105 out R1(config)# access-list 105 permit tcp any host 10.0.54.5 eq 20 R1(config)# access-list 105 permit tcp any host 10.0.54.5 eq 21 R1(config)# interface gi0/0 R1(config-if)# ip access-group 105 out

R1(config)# access-list 105 permit udp host 10.0.70.23 host 10.0.54.5 range 1024 5000 R1(config)# access-list 105 permit tcp any host 10.0.54.5 eq 20 R1(config)# access-list 105 permit tcp any host 10.0.54.5 eq 21 R1(config)# access-list 105 deny ip any any

2.

1 point

Refer to the exhibit. What is the result of adding the established argument to the end of the ACE?

Any TCP traffic is allowed to reach the 192.168.254.0 255.255.254.0 network if it is in response to an originated request.

192.168.254.0 /23 traffic is allowed to reach any network.

Any traffic is allowed to reach the 192.168.254.0 255.255.254.0 network.

Any IP traffic is allowed to reach the 192.168.254.0 255.255.254.0 network as long as it is in response to an originated request.

3.

1 point

What two functions describe uses of an access control list? (Choose two.)

ACLs provide a basic level of security for network access.

ACLs can permit or deny traffic based upon the MAC address originating on the router.

Standard ACLs can restrict access to specific applications and ports.

ACLs assist the router in determining the best path to a destination.

ACLs can control which areas a host can access on a network.

4.

1 point

Refer to the exhibit. A router has an existing ACL that permits all traffic from the 172.16.0.0 network. The administrator attempts to add a new ACE to the ACL that denies packets from host 172.16.0.1 and receives the error message that is shown in the exhibit. What action can the administrator take to block packets from host 172.16.0.1 while still permitting all other traffic from the 172.16.0.0 network?

Add a deny any any ACE to access-list 1.

Manually add the new deny ACE with a sequence number of 15.

Create a second access list denying the host and apply it to the same interface.

Manually add the new deny ACE with a sequence number of 5.

5.

1 point

What is a limitation when utilizing both IPv4 and IPv6 ACLs on a router?

A device can run only IPv4 ACLs or IPv6 ACLs.

IPv4 ACLs can be numbered or named whereas IPv6 ACLs must be numbered.

IPv6 ACLs perform the same functions as standard IPv4 ACLs.

Both IPv4 and IPv6 ACLs can be configured on a single device, but cannot share the same name.an be used only on routers.

6.

1 point

Which statement describes a difference between the operation of inbound and outbound ACLs?

In contrast to outbound ALCs, inbound ACLs can be used to filter packets with multiple criteria.

Inbound ACLs are processed before the packets are routed while outbound ACLs are processed after the routing is completed.

Inbound ACLs can be used in both routers and switches but outbound ACLs can be used only on routers.

On a network interface, more than one inbound ACL can be configured but only one outbound ACL can be configured.

7.

1 point

Open the PT Activity. Perform the tasks in the activity instructions and then answer the question.

Why is the ACL not working?

The interface has not been enabled.

The ACL is applied to the wrong interface.

The ACL is applied in the wrong direction.

The access-list 105 command or commands are incorrect.

The ACL is missing a deny ip any any ACE.

8.

1 point

Refer to the exhibit. What will happen to the access list 10 ACEs if the router is rebooted before any other commands are implemented?

The ACEs of access list 10 will be renumbered.

The ACEs of access list 10 wildcard masks will be converted to subnet masks.

The ACEs of access list 10 will be deleted.

The ACEs of access list 10 will not be affected.

9.

1 point

Refer to the exhibit. The IPv6 access list LIMITED_ACCESS is applied on the S0/0/0 interface of R1 in the inbound direction. Which IPv6 packets from the ISP will be dropped by the ACL on R1?

ICMPv6 packets that are destined to PC1

packets that are destined to PC1 on port 80

HTTPS packets to PC1

neighbor advertisements that are received from the ISP router

10.

1 point

Refer to the exhibit. The network administrator that has the IP address of 10.0.70.23/25 needs to have access to the corporate FTP server (10.0.54.5/28). The FTP server is also a web server that is accessible to all internal employees on networks within the 10.x.x.x address. No other traffic should be allowed to this server. Which extended ACL would be used to filter this traffic, and how would this ACL be applied? (Choose two.)

access-list 105 permit tcp host 10.0.54.5 any eq www access-list 105 permit tcp host 10.0.70.23 host 10.0.54.5 eq 20 access-list 105 permit tcp host 10.0.70.23 host 10.0.54.5 eq 21

R1(config)# interface s0/0/0 R1(config-if)# ip access-group 105 out

R2(config)# interface gi0/0 R2(config-if)# ip access-group 105 in

access-list 105 permit ip host 10.0.70.23 host 10.0.54.5 access-list 105 permit tcp any host 10.0.54.5 eq www access-list 105 permit ip any any

access-list 105 permit tcp host 10.0.70.23 host 10.0.54.5 eq 20 access-list 105 permit tcp host 10.0.70.23 host 10.0.54.5 eq 21 access-list 105 permit tcp 10.0.0.0 0.255.255.255 host 10.0.54.5 eq www access-list 105 deny ip any host 10.0.54.5 access-list 105 permit ip any any

R1(config)# interface gi0/0 R1(config-if)# ip access-group 105 out

11.

1 point

What method is used to apply an IPv6 ACL to a router interface?

the use of the ipv6 traffic-filter command

the use of the ipv6 access-list command

the use of the ip access-group command

the use of the access-class command

12.

1 point

Which two characteristics are shared by both standard and extended ACLs? (Choose two.)

Both kinds of ACLs can filter based on protocol type.

Both include an implicit deny as a final entry.

Both filter packets for a specific destination host IP address.

Both can permit or deny specific services by port number.

Both can be created by using either a descriptive name or number.

13.

1 point

Which three implicit access control entries are automatically added to the end of an IPv6 ACL? (Choose three.)

permit icmp any any nd-na

deny ip any any

permit ipv6 any any

deny icmp any any

permit icmp any any nd-ns

deny ipv6 any any

14.

1 point

In which configuration would an outbound ACL placement be preferred over an inbound ACL placement?

when an outbound ACL is closer to the source of the traffic flow

when a router has more than one ACL

when the ACL is applied to an outbound interface to filter packets coming from multiple inbound interfaces before the packets exit the interface

when an interface is filtered by an outbound ACL and the network attached to the interface is the source network being filtered within the ACL

15.

1 point

A network administrator needs to configure a standard ACL so that only the workstation of the administrator with the IP address 192.168.15.23 can access the virtual terminal of the main router. Which two configuration commands can achieve the task? (Choose two.)

Router1(config)# access-list 10 permit 192.168.15.23 255.255.255.255

Router1(config)# access-list 10 permit 192.168.15.23 255.255.255.0

Router1(config)# access-list 10 permit 192.168.15.23 0.0.0.0

Router1(config)# access-list 10 permit host 192.168.15.23

Router1(config)# access-list 10 permit 192.168.15.23 0.0.0.255

16.

1 point

Which feature is unique to IPv6 ACLs when compared to those of IPv4 ACLs?

the use of named ACL entries

the use of wildcard masks

an implicit permit of neighbor discovery packets

an implicit deny any any ACE

17.

1 point

What is the only type of ACL available for IPv6?

named extended

named standard

numbered extended

numbered standard

18.

1 point

An administrator has configured an access list on R1 to allow SSH administrative access from host 172.16.1.100. Which command correctly applies the ACL?

R1(config-line)# access-class 1 out

R1(config-if)# ip access-group 1 in

R1(config-line)# access-class 1 in

R1(config-if)# ip access-group 1 out

19.

1 point

Which three statements are generally considered to be best practices in the placement of ACLs? (Choose three.)

For every inbound ACL placed on an interface, there should be a matching outbound ACL.

Place extended ACLs close to the destination IP address of the traffic.

Place standard ACLs close to the destination IP address of the traffic.

Place standard ACLs close to the source IP address of the traffic.

Filter unwanted traffic before it travels onto a low-bandwidth link.

Place extended ACLs close to the source IP address of the traffic.

20.

1 point

What single access list statement matches all of the following networks?
192.168.16.0
192.168.17.0
192.168.18.0
192.168.19.0

access-list 10 permit 192.168.0.0 0.0.15.255

access-list 10 permit 192.168.16.0 0.0.15.255

access-list 10 permit 192.168.16.0 0.0.0.255

access-list 10 permit 192.168.16.0 0.0.3.255

21.

1 point

If a router has two interfaces and is routing both IPv4 and IPv6 traffic, how many ACLs could be created and applied to it?

16

6

4

12

8

22.

1 point

Which IPv6 ACL command entry will permit traffic from any host to an SMTP server on network 2001:DB8:10:10::/64?

permit tcp any host 2001:DB8:10:10::100 eq 23

permit tcp host 2001:DB8:10:10::100 any eq 25

permit tcp host 2001:DB8:10:10::100 any eq 23

permit tcp any host 2001:DB8:10:10::100 eq 25

23.

1 point

Match each statement with the example subnet and wildcard that it describes. (Not all options are used.)

hosts in a subnet 192.168.15.65 255.255.255.240
all IP 192.168.15.144 0.0.0.15
first valid host 192.168.15.12
subnetwork 192.168.5.0 0.0.3.255
addresses 192.168.3.64 0.0.0.7
192.168.100.63 255.255.255.192

First valid / all IP / subnetwork / hosts in a subnet / addresses / [192]

First valid / subnetwork / all IP / hosts in a subnet / addresses / [192]

[192] / First valid / subnetwork / hosts in a subnet / all IP / addresses

First valid / subnetwork / all IP / addresses / hosts in a subnet / [192]

24.

1 point

Which three statements describe ACL processing of packets? (Choose three.)

Each statement is checked only until a match is detected or until the end of the ACE list.

An implicit deny any rejects any packet that does not match any ACE.

A packet that does not match the conditions of any ACE will be forwarded by default.

A packet that has been denied by one ACE can be permitted by a subsequent ACE.

A packet can either be rejected or forwarded as directed by the ACE that is matched.

Each packet is compared to the conditions of every ACE in the ACL before a forwarding decision is made.

25.

1 point

What packets would match the access control list statement that is shown below?

access-list 110 permit tcp 172.16.0.0 0.0.0.255 any eq 22

SSH traffic from any source network to the 172.16.0.0 network

SSH traffic from the 172.16.0.0 network to any destination network

any TCP traffic from any host to the 172.16.0.0 network

any TCP traffic from the 172.16.0.0 network to any destination network