
CCNA Access Lists Questions


Chapter 10

True/False
Indicate whether the statement is true or false.

1. Smart network engineers pay close attention to network traffic flow and security when they design and manage their networks.
2. With careful planning, you can create access lists that control which traffic crosses particular links, and which segments of your network will have access to others.
3. Access lists can take the place of more advanced security measures, such as firewalls.
4. Access lists begin working the second they are applied to an interface.
5. You can remove individual lines in an access list.

Multiple Choice
Identify the choice that best completes the statement or answers the question.

6. When making changes, you must remove the access list, using the ____ command.
   a. no access-list [list number]
   b. access-list off [list number]
   c. off access-list [list number]
   d. access-list [list number] no
7. With the ____ command, an administrator can schedule the router to reload in a certain number of minutes, hours, or even days.
   a. interval
   b. refresh
   c. restart
   d. reload
8. If you create and apply the lists and they have the intended results, you can cancel the scheduled reload with the ____ command.
   a. reload 0
   b. reload abort
   c. reload cancel
   d. reload off
9. Traffic coming in to "the man in the router," through any of the interfaces, needs to be filtered using ____ traffic filters.
   a. outgoing
   b. incoming
   c. exterior
   d. outbound
10. To apply the inbound access list 1 to an interface, you use the following command: ____.
   a. ip access-group 1 out
   b. ip access-group 1 int
   c. ip access-group 1 ext
   d. ip access-group 1 in
11. The following command sets an outbound access list filter: ____.
   a. ip access-group 1 ext
   b. ip access-group 1 out
   c. ip access-group 1 int
   d. ip access-group 1 in
12. You must use the ____ command to save the list after configuration if you want it to survive a router reload.
   a. copy reload
   b. copy start on
   c. copy run start
   d. copy run reload
13. Routers use ____ to determine which bits in an address will be significant.
   a. wildcard masks
   b. access masks
   c. list numbers
   d. address rules
14. It is possible to replace the 0.0.0.0 255.255.255.255 entry, which represents all hosts and all networks, with the ____ keyword.
   a. all
   b. any
   c. each
   d. none
15. To view the access lists defined on your router, use the ____ command.
   a. show access-lists
   b. show lists
   c. display access-lists
   d. access-lists show
16. To view which interfaces have IP access lists set, use the ____ command.
   a. show ip in
   b. show ip out
   c. show ip interface
   d. show ip any
17. Use the ____ command to remove the application of the list.
   a. no accessgroup [ip][list #][direction]
   b. no ip [accessgroup][list #][direction]
   c. no ip access-list [list #][direction]
   d. no ip access-group [list #][direction]
18. Regarding extended IP access lists, the ____ keyword is short for a wildcard mask of 0.0.0.0.
   a. host
   b. any
   c. none
   d. all
19. To remove an extended IP access list from an interface, you enter interface configuration mode and use the ____ command.
   a. no ip ext access-group [list #] [in|out]
   b. extended no ip access-group [list #] [in|out]
   c. no ext access-group [list #] [in|out]
   d. no ip access-group [list #] [in|out]
20. To name a standard IP access list, use the following syntax: ____.
   a. ip access-list named [name]
   b. named access-list standard [name]
   c. ip access-list standard [name]
   d. ip named-access-list [name]
21. To name an extended IP access list, use the following syntax: ____.
   a. extended ip named-access-list [name]
   b. ip access-list extended [name]
   c. named-access-list extended [name]
   d. ip access-list named [name]
22. To apply a standard IP named list to an interface, use the following syntax: ____.
   a. ip standard access-group [name] [in | out]
   b. ip standard-group [name] [in | out]
   c. ip apply access-group [name] [in | out]
   d. ip access-group [name] [in | out]
23. ____ provides a GUI-based configuration tool for Cisco devices.
   a. CLI
   b. SDM
   c. CCL
   d. ACL
24. SDM allows you to easily create a standard or an extended access list or, as it is known in the SDM, a(n) ____.
   a. VTY
   b. TTY
   c. ACL
   d. CLI
25. Unlike the CLI, the SDM provides a wizard for configuring the router as a firewall. To begin this task, click the ____ icon in the Tasks panel.
   a. Firewall and ACL
   b. Security Audit
   c. Routing
   d. NAT
26. The configuration of a(n) ____ is the main difference between the Basic and Advanced firewall wizards.
   a. NAT server
   b. DMZ
   c. intranet
   d. proxy server

Completion
Complete each statement.

27. ____________________ are permit or deny statements that filter traffic based on the source address, destination address, protocol type, and port number of a packet.
28. The access list ends with an implicit ____________________ statement, which blocks all packets that do not meet the requirements of the access list.
29. Traffic coming in to "the man in the router," through any of the interfaces, is considered ____________________.
30. Access lists to block a router's outward delivery must be applied as ____________________ filters.
31. ____________________ IP access lists filter network traffic based on the source IP address only.

Matching
Match each item with a statement below:
   a. Access lists
   b. Lack of planning
   c. no access-list [list #]
   d. Wildcard mask
   e. Partial masking
   f. Standard IP access lists
   g. Extended IP access lists
   h. Named access lists
   i. Single host wildcard mask

32. permit or deny packets based only on the source address
33. the mixing of 0s and 1s in a wildcard mask octet
34. built into the Cisco IOS; solve many problems associated with traffic flow and security
35. use names instead of numbers to identify themselves
36. one of the most common problems associated with access lists
37. filter by source IP address, destination IP address, protocol type, and application port number
38. removes an access list
39. the default for standard IP access lists
40. determines which bits of the source address are significant

Short Answer

41. Why should you use a text editor to create access lists?
42. What are the rules all access lists follow?
43. Describe each element of the standard IP access list configuration syntax.
44. Briefly describe wildcard masks.
45. How can you monitor standard IP access lists?
46. Describe each element of the extended IP access list configuration syntax.
47. Where should you place standard and extended IP access lists?
48. How can you monitor extended IP access lists?
49. What are some of the advantages of using named access lists?
50. What kind of tasks can you perform on the SDM's Interfaces and Connection screen?

Chapter 10 Answer Section

TRUE/FALSE
1. T (REF 260)
2. T (REF 261)
3. F (REF 261)
4. T (REF 261)
5. F (REF 263; this applies to numbered lists, which must be removed and re-entered as a whole. Named lists are the exception, see question 49)

MULTIPLE CHOICE
6. A (REF 261)
7. D (REF 261)
8. C (REF 262)
9. B (REF 263)
10. D (REF 263)
11. B (REF 263)
12. C (REF 264)
13. A (REF 265)
14. B (REF 269)
15. A (REF 269)
16. C (REF 269)
17. D (REF 273)
18. A (REF 275)
19. D (REF 277)
20. C (REF 279)
21. B (REF 279)
22. D (REF 279)
23. B (REF 280)
24. C (REF 280)
25. A (REF 286)
26. B (REF 286)

COMPLETION
27. Access lists (REF 260)
28. deny any (REF 260)
29. inbound (REF 263)
30. outbound (REF 263)
31. Standard (REF 265)

MATCHING
32. F (REF 268)
33. E (REF 266)
34. A (REF 260)
35. H (REF 279)
36. B (REF 261)
37. G (REF 273)
38. C (REF 263)
39. I (REF 279)
40. D (REF 265)

SHORT ANSWER

41. To ease the administrative load associated with access lists, Cisco recommends using a text editor to create them. You can then easily make changes to the list and apply it to the router configuration using copy and paste. You should place a no access-list [list #] command as the first line of the text file, which completely removes the existing access list from the router before the new lines are entered. If you do not use this command, the lines of the access list in the text file will be appended to the end of the existing list when you paste it into the configuration. Be aware that on classic IOS an interface that references a list number which does not exist filters nothing, so between the no access-list line and the last pasted entry the interface briefly passes all traffic; paste the whole file in a single operation, preferably during a maintenance window. (REF 263)

42. In summary, all access lists follow these rules:
  • Routers apply lists sequentially in the order in which you type them into the router.
  • Routers apply lists to packets sequentially, from the top down, one line at a time.
  • Packets are processed only until a match is made, and then they are acted upon based on the access list criteria contained in access list statements.
  • Lists always end with an implicit deny. Routers discard any packets that do not match any of the access list statements.
  • Access lists must be applied to an interface as either inbound or outbound traffic filters.
  • Only one list, per protocol, per direction can be applied to an interface.
  • Access lists are effective as soon as they are applied; however, you must use the copy run start command to save the list after configuration if you want it to survive a router reload.
(REF 264)

43. To configure standard IP access lists, you must create the list and then apply it to an interface using the following syntax:
   access-list [list #] [permit|deny] [source address] [source wildcard mask]

The brackets in each command syntax are not part of the command; they group items that are replaced within each specific entry. The following list explains each element of the standard IP access list configuration syntax:
  • [list #]: Standard IP access lists are represented by a number in the range of 1–99 (in IOS versions 11.2 and greater, they can also be represented by text names).
  • [permit|deny]: Used to specify the nature of the access list line. It is either a permit or a deny statement.
  • [source address]: The IP address of the source.
  • [source wildcard mask]: A wildcard mask, or inverse mask, applied to determine which bits of the source address are significant.
(REF 265)

44. Wildcard masks are one of the most important concepts in IP access lists. Routers use them to determine which bits in an address will be significant. Unlike subnet masks, 0s are placed in bit positions deemed significant, and 1s are placed in positions that are not significant. In other words, where there is a 0 in the mask, the corresponding bit in the incoming packet (either 0 or 1) must match the bit in the IP address in the access list. If there is no match, the packet passes to the next line in the access list. For example, 172.16.0.0 0.0.255.255 matches every address whose first two octets are 172.16, and 0.0.0.0 255.255.255.255 matches every address. An octet can also mix 0s and 1s (partial masking): 172.16.0.0 0.0.7.255 matches 172.16.0.0 through 172.16.7.255 only, because the top five bits of the third octet must still match. (REF 265)

45. Three main commands are available for monitoring access lists on your router. The first two, show access-lists and show ip access-lists, display the exact syntax of all access lists and IP access lists, respectively. The show interfaces or show ip interface command is used to verify that an access list has been successfully applied to an interface. It is a good idea to run each of these commands after creating and applying access lists, to visually inspect and verify that statements were typed correctly and that the lists will function as entered. Use the no access-list [list #] command to remove the list and the no ip access-group [list #][direction] command to remove the application of the list. (REF 273)

46. To configure extended IP access lists, you must create the list and then apply it to an interface using the following syntax. A detailed explanation of each element follows the example.

   access-list [list #] [permit|deny] [protocol] [source IP address] [source wildcard mask] [operator] [port] [destination IP address] [destination wildcard mask] [operator] [port] [log]

  • [list #]: Extended IP access lists are represented by a number in the range of 100–199 (in IOS versions 11.2 and greater, they can also be represented by text names).
  • [permit|deny]: Used to specify the nature of the access list line. It is either a permit or a deny statement.
  • [protocol]: The IP protocol to be filtered can be IP (which includes all protocols in the TCP/IP suite), TCP, UDP, ICMP, or others.
  • [source IP address]: The IP address of the source.
  • [source wildcard mask]: A wildcard mask, or inverse mask, applied to determine which bits of the source address are significant.
  • [destination IP address]: The IP address of the destination.
  • [destination wildcard mask]: A wildcard mask, or inverse mask, applied to determine which bits of the destination address are significant.
  • [operator]: Can contain lt (less than), gt (greater than), eq (equal to), or neq (not equal to). It is used if an extended list filters by a specific port number.
  • [port]: If necessary, the port number of the protocol to be filtered. Alternatively, a service using TCP, such as www or ftp, can be specified.
  • [log]: Turns on logging of access list activity.
(REF 273-274)

47. Once an extended IP access list is created, it must be applied to an interface, just like a standard list. The difference is the placement of the list. Standard IP access lists examine the source address only. As a result, you must place them as close to the destination as possible to avoid blocking traffic bound for another interface or network. On the other hand, extended IP access lists are able to filter based on source and destination. Therefore, they are placed as close to the source as possible, so that unwanted traffic is dropped before it consumes bandwidth across the network. (REF 277)

48. The same commands used to monitor standard IP access lists are used to monitor extended IP access lists. If you want to view the access lists configured on your router, you use the show access-lists or show ip access-lists command. To see if the list has been applied to an interface, use the show interfaces or show ip interface command. IP access lists keep track of the number of packets that match each line of the list, shown as match counters in show access-lists output. These counters can be reset to zero for troubleshooting purposes; the clear access-list counters [list #] command clears them. The no access-list [list #] command removes the list and the no ip access-group [list #] [direction] command removes the application of the list. (REF 278)

49. The naming feature allows you to maintain security by using an easily identifiable access list. It also removes the limit of 100 lists per filter type. In addition, with named access lists individual lines can be selectively deleted from the ACL. Named lists do not, however, let you insert a line at a chosen position: any line added to a named ACL is appended to the end of the list (later IOS releases added sequence numbers for this purpose, which is beyond this chapter). Named ACLs provide greater flexibility to network administrators who work in environments where large numbers of ACLs are needed, such as a large ISP. (REF 279)

50. On the Interfaces and Connection screen, you can perform tasks related to:
  • Interfaces and Connections
  • Firewall and ACL
  • VPN
  • Security Audit
  • Routing
  • NAT
  • Intrusion Prevention
  • Quality of Service
  • NAC
  • Additional Tasks
(REF 281)
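The evaluation rules given in the answers to questions 42 through 46 (top-down sequential processing, first match wins, the implicit deny, wildcard-mask bit matching, and the standard versus extended syntax) can be tried out offline with the following Python model. It is an added example, not code from the original slides or from the textbook they quiz; the two sample lists, the port-name table and the packets are constructed for the example, and it covers only numbered lists with the lt/gt/eq/neq port operators, not named lists, port ranges, or ICMP types.

```python
"""Model of how Cisco IOS evaluates numbered IP access lists (added example, not code from the page).
Rules (answers 42 and 44): top-down, first match wins, implicit 'deny any'; wildcard 0 bits must match."""
import ipaddress
import operator
from collections import namedtuple
from typing import List, Optional, Tuple

PORT_NAMES = {"ftp": 21, "telnet": 23, "smtp": 25, "domain": 53, "www": 80}  # constructed subset
OPERATORS = {"eq": operator.eq, "neq": operator.ne, "lt": operator.lt, "gt": operator.gt}
ANY = (0, 0xFFFFFFFF)  # the 'any' keyword: address 0.0.0.0 with wildcard 255.255.255.255

# Addresses and wildcards are 32-bit ints; ports are (operator, port) tuples or None.
# A standard-list entry gets protocol "ip" and a destination of 'any' by default.
Entry = namedtuple("Entry", "action protocol src src_wild dst dst_wild src_port dst_port log",
                   defaults=(*ANY, None, None, False))
Packet = namedtuple("Packet", "src dst protocol src_port dst_port", defaults=("ip", 0, 0))

def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))

def _parse_addr(tokens: List[str]) -> Tuple[int, int, List[str]]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'; return (addr, wildcard, rest)."""
    if tokens[0] == "any":
        return ANY[0], ANY[1], tokens[1:]
    if tokens[0] == "host":  # shorthand for a wildcard mask of 0.0.0.0
        return _ip(tokens[1]), 0, tokens[2:]
    return _ip(tokens[0]), _ip(tokens[1]), tokens[2:]

def _parse_port(tokens: List[str]):
    """Consume an optional 'lt|gt|eq|neq <port number or name>' operator."""
    if tokens and tokens[0] in OPERATORS:
        name = tokens[1]
        return (tokens[0], int(name) if name.isdigit() else PORT_NAMES[name]), tokens[2:]
    return None, tokens

def parse_entry(line: str) -> Tuple[int, Entry]:
    """Parse one 'access-list <n> permit|deny ...' line into (list number, Entry)."""
    tokens = line.split()
    if tokens[0] != "access-list" or tokens[2] not in ("permit", "deny"):
        raise ValueError(f"not a permit/deny access-list line: {line!r}")
    number, action, rest = int(tokens[1]), tokens[2], tokens[3:]
    if 1 <= number <= 99:  # standard: source address only
        src, src_wild, rest = _parse_addr(rest)
        return number, Entry(action, "ip", src, src_wild, log="log" in rest)
    if 100 <= number <= 199:  # extended: protocol, source, destination, optional ports
        protocol, rest = rest[0], rest[1:]
        src, src_wild, rest = _parse_addr(rest)
        src_port, rest = _parse_port(rest)
        dst, dst_wild, rest = _parse_addr(rest)
        dst_port, rest = _parse_port(rest)
        return number, Entry(action, protocol, src, src_wild, dst, dst_wild, src_port, dst_port, "log" in rest)
    raise ValueError(f"list number {number} is outside the ranges modelled here")

def parse_acl(text: str) -> List[Entry]:
    """Parse the lines of one numbered list in the order they were entered."""
    return [parse_entry(line)[1] for line in text.strip().splitlines()]

def wildcard_match(addr: int, ref: int, wild: int) -> bool:
    """A 0 bit in the wildcard must match the reference address; a 1 bit is 'don't care'."""
    care = ~wild & 0xFFFFFFFF
    return addr & care == ref & care

def matches(e: Entry, pkt: Packet) -> bool:
    """True when every field of the entry matches the packet ('ip' matches any protocol)."""
    return (e.protocol in ("ip", pkt.protocol)
            and wildcard_match(_ip(pkt.src), e.src, e.src_wild)
            and wildcard_match(_ip(pkt.dst), e.dst, e.dst_wild)
            and (e.src_port is None or OPERATORS[e.src_port[0]](pkt.src_port, e.src_port[1]))
            and (e.dst_port is None or OPERATORS[e.dst_port[0]](pkt.dst_port, e.dst_port[1])))

def evaluate(entries: List[Entry], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching line); index None means the implicit deny."""
    for index, e in enumerate(entries):
        if matches(e, pkt):
            return e.action, index  # first match wins; later lines are never consulted
    return "deny", None  # the implicit 'deny any' at the end of every list

# Constructed sample lists in IOS syntax (not taken from the original page). Line 2 of
# list 10 uses partial masking: 0.0.7.255 covers only 172.16.0.0 through 172.16.7.255.
STANDARD_ACL = """
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 10 deny 172.16.0.0 0.0.7.255
access-list 10 permit 172.16.0.0 0.0.255.255
"""
EXTENDED_ACL = """
access-list 101 permit tcp 10.1.1.0 0.0.0.255 host 172.16.5.10 eq www
access-list 101 deny ip 10.1.1.0 0.0.0.255 172.16.5.0 0.0.0.255 log
access-list 101 permit ip any any
"""

def demo() -> dict:
    std, ext = parse_acl(STANDARD_ACL), parse_acl(EXTENDED_ACL)
    return {
        "std 172.16.3.1": evaluate(std, Packet("172.16.3.1", "10.0.0.1")),  # ("deny", 1)
        "std 172.16.8.1": evaluate(std, Packet("172.16.8.1", "10.0.0.1")),  # ("permit", 2)
        "std 10.0.0.5": evaluate(std, Packet("10.0.0.5", "10.0.0.1")),  # ("deny", None): implicit deny
        "ext web": evaluate(ext, Packet("10.1.1.7", "172.16.5.10", "tcp", 40000, 80)),  # ("permit", 0)
        "ext ssh": evaluate(ext, Packet("10.1.1.7", "172.16.5.10", "tcp", 40000, 22)),  # ("deny", 1)
        "ext dns": evaluate(ext, Packet("10.1.1.7", "172.16.9.1", "udp", 5000, 53)),  # ("permit", 2)
    }
```

Calling demo() returns, for each constructed packet, the action taken and the index of the line that decided it, with None marking the implicit deny. The 172.16.8.1 case shows why partial masking matters: the third octet's top five bits do not match line 2, so the packet falls through to the broader permit on line 3. The two packets to 172.16.5.10 show first-match ordering: the web request is permitted by line 1, while the same source going to port 22 skips line 1 and is caught by the logged deny on line 2.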
