If you wanted to deny FTP access from network 200.200.10.0 to network 200.199.11.0 but allow everything else, which of the following command strings is valid?
Options
A. access-list 110 deny 200.200.10.0 to network 200.199.11.0 eq ftp access-list 111 permit ip any 0.0.0.0 255.255.255.255
B. access-list 1 deny ftp 200.200.10.0 200.199.11.0 any any
D. access-list 198 deny tcp 200.200.10.0 0.0.0.255 200.199.11.0 0.0.0.255 eq ftp access-list 198 permit ip any 0.0.0.0 255.255.255.255
Correct Answer
access-list 198 deny tcp 200.200.10.0 0.0.0.255 200.199.11.0 0.0.0.255 eq ftp access-list 198 permit ip any 0.0.0.0 255.255.255.255
Explanation
Extended IP access lists use numbers 100-199 and 2000-2699 and filter based on source and destination IP address, protocol number, and port number. The last option is correct because of the second line that specifies permit ip any any. (I used 0.0.0.0 255.255.255.255, which is the same as the any option.) The third option does not have this, so it would deny access but not allow everything else.
Security problems
Search Results
1. What does a switch do when a frame is received on an interface and the destination hardware address is unknown or not in the filter table?
Options
A. Forwards the switch to the first available link
B. Drops the frame
C. Floods the network with the frame looking for the device
D. Sends back a message to the originating station asking for a name resolution
Correct Answer: Floods the network with the frame looking for the device
Explanation:
Switches flood all frames that have an unknown destination address. If a device answers the frame, the switch will update the MAC address table to reflect the location of the device.
2. If you want to disable STP on a port connected to a server, which command would you use?
If you have a server or other devices connected into your switch that you're totally sure won't create a switching loop if STP is disabled, you can use something called
portfast on these ports. Using it means the port won't spend the usual 50 seconds to come up while STP is converging.
3. Your switch has a port status LED that is alternating between green and amber. What could this indicate?
When you connect to a switch port, at first the link lights are orange/amber, and then they turn green, indicating normal operation. If the link light is blinking, you have a problem.
4. What is the purpose of Spanning Tree Protocol in a switched LAN?
Options
A. To provide a mechanism for network monitoring in switched environments
B. To prevent routing loops in networks with redundant paths
C. To prevent switching loops in networks with redundant switched paths
D. To manage the VLAN database across multiple switches
Correct Answer: All switch and bridge ports are in either the forwarding or blocking state.
Explanation:
Convergence occurs when all ports on bridges and switches have transitioned to either the forwarding or blocking states. No data is forwarded until convergence is complete. Before data can be forwarded again, all devices must be updated.
6. Which router command allows you to view the entire contents of all access lists?
The
show access-lists command will allow you to view the entire contents of all access lists, but it will not show you the interfaces to which the access lists are applied.
7. Which of the following is true regarding access lists applied to an interface?
Options
A. You can place as many access lists as you want on any interface until you run out of memory.
B. You can apply only one access list on any interface.
C. One access list may be configured, per direction, for each layer 3 protocol configured on an interface.
D. You can apply two access lists to any interface.
Correct Answer: One access list may be configured, per direction, for each layer 3 protocol configured on an interface.
Explanation:
A Cisco router has rules regarding the placement of access lists on a router interface. You can place one access list per direction for each layer 3 protocol configured on an interface.
8. Which command would you use to apply an access list to a router interface?
Standard IP access lists use the numbers 1-99 and 1300-1999 and filter based on source IP address only. Option C is incorrect because the mask must be in wildcard format.
10. What command will permit SMTP mail to only host 1.1.1.1?
Options
A. access-list 10 permit smtp host 1.1.1.1
B. access-list 110 permit ip smtp host 1.1.1.1
C. access-list 10 permit tcp any host 1.1.1.1 eq smtp
D. access-list 110 permit tcp any host 1.1.1.1 eq smtp
When trying to find the best answer to an access-list question, always check the access-list number and then the protocol. When filtering to an upper-layer protocol, you must use an extended list, numbers 100-199 and 2000-2699. Also, when you filter to an upper-layer protocol, you must use either
tcp or
udp in the protocol field. If it says
ip in the protocol field, you cannot filter to an upper-layer protocol. SMTP uses TCP.