Discussion
Home ‣ Networking ‣ Security Comments
- Question
You have created a named access list called Blocksales. Which of the following is a valid command for applying this to packets trying to enter interface s0 of your router?
Options- A. (config)# ip access-group 110 in
- B. (config-if)# ip access-group 110 in
- C. (config-if)# ip access-group Blocksales in
- D. (config-if)# blocksales ip access-list in
- Correct Answer
- (config-if)# ip access-group Blocksales in
ExplanationUsing a named access list just replaces the number used when applying the list to the router's interface. ip access-group Blocksales in is correct. - 1. If you wanted to deny all Telnet connections to only network 192.168.10.0, which command could you use?
Options- A. access-list 100 deny tcp 192.168.10.0 255.255.255.0 eq telnet
- B. access-list 100 deny tcp 192.168.10.0 0.255.255.255 eq telnet
- C. access-list 100 deny tcp any 192.168.10.0 0.0.0.255 eq 23
- D. access-list 100 deny 192.168.10.0 0.0.0.255 any eq 23 Discuss
- 2. You configure the following access list:
What will the result of this access list be?access-list 110 deny tcp 10.1.1.128 0.0.0.63 any eq smtp access-list 110 deny tcp any eq 23 int ethernet 0 ip access-group 110 out
Options- A. Email and Telnet will be allowed out E0.
- B. Email and Telnet will be allowed in E0.
- C. Everything but email and Telnet will be allowed out E0.
- D. No IP traffic will be allowed out E0. Discuss
- 3. What command will permit SMTP mail to only host 1.1.1.1?
Options- A. access-list 10 permit smtp host 1.1.1.1
- B. access-list 110 permit ip smtp host 1.1.1.1
- C. access-list 10 permit tcp any host 1.1.1.1 eq smtp
- D. access-list 110 permit tcp any host 1.1.1.1 eq smtp Discuss
- 4. Which of the following is an example of a standard IP access list?
Options- A. access-list 110 permit host 1.1.1.1
- B. access-list 1 deny 172.16.10.1 0.0.0.0
- C. access-list 1 permit 172.16.10.1 255.255.0.0
- D. access-list standard 1.1.1.1 Discuss
- 5. Which command would you use to apply an access list to a router interface?
Options- A. ip access-list 101 out
- B. access-list ip 101 in
- C. ip access-group 101 in
- D. access-group ip 101 in Discuss
- 6. Which of the following access lists will allow only HTTP traffic into network 196.15.7.0?
Options- A. access-list 100 permit tcp any 196.15.7.0 0.0.0.255 eq www
- B. access-list 10 deny tcp any 196.15.7.0 eq www
- C. access-list 100 permit 196.15.7.0 0.0.0.255 eq www
- D. access-list 110 permit ip any 196.15.7.0 0.0.0.255
- E. access-list 110 permit www 196.15.7.0 0.0.0.255 Discuss
- 7. You want to create a standard access list that denies the subnet of the following host: 172.16.144.17/21. Which of the following would you start your list with?
Options- A. access-list 10 deny 172.16.48.0 255.255.240.0
- B. access-list 10 deny 172.16.144.0 0.0.7.255
- C. access-list 10 deny 172.16.64.0 0.0.31.255
- D. access-list 10 deny 172.16.136.0 0.0.15.255 Discuss
- 8. What router command allows you to determine whether an IP access list is enabled on a particular interface?
Options- A. show ip port
- B. show access-lists
- C. show ip interface
- D. show access-lists interface Discuss
- 9. Which of the following commands connect access list 110 inbound to interface ethernet0?
Options- A. Router(config)# ip access-group 110 in
- B. Router(config)# ip access-list 110 in
- C. Router(config-if)# ip access-group 110 in
- D. Router(config-if)# ip access-list 110 in Discuss
- 10. You need to create an access list that will prevent hosts in the network range of 192.168.160.0 to 192.168.191.0. Which of the following lists will you use?
Options- A. access-list 10 deny 192.168.160.0 255.255.224.0
- B. access-list 10 deny 192.168.160.0 0.0.191.255
- C. access-list 10 deny 192.168.160.0 0.0.31.255
- D. access-list 10 deny 192.168.0.0 0.0.31.255 Discuss
Security problems
Search Results
Correct Answer: access-list 100 deny tcp any 192.168.10.0 0.0.0.255 eq 23
Explanation:
The extended access list ranges are 100-199 and 2000-2699, so the access-list number of 100 is valid. Telnet uses TCP, so the protocol TCP is valid. Now you just need to look for the source and destination address. Only the third option has the correct sequence of parameters. Answer B may work, but the question specifically states "only" to network 192.168.10.0, and the wildcard in answer B is too broad.
Correct Answer: No IP traffic will be allowed out E0.
Explanation:
If you add an access list to an interface and you do not have at least one
permit statement, then you will effectively shut down the interface because of the implicit
deny any at the end of every list.
Correct Answer: access-list 110 permit tcp any host 1.1.1.1 eq smtp
Explanation:
When trying to find the best answer to an access-list question, always check the access-list number and then the protocol. When filtering to an upper-layer protocol, you must use an extended list, numbers 100-199 and 2000-2699. Also, when you filter to an upper-layer protocol, you must use either
tcp or
udp in the protocol field. If it says
ip in the protocol field, you cannot filter to an upper-layer protocol. SMTP uses TCP.
Correct Answer: access-list 1 deny 172.16.10.1 0.0.0.0
Explanation:
Standard IP access lists use the numbers 1-99 and 1300-1999 and filter based on source IP address only. Option C is incorrect because the mask must be in wildcard format.
Correct Answer: ip access-group 101 in
Explanation:
To apply an access list, the proper command is
ip access-group 101 in.
Correct Answer: access-list 100 permit tcp any 196.15.7.0 0.0.0.255 eq www
Explanation:
The first thing to check in a question like this is the access-list number. Right away, you can see that the second option is wrong because it is using a standard IP access-list number. The second thing to check is the protocol. If you are filtering by upper-layer protocol, then you must be using either UDP or TCP; this eliminates the fourth option. The third and last answers have the wrong syntax.
Correct Answer: access-list 10 deny 172.16.144.0 0.0.7.255
Explanation:
First, you must know that a /21 is 255.255.248.0, which is a block size of 8 in the third octet. Counting by eight, this makes our subnet 144 in the third octet, and the wildcard for the third octet would be 7 since the wildcard is always one less than the block size.
Correct Answer: show ip interface
Explanation:
Only the
show ip interface command will tell you which interfaces have access lists applied.
show access-lists will not show you which interfaces have an access list applied.
Correct Answer: Router(config-if)# ip access-group 110 in
Explanation:
To place an access list on an interface, use the
ip access-group command in interface configuration mode.
Correct Answer: access-list 10 deny 192.168.160.0 0.0.31.255
Explanation:
The range of 192.168.160.0 to 192.168.191.0 is a block size of 32. The network address is 192.168.160.0 and the mask would be 255.255.224.0, which for an access list must be a wildcard format of 0.0.31.255. The 31 is used for a block size of 32. The wildcard is always one less than the block size.
Comments
There are no comments.Programming
Copyright ©CuriousTab. All rights reserved.