Access-List Questions

This document provides 7 questions to test knowledge of access control lists (ACLs). Each question includes a network diagram and configuration scenario followed by multiple choice answers. Explanations are provided for each answer detailing how the ACL rules would apply and why certain options are correct or incorrect. The questions cover a range of ACL topics including permitting and denying traffic by source/destination, applying ACLs to appropriate interfaces, and properly ordering rules.

Uploaded by

Jowel Rana

9tut.com/access-list-questions-2

January 13th, 2021

Note: If you are not sure about Access list, please read our Access List Tutorial.

Question 1

Refer to the exhibit. A network engineer must block access for all computers on VLAN 20
to the web server via HTTP. All other computers must be able to access the web server.
Which configuration when applied to switch A accomplishes this task?

A.
config t
ip access-list extended wwwblock
deny tcp any host 10.30.0.100 eq 80
int vlan 100
ip access-group wwwblock in

B.
config t
ip access-list extended wwwblock
deny tcp any host 10.30.0.100 eq 80
permit ip any any
int vlan 20
ip access-group wwwblock in

C.
config t
ip access-list extended wwwblock
permit ip any any
deny tcp any host 10.30.0.100 eq 80
int vlan 30
ip access-group wwwblock in

D.
config t
ip access-list extended wwwblock
deny tcp any host 10.30.0.100 eq 80
int vlan 20
ip access-group wwwblock in

Answer: B

Explanation

The “deny tcp any host 10.30.0.100 eq 80” command means “block all (any) traffic from
accessing the web server at 10.30.0.100 on port 80”. Since it is applied to the VLAN 20
interface, only computers on VLAN 20 are affected.

In summary, just notice that 10.30.0.100 here is the destination IP address, not source
address.

Note: The traffic flow from hosts in VLAN 20 to the Web Server is: host in VLAN 20 ->
Interface VLAN 20 -> Interface VLAN 30 -> Web Server. If we place the ACL: host in
VLAN 20 -> (ACL Inbound) Interface VLAN 20 -> Interface VLAN 30 -> Web Server.
Therefore the ACL can block traffic from VLAN 20.

Question 2

Refer to the exhibit. An extended ACL has been configured and applied to router R2. The
configuration failed to work as intended. Which two changes stop outbound traffic on TCP
ports 25 and 80 to 10.0.20.0/26 from the 10.0.10.0/26 subnet while still allowing all
other traffic? (Choose two)

R2#config t
R2(config)#access-list 101 deny tcp 10.0.20.0 0.0.0.63 10.0.10.0 0.0.0.63 eq smtp
R2(config)#access-list 101 deny tcp 10.0.20.0 0.0.0.63 10.0.10.0 0.0.0.63 eq www
R2(config)#int gi0/2
R2(config-if)#ip access-group 101 in

A. Add a “permit ip any any” statement to the beginning of ACL 101 for allowed traffic
B. Add a “permit ip any any” statement at the end of ACL 101 for allowed traffic
C. The source and destination IPs must be swapped in ACL 101
D. The ACL must be configured the Gi0/2 interface inbound on R1
E. The ACL must be moved to the Gi0/1 interface outbound on R2

Answer: B C

Question 3

While examining excessive traffic on the network, it is noted that all incoming packets on
an interface appear to be allowed even though an IPv4 ACL is applied to the interface.
Which two misconfigurations cause this behavior? (Choose two)
A. The packets fail to match any permit statement
B. A matching permit statement is too high in the access list
C. A matching permit statement is too broadly defined
D. The ACL is empty
E. A matching deny statement is too high in the access list

Answer: B C

Explanation

If a matching permit statement is too high in the access list, it will be matched first,
before the deny statement we intended is reached. If a matching permit statement is too
broadly defined, it also permits traffic we did not intend to allow (for example, if we
only want to permit TCP traffic then we should not permit “ip” traffic, which includes
both TCP and UDP).

Question 4

Refer to the exhibit. What configuration on R1 denies SSH access from PC-1 to any R1
interface and allows all other traffic?

A. access-list 100 deny tcp host 172.16.1.33 any eq 22
access-list 100 permit ip any any
interface GigabitEthernet0/0
ip access-group 100 in

B. access-list 100 deny tcp host 172.16.1.33 any eq 22
access-list 100 permit ip any any

C. line vty 0 15
access-class 100 in
access-list 100 deny tcp host 172.16.1.33 any eq 23
access-list 100 permit ip any any
interface GigabitEthernet0/0
ip access-group 100 in

D. access-list 100 deny tcp host 172.16.1.33 any eq 23
access-list 100 permit ip any any
line vty 0 15
access-class 100 in

Answer: A

Question 5

Refer to the exhibit. An administrator configures the following ACL in order to prevent
devices on the 192.168.1.0 subnet from accessing the server at 10.1.1.5:

access-list 100 deny ip 192.168.1.0 0.0.0.255 host 10.1.1.5
access-list 100 permit ip any any

Where should the administrator place this ACL for the most efficient use of network
resources?

A. inbound on router A Fa0/0
B. outbound on router B Fa0/0
C. outbound on router A Fa0/1
D. inbound on router B Fa0/1

Answer: A

Explanation

By placing the ACL closest to the source, we can reduce unnecessary traffic passing
between two routers and the processing time of the router.

Question 6

Refer to the exhibit. Which two configurations would be used to create and apply a
standard access list on R1, so that only the 10.0.70.0/25 network devices are allowed to
access the internal database server? (Choose two)

A. R1(config)# interface GigabitEthernet0/0
R1(config-if)# ip access-group 5 out

B. R1(config)# access-list 5 permit 10.0.54.0 0.0.1.255

C. R1(config)# interface Serial0/0/0
R1(config-if)# ip access-group 5 in

D. R1(config)# access-list 5 permit 10.0.70.0 0.0.0.127

E. R1(config)# access-list 5 permit any

Answer: A D

Question 7

Refer to the exhibit.

interface GigabitEthernet0/1
ip address 192.168.1.2 255.255.255.0
ip access-group 2699 in
!
access-list 2699 deny icmp any 10.10.1.0 0.0.0.255 echo
access-list 2699 deny ip any 10.20.1.0 0.0.0.255
access-list 2699 permit ip any 10.10.1.0 0.0.0.255
access-list 2699 permit tcp any 10.20.1.0 0.0.0.127 eq 22

A network administrator must permit SSH access to remotely manage routers in a
network. The operations team resides on the 10.20.1.0/25 network. Which command will
accomplish this task?

A. access-list 2699 permit udp 10.20.1.0 0.0.0.255
B. no access-list 2699 deny tcp any 10.20.1.0 0.0.0.127 eq 22
C. access-list 2699 permit tcp any 10.20.1.0 0.0.0.255 eq 22
D. no access-list 2699 deny ip any 10.20.1.0 0.0.0.255

Answer: D

Explanation

The operations team resides on 10.20.1.0/25 network which is a part of 10.20.1.0/24
network so we need to remove the “deny” statement of the 10.20.1.0/25 network to allow
SSH.
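
The first-match behaviour behind Questions 3 and 7, as an added example that is not part of the original page: a small Python model that evaluates the ACL 2699 entries from the exhibit top-down, with the implicit deny at the end. The function names and the test packets are assumptions made for illustration, and the parser handles only the entry forms that appear in this exhibit.

```python
import ipaddress

# ACL 2699 from the Question 7 exhibit, one entry per line.
ACL_2699 = [
    "access-list 2699 deny icmp any 10.10.1.0 0.0.0.255 echo",
    "access-list 2699 deny ip any 10.20.1.0 0.0.0.255",
    "access-list 2699 permit ip any 10.10.1.0 0.0.0.255",
    "access-list 2699 permit tcp any 10.20.1.0 0.0.0.127 eq 22",
]

def wildcard_match(addr, base, wildcard):
    """Wildcard mask: bits set to 1 are ignored, bits set to 0 must match."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def parse_ace(line):
    """Parse 'access-list N ACTION PROTO any DST WILDCARD [eq PORT | ICMP-TYPE]'."""
    t = line.split()
    ace = {"action": t[2], "proto": t[3], "dst": t[5], "wc": t[6],
           "port": None, "icmp": None}
    if t[7:8] == ["eq"]:
        ace["port"] = int(t[8])
    elif len(t) > 7:
        ace["icmp"] = t[7]
    return ace

def evaluate(lines, proto, dst, port=None, icmp=None):
    """Return (action, matching line number); the first matching entry wins."""
    for n, ace in enumerate(map(parse_ace, lines), 1):
        if ace["proto"] not in ("ip", proto):
            continue
        if not wildcard_match(dst, ace["dst"], ace["wc"]):
            continue
        if ace["port"] is not None and ace["port"] != port:
            continue
        if ace["icmp"] is not None and ace["icmp"] != icmp:
            continue
        return ace["action"], n
    return "deny", None  # implicit "deny ip any any" at the end of every ACL

def apply_option_d(lines):
    """Model removing the entry named in option D, as the explanation describes."""
    return [l for l in lines if "deny ip any 10.20.1.0 0.0.0.255" not in l]

if __name__ == "__main__":
    ssh = dict(proto="tcp", dst="10.20.1.10", port=22)  # constructed test packet
    print("as configured: ", evaluate(ACL_2699, **ssh))
    print("after option D:", evaluate(apply_option_d(ACL_2699), **ssh))
```

As configured, the SSH packet stops at entry 2 (the broad deny) and never reaches the permit at entry 4; with that entry removed, the same packet matches the SSH permit, while an address in the upper half of the /24 (outside 0.0.0.127) falls through to the implicit deny.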

Comments (3)

1. Mohammed
June 21st, 2020

Hello

2. Anonymous
June 29th, 2020

very good

3. Mouloud
October 22nd, 2020

very good, thank you
