CCNAv7 Module 5 Quiz: ACLs for IPv4 Configuration Answers (2023)

1. The computers used by a school's network administrators are on the 10.7.0.0/27 network. What are the minimum two commands required to apply an ACL that ensures only devices used by network administrators have telnet access to routers? (Choose two.)

  • access-class 5 in
  • access-list standard VTY
    permit 10.7.0.0 0.0.0.127
  • access-list 5 permit 10.7.0.0 0.0.0.31
  • ip access-group 5 in
  • ip access-group 5 out
  • access-list 5 deny any

Explanation: Named and numbered access lists can be applied to the vty lines to control remote access. The first ACL command, access-list 5 permit 10.7.0.0 0.0.0.31, permits traffic from any device on the 10.7.0.0/27 network. The second command, access-class 5 in, applies that access list to the vty lines in the inbound direction.

2. View the configured access list.

R1# show access-lists
Extended IP access list 100
    deny tcp host 10.1.1.2 host 10.1.1.1 eq telnet
    deny tcp host 10.1.2.2 host 10.1.2.1 eq telnet
    permit ip any any (15 matches)

What are two characteristics of this access list? (Choose two.)

  • Only the device 10.1.1.2 can telnet to the router assigned the IP address 10.1.1.1.
  • Device 10.1.2.1 must not telnet to device 10.1.2.2.
  • Any device can telnet to device 10.1.2.1.
  • A network administrator would not be able to determine whether or not the access list was applied to an interface.
  • Any device on the 10.1.1.0/24 network (except 10.1.1.2 device) can telnet to the router assigned the IP address 10.1.1.1.
  • The access list was applied to an interface.

Explanation: The access list blocks Telnet traffic from device 10.1.1.2 to device 10.1.1.1. It also blocks Telnet traffic from device 10.1.2.2 to device 10.1.2.1. All other TCP/IP traffic is permitted. The access list is in use, because the last ACE shows 15 matches.


3. Which command checks the number of packets allowed or denied by an ACL restricting SSH access?

  • show ip interface brief
  • show ip ssh
  • show running-config
  • show access-lists

Explanation: The show access-lists command displays each line of an access list together with the number of matches for each statement. The show running-config command displays the configured statements but gives no information about matches. The show ip ssh command provides general information about the SSH configuration.

4. Which access-list directive allows HTTP traffic originating from host 10.1.129.100, port 4300 and destined for host 192.168.30.10?

  • access-list 101 permit tcp any eq 4300
  • access-list 101 permit tcp 192.168.30.10 0.0.0.0 eq 80 10.1.0.0 0.0.255.255
  • access-list 101 permit tcp 10.1.129.0 0.0.0.255 eq www 192.168.30.10 0.0.0.0 eq www
  • access-list 101 permit tcp 10.1.128.0 0.0.1.255 eq 4300 192.168.30.0 0.0.0.15 eq www
  • access-list 101 permit tcp host 192.168.30.10 eq 80 10.1.0.0 0.0.255.255 eq 4300

Explanation:The HTTP protocol uses port 80 and is denoted in an ACL with the parameter "eq 80" or with "eq www". The first IP address listed in an ACL is the source address along with the appropriate wildcard mask. With a source IP address of 10.1.128.0 and a wildcard mask of 0.0.1.255, IP addresses from 10.1.128.0 to 10.1.129.255 are allowed.

5. When configuring router security, which statement describes the most effective way to use ACLs to control Telnet traffic destined for the router itself?


  • The ACL must be applied to each vty line individually.
  • The ACL is applied to the telnet port using the ip access-group command.
  • The ACL must be applied to all inbound vty lines to prevent an unwanted user from connecting to an unsecured port.
  • Apply the ACL to the vty lines without the in or out option that is required when applying ACLs to interfaces.

Explanation: Because someone outside the router is attempting to reach the router itself through a protocol such as Telnet or SSH, the ACL must be applied inbound on the vty lines.

6. Which packets would match the access control list statement shown below?

access-list 110 permit tcp 172.16.0.0 0.0.0.255 any eq 22
  • any TCP traffic from the 172.16.0.0 network to any destination network
  • SSH traffic from 172.16.0.0 network to any target network
  • SSH traffic from any source network to network 172.16.0.0
  • any TCP traffic from any host to the 172.16.0.0 network

Explanation: The statement access-list 110 permit tcp 172.16.0.0 0.0.0.255 any eq 22 matches traffic to destination port 22, which is SSH, coming from network 172.16.0.0/24 and going to any destination.

7. Consider the Access-List command applied outbound on a serial router interface.

access-list 100 deny icmp 192.168.10.0 0.0.0.255 any echo-reply

What is the effect of applying this access list command?


  • Users on the 192.168.10.0/24 network cannot route traffic to other destinations.
  • The only traffic rejected is ICMP-based traffic. Any other traffic is allowed.
  • The only denied traffic is echo responses from network 192.168.10.0/24. Any other traffic is allowed.
  • Outgoing data traffic is not allowed on the serial interface.

Explanation: Every extended access list ends with an implicit deny ip any any statement, so with only this deny entry no traffic at all can leave the serial interface.

8. Consider the following output for an ACL applied to a router using the access-class command. What can a network administrator determine from the displayed output?

R1# <output omitted>
Standard IP access list 2
    10 permit 192.168.10.0, wildcard bits 0.0.0.255 (2 matches)
    20 deny any (1 match)
  • Traffic from a device could not enter one port of the router and be forwarded to another port of the router.
  • Two devices could access the router via SSH or Telnet.
  • Two devices connected to the router have the IP addresses 192.168.10.x.
  • Traffic from two devices was allowed to enter one port of the router and be forwarded to another port of the router.

Explanation: The access-class command is used only on the vty ports, which carry Telnet and/or SSH traffic. The match count on the permit ACE shows how many connection attempts were allowed through the vty ports. The match on the deny ACE shows that a device on a network other than 192.168.10.0 was not allowed to reach the router through the vty ports.

9. Which two commands configure a standard ACL? (Choose two.)

  • Router(config)# access-list 45 permit 192.168.200.4 host
  • Router(config)# access-list 10 permit 10.20.5.0 0.255.255.255 any
  • Router(config)# access-list 20 permit host 192.168.5.5 any any
  • Router(config)# access-list 35 permit host 172.31.22.7
  • Router(config)# access-list 90 permit 192.168.10.5 0.0.0.0

Explanation: Standard access lists have the syntax access-list followed by a number between 1 and 99, the permit or deny keyword, and the source IP address (with a wildcard mask or the host keyword).


10. What incoming ICMP message should be allowed on an external interface to help debug?

  • timestamp reply
  • timestamp request
  • echo request
  • echo reply
  • router advertisement

Explanation: By allowing the ICMP echo reply message into the organization, internal users can ping external addresses and receive the replies.

11. Which two ACEs can be used to deny IP traffic from a single source host 10.1.1.1 to network 192.168.0.0/16? (Choose two.)

  • access-list 100 deny ip 192.168.0.0 0.0.255.255 10.1.1.1 0.0.0.0
  • access-list 100 deny ip 192.168.0.0 0.0.255.255 host 10.1.1.1
  • access-list 100 deny ip host 10.1.1.1 192.168.0.0 0.0.255.255
  • access-list 100 deny ip 192.168.0.0 0.0.255.255 10.1.1.1 255.255.255.255
  • access-list 100 deny ip 10.1.1.1 255.255.255.255 192.168.0.0 0.0.255.255
  • access-list 100 deny ip 10.1.1.1 0.0.0.0 192.168.0.0 0.0.255.255

Explanation:There are two ways to identify a single host in an access list entry. One is to use the host keyword with the host's IP address, the other is to use a wildcard mask of 0.0.0.0 with the host's IP address. The source of the traffic to be examined by the access list is first in the syntax and the destination is last.
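The explanations for questions 4, 7 and 11 all rest on the same mechanics: a wildcard mask marks which address bits must match, the host keyword is shorthand for a 0.0.0.0 wildcard, the source address comes before the destination, the first matching ACE wins (and its match counter increments), and an unmatched packet hits the implicit deny ip any any. The Python below is an added example, not code from the quiz page or from Cisco; it implements those rules for a subset of the IOS extended-ACE syntax (protocols ip, tcp and udp, optional eq ports) and runs the constructed ACEs from questions 4 and 11 against constructed packets. The packet dictionaries and the port-name table are assumptions made for the example.

```python
"""Evaluate IOS-style extended ACEs against sample packets (added example).

Implements Cisco wildcard-mask matching, source-before-destination order,
'host' as a 0.0.0.0 wildcard, first-match semantics, per-ACE match counters
and the implicit 'deny ip any any' at the end of every access list.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Subset of the well-known port names IOS accepts in place of numbers (assumed table).
PORT_NAMES = {"www": 80, "telnet": 23, "ssh": 22, "ftp": 21, "domain": 53}


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """A wildcard bit of 0 means 'must match', a bit of 1 means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip", "tcp" or "udp"
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    matches: int = 0            # what 'show access-lists' reports as "(N matches)"


def _port(token: str) -> int:
    return PORT_NAMES.get(token) or int(token)


def parse_ace(line: str) -> Ace:
    """Parse: access-list N {permit|deny} PROTO SRC [eq P] DST [eq P]
    where SRC/DST is 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'."""
    t = line.split()
    if t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError("unsupported ACE: " + line)
    action, proto, i = t[2], t[3], 4

    def addr(i):
        if t[i] == "any":                        # any = 0.0.0.0 with all-ones wildcard
            return "0.0.0.0", "255.255.255.255", i + 1
        if t[i] == "host":                       # host = exact match (0.0.0.0 wildcard)
            return t[i + 1], "0.0.0.0", i + 2
        return t[i], t[i + 1], i + 2

    def port(i):
        if i < len(t) and t[i] == "eq":
            return _port(t[i + 1]), i + 2
        return None, i

    src, src_wc, i = addr(i)                     # source is always listed first
    src_port, i = port(i)
    dst, dst_wc, i = addr(i)                     # destination follows
    dst_port, i = port(i)
    return Ace(action, proto, src, src_wc, dst, dst_wc, src_port, dst_port)


def evaluate(acl, packet) -> str:
    """Return 'permit' or 'deny' for a packet dict with keys proto, src, dst
    and (for tcp/udp) sport, dport. The first matching ACE decides."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != packet["proto"]:
            continue
        if not wildcard_match(packet["src"], ace.src, ace.src_wc):
            continue
        if not wildcard_match(packet["dst"], ace.dst, ace.dst_wc):
            continue
        if ace.src_port is not None and packet.get("sport") != ace.src_port:
            continue
        if ace.dst_port is not None and packet.get("dport") != ace.dst_port:
            continue
        ace.matches += 1
        return ace.action
    return "deny"   # implicit deny ip any any at the end of every IOS ACL


def demo() -> dict:
    # Constructed ACL: the single-host deny from question 11 written both valid
    # ways (the second is shadowed by the first) plus the permit from question 4.
    acl = [parse_ace(text) for text in [
        "access-list 101 deny ip host 10.1.1.1 192.168.0.0 0.0.255.255",
        "access-list 101 deny ip 10.1.1.1 0.0.0.0 192.168.0.0 0.0.255.255",
        "access-list 101 permit tcp 10.1.128.0 0.0.1.255 eq 4300 192.168.30.10 0.0.0.0 eq www",
    ]]
    pkts = {  # constructed packets
        "q4_http":   {"proto": "tcp", "src": "10.1.129.100", "dst": "192.168.30.10", "sport": 4300, "dport": 80},
        "wrong_src": {"proto": "tcp", "src": "10.1.130.5",   "dst": "192.168.30.10", "sport": 4300, "dport": 80},
        "q11_host":  {"proto": "udp", "src": "10.1.1.1",     "dst": "192.168.7.7",   "sport": 5000, "dport": 53},
        "reverse":   {"proto": "udp", "src": "192.168.7.7",  "dst": "10.1.1.1",      "sport": 53,   "dport": 5000},
    }
    results = {name: evaluate(acl, p) for name, p in pkts.items()}
    results["counters"] = [a.matches for a in acl]   # as shown by 'show access-lists'
    return results


if __name__ == "__main__":
    print(demo())
```

Running demo() shows 10.1.129.100 permitted (it sits inside the 0.0.1.255 wildcard range 10.1.128.0 to 10.1.129.255) while 10.1.130.5 falls through to the implicit deny; the reversed UDP flow from 192.168.7.7 to 10.1.1.1 is also denied, because the source and destination positions are not interchangeable. The counters come back as [1, 0, 1]: the second deny line never matches because the first, equivalent line already caught the packet, which is exactly what the match counts in questions 2, 3 and 8 let an administrator see.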

12. An administrator configured an access list on R1 to allow SSH administrative access from host 172.16.1.100. Which command applies the ACL correctly?


  • R1(config-line)# access-class 1 in
  • R1(config-line)# access-class 1 out
  • R1(config-if)# ip access-group 1 out
  • R1(config-if)# ip access-group 1 in

Explanation: Administrative SSH access to the router arrives on the vty lines, so the ACL must be applied to those lines in the inbound direction. To do this, enter line configuration mode and issue the access-class command.

Article information

Author: Duncan Muller

Last Updated: 07/01/2023
