1. The computers used by a school's network administrators are on the 10.7.0.0/27 network. What are the minimum two commands required to apply an ACL that ensures only devices used by network administrators have telnet access to routers? (Choose two.)
- access-class 5 in
- access-list standard VTY permit 10.7.0.0 0.0.0.127
- access-list 5 permit 10.7.0.0 0.0.0.31
- ip access-group 5 in
- ip access-group 5 out
- access-list 5 deny any
Explanation: Named and numbered access lists can be applied to the vty lines to control remote access. The first ACL command, access-list 5 permit 10.7.0.0 0.0.0.31, permits traffic from any device on the 10.7.0.0/27 network. The second ACL command, access-class 5 in, applies the access list to the vty lines.
2. Refer to the access list shown below.
R1# show access-lists
Extended IP access list 100
    deny tcp host 10.1.1.2 host 10.1.1.1 eq telnet
    deny tcp host 10.1.2.2 host 10.1.2.1 eq telnet
    permit ip any any (15 matches)
What are two characteristics of this access list? (Choose two.)
- Only the device 10.1.1.2 can telnet to the router assigned the IP address 10.1.1.1.
- Device 10.1.2.1 is not allowed to telnet to device 10.1.2.2.
- Any device can telnet to device 10.1.2.1.
- A network administrator would not be able to determine whether or not the access list was applied to an interface.
- Any device on the 10.1.1.0/24 network (except 10.1.1.2 device) can telnet to the router assigned the IP address 10.1.1.1.
- The access list was applied to an interface.
Explanation: The access list blocks telnet traffic from device 10.1.1.2 to device 10.1.1.1. It also blocks telnet traffic from device 10.1.2.2 to device 10.1.2.1. All other TCP/IP traffic is permitted. The access list is in use, because there were 15 matches on the last ACE.
3. Which command checks the number of packets allowed or denied by an ACL restricting SSH access?
- show ip interface brief
- show ip ssh
- show running-config
- show access-lists
Explanation: The show access-lists command displays each line of an access list together with the number of matches for each statement. The show running-config command displays the configured statements but gives no information about matches. The show ip ssh command provides general information about the SSH configuration.
4. Which access-list directive allows HTTP traffic originating from host 10.1.129.100, port 4300 and destined for host 192.168.30.10?
- access-list 101 permit tcp any eq 4300
- access-list 101 permit tcp 192.168.30.10 0.0.0.0 eq 80 10.1.0.0 0.0.255.255
- access-list 101 permit tcp 10.1.129.0 0.0.0.255 eq www 192.168.30.10 0.0.0.0 eq www
- access-list 101 permit tcp 10.1.128.0 0.0.1.255 eq 4300 192.168.30.0 0.0.0.15 eq www
- access-list 101 permit tcp host 192.168.30.10 eq 80 10.1.0.0 0.0.255.255 eq 4300
Explanation: HTTP uses port 80, which is written in an ACL as "eq 80" or "eq www". The first IP address listed in an ACE is the source address, followed by its wildcard mask. With a source address of 10.1.128.0 and a wildcard mask of 0.0.1.255, addresses from 10.1.128.0 through 10.1.129.255 are matched.
5. When configuring router security, which statement describes the most effective way to use ACLs to control Telnet traffic destined for the router itself?
- The ACL must be applied to each vty line individually.
- The ACL is applied to the telnet port using the ip access-group command.
- The ACL must be applied to all inbound vty lines to prevent an unwanted user from connecting to an unsecured port.
- Apply the ACL to the vty lines without the in or out option that is required when applying an ACL to an interface.
Explanation: Because someone outside the router is trying to reach the router itself using a protocol such as Telnet or SSH, the ACL must be applied in the inbound (in) direction on the vty lines.
6. Which packets would match the access control list statement shown below?
access-list 110 permit tcp 172.16.0.0 0.0.0.255 any eq 22
- any TCP traffic from the 172.16.0.0 network to any destination network
- SSH traffic from the 172.16.0.0 network to any destination network
- SSH traffic from any source network to the 172.16.0.0 network
- any TCP traffic from any host to the 172.16.0.0 network
Explanation: The statement access-list 110 permit tcp 172.16.0.0 0.0.0.255 any eq 22 matches traffic destined for port 22, which is SSH, coming from the 172.16.0.0/24 network and going to any destination.
7. Consider the following access-list command applied outbound on a serial interface of a router.
access-list 100 deny icmp 192.168.10.0 0.0.0.255 any echo-reply
What is the effect of applying this access list command?
- Users on the 192.168.10.0/24 network cannot route traffic to other destinations.
- The only traffic rejected is ICMP-based traffic. Any other traffic is allowed.
- The only traffic denied is echo replies sourced from the 192.168.10.0/24 network. All other traffic is allowed.
- Outgoing data traffic is not allowed on the serial interface.
Explanation: Every extended access list ends with an implicit deny ip any any statement, so with only this one ACE in the list no traffic at all can be sent out the serial interface.
8. Consider the following output for an ACL that has been applied to a router with the access-class command. What can a network administrator determine from the output shown?
R1# <output omitted>
Standard IP access list 210
    10 permit 192.168.10.0, wildcard bits 0.0.0.255 (2 matches)
    20 deny any (1 match)
- Traffic from a device could not enter one port of the router and be forwarded to another port of the router.
- Two devices could access the router via SSH or Telnet.
- Two devices connected to the router have the IP addresses 192.168.10.x.
- Traffic from two devices was allowed to enter one port of the router and be forwarded to another port of the router.
Explanation: The access-class command is used only on vty ports. The vty ports carry Telnet and/or SSH traffic. The match count on the permit ACE shows how many connection attempts were allowed through the vty ports. The match on the deny ACE shows that a device from a network other than 192.168.10.0 was refused access to the router through the vty ports.
9. Which two commands configure a standard ACL? (Choose two.)
- Router(config)# access-list 45 permit 192.168.200.4 host
- Router(config)# access-list 10 permit 10.20.5.0 0.255.255.255 any
- Router(config)# access-list 20 permit host 192.168.5.5 any any
- Router(config)# access-list 35 permit host 172.31.22.7
- Router(config)# access-list 90 permit 192.168.10.5 0.0.0.0
Explanation: Standard access lists have the syntax access-list followed by a number between 1 and 99, the permit or deny keyword, and the source IP address (with a wildcard mask or the host keyword).
10. Which ICMP message should be allowed inbound on an external interface to aid debugging?
- timestamp reply
- timestamp request
- echo request
- echo reply
- router advertisement
Explanation: By allowing ICMP echo reply messages into the organization, internal users can ping external addresses and receive the reply.
11. Which two ACEs can be used to deny IP traffic from a single source host 10.1.1.1 to network 192.168.0.0/16? (Choose two.)
- access-list 100 deny ip 192.168.0.0 0.0.255.255 10.1.1.1 0.0.0.0
- access-list 100 deny ip 192.168.0.0 0.0.255.255 host 10.1.1.1
- access-list 100 deny ip host 10.1.1.1 192.168.0.0 0.0.255.255
- access-list 100 deny ip 192.168.0.0 0.0.255.255 10.1.1.1 255.255.255.255
- access-list 100 deny ip 10.1.1.1 255.255.255.255 192.168.0.0 0.0.255.255
- access-list 100 deny ip 10.1.1.1 0.0.0.0 192.168.0.0 0.0.255.255
Explanation: There are two ways to identify a single host in an access list entry. One is the host keyword followed by the host's IP address; the other is the host's IP address followed by a wildcard mask of 0.0.0.0. In the syntax, the source of the traffic being examined comes first and the destination comes last.
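Added example, not part of the original quiz: a small Python evaluator for the numbered extended ACEs used in questions 2, 4, 7 and 11. It parses any, host, address/wildcard pairs and eq port qualifiers, then evaluates a sample packet against the list, falling through to the implicit deny, so a candidate ACE can be checked instead of working out the wildcard bits by hand. The port-name table and the treatment of a trailing ICMP type as a plain string are simplifications assumed here, not IOS behaviour.

```python
# Added example, not code from the quiz: a minimal evaluator for Cisco-style numbered
# extended ACEs, showing how wildcard masks, "host", "eq" and the implicit deny decide a packet.
import ipaddress
PORT_NAMES = {"www": 80, "telnet": 23, "ssh": 22}   # assumed subset of IOS port names

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _addr(tokens):
    # consume 'any', 'host A' or 'A WILDCARD'; return (network, wildcard) as ints
    t = tokens.pop(0)
    if t == "any":
        return 0, 0xFFFFFFFF
    if t == "host":
        return _ip(tokens.pop(0)), 0          # "host A" is shorthand for "A 0.0.0.0"
    return _ip(t), _ip(tokens.pop(0))

def _port(tokens):
    # consume an optional 'eq PORT'; None means any port
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        p = tokens.pop(0)
        return PORT_NAMES.get(p) or int(p)
    return None

def parse_ace(line):
    """Parse 'access-list N permit|deny PROTO SRC [eq P] DST [eq P] [ICMP-TYPE]'."""
    t = line.split()
    ace, rest = {"action": t[2], "proto": t[3]}, t[4:]
    ace["src"], ace["sport"] = _addr(rest), _port(rest)
    ace["dst"], ace["dport"] = _addr(rest), _port(rest)
    ace["icmp_type"] = rest[0] if rest else None      # e.g. echo-reply (kept as a string)
    return ace

def _match(addr, spec):
    net, wc = spec
    return (_ip(addr) | wc) == (net | wc)   # wildcard bits set to 1 are "don't care"

def evaluate(acl, proto, src, dst, sport=None, dport=None, icmp_type=None):
    """First matching ACE wins; no match falls through to the implicit deny."""
    for ace in map(parse_ace, acl):
        if ace["proto"] not in ("ip", proto):
            continue
        if not (_match(src, ace["src"]) and _match(dst, ace["dst"])):
            continue
        if any(ace[k] not in (None, v) for k, v in
               (("sport", sport), ("dport", dport), ("icmp_type", icmp_type))):
            continue
        return ace["action"]
    return "deny"   # implicit "deny ip any any" at the end of every ACL
```

Feeding the question 7 list with only its single deny ACE shows that even an echo request from 192.168.10.0/24 is dropped, which is the implicit-deny point the explanation makes.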
12. An administrator configured an access list on R1 to allow SSH administrative access from host 172.16.1.100. Which command applies the ACL correctly?
- R1(config-line)# access-class 1 in
- R1(config-line)# access-class 1 out
- R1(config-if)# ip access-group 1 out
- R1(config-if)# ip access-group 1 in
Explanation: Administrative SSH access to the router goes through the vty lines. Therefore the ACL must be applied to those lines in the inbound direction. To do this, enter line configuration mode and issue the access-class command.