CCNA DC FAQ: IPv4 Access Control Lists on Cisco Nexus Switches

Figure: Backdrop for Discussion of List Process with IP ACLs

Q1. Barney is a host with IP address 10.1.1.1 in subnet 10.1.1.0/24. Which of the following are things that a standard IP ACL could be configured to do? (Choose two answers.)
a. Match the exact source IP address.
b. Match IP addresses 10.1.1.1 through 10.1.1.4 with one access-list command without matching other IP addresses.
c. Match all IP addresses in Barney’s subnet with one access-list command without matching other IP addresses.
d. Match only the packet’s destination IP address.

Answer: A and C. A single ACL entry can match one exact source IP address by using the host keyword or a /32 mask, and a single entry written with the subnet's own mask (10.1.1.0/24) matches every address in Barney's subnet without matching any other address.

Q2. Which of the following wildcard masks is most useful for matching all IP packets in subnet 10.1.128.0, mask 255.255.255.0?
a. 0.0.0.0
b. 0.0.0.31
c. 0.0.0.240
d. 0.0.0.255
e. 0.0.15.0
f. 0.0.248.255

Answer: D. In an IOS ACL the wildcard mask tells the entry which address bits must match (0 bits) and which are ignored (1 bits); it is the bitwise inverse of the subnet mask. The wildcard mask for 255.255.255.0 is 0.0.0.255.

Q3. Which of the following masks is most useful for matching all IP packets in subnet 10.1.128.0, mask 255.255.240.0?
a. 0.0.0.0
b. 0.0.0.31
c. 0.0.0.240
d. 0.0.0.255
e. 0.0.15.255
f. 0.0.248.255

Answer: E. In an IOS ACL the wildcard mask tells the entry which address bits must match (0 bits) and which are ignored (1 bits); it is the bitwise inverse of the subnet mask. The wildcard mask for 255.255.240.0 is 0.0.15.255.

Q4. ACL 1 has three statements, in the following order, with address and mask values as follows: 1.0.0.0/8, 1.1.0.0/16, and 1.1.1.0/24. If a router tried to match a packet sourced from IP address 1.1.1.1 using this ACL, which ACL statement does a router consider the packet to have matched?
a. First
b. Second
c. Third
d. Implied deny at the end of the ACL

Answer: A. In an ACL the first match is used; in this case, 1.1.1.1 would match 1.0.0.0/8.
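The three ideas behind Q2 through Q4 (the wildcard mask as the inverse of the subnet mask, the "0 bits must match, 1 bits are ignored" rule, and first-match evaluation with an implicit deny at the end) are small enough to check in code. The following script is an added example, not part of the original FAQ; it uses the standard-library ipaddress module, and the acl_q4 list and the seq numbers in it are constructed to mirror the three entries described in Q4. NX-OS itself takes prefix/length notation rather than wildcard masks, so the prefix form is used for the ACL entries. The shadowed_entries function goes slightly beyond the question: it reports every entry that can never be hit because an earlier, broader entry covers it, which is the ordering mistake Q4 illustrates.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF


def wildcard_mask(subnet_mask: str) -> str:
    """Return the IOS wildcard mask for a dotted subnet mask (bitwise inverse)."""
    mask = int(ipaddress.IPv4Address(subnet_mask))
    return str(ipaddress.IPv4Address(mask ^ ALL_ONES))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True if addr matches base under wildcard: 0 bits must agree, 1 bits are ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = int(ipaddress.IPv4Address(wildcard)) ^ ALL_ONES  # bits that must match
    return (a & care) == (b & care)


# Constructed to mirror Q4: three permit entries, broadest first.
# Each entry is (sequence number, action, source prefix).
acl_q4 = [
    (10, "permit", "1.0.0.0/8"),
    (20, "permit", "1.1.0.0/16"),
    (30, "permit", "1.1.1.0/24"),
]


def first_match(acl, src: str):
    """Evaluate a source address top-down; the first matching entry wins.
    Returns (seq, action); (None, 'deny') models the implicit deny at the end."""
    addr = ipaddress.IPv4Address(src)
    for seq, action, prefix in acl:
        if addr in ipaddress.IPv4Network(prefix, strict=False):
            return seq, action
    return None, "deny"


def shadowed_entries(acl):
    """Sequence numbers of entries that can never match because an earlier
    entry's prefix is a supernet of (or equal to) theirs."""
    nets = [(seq, ipaddress.IPv4Network(p, strict=False)) for seq, _, p in acl]
    shadowed = []
    for i, (seq, net) in enumerate(nets):
        if any(earlier.supernet_of(net) for _, earlier in nets[:i]):
            shadowed.append(seq)
    return shadowed


if __name__ == "__main__":
    print(wildcard_mask("255.255.255.0"))   # Q2
    print(wildcard_mask("255.255.240.0"))   # Q3
    print(first_match(acl_q4, "1.1.1.1"))   # Q4: hits the first entry
    print(shadowed_entries(acl_q4))         # entries 20 and 30 are dead
```

Because the first entry in acl_q4 already covers 1.0.0.0/8, the two more specific entries below it are unreachable; on a real switch, a more specific deny placed after a broader permit is silently ineffective, which is why shadow checks belong in ACL review.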

Q5. On a Cisco Nexus switch, which ACL subcommand permits only host 10.1.1.1 to send unencrypted web traffic (HTTP) to host 192.168.1.3?
a. permit tcp host 10.1.1.1 host 192.168.1.3 eq 80
b. permit ip 10.1.1.0/24 host 192.168.1.3
c. permit tcp 10.1.1.0/24 192.168.1.0/24 eq 80
d. permit ip any any

Answer: A. To permit only host 10.1.1.1 to reach host 192.168.1.3 on port 80 (HTTP), you must identify each end with the host keyword or a /32 address and restrict the protocol and port. With the host keyword on both ends and eq 80 on the destination, the entry allows exactly that one host-to-host conversation on that one port.
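The way to confirm an answer like Q5's is to test each candidate entry against the flow it should permit and against flows it must not. The script below is an added example rather than code from the original FAQ: it parses the NX-OS-style entries quoted in the four answer choices (only the subset of syntax they use: permit/deny, a protocol, host/any/prefix address specs, and a numeric eq port), evaluates a five-tuple flow against them with the implicit deny at the end, and reports which candidate permits the intended flow while denying every other constructed flow. The Flow values and the candidates dictionary are constructed for the test; named ports such as www are not handled.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Entry:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    sport: Optional[int]
    dst: ipaddress.IPv4Network
    dport: Optional[int]


@dataclass
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def _parse_addr(tokens, i):
    """Parse 'host A.B.C.D', 'any', or 'A.B.C.D/n' starting at tokens[i]."""
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    return ipaddress.IPv4Network(tokens[i], strict=False), i + 1


def _parse_port(tokens, i):
    """Parse an optional 'eq <number>' qualifier starting at tokens[i]."""
    if i < len(tokens) and tokens[i] == "eq":
        return int(tokens[i + 1]), i + 2
    return None, i


def parse_entry(line: str) -> Entry:
    """Parse one ACL subcommand: <action> <proto> <src> [eq p] <dst> [eq p]."""
    t = line.split()
    action, proto = t[0], t[1]
    src, i = _parse_addr(t, 2)
    sport, i = _parse_port(t, i)
    dst, i = _parse_addr(t, i)
    dport, i = _parse_port(t, i)
    return Entry(action, proto, src, sport, dst, dport)


def entry_matches(e: Entry, f: Flow) -> bool:
    """'ip' matches any protocol; a port qualifier only applies when present."""
    if e.proto != "ip" and e.proto != f.proto:
        return False
    if ipaddress.IPv4Address(f.src) not in e.src:
        return False
    if ipaddress.IPv4Address(f.dst) not in e.dst:
        return False
    if e.sport is not None and e.sport != f.sport:
        return False
    if e.dport is not None and e.dport != f.dport:
        return False
    return True


def permits(acl_lines, f: Flow) -> bool:
    """First-match evaluation; no match means the implicit deny applies."""
    for line in acl_lines:
        e = parse_entry(line)
        if entry_matches(e, f):
            return e.action == "permit"
    return False


# Constructed test traffic: the flow Q5 wants, plus flows that must be denied.
INTENDED = Flow("tcp", "10.1.1.1", 51000, "192.168.1.3", 80)
UNWANTED = [
    Flow("tcp", "10.1.1.2", 51000, "192.168.1.3", 80),   # other host in the subnet
    Flow("tcp", "10.1.1.1", 51000, "192.168.1.3", 443),  # other port
    Flow("udp", "10.1.1.1", 51000, "192.168.1.3", 80),   # other protocol
    Flow("tcp", "10.1.1.1", 51000, "192.168.1.4", 80),   # other destination
]

# The four answer choices from Q5, keyed by letter.
CANDIDATES = {
    "a": "permit tcp host 10.1.1.1 host 192.168.1.3 eq 80",
    "b": "permit ip 10.1.1.0/24 host 192.168.1.3",
    "c": "permit tcp 10.1.1.0/24 192.168.1.0/24 eq 80",
    "d": "permit ip any any",
}


def permits_only(line: str, intended: Flow, unwanted) -> bool:
    """True if the single entry permits the intended flow and none of the others."""
    acl = [line]
    return permits(acl, intended) and not any(permits(acl, f) for f in unwanted)


def evaluate_candidates():
    """Map each answer letter to whether it is exactly as restrictive as Q5 asks."""
    return {k: permits_only(v, INTENDED, UNWANTED) for k, v in CANDIDATES.items()}


if __name__ == "__main__":
    print(evaluate_candidates())  # only 'a' should be True
```

Choices b, c and d all permit the intended flow, which is why they look plausible at a glance; the unwanted flows are what separate them, and running such negative cases against a proposed entry is a quick way to catch an over-broad ACL before it is applied.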

Q6. Which AAA method allows a user, after login, to access a certain configuration level on a Cisco network device?
a. Authentication
b. Access-List
c. Authorization
d. Accounting

Answer: C. Following authentication, a user must gain authorization for doing certain tasks. After logging into a system, for instance, the user may try to issue commands. The authorization process determines whether the user has the authority to issue such commands.

About the author

James Palmer
