CCNA FAQ: Advanced IP Access Control Lists

Q1. Which of the following fields cannot be compared based on an extended IP ACL? (Choose two answers.)
a. Protocol
b. Source IP address
c. Destination IP address
d. TOS byte
e. URL
f. Filename for FTP transfers

Explanation: E and F. Extended ACLs can look at the Layer 3 (IP) and Layer 4 (TCP, UDP) headers, and a few others, but not any application layer information. Named extended ACLs can look for the same fields as numbered extended ACLs.

Q2. Which of the following access-list commands permits packets going from host 10.1.1.1 to all web servers whose IP addresses begin with 172.16.5? (Choose two answers.)
a. access-list 101 permit tcp host 10.1.1.1 172.16.5.0 0.0.0.255 eq www
b. access-list 1951 permit ip host 10.1.1.1 172.16.5.0 0.0.0.255 eq www
c. access-list 2523 permit ip host 10.1.1.1 eq www 172.16.5.0 0.0.0.255
d. access-list 2523 permit tcp host 10.1.1.1 eq www 172.16.5.0 0.0.0.255
e. access-list 2523 permit tcp host 10.1.1.1 172.16.5.0 0.0.0.255 eq www

Explanation: A and E. The correct range of ACL numbers for extended IP access lists is 100 to 199 and 2000 to 2699. The answers that list the eq www parameter after 10.1.1.1 match the source port number, and the packets are going toward the web server, not away from it.

Q3. Which of the following access-list commands permits packets going to any web client from all web servers whose IP addresses begin with 172.16.5?
a. access-list 101 permit tcp host 10.1.1.1 172.16.5.0 0.0.0.255 eq www
b. access-list 1951 permit ip host 10.1.1.1 172.16.5.0 0.0.0.255 eq www
c. access-list 2523 permit tcp any eq www 172.16.5.0 0.0.0.255
d. access-list 2523 permit tcp 172.16.5.0 0.0.0.255 eq www 172.16.5.0 0.0.0.255
e. access-list 2523 permit tcp 172.16.5.0 0.0.0.255 eq www any

Explanation: E. Because the packet is going toward any web client, you need to check for the web server’s port number as a source port. The client IP address range is not specified in the question, but the servers are, so the source address beginning with 172.16.5 is the correct answer.
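
The following Python matcher is an added example, not part of the original FAQ: it parses the numbered extended `access-list` commands from Q2 and Q3 and evaluates them against a constructed client-to-web-server flow, showing why `eq www` placed after the source address matches the source port, why only 100-199 and 2000-2699 are extended numbers, and why `ip` cannot carry a port operator. The port keyword table, the contiguous-wildcard simplification and the sample addresses and ports are assumptions made for the example.

```python
import ipaddress
EXTENDED_RANGES = ((100, 199), (2000, 2699))       # extended IP ACL numbers, per the Q2 explanation
PORT_NAMES = {"www": 80, "ftp": 21, "telnet": 23}  # IOS port keywords (assumed subset)

def parse_ace(command):
    """Parse 'access-list N {permit|deny} PROTO SRC [eq PORT] DST [eq PORT]'; raises on lines IOS rejects."""
    t = command.split()
    if t[0] != "access-list" or not any(lo <= int(t[1]) <= hi for lo, hi in EXTENDED_RANGES):
        raise ValueError(f"{t[1]} is not an extended IP ACL number")
    ace, i = {"action": t[2], "proto": t[3]}, 4
    for side in ("src", "dst"):  # each side is 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'
        if t[i] == "any":
            ace[side], i = ipaddress.ip_network("0.0.0.0/0"), i + 1
        elif t[i] == "host":
            ace[side], i = ipaddress.ip_network(t[i + 1] + "/32"), i + 2
        else:  # IOS wildcard (inverse) mask; this simplified parser accepts contiguous masks only
            mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(t[i + 1])))
            ace[side], i = ipaddress.ip_network(f"{t[i]}/{mask}", strict=False), i + 2
        ace[side + "_port"] = None
        if i < len(t) and t[i] == "eq":  # 'eq' binds to the address just parsed: source port first, then destination
            if ace["proto"] not in ("tcp", "udp"):
                raise ValueError("a port operator needs tcp or udp, not " + ace["proto"])
            ace[side + "_port"], i = int(PORT_NAMES.get(t[i + 1], t[i + 1])), i + 2
    return ace

def matches(ace, pkt):  # pkt: dict with proto, src, sport, dst, dport
    if ace["proto"] not in ("ip", pkt["proto"]):
        return False
    for side, port in (("src", "sport"), ("dst", "dport")):
        if ipaddress.ip_address(pkt[side]) not in ace[side]:
            return False
        if ace[side + "_port"] is not None and ace[side + "_port"] != pkt[port]:
            return False
    return True

def first_match(commands, pkt):  # first matching ACE wins; the implicit deny at the end catches everything else
    for cmd in commands:
        ace = parse_ace(cmd)
        if matches(ace, pkt):
            return ace["action"]
    return "deny"

# Constructed sample flow between client 10.1.1.1 and web server 172.16.5.9 (addresses taken from Q2/Q3).
TO_SERVER = {"proto": "tcp", "src": "10.1.1.1", "sport": 40000, "dst": "172.16.5.9", "dport": 80}
FROM_SERVER = {"proto": "tcp", "src": "172.16.5.9", "sport": 80, "dst": "10.1.1.1", "dport": 40000}
if __name__ == "__main__":  # Q2 answer a, then Q3 answer e, each checked against both directions of the flow
    for cmd in ("access-list 101 permit tcp host 10.1.1.1 172.16.5.0 0.0.0.255 eq www",
                "access-list 2523 permit tcp 172.16.5.0 0.0.0.255 eq www any"):
        print(cmd, "->", first_match([cmd], TO_SERVER), "to server,", first_match([cmd], FROM_SERVER), "from server")
```

Feeding it the rejected options (b and c of Q2) raises `ValueError`, and option d of Q2 matches neither direction because its `eq www` sits on the client's side.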

Q4. Which of the following fields can be compared using a named extended IP ACL but not a numbered extended IP ACL?
a. Protocol
b. Source IP address
c. Destination IP address
d. TOS byte
e. None of the other answers are correct.

Explanation: E. Named extended IP ACLs can match the exact same set of fields as can numbered extended IP ACLs.

Q5. In a router running IOS 12.3, an engineer needs to delete the second line in ACL 101, which currently has four commands configured. Which of the following options could be used? (Choose two answers.)
a. Delete the entire ACL and reconfigure the three ACL statements that should remain in the ACL.
b. Delete one line from the ACL using the no access-list… global command.
c. Delete one line from the ACL by entering ACL configuration mode for the ACL and then deleting only the second line based on its sequence number.
d. Delete the last three lines from the ACL from ACL configuration mode, and then add the last two statements back into the ACL.

Explanation: A and C. Before IOS 12.3, a numbered ACL had to be removed and then reconfigured in order to remove one line from it. As of IOS 12.3, you can also use ACL configuration mode and sequence numbers to delete one ACL line at a time.

Q6. What general guideline should you follow when placing extended IP ACLs?
a. Perform all filtering on output if at all possible.
b. Put more general statements early in the ACL.
c. Filter packets as close to the source as possible.
d. Order the ACL commands based on the source IP addresses, lowest to highest, to improve performance.

Explanation: C. The authorized Cisco curriculum makes the suggestion in answer C for extended IP ACLs, and suggests that standard ACLs be placed as close to the destination as possible.

Q7. Which of the following tools requires the end user to telnet to a router to gain access to hosts on the other side of the router?
a. Named ACLs
b. Reflexive ACLs
c. Dynamic ACLs
d. Time-based ACLs

Explanation: C. Dynamic ACLs require the user to telnet to the router and authenticate using a username and password, which then causes the router to permit packets sent by the host.

About the author

Prasanna