CCNA FAQ: Basic IP Access Control Lists
Q1. Barney is a host with IP address 10.1.1.1 in subnet 10.1.1.0/24. Which of the following are things that a standard IP ACL could be configured to do? (Choose two answers.)
a. Match the exact source IP address
b. Match IP addresses 10.1.1.1 through 10.1.1.4 with one access-list command without matching other IP addresses
c. Match all IP addresses in Barney’s subnet with one access-list command without matching other IP addresses
d. Match only the packet’s destination IP address
Explanation: A and C. Standard ACLs check the source IP address. The address range 10.1.1.1 – 10.1.1.4 can be matched by an ACL, but it requires multiple access-list commands. Matching all hosts in Barney’s subnet can be accomplished with the access-list 1 permit 10.1.1.0 0.0.0.255 command.
Q2. Which of the following answers lists a valid number that can be used with standard numbered IP ACLs? (Choose two answers.)
Explanation: A and D. The range of valid ACL numbers for standard numbered IP ACLs is 1–99 and 1300–1999, inclusive.
Q3. Which of the following wildcard masks is most useful for matching all IP packets in subnet 10.1.128.0, mask 255.255.255.0?
Explanation: D. 0.0.0.255 matches all packets that have the same first 3 octets. This is useful when you want to match a subnet in which the subnet part comprises the first 3 octets, as in this case.
Q4. Which of the following wildcard masks is most useful for matching all IP packets in subnet 10.1.128.0, mask 255.255.240.0?
Explanation: E. 0.0.15.255 matches all packets with the same first 20 bits. This is useful when you want to match a subnet in which the subnet part comprises the first 20 bits, as in this case.
Q5. ACL 1 has three statements, in the following order, with address and wildcard mask values as follows: 184.108.40.206 0.255.255.255, 220.127.116.11 0.0.255.255, and 18.104.22.168 0.0.0.255. If a router tried to match a packet sourced from IP address 22.214.171.124 using this ACL, which ACL statement does a router consider the packet to have matched?
d. Implied deny at the end of the ACL
Explanation: A. The router always searches the ACL statements in order, and stops trying to match ACL statements after a statement is matched. In other words, it uses first-match logic. A packet with source IP address 126.96.36.199 would match any of the three explicitly configured commands described in the question. As a result, the first statement will be used.
Q6. Which of the following access-list commands matches all packets in the range of addresses in subnet 172.16.5.0/25?
a. access-list 1 permit 172.16.0.5 0.0.255.0
b. access-list 1 permit 172.16.4.0 0.0.1.255
c. access-list 1 permit 172.16.5.0
d. access-list 1 permit 172.16.5.0 0.0.0.128
Explanation: B. One wrong answer, with wildcard mask 0.0.255.0, matches all packets whose address begins with 172.16 and has a 5 in the last octet. One wrong answer matches only the specific IP address 172.16.5.0. One wrong answer uses a wildcard mask of 0.0.0.128, which has only one wildcard bit (in binary) and happens to match only the addresses 172.16.5.0 and 172.16.5.128. The correct answer matches the range of addresses 172.16.4.0 – 172.16.5.255, which includes all addresses in the subnet listed in the question (172.16.5.0 – 172.16.5.127).
Q7. Your manager at the office asks you to explain the concept behind a standard access list. Using simple terms, explain these concepts.
Answer: A standard access list is nothing more than a generic list of permit and deny statements. It chooses what devices are allowed through a router based on who they are (their source IP addresses).
Q8. It is critical that an access list is applied correctly when it is used on a router for security purposes. What mantra dictates the rules behind access list application?
Answer: One access list, per protocol, per interface, per direction.
Q9. Explain how a router processes an access list filtering traffic inbound from the Internet.
Answer: Regardless of how an access list is applied, the router processes it the same: Statements are read from the top of the list down. If a packet matches one of the statements, the router executes the direction of the statement (permit or deny) and exits the access list processing. If the packet does not match any of the statements in the access list, it is implicitly denied.
Q10. What filtering options does an extended access list give you that are not supplied by a standard access list?
Answer: An extended access list gives you the option of filtering based on the TCP/IP sub-protocol (such as TCP, UDP, or ICMP), the destination address, and the source/destination port number. Beyond the CCNA level, an extended access list also enables you to filter based on criteria such as time of day or QoS marking.
Q11. One of the criteria an extended access list allows you to use in your filtering options is the source and destination port number. What is the difference between these? Why are two ports necessary for all communication?
Answer: When communicating on a TCP/IP-based network, the destination port helps identify what server application your client is attempting to access. For example, sending data to TCP port 80 indicates the HTTP server service. The source port number is used to identify the client application to which the server should respond. These two ports are always necessary in any communication to identify the applications on both ends of the connection.
Q12. Which of the following are valid reasons to implement access lists? (Choose all that apply.)
B. Route filtering
C. Dial-on-demand routing
D. Console port security
Answer: A, B, C. Access lists can be used with QoS in implementing many forms of queuing and congestion avoidance techniques. Access lists can filter routing protocol updates. Access lists can also specify interesting traffic to trigger dial-on-demand routing. Answer D is incorrect because access lists aren’t used for console port security.
Q13. Which type of access list can filter traffic based on the source port? (Choose all that apply.)
Answer: B, E. Extended access lists can use source and destination information, including the source port, and named access lists can be either extended or standard, so they have the capability to filter based on the source port. Answer A is incorrect because standard access lists can filter on source address information, but not source port. Answer C is incorrect because there are no user-based access lists. Answer D is incorrect because there are no static access lists. Answer F is incorrect because there are no unnamed access lists.
Q14. You are filtering traffic to an FTP site and you want only FTP traffic to reach the server. You do not want additional traffic to reach the server. Which traffic should be allowed?
A. TCP on ports 20 and 21
B. UDP on ports 20 and 21
C. TCP on port 21
D. TCP and UDP on ports 20 and 21
Answer: A. FTP uses TCP and ports 20 and 21. Answer B is incorrect because FTP uses TCP. Answer C is incorrect because port 20 is required as well. Answer D is incorrect because UDP is not necessary.
Q15. What happens to a packet that does not meet the conditions of any access list filters?
A. The packet is routed normally.
B. The packet is flagged and then routed.
C. The packet is dropped.
D. The administrator is notified.
Answer: C. A packet that does not match any filter is dropped. Answer A is incorrect because the packet is discarded rather than routed. Answer B is incorrect because there is no mechanism to flag the packet. Answer D is incorrect because, although it is conceivable that an administrator could be notified, by default the packet is simply dropped.
Q16. You have an IP address and wildcard mask of 10.0.20.5 255.255.0.0. Which of the following IP addresses will be affected by this access list? (Choose all that apply.)
Answer: B, C. The significant bits are the last 16, indicated by the wildcard mask of 255.255.0.0. 192.168.20.5 and 172.30.20.5 match the last two octets, or 16 bits, of the 10.0.20.5 IP address. Answers A and D are incorrect because although the first portions of the IP address match, it is the last two octets that are significant.
Q17. You want to create an access list to filter all traffic from the 172.16.16.0 255.255.240.0 network. What wildcard mask is appropriate?
Answer: B. 0.0.15.255 affects the 172.16.16.0 255.255.240.0 network. In the third octet, the first four bits are checked in binary, resulting in 00000000.00000000.00001111.11111111. Answer A is incorrect because this does not match the given problem, checking too many bits (five) in the last octet. Answer C is incorrect because this mask checks only three bits in the third octet. Answer D is incorrect because this mask checks only two bits in the third octet.
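The wildcard-mask and first-match rules behind Q1, Q3 through Q6, Q9, Q15, Q16 and Q17 can be checked with a small simulator. The Python below is an added example written for this page; it is not Cisco code and not part of the original FAQ. The function names and the two sample ACLs are constructed: ACL_1 reuses address/wildcard pairs from the questions above, and ACL_2 deliberately places a broad deny ahead of a narrower permit to show the shadowing that first-match logic causes (the point of Q5).

```python
# Added example: simulates standard IP ACL matching (source address only)
# with Cisco-style wildcard masks and top-down, first-match evaluation.
# Function names and the sample ACLs below are constructed for illustration.
import ipaddress

ALL_ONES = 0xFFFFFFFF


def wildcard_matches(address: str, base: str, wildcard: str) -> bool:
    """True if `address` matches `base` under `wildcard`.

    In a wildcard mask a 0 bit means "this bit must match" and a 1 bit
    means "ignore this bit" (the inverse of a subnet mask).
    """
    a = int(ipaddress.IPv4Address(address))
    b = int(ipaddress.IPv4Address(base))
    care = ALL_ONES ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (b & care)


def subnet_mask_to_wildcard(mask: str) -> str:
    """Invert a subnet mask into the wildcard mask that matches the same subnet."""
    return str(ipaddress.IPv4Address(ALL_ONES ^ int(ipaddress.IPv4Address(mask))))


def match_range(base: str, wildcard: str):
    """Lowest and highest address a base/wildcard pair matches.

    Only meaningful for contiguous wildcards such as 0.0.1.255; a mask like
    0.0.0.128 matches two separate addresses rather than a range.
    """
    w = int(ipaddress.IPv4Address(wildcard))
    low = int(ipaddress.IPv4Address(base)) & (ALL_ONES ^ w)
    return str(ipaddress.IPv4Address(low)), str(ipaddress.IPv4Address(low | w))


def evaluate_standard_acl(acl, source_ip: str):
    """Walk the ACL top-down and stop at the first matching statement.

    `acl` is a list of (action, base, wildcard) tuples in configured order.
    Returns (action, statement_number); statement_number is None when the
    implicit deny at the end of the list decided the packet.
    """
    for number, (action, base, wildcard) in enumerate(acl, start=1):
        if wildcard_matches(source_ip, base, wildcard):
            return action, number
    return "deny", None


# Constructed ACL built from address/wildcard pairs discussed in the FAQ.
ACL_1 = [
    ("permit", "172.16.4.0", "0.0.1.255"),    # Q6: 172.16.4.0 - 172.16.5.255
    ("deny",   "172.16.16.0", "0.0.15.255"),  # Q17: the 172.16.16.0/20 network
    ("permit", "10.1.1.0", "0.0.0.255"),      # Q1: all of Barney's subnet
]

# Constructed ACL showing first-match shadowing: statement 2 can never be
# reached because statement 1 already matches everything in 10.0.0.0/8.
ACL_2 = [
    ("deny",   "10.0.0.0", "0.255.255.255"),
    ("permit", "10.1.1.0", "0.0.0.255"),
]

if __name__ == "__main__":
    for ip in ("172.16.5.77", "172.16.20.9", "10.1.1.1", "192.168.1.1"):
        print(ip, "->", evaluate_standard_acl(ACL_1, ip))
    print("10.1.1.1 against ACL_2 ->", evaluate_standard_acl(ACL_2, "10.1.1.1"))
    print("255.255.240.0 as a wildcard:", subnet_mask_to_wildcard("255.255.240.0"))
```

Running the script shows 172.16.20.9 stopping at statement 2 of ACL_1, 192.168.1.1 falling through to the implicit deny, and 10.1.1.1 being denied by ACL_2 even though a permit for its subnet exists further down; the Q16 case (wildcard 255.255.0.0, so only the last two octets are checked) is handled by the same `wildcard_matches` function.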
Q18. Regarding access lists, which of the following statements is correct?
A. Only one access list per protocol, per direction, per interface
B. Only one access list per port number, per protocol, per interface
C. Only one access list per port number, per direction, per interface
D. Only one access list per port number, per protocol, per direction
Answer: A. You may create only one access list per protocol, per direction, per interface. Answer B is incorrect because you can have multiple access lists for a single port number, and only one per direction. Answer C is incorrect because you may have only one access list per protocol, not per port number. Answer D is incorrect because you may not have more than one access list per interface.
Q19. You need to temporarily remove access list 101 from one of your interfaces—which command is appropriate?
A. no access-list 101
B. no ip access-group 101
C. access-list 101 disable
D. access-group 101 disable
Answer: B. The correct syntax is no ip access-group 101. This removes the access list from the interface. Answer A is incorrect because this line deletes the access list entirely. Answers C and D use invalid syntax.
Q20. Which of the following creates a standard access list that allows traffic from the 172.16 subnet?
A. access-list 1 permit 172.16.0.0 0.0.255.255
B. access-list 100 permit 172.16.0.0 255.255.0.0
C. access-list 1 permit 172.16.0.0 255.255.0.0
D. access-list 100 permit 172.16.0.0 0.0.255.255
Answer: A. This answer has the correct syntax of the access-list command followed by the list number, permit/deny, IP address, and a wildcard mask. Answers B and D are incorrect because they indicate an extended access list. Answer C is incorrect because the wildcard mask has been reversed.
Q21. You want to create an access list that denies all outbound traffic to port 80 from the 10.10.0.0 network. Which access list entry meets your requirements?
A. access-list 101 deny tcp 10.10.0.0 0.0.255.255 eq 80
B. access-list 91 deny tcp 10.10.0.0 0.0.255.255 any eq 80
C. access-list 101 deny tcp 10.10.0.0 0.0.255.255 all eq 80
D. access-list 101 deny tcp 10.10.0.0 0.0.255.255 any eq 80
Answer: D. Use the any keyword to specify all destinations. Answer A is incorrect because no destination is specified. Answer B is incorrect; this specifies a standard access list. Answer C is incorrect because all is not the proper keyword.
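The extended-ACL questions (Q10, Q11, Q14 and Q21) turn on protocol, destination and port fields that a standard list cannot see. The Python below is an added example for this page, not the IOS parser and not part of the original FAQ. It parses a constructed subset of the numbered extended ACL syntax (only `any`, `host A.B.C.D` and `A.B.C.D wildcard` address forms, and only the `eq` port operator), rejects the three wrong answers from Q21 for the reasons the answer key gives, and then evaluates sample packets with first-match logic. The server address 192.0.2.10, the packets and the ACL 101 contents are constructed samples.

```python
# Added example: parses a subset of Cisco-style numbered extended ACL lines
# and evaluates packets against them with first-match logic. It is a teaching
# model, not the IOS parser; address forms and the `eq` operator only.
# The server address 192.0.2.10 and the sample packets are constructed.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

AddrSpec = Tuple[str, str]   # (base address, wildcard mask)


@dataclass
class Packet:
    proto: str                 # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass
class Entry:
    action: str
    proto: str
    src: AddrSpec
    sport: Optional[int]
    dst: AddrSpec
    dport: Optional[int]


def _in_wildcard(address: str, base: str, wildcard: str) -> bool:
    """Wildcard match: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(address)) & care) == (int(ipaddress.IPv4Address(base)) & care)


def _take_address(t: List[str], i: int) -> Tuple[AddrSpec, int]:
    """Consume one address spec at t[i]; return the spec and the next index."""
    if i >= len(t):
        raise ValueError("address expected but the line ended (no destination?)")
    if t[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if i + 1 >= len(t):
        raise ValueError(f"incomplete address after {t[i]}")
    if t[i] == "host":
        return (str(ipaddress.IPv4Address(t[i + 1])), "0.0.0.0"), i + 2
    # IPv4Address() raises ValueError for anything that is not an address,
    # which is how a stray keyword such as `all` is rejected.
    return (str(ipaddress.IPv4Address(t[i])), str(ipaddress.IPv4Address(t[i + 1]))), i + 2


def _take_port(t: List[str], i: int) -> Tuple[Optional[int], int]:
    """Consume an optional `eq <port>` operator."""
    if i < len(t) and t[i] == "eq":
        if i + 1 >= len(t):
            raise ValueError("port number missing after eq")
        return int(t[i + 1]), i + 2
    return None, i


def parse_extended(line: str) -> Entry:
    """Parse `access-list <100-199|2000-2699> <permit|deny> <proto> <src> [eq N] <dst> [eq N]`."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list":
        raise ValueError("not an access-list command")
    number = int(t[1])
    if not (100 <= number <= 199 or 2000 <= number <= 2699):
        raise ValueError(f"{number} is not an extended ACL number")
    action, proto = t[2], t[3].lower()
    if action not in ("permit", "deny"):
        raise ValueError(f"expected permit or deny, got {action}")
    src, i = _take_address(t, 4)
    sport, i = _take_port(t, i)
    dst, i = _take_address(t, i)      # fails when no destination is given
    dport, i = _take_port(t, i)
    if i != len(t):
        raise ValueError("unexpected trailing tokens: " + " ".join(t[i:]))
    return Entry(action, proto, src, sport, dst, dport)


def syntax_error_for(line: str) -> Optional[str]:
    """Return the parse error for a line, or None if it parses cleanly."""
    try:
        parse_extended(line)
    except ValueError as exc:
        return str(exc)
    return None


def entry_matches(entry: Entry, pkt: Packet) -> bool:
    if entry.proto != "ip" and entry.proto != pkt.proto:
        return False
    if not _in_wildcard(pkt.src, *entry.src) or not _in_wildcard(pkt.dst, *entry.dst):
        return False
    if entry.sport is not None and pkt.sport != entry.sport:
        return False
    return entry.dport is None or pkt.dport == entry.dport


def evaluate_extended_acl(entries: List[Entry], pkt: Packet):
    """First match wins; returns (action, statement number) or ("deny", None) for the implicit deny."""
    for number, entry in enumerate(entries, start=1):
        if entry_matches(entry, pkt):
            return entry.action, number
    return "deny", None


# Constructed ACL 101: Q21's correct entry followed by the FTP permits from Q14.
ACL_101 = [parse_extended(line) for line in (
    "access-list 101 deny tcp 10.10.0.0 0.0.255.255 any eq 80",
    "access-list 101 permit tcp any host 192.0.2.10 eq 21",   # FTP control
    "access-list 101 permit tcp any host 192.0.2.10 eq 20",   # FTP data
)]

if __name__ == "__main__":
    for line in ("access-list 101 deny tcp 10.10.0.0 0.0.255.255 eq 80",
                 "access-list 91 deny tcp 10.10.0.0 0.0.255.255 any eq 80",
                 "access-list 101 deny tcp 10.10.0.0 0.0.255.255 all eq 80"):
        print(line, "->", syntax_error_for(line))
    print(evaluate_extended_acl(ACL_101, Packet("tcp", "10.10.3.4", "192.0.2.10", 51000, 21)))
```

Note that a UDP packet to port 21, or a TCP packet to port 22, reaches neither FTP permit and falls to the implicit deny, which is the behaviour Q14 and Q15 describe; a web request from outside 10.10.0.0/16 is also denied, not because statement 1 matched but because nothing permitted it.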