CCSP SECUR FAQ : Access Lists


Q1. What is an access control list (ACL)?
A. An ACL is a method of only permitting IPX traffic.
B. ACLs are rules that deny or permit packets coming in to or out of a router’s interface.
C. ACLs are used only on switches.
D. ACLs are rules to prevent mail traffic from leaving a router interface only.

Answer: B

Q2. Which of the following steps are required to create an effective ACL?
A. Define an ACL by specifying an ACL number or name and access condition.
B. Administratively shut down the interface before applying the ACL.
C. Reboot the router after creating the ACL.
D. Apply the ACL to an interface or terminal line.

Answer: A, D

Q3. Which of the following ways can ACLs be used?
A. To control virtual terminal line access
B. To automatically shut down interfaces
C. To restrict contents of routing updates
D. To send alerts to the network administrator

Answer: A, C

Q4. Which of the following are ACL criteria?
A. Source address of the traffic
B. Length of the packet
C. Destination address of the traffic
D. Upper-layer protocol

Answer: A, C, D

Q5. What is the difference between a standard IP ACL and extended IP ACL?
A. Standard ACLs use source and destination of the packets, whereas extended IP ACLs use both source and destination with an additional criteria of upper-layer protocol.
B. Standard ACLs use IP ACL range 1 to 99, and extended IP ACLs use 100 to 199.
C. Standard ACLs use IP ACL range 100 to 199, and extended IP ACLs use 1 to 99.
D. Standard ACLs were introduced in the Cisco IOS Software 12.x.

Answer: B

Q6. What command enables you to apply an ACL to an interface?
A. ip access-group number in | out
B. access-list in | out
C. ip access-group in | out
D. access-list number in | out

Answer: A

Q7. Which range of numbers identifies an extended IP ACL?
A. 1–89
B. 1–99
C. 99–200
D. 100–199

Answer: D

Q8. Which of the following is the correct syntax for a standard IP ACL?
A. access-list 50 192.168.1.87 deny 10.100.10.14
B. access-list 101 deny ip host 192.168.1.87 10.100.10.14
C. access-list 50 deny ip host 192.168.1.87
D. access-list 101 host 192.168.1.87 deny 10.100.10.14

Answer: C

Q9. Which is the correct syntax for blocking FTP access to host 192.168.10.1 from the FTP server 10.100.100.14?
A. access-list 11 deny ftp host 192.168.10.1 host 10.100.100.14
B. access-list 101 deny tcp host 192.168.10.1 host 10.100.100.14 eq ftp
C. access-list 11 tcp deny host 192.168.10.1 host 10.100.100.14 eq ftp
D. access-list 101 deny host 192.168.10.1 eq ftp host 10.100.100.14

Answer: B

Q10. Suppose you apply the command access-list 6 permit 0.0.0.0 255.255.255.255. What happens?
A. Nothing is permitted.
B. Everything is permitted.
C. This is an incorrect ACL.
D. A and B.

Answer: B

Q11. What is the syntax to apply the IP ACL 107 for traffic leaving the interface?

Answer: ip access-group 107 out

Q12. Meron is a network administrator in a medium-size company. She wants to deny FTP access to the Marketing department on the 10.300.4.0 subnet on Friday, Saturday, and Sunday 7 a.m. until 10 p.m. Can she do this? If so, how?

Answer: Yes. Meron can use a time-based ACL to fulfill her requirements. A sample configuration for Meron might look like the following:
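The following Cisco IOS configuration is an added example, not the sample configuration from the original page: it defines a time-range for Friday through Sunday, 07:00 to 22:00, and attaches it to an extended ACL that denies FTP from the Marketing subnet only during that window. The ACL number 120, the interface name GigabitEthernet0/1 and the time-range name are assumptions; the subnet 10.30.4.0/24 is a constructed stand-in, because the question's 10.300.4.0 is not a valid IPv4 address (an octet cannot exceed 255) and IOS would reject it.

```cisco
! Added example (not the page's own configuration).
! Step 1: define the time window. "periodic" takes day names and a
! start/end time in 24-hour format; both days and times are from the question.
time-range MARKETING-NO-FTP
 periodic Friday Saturday Sunday 7:00 to 22:00
!
! Step 2: extended ACL (assumed number 120). FTP needs the control
! channel (tcp/21, keyword ftp) and the data channel (tcp/20, keyword
! ftp-data). The time-range keyword makes each entry active only inside
! the window; outside it the entry is treated as inactive and skipped.
! Subnet 10.30.4.0/24 is a constructed stand-in (wildcard 0.0.0.255).
access-list 120 deny   tcp 10.30.4.0 0.0.0.255 any eq ftp      time-range MARKETING-NO-FTP
access-list 120 deny   tcp 10.30.4.0 0.0.0.255 any eq ftp-data time-range MARKETING-NO-FTP
! Explicit permit at the end: without it the implicit deny at the end of
! every ACL would block all Marketing traffic, not just FTP.
access-list 120 permit ip any any
!
! Step 3: apply inbound on the interface facing the Marketing segment
! (interface name is an assumption).
interface GigabitEthernet0/1
 ip access-group 120 in
```

Two things to verify after applying this: the router's clock must be correct (set it or configure NTP), because a time-based ACL is evaluated against the router's local time and a wrong clock silently opens or closes the window at the wrong moment; and `show access-lists 120` should show the two deny entries marked active or inactive according to the current time, with hit counters climbing on the permit line for non-FTP traffic.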

Q13. What is the syntax to deny Telnet access from source host 10.2.2.2 to Telnet server 10.200.4.6?

Answer: access-list 101 deny tcp host 10.2.2.2 host 10.200.4.6 eq telnet

Q14. Why do you use the words “in” or “out” when applying an ACL to an interface?

Answer: The “in” ACL has a source on a segment of the interface to which it is applied and a destination off of any other interface. The “out” ACL has a source on a segment of any interface other than the interface to which it is applied and a destination off of the interface to which it is applied.

Q15. What is the command to apply ACL 101 for outgoing traffic from the internal network?

Answer: ip access-group 101 out

Q16. What range of numbers is used for extended IP ACLs?

Answer: 100 to 199 and 2000 to 2699

Q17. Create an ACL to deny 192.168.10.0 255.255.255.0 network web access to web server 10.100.10.14.

Answer: access-list 101 deny 192.168.10.0 0.0.0.255 host 10.100.10.14 eq 80

Q18. At a minimum, on which routers should you configure ACLs?

Answer: At a minimum, you should configure ACLs on your edge routers.

Q19. What type of ACL would you use to prevent a particular host from accessing your FTP server?

Answer: Extended IP ACLs give you the added granularity to specify which type of protocol to permit or deny to your network or servers.

Q20. Ryan configured the following ACL on his router: access-list 113 deny tcp host 10.2.2.7 any and access-list 113 deny tcp host 10.2.2.8 any. He then applied it to the serial interface of his router. No packets seem to be passing through his router. Why?

Answer: There is an implied “deny” for traffic that is not permitted. Ryan must have at least one permit statement in an ACL or all traffic will be blocked.

About the author

Scott