CCNA FAQ: Basic IP Access Control Lists
Q1. Barney is a host with IP address 10.1.1.1 in subnet 10.1.1.0/24. Which of the following are things that a standard IP ACL could be configured to do? (Choose two answers.)
a. Match the exact source IP address
b. Match IP addresses 10.1.1.1 through 10.1.1.4 with one access-list command without matching other IP addresses
c. Match all IP addresses in Barney’s subnet with one access-list command without matching other IP addresses
d. Match only the packet’s destination IP address
Q2. Which of the following answers lists a valid number that can be used with standard numbered IP ACLs? (Choose two answers.)
Q3. Which of the following wildcard masks is most useful for matching all IP packets in subnet 10.1.128.0, mask 255.255.255.0?
Q4. Which of the following wildcard masks is most useful for matching all IP packets in subnet 10.1.128.0, mask 255.255.240.0?
Q5. ACL 1 has three statements, in the following order, with address and wildcard mask values as follows: 126.96.36.199 0.255.255.255, 188.8.131.52 0.0.255.255, and 184.108.40.206 0.0.0.255. If a router tried to match a packet sourced from IP address 220.127.116.11 using this ACL, which ACL statement does a router consider the packet to have matched?
d. Implied deny at the end of the ACL
Q6. Which of the following access-list commands matches all packets in the range of addresses in subnet 172.16.5.0/25?
a. access-list 1 permit 172.16.0.5 0.0.255.0
b. access-list 1 permit 172.16.4.0 0.0.1.255
c. access-list 1 permit 172.16.5.0
d. access-list 1 permit 172.16.5.0 0.0.0.128
Q7. Your manager at the office asks you to explain the concept behind a standard access list. Using simple terms, explain these concepts.
Q8. It is critical that an access list is applied correctly when it is used on a router for security purposes. What mantra dictates the rules behind access list application?
Q9. Explain how a router processes an access list filtering traffic inbound from the Internet.
Q10. What filtering options does an extended access list give you that are not supplied by a standard access list?
Q11. One of the criteria an extended access list allows you to use in your filtering options is the source and destination port number. What is the difference between these? Why are two ports necessary for all communication?
Q12. Which of the following are valid reasons to implement access lists? (Choose all that apply.)
B. Route filtering
C. Dial-on-demand routing
D. Console port security
Q13. Which type of access list can filter traffic based on the source port? (Choose all that apply.)
Q14. You are filtering traffic to an FTP site and you want only FTP traffic to reach the server. You do not want additional traffic to reach the server. Which traffic should be allowed?
A. TCP on ports 20 and 21
B. UDP on ports 20 and 21
C. TCP on port 21
D. TCP and UDP on ports 20 and 21
Q15. What happens to a packet that does not meet the conditions of any access list filters?
A. The packet is routed normally.
B. The packet is flagged and then routed.
C. The packet is dropped.
D. The administrator is notified.
Q16. You have an IP address and wildcard mask of 10.0.20.5 255.255.0.0. Which of the following IP addresses will be affected by this access list? (Choose all that apply.)
Q17. You want to create an access list to filter all traffic from the 172.16.16.0 255.255.240.0 network. What wildcard mask is appropriate?
Q18. Regarding access lists, which of the following statements is correct?
A. Only one access list per protocol, per direction, per interface
B. Only one access list per port number, per protocol, per interface
C. Only one access list per port number, per direction, per interface
D. Only one access list per port number, per protocol, per direction
Q19. You need to temporarily remove access list 101 from one of your interfaces—which command is appropriate?
A. no access-list 101
B. no ip access-group 101
C. access-list 101 disable
D. access-group 101 disable
Q20. Which of the following creates a standard access list that allows traffic from the 172.16 subnet?
A. access-list 1 permit 172.16.0.0 0.0.255.255
B. access-list 100 permit 172.16.0.0 255.255.0.0
C. access-list 1 permit 172.16.0.0 255.255.0.0
D. access-list 100 permit 172.16.0.0 0.0.255.255
Q21. You want to create an access list that denies all outbound traffic to port 80 from the 10.10.0.0 network. Which access list entry meets your requirements?
A. access-list 101 deny tcp 10.10.0.0 0.0.255.255 eq 80
B. access-list 91 deny tcp 10.10.0.0 0.0.255.255 any eq 80
C. access-list 101 deny tcp 10.10.0.0 0.0.255.255 all eq 80
D. access-list 101 deny tcp 10.10.0.0 0.0.255.255 any eq 80