CCSP SECUR FAQ: Access Lists
Q1. What is an access control list (ACL)?
A. An ACL is a method of only permitting IPX traffic.
B. ACLs are rules that deny or permit packets entering or leaving a router's interface.
C. ACLs are used only on switches.
D. ACLs are rules to prevent mail traffic from leaving a router interface only.
Q2. Which of the following steps are required to create an effective ACL?
A. Define an ACL by specifying an ACL number or name and access condition.
B. Administratively shut down the interface before applying the ACL.
C. Reboot the router after creating the ACL.
D. Apply the ACL to an interface or terminal line.
Q3. Which of the following ways can ACLs be used?
A. To control virtual terminal line access
B. To automatically shut down interfaces
C. To restrict contents of routing updates
D. To send alerts to the network administrator
Q4. Which of the following are ACL criteria?
A. Source address of the traffic
B. Length of the packet
C. Destination address of the traffic
D. Upper-layer protocol
Q5. What is the difference between a standard IP ACL and extended IP ACL?
A. Standard ACLs use source and destination of the packets, whereas extended IP ACLs use both source and destination with the additional criterion of upper-layer protocol.
B. Standard ACLs use IP ACL range 1 to 99, and extended IP ACLs use 100 to 199.
C. Standard ACLs use IP ACL range 100 to 199, and extended IP ACLs use 1 to 99.
D. Standard ACLs were introduced in the Cisco IOS Software 12.x.
Q6. What command enables you to apply an ACL to an interface?
A. ip access-group number in | out
B. access-list in | out
C. ip access-group in | out
D. access-list number in | out
Q7. Which range of numbers identifies an extended IP ACL?
A. 1–89
B. 1–99
C. 99–200
D. 100–199
Q8. Which of the following is the correct syntax for a standard IP ACL?
A. access-list 50 192.168.1.87 deny 10.100.10.14
B. access-list 101 deny ip host 192.168.1.87 10.100.10.14
C. access-list 50 deny ip host 192.168.1.87
D. access-list 101 host 192.168.1.87 deny 10.100.10.14
Q9. Which is the correct syntax for blocking FTP access to host 192.168.10.1 from the FTP server 10.100.100.14?
A. access-list 11 deny ftp host 192.168.10.1 host 10.100.100.14
B. access-list 101 deny tcp host 192.168.10.1 host 10.100.100.14 eq ftp
C. access-list 11 tcp deny host 192.168.10.1 host 10.100.100.14 eq ftp
D. access-list 101 deny host 192.168.10.1 eq ftp host 10.100.100.14
Q10. Suppose you apply the command access-list 6 permit 0.0.0.0 255.255.255.255. What happens?
A. Nothing is permitted.
B. Everything is permitted.
C. This is an incorrect ACL.
D. A and B.
Q11. What is the syntax to apply the IP ACL 107 for traffic leaving the interface?
Q12. Meron is a network administrator in a medium-size company. She wants to deny FTP access to the Marketing department on the 10.300.4.0 subnet on Friday, Saturday, and Sunday from 7 a.m. until 10 p.m. Can she do this? If so, how?
Answer: Yes. Meron can use a time-based ACL to fulfill her requirements. The time range is defined first, the ACL entry then references it, and finally the ACL is applied inbound on the interface facing the Marketing subnet; the closing permit is needed because every ACL ends in an implicit deny. A sample configuration for Meron might look like the following:
Firewall(config)#time-range Mrktgrp
Firewall(config-time-range)#periodic friday saturday sunday 7:00 to 22:00
Firewall(config-time-range)#exit
Firewall(config)#access-list 110 deny tcp 10.300.4.0 0.0.0.255 host 192.168.100.21 eq ftp time-range Mrktgrp
Firewall(config)#access-list 110 permit ip any any
Firewall(config)#interface <interface facing the Marketing subnet>
Firewall(config-if)#ip access-group 110 in
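To show why Q10 permits everything, why Q20's ACL blocks everything (implicit deny), and how Q12's time range gates a single entry, here is an added example, not part of the original FAQ: a small Python simulator of IOS ACL evaluation (wildcard masks, first match wins, implicit deny, periodic time ranges). The helper names ace, evaluate and the ACL_* constants are this example's own assumptions, and because 10.300.4.0 is not a valid IPv4 address the constructed subnet 10.30.4.0/24 stands in for the FAQ's Marketing subnet.

```python
from datetime import datetime
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 1 bit means 'don't care', so base 0.0.0.0 with mask
    255.255.255.255 (keyword 'any') matches every address; mask 0.0.0.0 is 'host'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def ace(action, proto, src, swc, dst, dwc, port=None, time=None):
    """One access control entry; time=(days, 'HH:MM', 'HH:MM') mirrors a periodic time-range."""
    return dict(action=action, proto=proto, src=src, swc=swc, dst=dst, dwc=dwc, port=port, time=time)

def time_range_active(periodic, when):
    if periodic is None:  # an entry without a time-range is always active
        return True
    days, start, end = periodic
    return when.strftime("%A").lower() in days and start <= when.strftime("%H:%M") <= end

def evaluate(acl, packet, when=None):
    """Top-down, first match wins; a packet matching no entry hits the implicit deny.
    when: ISO 8601 string such as '2024-03-15T12:00' (defaults to now)."""
    now = datetime.fromisoformat(when) if when else datetime.now()
    for e in acl:
        if e["proto"] not in ("ip", packet["proto"]):
            continue
        if not (wildcard_match(packet["src"], e["src"], e["swc"])
                and wildcard_match(packet["dst"], e["dst"], e["dwc"])):
            continue
        if e["port"] is not None and e["port"] != packet["dport"]:
            continue
        if not time_range_active(e["time"], now):
            continue
        return e["action"]
    return "deny"

ANY = ("0.0.0.0", "255.255.255.255")
# Q10: permit 0.0.0.0 255.255.255.255 matches every source, so everything is permitted.
ACL_6 = [ace("permit", "ip", *ANY, *ANY)]
# Q20: two denies and nothing else, so the implicit deny drops all remaining traffic.
ACL_113 = [ace("deny", "tcp", "10.2.2.7", "0.0.0.0", *ANY),
           ace("deny", "tcp", "10.2.2.8", "0.0.0.0", *ANY)]
ACL_113_FIXED = ACL_113 + [ace("permit", "ip", *ANY, *ANY)]
# Q12: time-based FTP deny. The FAQ's 10.300.4.0 is not a valid IPv4 address, so
# 10.30.4.0/24 is used here as a constructed stand-in.
WEEKEND = ({"friday", "saturday", "sunday"}, "07:00", "22:00")
ACL_110 = [ace("deny", "tcp", "10.30.4.0", "0.0.0.255", "192.168.100.21", "0.0.0.0",
               port=21, time=WEEKEND),
           ace("permit", "ip", *ANY, *ANY)]
```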
Q13. What is the syntax to deny telnet access to source host 10.2.2.2 to telnet server 10.200.4.6?
Q14. Why do you use the words “in” or “out” when applying an ACL to an interface?
Q15. What is the command to apply ACL 101 for outgoing traffic from the internal network?
Q16. What range of numbers is used for extended IP ACLs?
Q17. Create an ACL to deny 192.168.10.0 255.255.255.0 network web access to web server 10.100.10.14.
Q18. At a minimum, on which routers should you configure ACLs?
Q19. What type of ACL would you use to prevent a particular host from accessing your FTP server?
Q20. Ryan configured the following ACL on his router: access-list 113 deny tcp host 10.2.2.7 any and access-list 113 deny tcp host 10.2.2.8 any. He then applied it to the serial interface of his router. No packets seem to be passing through his router. Why?