Professional Documents
Culture Documents
Refer to the exhibit. A network administrator needs to add the command deny ip
10.0.0.0 0.255.255.255 any log to R3. After adding the command, the administrator
verifies the change using the show access-list command. What sequence number does
the new entry have?
0
10, and all other items are shifted down to the next sequence number
50
60 *****
Refer to the exhibit. What happens if the network administrator issues the commands
shown when an ACL called Managers already exists on the router?
The new commands overwrite the current Managers ACL.
The new commands are added to the end of the current Managers ACL. *****
The new commands are added to the beginning of the current Managers ACL.
An error appears stating that the ACL already exists.
3
Why are inbound ACLs more efficient for the router than outbound ACLs?
Inbound ACLs deny packets before routing lookups are required. *****
Inbound ACL operation requires less network bandwidth than outbound.
Inbound ACLs permit or deny packets to LANs, which are typically more efficient
than WANs.
Inbound ACLs are applied to Ethernet interfaces, while outbound ACLs are applied to
slower serial interfaces.
Refer to the exhibit. The network administrator of a company needs to configure the
router RTA to allow its business partner (Partner A) to access the web server located
in the internal network. The web server is assigned a private IP address, and a static
NAT is configured on the router for its public IP address. Finally, the administrator
adds the ACL. However, Partner A is denied access to the web server. What is the
cause of the problem?
Port 80 should be specified in the ACL. *****
The public IP address of the server, 209.165.201.5, should be specified as the
destination.
The ACL should be applied on the s0/0 outbound interface.
The source address should be specified as 198.133.219.0 255.255.255.0 in the ACL.
CCNA Discovery 4.1 - CCNA Discovery Answers
http://ccna-discovery-4.blogspot.com/
5
ACL logging generates what type of syslog message?
unstable network
warning
informational *****
critical situation
6
Which two host addresses are included in the range specified by 172.16.31.64
0.0.0.31? (Choose two.)
172.16.31.64
172.16.31.77 ****
172.16.31.78 ****
172.16.31.95
172.16.31.96
7
Traffic from the 64.104.48.0 to 64.104.63.255 range must be denied access to the
network. What wildcard mask would the network administrator configure in the
access list to cover this range?
0.0.15.255 *****
0.0.47.255
0.0.63.255
255.255.240.0
8
ACLs are used primarily to filter traffic. What are two additional uses of ACLs?
(Choose two.)
specifying source addresses for authentication
specifying internal hosts for NAT ****
identifying traffic for QoS ****
reorganizing traffic into VLANs
filtering VTP packets
9
What can an administrator do to ensure that ICMP DoS attacks from the outside are
mitigated as much as possible, without hampering connectivity tests initiated from the
inside out?
Create an access list permitting only echo reply and destination unreachable packets
CCNA Discovery 4.1 - CCNA Discovery Answers
http://ccna-discovery-4.blogspot.com/
10
What effect does the command reload in 30 have when entered into a router?
If a router process freezes, the router reloads automatically.
If a packet from a denied source attempts to enter an interface where an ACL is
applied, the router reloads in 30 minutes.
If a remote connection lasts for longer than 30 minutes, the router forces the remote
user off.
A router automatically reloads in 30 minutes. *****
11
12
Refer to the exhibit. The new security policy for the company allows all IP traffic
from the Engineering LAN to the Internet while only web traffic from the Marketing
LAN is allowed to the Internet. Which ACL can be applied in the outbound direction
of Serial 0/1 on the Marketing router to implement the new security policy?
access-list 197 permit ip 192.0.2.0 0.0.0.255 any
access-list 197 permit ip 198.18.112.0 0.0.0.255 any eq www
13
Which three statements are true concerning standard and extended ACLs? (Choose
three.)
Extended ACLs are usually placed so that all packets go through the network and are
filtered at the destination.
Standard ACLs are usually placed so that all packets go through the network and are
filtered at the destination. ****
Extended ACLs filter based on source address only, and must be placed near the
destination if other traffic is to flow.
Standard ACLs filter based on source address only, and must be placed near the
destination if other traffic is to flow. ****
Extended ACLs filter with many possible factors, and they allow only desired packets
to pass through the network if placed near the source. ****
Standard ACLs filter with many possible factors, and they allow only desired packets
to pass through the network if placed near the source.
14
Refer to the exhibit. Company policy for the network that is shown indicates the
following guidelines:
1) All hosts on the 192.168.3.0/24 network, except host 192.168.3.77, should be able
to reach the 192.168.2.0/24 network.
2) All hosts on the 192.168.3.0/24 network should be able to reach the 192.168.1.0/24
network.
3) All other traffic originating from the 192.168.3.0 network should be denied.
Which set of ACL statements meets the stated requirements when they are applied to
the Fa0/0 interface of router R2 in the inbound direction?
access-list 101 deny ip any any
access-list 101 deny ip 192.168.3.77 0.0.0.0 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
15
Hosts from the Limerick LAN are not allowed access to the Shannon LAN but should
be able to access the Internet. Which set of commands will create a standard ACL that
will apply to traffic on the Shannon router interface Fa0/0 implementing this security?
access-list 42 deny 172.19.123.0 0.0.0.255 192.0.2.0 0.0.0.255
access-list 42 permit any
16
Refer to the exhibit. A network administrator needs to configure an access list that
will allow the management host with an IP address of 192.168.10.25/24 to be the only
host to remotely access and configure router RTA. All vty and enable passwords are
configured on the router. Which group of commands will accomplish this task?
Router(config)# access-list 101 permit tcp any 192.168.10.25 0.0.0.0 eq telnet
Router(config)# access-list 101 deny ip any any ******
Router(config)# int s0/0
Router(config-if)# ip access-group 101 in
Router(config-if)# int fa0/0
Router(config-if)#ip access-group 101 in
17
Which ACL permits host 10.220.158.10 access to the web server 192.168.3.244?
access-list 101 permit tcp host 10.220.158.10 eq 80 host 192.168.3.224
access-list 101 permit tcp 10.220.158.10 0.0.0.0 host 192.168.3.224 0.0.0.0 eq 80
access-list 101 permit host 10.220.158.10 0.0.0.0 host 192.168.3.224 0.0.0.0 eq 80
access-list 101 permit tcp 10.220.158.10 0.0.0.0 host 192.168.3.224 eq 80 *****
18
Which wildcard mask would match the host range for the subnet 192.16.5.32 /27?
0.0.0.32
0.0.0.63
0.0.63.255
0.0.0.31 *****
19
A security administrator wants to secure password exchanges on the vty lines on all
routers in the enterprise. What option should be implemented to ensure that passwords
are not sent in clear text across the public network?
Use Telnet with an authentication server to ensure effective authentication.
Apply an access list on the router interfaces to allow only authorized computers.
Apply an access list on the vty line to allow only authorized computers.
Use only Secure Shell (SSH) on the vty lines. *****
20