
Access List

August 6th, 2017 in ROUTE 300-101

Question 1

Explanation

The first answer is not correct because its 10.0.0.0 network range is wrong: the range should be 10.0.0.0 to 10.255.255.255.

Question 2

Explanation

Logging-enabled access control lists (ACLs) provide insight into traffic as it traverses the network or is dropped by network devices. Unfortunately, ACL logging can be CPU intensive and can negatively affect other functions of the network device. There are two primary factors that contribute to the CPU load increase from ACL logging: process switching of packets that match log-enabled access control entries (ACEs) and the generation and transmission of log messages.

Process switching is the slowest switching method (compared to fast switching and Cisco Express Forwarding) because it must look up the destination in the routing table and construct a new Layer 2 frame header for every packet. With process switching, when a packet comes in, the scheduler calls a process that examines the routing table, determines which interface the packet should be switched to and then switches the packet. The problem is that this happens for every packet.

Reference: http://www.cisco.com/web/about/security/intelligence/acl-logging.html

Question 3

Explanation

If you use the “debug ip packet” command on a production router, you can bring it down, since it generates output for every packet and that output can be extensive. The best way to limit the output of debug ip packet is to create an access-list and link it to the debug. Only packets that match the access-list criteria are subject to debug ip packet. For example, this is how to monitor traffic from host 1.1.1.1 to host 2.2.2.2 (an extended ACL needs the “host” keyword for a single address; without it the second address would be read as a wildcard mask):

access-list 100 permit ip host 1.1.1.1 host 2.2.2.2
debug ip packet 100

Note: The “debug ip packet” command is used to monitor packets that are processed by the router’s routing engine (process switched) and are not fast switched.

Question 4

Question 5

Question 6

Explanation

+ The question asks to “always” block traffic (every week), so we must use the keyword “periodic”.
+ Traffic should be blocked until 11:59 PM, which means 23:59.

Note: The time is specified in 24-hour format (hh:mm), where the hours range from 0 to 23 and the minutes from 0 to 59.

Only answer B satisfies these two requirements, so it is the best answer. In fact, none of the answers is entirely correct, as the access-list should deny web traffic, not permit it as shown in the answers.

Question 7

Question 8

Explanation

This question is about restricting IPv6 access to SSH. Two answers had to be picked: one that is applied to Fa0/0 and one that is applied to the vty lines. It’s basically IN or OUT.

Question 9

Explanation

The established keyword is only applicable to TCP access list entries to match TCP segments that have the ACK and/or RST control bit set (regardless of the source and destination ports), which assumes that a TCP connection has already been established in one direction only. Let’s see an example below:

Suppose you only want to allow the hosts inside your company to telnet to an outside server but not vice versa. You can simply use an “established” access-list like this:

access-list 100 permit tcp any any established
access-list 101 permit tcp any any eq telnet
!
interface S0/0
ip access-group 100 in
ip access-group 101 out

Note:

Suppose host A wants to start communicating with host B using TCP. Before they can send real data, a three-way handshake must be established first. Let’s see how this process takes place:

[Figure: TCP three-way handshake]

1. First, host A sends a SYN message (a TCP segment with the SYN flag set to 1; SYN is short for SYNchronize) to indicate that it wants to set up a connection with host B. This message includes a sequence (SEQ) number for tracking purposes. This sequence number can be any 32-bit number (range from 0 to 2^32), so we use “x” to represent it.

2. After receiving the SYN message from host A, host B replies with a SYN-ACK message (some books call it a “SYN/ACK” or “SYN, ACK” message; ACK is short for ACKnowledge). This message includes a SYN sequence number and an ACK number:
+ The SYN sequence number (let’s call it “y”) is a random number and has no relationship with host A’s SYN SEQ number.
+ The ACK number is host A’s SYN sequence number plus one, so we represent it as “x+1”. It means “I received your part. Now send me the next part (x + 1)”.

The SYN-ACK message indicates that host B accepts talking to host A (the ACK part) and asks whether host A still wants to talk to it as well (the SYN part).

3. After host A receives the SYN-ACK message from host B, it sends an ACK message with ACK number “y+1” to host B. This confirms that host A still wants to talk to host B.
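The “established” check and the three-way handshake described above, simulated in Python as an added example (this is not code from the original page or from Cisco). ACL 100 inbound and ACL 101 outbound on S0/0 are modelled as first-match lists with the implicit deny, and the three handshake segments are pushed through them once for a telnet session started from the inside and once for a session started from the outside. The host addresses, port numbers and sequence numbers are constructed for the example.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

TELNET = 23
INSIDE = "10.1.1.10"      # constructed: host behind S0/0
OUTSIDE = "203.0.113.5"   # constructed: telnet server on the far side of S0/0


@dataclass(frozen=True)
class Segment:
    """The parts of a TCP segment that the two ACLs look at."""
    src: str
    dst: str
    sport: int
    dport: int
    flags: FrozenSet[str]   # subset of {"SYN", "ACK", "RST", "FIN"}
    seq: int = 0
    ack: int = 0


@dataclass(frozen=True)
class Ace:
    """One entry of the form 'permit tcp any any [eq dport] [established]'."""
    action: str
    dport: Optional[int] = None     # None means any destination port
    established: bool = False


def ace_matches(ace: Ace, seg: Segment) -> bool:
    if ace.dport is not None and seg.dport != ace.dport:
        return False
    # 'established' matches only segments with ACK or RST set; it looks at
    # the flags alone and keeps no connection state.
    if ace.established and not (seg.flags & {"ACK", "RST"}):
        return False
    return True


def evaluate(acl: List[Ace], seg: Segment) -> str:
    """First matching entry wins; an unmatched segment hits the implicit deny."""
    for ace in acl:
        if ace_matches(ace, seg):
            return ace.action
    return "deny"


# access-list 100 permit tcp any any established   (ip access-group 100 in)
ACL_100_IN = [Ace("permit", established=True)]
# access-list 101 permit tcp any any eq telnet     (ip access-group 101 out)
ACL_101_OUT = [Ace("permit", dport=TELNET)]


def filter_s0_0(seg: Segment, direction: str) -> str:
    return evaluate(ACL_100_IN if direction == "in" else ACL_101_OUT, seg)


def handshake(client: str, server: str, sport: int, dport: int,
              x: int, y: int) -> List[Tuple[str, Segment]]:
    """The three handshake segments with the SEQ/ACK numbers from the text."""
    return [
        ("SYN", Segment(client, server, sport, dport, frozenset({"SYN"}), seq=x)),
        ("SYN-ACK", Segment(server, client, dport, sport, frozenset({"SYN", "ACK"}),
                            seq=y, ack=x + 1)),
        ("ACK", Segment(client, server, sport, dport, frozenset({"ACK"}),
                        seq=x + 1, ack=y + 1)),
    ]


def run_session(initiated_from_inside: bool) -> List[Tuple[str, str, str]]:
    """Push a telnet handshake through S0/0; stop at the first dropped segment."""
    client, server = (INSIDE, OUTSIDE) if initiated_from_inside else (OUTSIDE, INSIDE)
    verdicts = []
    for name, seg in handshake(client, server, 40000, TELNET, x=1000, y=5000):
        direction = "out" if seg.src == INSIDE else "in"   # S0/0 faces the outside
        verdict = filter_s0_0(seg, direction)
        verdicts.append((name, direction, verdict))
        if verdict == "deny":
            break
    return verdicts


if __name__ == "__main__":
    for started_inside in (True, False):
        where = "inside" if started_inside else "outside"
        print(f"telnet session started from the {where}:")
        for name, direction, verdict in run_session(started_inside):
            print(f"  {name:8s} {direction:3s} -> {verdict}")
```

Run as a script, it prints the three permitted segments of the inside-initiated session and the single denied SYN of the outside-initiated one. Because ace_matches looks at the flags only, any inbound segment carrying ACK or RST is accepted whether or not a connection exists behind it: the keyword gives direction control, not connection tracking, which is the gap the reflexive access lists of Question 11 close.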

Question 10

Question 11

Explanation

Reflexive access lists provide filtering on upper-layer IP protocol sessions. They contain temporary entries that are automatically created when a new IP session begins. They are nested within extended, named IP access lists that are applied to an interface. Reflexive access lists are typically configured on border routers, which pass traffic between an internal and external network. These are often firewall routers. Reflexive access lists do not end with an implicit deny statement because they are nested within an access list and the subsequent statements need to be examined.

Reference: http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_acl/configuration/15-1s/sec-access-list-ov.html
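The reflexive access list behaviour just described, modelled in Python as an added example (not code from the original page or from Cisco). A “reflect” on the outbound named ACL creates a temporary entry for the mirrored 5-tuple, an “evaluate” on the inbound named ACL consults those entries and, because the reflexive part has no implicit deny, falls through to the next statement when nothing matches. The idle timeout, the addresses, the port numbers and the inbound SSH exception are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

SSH_SERVER = "10.1.1.20"   # constructed: the one inside host reachable from outside


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int


class ReflexiveList:
    """The temporary entries that 'reflect' creates and 'evaluate' consults."""

    def __init__(self, name: str, timeout: int = 300) -> None:
        self.name = name
        self.timeout = timeout                 # idle timeout in seconds (assumed value)
        self.entries: Dict[Tuple, int] = {}    # mirrored 5-tuple -> expiry time

    def reflect(self, pkt: Packet, now: int) -> None:
        # The temporary entry matches the return traffic: source and
        # destination (and their ports) are swapped.
        mirror = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        self.entries[mirror] = now + self.timeout

    def evaluate(self, pkt: Packet, now: int) -> Optional[str]:
        """'permit' on a live entry; None otherwise, so the caller falls through
        to the next statement of the enclosing list (no implicit deny here)."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        expiry = self.entries.get(key)
        if expiry is None:
            return None
        if now > expiry:
            del self.entries[key]                # session timed out
            return None
        self.entries[key] = now + self.timeout   # matching traffic refreshes the timer
        return "permit"


class BorderRouter:
    """Outside interface with a reflexive list nested in two named extended ACLs."""

    def __init__(self) -> None:
        self.sessions = ReflexiveList("TCPTRAFFIC")

    def outbound(self, pkt: Packet, now: int) -> str:
        # ip access-list extended OUTBOUND
        #  permit tcp any any reflect TCPTRAFFIC
        #  permit udp any any reflect TCPTRAFFIC
        #  (implicit deny)
        if pkt.proto in ("tcp", "udp"):
            self.sessions.reflect(pkt, now)
            return "permit"
        return "deny"

    def inbound(self, pkt: Packet, now: int) -> str:
        # ip access-list extended INBOUND
        #  evaluate TCPTRAFFIC
        #  permit tcp any host 10.1.1.20 eq 22
        #  (implicit deny)
        verdict = self.sessions.evaluate(pkt, now)
        if verdict is not None:
            return verdict
        if pkt.proto == "tcp" and pkt.dst == SSH_SERVER and pkt.dport == 22:
            return "permit"
        return "deny"


if __name__ == "__main__":
    router = BorderRouter()
    steps = [
        ("inside client opens HTTPS", router.outbound,
         Packet("tcp", "10.1.1.10", 51000, "203.0.113.5", 443), 0),
        ("reply to that session", router.inbound,
         Packet("tcp", "203.0.113.5", 443, "10.1.1.10", 51000), 10),
        ("unsolicited inbound to another port", router.inbound,
         Packet("tcp", "203.0.113.5", 443, "10.1.1.10", 51001), 10),
        ("inbound SSH to the permitted server", router.inbound,
         Packet("tcp", "198.51.100.7", 40000, SSH_SERVER, 22), 10),
        ("reply after the session idled out", router.inbound,
         Packet("tcp", "203.0.113.5", 443, "10.1.1.10", 51000), 1000),
    ]
    for label, check, pkt, now in steps:
        print(f"{label:40s} t={now:<5d} {check(pkt, now)}")
```

The inbound SSH packet shows why the reflexive part must not end in an implicit deny: it matches no temporary entry, yet the enclosing INBOUND list still reaches its own “permit tcp any host 10.1.1.20 eq 22” statement. Compare this with the “established” keyword of Question 9, which would have accepted any inbound segment with ACK set.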

Question 12

Explanation

The command “ipv6 traffic-filter access-list-name { in | out }” applies the access list to incoming or outgoing traffic on the interface.

Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750/software/release/12-2_55_se/configuration/guide/scg3750/swv6acl.html

Question 13

Question 14

Explanation

When the ACL logging feature is configured, the system monitors ACL flows and logs dropped packets and statistics for each flow that matches the deny conditions of the ACL entry.

The log and log-input options apply to an individual ACE and cause packets that match the ACE to be logged. The sample below illustrates the initial message and periodic updates sent by an IOS device with a default configuration using the log ACE option.

*May 1 22:12:13.243: %SEC-6-IPACCESSLOGP: list ACL-IPv4-E0/0-IN permitted tcp 192.168.1.3(1024) -> 192.168.2.1(22), 1 packet

Reference: https://www.cisco.com/c/en/us/about/security-center/access-control-list-logging.html

From the example above we can see that when an ACL logs a matching packet (the sample shows a permitted one; denied packets are logged in the same format), it generates a severity level 6 (informational) syslog message (%SEC-6-).
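A parser for the %SEC-6-IPACCESSLOGP messages above, as an added example (not code from the original page or from Cisco). It extracts the facility, severity, list name, action, protocol, endpoints and packet count from each line, skips unrelated syslog messages, and sums the initial message and the periodic updates per flow, which is what a detection rule would alert on. The first sample line is the one quoted on the page; the remaining lines, including the optional “(interface mac)” group that log-input adds, are constructed and their exact shape is an assumption of this example.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Message format of %SEC-6-IPACCESSLOGP (TCP/UDP matches that carry ports).
# The optional "(interface mac)" group after the source is what 'log-input'
# adds; its shape here is assumed for this example.
ACL_LOG_RE = re.compile(
    r"%(?P<facility>[A-Z]+)-(?P<severity>\d)-(?P<mnemonic>IPACCESSLOGP): "
    r"list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\S+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\((?P<sport>\d+)\)"
    r"(?: \((?P<in_if>\S+) (?P<src_mac>[0-9a-f.]+)\))?"
    r" -> (?P<dst>\d+\.\d+\.\d+\.\d+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

# Constructed sample: line 1 is the message quoted on the page; the others are
# made up in the same format (a denied telnet attempt, a log-input variant,
# the five-minute periodic updates, and an unrelated SYS message to skip).
SAMPLE_LOG = """\
*May 1 22:12:13.243: %SEC-6-IPACCESSLOGP: list ACL-IPv4-E0/0-IN permitted tcp 192.168.1.3(1024) -> 192.168.2.1(22), 1 packet
*May 1 22:12:14.002: %SEC-6-IPACCESSLOGP: list ACL-IPv4-E0/0-IN denied tcp 192.168.1.9(40001) -> 192.168.2.1(23), 1 packet
*May 1 22:12:16.310: %SEC-6-IPACCESSLOGP: list ACL-IPv4-E0/0-IN denied tcp 192.168.1.9(40002) (Ethernet0/0 aabb.cc00.0900) -> 192.168.2.1(23), 1 packet
*May 1 22:17:13.250: %SEC-6-IPACCESSLOGP: list ACL-IPv4-E0/0-IN permitted tcp 192.168.1.3(1024) -> 192.168.2.1(22), 37 packets
*May 1 22:17:14.010: %SEC-6-IPACCESSLOGP: list ACL-IPv4-E0/0-IN denied tcp 192.168.1.9(40001) -> 192.168.2.1(23), 12 packets
*May 1 22:17:20.000: %SYS-5-CONFIG_I: Configured from console by admin on vty0
"""


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """One ACL log record as a dict, or None for any other syslog line."""
    m = ACL_LOG_RE.search(line)
    if not m:
        return None
    rec: Dict[str, object] = dict(m.groupdict())
    for key in ("severity", "sport", "dport", "count"):
        rec[key] = int(rec[key])            # numeric fields as ints
    return rec


def parse_log(text: str) -> List[Dict[str, object]]:
    return [r for r in (parse_line(ln) for ln in text.splitlines()) if r]


def summarize(records: List[Dict[str, object]], action: str) -> Counter:
    """Packets per (acl, src, dst, dport), adding the first message to the
    periodic updates so the total reflects the whole flow."""
    totals: Counter = Counter()
    for r in records:
        if r["action"] == action:
            totals[(r["acl"], r["src"], r["dst"], r["dport"])] += r["count"]
    return totals


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for (acl, src, dst, dport), n in summarize(recs, "denied").most_common():
        print(f"{acl}: {src} -> {dst}:{dport} denied {n} packet(s)")
```

The totals are the useful signal: the device logs the first matching packet and then, by default, only a count every five minutes, so a single line rarely tells the whole story. Keep the CPU caveat from Question 2 in mind when deciding which ACEs get the log keyword at all.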

Comments
  1. Jovce
    September 14th, 2017

    Hi guys, can someone please send me the latest dumps jovce123 @ gmail .com

    Thanks in advance

  2. John
    September 27th, 2017

    Hi guys, can someone please send me the latest dumps ezrading @ gmail .com

  3. dude
    September 29th, 2017

    Is anyone really sending anything? If anyone can share, rjshinigami @ gmail.com

  4. Peter Pan
    October 2nd, 2017

    Question 9. C or D ?

    isn’t 149 using an “extended” ip access-list?

  5. Peter Pan
    October 2nd, 2017

    Question 15.

    B- shouldn’t it be deny instead ? why permit the port 80 traffic ?

  6. Khal Drogo
    October 3rd, 2017

    “Question 15.
    B- shouldn’t it be deny instead ? why permit the port 80 traffic ?” – Peter Pan

    Exactly!!! Ultimately none of the ACLs are correct. The only relevant details in the answers that properly relate to the question are the “periodic” and “absolute” terms as well as the time ranges. If you just go off of that, then B makes sense.

  7. Peter Pan
    October 4th, 2017

    @ Khal

    yes, “periodic” and “1.00 – 2359” would make B the closest answer for the question.

    Cheers

  8. Axen
    November 9th, 2017

    Hi Please Send me latest Dumps for CCNP route & CCNP Switch exam on–> agosavi99 @ gmail com

  9. durshen
    November 11th, 2017

    Hi everyone, I have the valid dump with me and I’m willing to share. Please contact me via durshen81 @ gmail .com

  10. Anonymous
    November 17th, 2017

    Hi, I am just wondering how I can see the questions? Can anyone give me a hint?

  11. Si Dao
    November 17th, 2017

    Please reach out to me via email {email not allowed} and show me how to see the questions on this page.
    Thanks in advance.

  12. Anonymous
    November 23rd, 2017

    where can we find the questions here?

  13. Howard
    November 28th, 2017

    Passed, used the 21q dumps from IT-Libraries

  14. Galen
    November 28th, 2017

    Passed, it-libraries questions are still good. check the comments on this forum for the new questions since there are a couple of them posted here.

  15. Corey
    November 28th, 2017

    Thanks all, done with the router. 539q dumps from IT-Libraries are valid. Practice the labs since the ips change on the exam

  16. durshen
    December 13th, 2017

    Hi everyone, I have the valid dump with me and I’m willing to share. Please contact me via durshen81 @ gmail .com

  17. durshen
    December 13th, 2017

    Hi everyone, I’m having the valid dump with me and I’m willing to share. Please contact me via durshen81 @ gmail .com

  18. Clock
    January 13th, 2018

    Hello Team,

    I would like to thank you for the advice and for sharing your experience. I recently passed the route exam :D….
    I studied with the Official Cert Guide by Kevin Wallace, CBT Nuggets (nothing that you can’t find on your own in a torrent) and with this site.
    I can say that I found a couple of new questions and a new Frame relay drag and drop that is not here:

    SVC —— A circuit that provides temporary on-demand connections between DTEs
    DLCI—— A locally significant ID
    PVC ——-A logical connection comprising two endpoints and CIR
    LMI ——- A signaling mechanism for frame relay devices
    FECN—– An indicator of congestion on the network.

    Please do not pay for dumps or believe in guys who post “new dump” or “I have the new dump”, or “I failed the exam”, those guys should be rape and kill!!!!!!

    Anyway, hope you pass the exam and share your real experience for the other exams.

  19. bk
    January 18th, 2018

    can you please send the valid dump to biruktil111@yahoo dotcom

  20. MJ
    January 19th, 2018

    can you send me working dumps please, {email not allowed}

  21. Efrain
    January 22nd, 2018

    Thanks all, done with the router. 440q dumps from IT-Libraries are valid. Practice the labs since the ips change on the exam

  22. Rizwan
    February 6th, 2018

    Can I get the dexter dumps please at pro6151945 at gmail dot com

  23. LATEST DUMPS + VCE Player + LABs + etc
    February 20th, 2018

    Guaranteed Latest Stuff to pass exam.
    HERE Instant DOWNLOAD
    20 US$ only

    Below link
    https://docs.google.com/document/d/1afXgWBvIWTSr8R0Mt-kDRdMmFCI3ytfuSK-1vOyWov0/edit?usp=sharing

  24. trytohelp
    February 26th, 2018

    you can practice question here : http://chen-academy.com/edukn

  25. LATEST DUMPS +VCE PLAYERS
    March 19th, 2018

    Hey could someone please send me the latest dumps and/or the VCE player software to this email puppy_wuv15 @ Yahoo

  26. MissT
    April 6th, 2018

    Hi digitaltut team i am unable to access the composite questions kindly assist

  27. digitaltut
    April 7th, 2018

    @MissT: Please make sure you have installed latest Flash plugin at https://get.adobe.com/flashplayer and enable it on your web browser.

  28. Elv
    April 19th, 2018

    I think question 12 should be B. ipv6 access-list [access-list-name]. The question asked about enabling IPv6 ACL and it did not mention anything about the interface.

  29. sugmados
    April 20th, 2018

    Hi, could someone please send me the latest Dumps of routing 300-101 PDF in to this email: {email not allowed}

  30. sugmados
    April 20th, 2018

    email sugmados @ Yahoo Fr

  31. unstoppable
    April 21st, 2018

    @Elv,

    The IPv6 neighbor discovery process uses the IPv6 network-layer service; therefore, to enable IPv6 neighbor discovery, you must add IPv6 ACLs to allow IPv6 neighbor discovery packets to be sent and received on an interface.

    https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_acl/configuration/xe-3s/sec-data-acl-xe-3s-book/ip6-acls-xe.html

  32. Zero
    April 28th, 2018

    Q2
    In all software releases, the access-list-number can be 100 to 199. In Cisco IOS Software Release 12.0.1, extended ACLs begin to use additional numbers (2000 to 2699). These additional numbers are referred to as expanded IP ACLs. Cisco IOS Software Release 11.2 added the ability to use list name in extended ACLs.

    https://www.cisco.com/c/en/us/support/docs/security/ios-firewall/23602-confaccesslists.html#extacls

  33. Zero
    April 28th, 2018

    should be Q4,

  34. Elv
    April 28th, 2018

    Thanks digitaltut.

  35. Kakakaz75
    April 28th, 2018

    Hi guys, can someone please send me the latest dumps devastante75 @Yahoo. com

    10ks

  36. Anonymous
    May 7th, 2018

    Who can assist with a password access issue

  37. irrsjdas234234
    May 30th, 2018

    Latest Update 100% Real CCNP Exam Questions

    dumps
    pro
    dot
    com

  38. Moosa
    June 1st, 2018

    Guys, for God’s sake please stop asking for dumps. This is the website. Use it and get prepared. PLEASE. Thanks

  39. cisconinja
    June 3rd, 2018

    @digitaltut

    question 10- The answer should be reflexive access

    https://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfreflx.pdf

  40. NNNNNNNNNNNN
    June 3rd, 2018

    @cisconinja

    Reflexive access lists provide the ability to filter network traffic at a router, based on IP upper-layer protocol “session” information.

    Extended ACLs is the correct answer.

  41. sonjoy
    June 18th, 2018

    Hi All:
    Can anybody send me latest dumps for CCNP_ROUTE at {email not allowed}

    Thanks,

  42. sonjoy
    June 18th, 2018

    Can anybody send me latest dumps for CCNP_ROUTE at eng.sonjoy @ gmail . com

  43. Oliver
    June 22nd, 2018

    Passed, if you go to the exam, study the 440q dumps.
