Home > Access-list Questions

Access-list Questions

January 27th, 2021 in ENCOR 350-401 Go to comments

If you are not sure about Access-list, please read our Access-list tutorial.

Question 1

Explanation

Remember, for the wildcard mask, 1′s are I DON’T CARE, and 0′s are I CARE. So now let’s analyze a simple ACL:

access-list 1 permit 172.23.16.0 0.0.15.255

Two first octets are all 0’s meaning that we care about the network 172.23.x.x. The third octet of the wildcard mask, 15 (0000 1111 in binary), means that we care about first 4 bits but don’t care about last 4 bits so we allow the third octet in the form of 0001xxxx (minimum:00010000 = 16; maximum: 0001111 = 31).

wildcard_mask.jpg

The fourth octet is 255 (all 1 bits) that means I don’t care.

Therefore network 172.23.16.0 0.0.15.255 ranges from 172.23.16.0 to 172.23.31.255.

Now let’s consider the wildcard mask of 0.0.0.254 (four octet: 254 = 1111 1110) which means we only care the last bit. Therefore if the last bit of the IP address is a “1” (0000 0001) then only odd numbers are allowed. If the last bit of the IP address is a “0” (0000 0000) then only even numbers are allowed.

Note: In binary, odd numbers are always end with a “1” while even numbers are always end with a “0”.

Therefore in this question, only the statement “permit 10.0.0.1 0.0.0.254” will allow all odd-numbered hosts in the 10.0.0.0/24 subnet.

Question 2

Question 3

Explanation

The syntax of an extended ACL is shown below:

access-list access-list-number {permit | deny} protocol source {source-mask} [eq source-port] destination {destination-mask} [eq destination-port]

Access_list_Inbound.jpg

According to the request in this question, we must apply the ACL on the port connected to the Web Server and with inbound direction. So it can only filter traffic sent from the Web Server to the Client. Please notice that the Client communicate to the Web Server with destination port of 80 but with random source port. So the Web Server must answer the Client with this random port (as the destination port) -> Therefore the destination port in the required ACL must be ignored. Also the Web Server must use port 80 as its source port.

So the structure of the ACL should be: permit tcp host <IP-address-of-Web-Server> eq 80 host <IP-address-of-Client>

-> Answer C is correct.

Question 4

Explanation

Although the statement “permit tcp any any gt … lt …” seems to be correct but in fact it is not. Each ACL statement only supports either “gt” or “lt” but not both:

Access-list_gt_lt.jpg

But it is still the best choice here.

Answer C is only correct if the order of the statement is in reverse order. Answer D is only correct if the first statement is “Deny tcp any any eq 80″.

Question 5

Explanation

We can insert a line (statement) between entries into an existing ACL by a number in between.

access_list_add_one_statement.jpg

So what will happen if we just enter a statement without the number? Well, that statement would be added at the bottom of an ACL. But in this case we already had an explicit “deny ip any any” statement so we cannot put another line under it.

Question 6

Explanation

We cannot filter traffic that is originated from the local router (R3 in this case) so we can only configure the ACL on R1 or R2. “Weekend hours” means from Saturday morning through Sunday night so we have to configure: “periodic weekend 00:00 to 23:59”.

Note: The time is specified in 24-hour time (hh:mm), where the hours range from 0 to 23 and the minutes range from 0 to 59.

Question 7

Explanation

The established keyword is only applicable to TCP access list entries to match TCP segments that have the ACK and/or RST control bit set (regardless of the source and destination ports), which assumes that a TCP connection has already been established in one direction only. Let’s see an example below:

access-list_established.jpgSuppose you only want to allow the hosts inside your company to telnet to an outside server but not vice versa, you can simply use an “established” access-list like this:

access-list 100 permit tcp any any established
access-list 101 permit tcp any any eq telnet
!
interface S0/0
ip access-group 100 in
ip access-group 101 out

Note:

Suppose host A wants to start communicating with host B using TCP. Before they can send real data, a three-way handshake must be established first. Let’s see how this process takes place:

TCP_Three_way_handshake.jpg

1. First host A will send a SYN message (a TCP segment with SYN flag set to 1, SYN is short for SYNchronize) to indicate it wants to setup a connection with host B. This message includes a sequence (SEQ) number for tracking purpose. This sequence number can be any 32-bit number (range from 0 to 232) so we use “x” to represent it.

2. After receiving SYN message from host A, host B replies with SYN-ACK message (some books may call it “SYN/ACK” or “SYN, ACK” message. ACK is short for ACKnowledge). This message includes a SYN sequence number and an ACK number:
+ SYN sequence number (let’s called it “y”) is a random number and does not have any relationship with Host A’s SYN SEQ number.
+ ACK number is the next number of Host A’s SYN sequence number it received, so we represent it with “x+1”. It means “I received your part. Now send me the next part (x + 1)”.

The SYN-ACK message indicates host B accepts to talk to host A (via ACK part). And ask if host A still wants to talk to it as well (via SYN part).

3. After Host A received the SYN-ACK message from host B, it sends an ACK message with ACK number “y+1” to host B. This confirms host A still wants to talk to host B.

Question 8

Explanation

The inbound direction of G0/0 of SW2 only filter traffic from Web Server to PC-1 so the source IP address and port is of the Web Server.

Question 9

Question 10

Explanation

We see in the traceroute result the packet could reach 10.99.69.5 (on R2) but it could not go any further so we can deduce an ACL on R3 was blocking it.

Note: Record option displays the address(es) of the hops (up to nine) the packet goes through.

Comments
  1. anonymous
    April 6th, 2020

    Where can I get the questions for these answers?

  2. test
    April 21st, 2020

    shouldn’t question 4’s answer be D ?

  3. NedalSniper
    May 18th, 2020

    Why B, not D
    Question 3

    A client with IP address 209.165.201.25 must access a web server on port 80 at 209.165.200.225. To allow this traffic, an engineer must add a statement to an access control list that is applied in the inbound direction on the port connecting to the web server. Which statement allows this traffic?
    A. permit tcp host 209.165.200.225 eq 80 host 209.165.201.25
    B. permit tcp host 209.165.201.25 host 209.165.200.225 eq 80
    C. permit tcp host 209.165.200.225 eq 80 host 209.165.201.25
    D. permit tcp host 209.165.200.225 host 209.165.201.25 eq 80

    Answer: B

  4. ccdp
    May 23rd, 2020

    Question 3
    “in the inbound direction on the port connecting to the web server”
    this direction from “port where connect web-server” point of view is from webserver 209.165.200.225 port 80 to client 209.165.201.25
    answer should be A.

  5. whoamI
    May 30th, 2020

    @digitut. The question 3 is wrong. is the duplicated one. A or C. thxs

  6. Chromatica II / 911 Transition
    May 30th, 2020

    Q3 is either A or C because the questions states the ACL is applied in inbound direction in the port CONNECTED TO THE SERVER.

  7. digitaltut
    May 31st, 2020

    @whoamI, @Chromatica II: Thanks for your detection, we have just updated Q.3

  8. jlai
    May 31st, 2020

    @digitaltut can you update this also on the access-list-questions quiz? its not updated on the quiz. thanks

  9. jlai
    June 2nd, 2020

    @digitaltut – answer on the site and on the quiz (answer is letter B on the quiz) is different please update it. thanks a lot!

    Question 3
    A client with IP address 209.165.201.25 must access a web server on port 80 at 209.165.200.225. To allow this traffic, an engineer must add a statement to an access control list that is applied in the inbound direction on the port connecting to the web server. Which statement allows this traffic?

    A. permit tcp host 209.165.201.25 eq 80 host 209.165.200.225
    B. permit tcp host 209.165.201.25 host 209.165.200.225 eq 80
    C. permit tcp host 209.165.200.225 eq 80 host 209.165.201.25
    D. permit tcp host 209.165.200.225 host 209.165.201.25 eq 80

    Answer: C

  10. ccie ccie
    June 2nd, 2020

    A client with IP address 209.165.201.25 must access a web server on port 80 at 209.165.200.225. To allow this traffic, an engineer must add a statement to an access control list that is applied in the inbound direction on the port connecting to the web server. Which statement allows this traffic?

    A. permit tcp host 209.165.201.25 eq 80 host 209.165.200.225
    B. permit tcp host 209.165.201.25 host 209.165.200.225 eq 80
    C. permit tcp host 209.165.200.225 eq 80 host 209.165.201.25
    D. permit tcp host 209.165.200.225 host 209.165.201.25 eq 80

    Ans should be B … Because in inbound direction towards server , source IP would be client IP not server IP .. When server replies i.e outbound direction , source IP would be server.

    So , inbound traffic to server would be as follows :

    Source IP : 209.165.201.25 , Destination IP:Port : 209.165.200.225:80

  11. Anonymous
    June 17th, 2020

    Question 4

    Which access controls list allows only TCP traffic with a destination port range of 22-443, excluding port 80?
    A. Deny tcp any any eq 80
    Permit tcp any any gt 21 lt 444

    B. Permit tcp any any neq 80

    C. Permit tcp any any range 22 443
    Deny tcp any any eq 80

    D. Deny tcp any any neq 80
    Permit tcp any any range 22 443

    Answer should be B

  12. DMX
    June 29th, 2020

    Question 3 is B

  13. schustah
    July 8th, 2020

    Question 2

    Refer to the exhibit. An engineer must block all traffic from a router to its directly connected subnet 209.165.200.0/24. The engineer applies access control list EGRESS in the outbound direction on the GigabitEthemet0/0 interface of the router. However, the router can still ping hosts on the 209.165.200.0/24 subnet. Which explanation of this behavior is true?
    Extended IP access list EGRESS
    10 permit ip 10.0.0.0 0.0.0.255 any
    !
    —output omitted—
    !
    interface GigabitEthernet0/0
    ip address 209.165.200.255/24 <– Broadcast ??

    ip access-group EGRESS out
    duplex auto
    speed auto
    media-type rj45
    !

  14. Innocent
    July 14th, 2020

    Question 4

    Which access controls list allows only TCP traffic with a destination port range of 22-443, excluding port 80?
    A. Deny tcp any any eq 80
    Permit tcp any any gt 21 lt 444

    B. Permit tcp any any neq 80

    C. Permit tcp any any range 22 443
    Deny tcp any any eq 80

    D. Deny tcp any any neq 80
    Permit tcp any any range 22 443

    the first command should be *Deny tcp any any eq 80* this command cant be in 2nd line

  15. Innocent
    July 14th, 2020

    I THINK D will be correct

  16. Innocent
    July 14th, 2020

    Sorry i missed “neq” D is also wrong of it was “eq 80” then D would be correct

  17. Mark
    July 27th, 2020

    Question 4

    Which access controls list allows only TCP traffic with a destination port range of 22-443, excluding port 80?
    A. Deny tcp any any eq 80
    Permit tcp any any gt 21 lt 444

    B. Permit tcp any any neq 80

    C. Permit tcp any any range 22 443
    Deny tcp any any eq 80

    D. Deny tcp any any neq 80
    Permit tcp any any range 22 443

    B is correct. The question indicates ONLY TCP, then it’s reffered to protocol only, and not to port range. Therefore B exclude port 80 and permit all port, only TCP

  18. As
    September 10th, 2020

    Question 4
    Which access controls list allows only TCP traffic with a destination port range of 22-443, excluding port 80?
    A. Deny tcp any any eq 80 Permit tcp any any gt 21 lt 444
    B. Permit tcp any any neq 80
    C. Permit tcp any any range 22 443 Deny tcp any any eq 80
    D. Deny tcp any any neq 80 Permit tcp any any range 22 443
    answer A 100%

  19. Paswd
    October 19th, 2020

    @digitaltut Q4: We are saying option it the best choiced. But on the premium member test link that same answer is marked as wrong not sure if it is an error.

  20. Paswd
    October 19th, 2020

    Option A

  21. digitaltutq
    October 20th, 2020

    @Paswd: Thanks for your detection, we have just updated Q.4.

  22. hello
    December 15th, 2020

    Q3 based on explanation under the question answer should be D

    The syntax of an extended ACL is shown below:

    access-list access-list-number {permit | deny} protocol source {source-mask} destination {destination-mask} [eq destination-port]

    Please correct me if I am wrong

  23. digitaltut
    December 15th, 2020

    @hello: That explanation was missing [eq source-port] part. Thanks for your detection, we have just updated it but the answer is still correct.

  24. Kuku
    February 20th, 2021

    Answer should be
    Deny tcp any any eq 80
    Permit tcp any any range 22 443
    So there is a typo somewhere!

  25. zaphod
    March 14th, 2021

    Agree with Kuku. question 4 in the set of questions above does not have a correct answer. Close enough is not possible when the syntax does not allow a particular format.

    The Deny and Permit supplied by Kuku above is a correct and efficient solution.

  26. contoso
    March 28th, 2021

    Agree to @Mark, Q4, best answer should be B.
    permit tcp any any neq 80, which will permit all other tcp ports except tcp/80. Fulfilled the question.
    A. Deny tcp any any eq 80
    Permit tcp any any gt 21 lt 444
    (command syntax is not valid)

    C. Permit tcp any any range 22 443
    Deny tcp any any eq 80
    (correct syntax, but wrong order)

    D. Deny tcp any any neq 80
    Permit tcp any any range 22 443
    (correct syntax, but that’s not what Q is asking for.)

  27. zaphod
    March 28th, 2021

    @contoso RE Q4:
    The problem statement has 2 requirements:
    1- Which access controls list allows only TCP traffic with a destination port range of 22-443
    2- Excluding port 80

    simply: permit tcp any any neq 80 meets the second, but NOT the first requirement.

    As written, there is NOT a correct solution. Close enough when the syntax is not supported is NOT close enough.

    As I stated earlier, there must be a typo in there as none of the answers is valid.

  28. thorr18
    April 18th, 2021

    Graphic is wrong. Look at the “permits from odd-numbered hosts” question.
    It *should* look like this:
    00010000=16
    00010001=17
    00010010=18
    00010011=19
    It shows the wrong bits on for the decimal value of 18.

  1. No trackbacks yet.