Access-list Questions
If you are not sure about Access-list, please read our Access-list tutorial.
Question 1
Explanation
Remember, for the wildcard mask, a 1 bit means I DON'T CARE and a 0 bit means I CARE. So now let's analyze a simple ACL:
access-list 1 permit 172.23.16.0 0.0.15.255
The first two octets of the wildcard mask are all 0s, meaning that we care about every bit of the network 172.23.x.x. The third octet of the wildcard mask, 15 (0000 1111 in binary), means that we care about the first 4 bits but don't care about the last 4 bits, so the third octet is allowed in the form 0001xxxx (minimum: 00010000 = 16; maximum: 00011111 = 31).
The fourth octet is 255 (all 1 bits), which means we don't care about any of its bits.
Therefore network 172.23.16.0 0.0.15.255 ranges from 172.23.16.0 to 172.23.31.255.
Now let's consider the wildcard mask 0.0.0.254 (fourth octet: 254 = 1111 1110), which means we only care about the last bit. Therefore if the last bit of the IP address in the statement is a "1" (0000 0001), only odd-numbered hosts are matched. If the last bit is a "0" (0000 0000), only even-numbered hosts are matched.
Note: in binary, odd numbers always end with a "1" while even numbers always end with a "0".
Therefore in this question, only the statement “permit 10.0.0.1 0.0.0.254” will allow all odd-numbered hosts in the 10.0.0.0/24 subnet.
Question 2
Question 3
Explanation
The syntax of an extended ACL is shown below:
access-list access-list-number {permit | deny} protocol source {source-mask} [eq source-port] destination {destination-mask} [eq destination-port]
According to the requirement in this question, we must apply the ACL to the port connected to the Web Server, in the inbound direction. So it can only filter traffic sent from the Web Server to the Client. Notice that the Client communicates with the Web Server using destination port 80 but a random source port, so the Web Server must answer the Client on that random port (as the destination port). Therefore the destination port in the required ACL must be left unspecified. Also, the Web Server must use port 80 as its source port.
So the structure of the ACL should be: permit tcp host <IP-address-of-Web-Server> eq 80 host <IP-address-of-Client>
-> Answer C is correct.
Question 4
Explanation
Although the statement "permit tcp any any gt … lt …" seems to be correct, in fact it is not. Each ACL statement supports either "gt" or "lt", but not both.
But it is still the best choice here.
Answer C is only correct if the order of the statements is reversed. Answer D is only correct if the first statement is "Deny tcp any any eq 80".
Question 5
Explanation
We can insert a line (statement) between existing entries of an ACL by giving it a sequence number that falls between theirs.
So what will happen if we just enter a statement without a sequence number? That statement is added at the bottom of the ACL. But in this case the ACL already ends with an explicit "deny ip any any" statement, so we cannot put another line under it.
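As an added, constructed example (not code from the tutorial site), the following Python evaluator implements the wildcard-mask rule from Question 1 and the first-match, implicit-deny evaluation of extended ACL statements discussed in Questions 3 to 5; the names wildcard_match, parse_ace and evaluate are chosen here, and the accepted grammar is the simplified form used in the answer options on this page (it does not accept the invalid "gt … lt …" combination from Question 4, which IOS rejects as well).

```python
import ipaddress

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit means 'don't care', a 0 bit means 'must match'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)   # only the 'care' bits have to agree

def _parse_addr(tokens: list) -> tuple:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'; return (base, wildcard)."""
    t = tokens.pop(0)
    if t == "any":
        return "0.0.0.0", "255.255.255.255"
    if t == "host":
        return tokens.pop(0), "0.0.0.0"
    return t, tokens.pop(0)

def _parse_port(tokens: list):
    """Consume an optional port operator (eq/neq/gt/lt N, range LO HI); return a predicate."""
    if not tokens or tokens[0] not in ("eq", "neq", "gt", "lt", "range"):
        return lambda p: True            # no port operator: any port matches
    op = tokens.pop(0)
    if op == "range":
        lo, hi = int(tokens.pop(0)), int(tokens.pop(0))
        return lambda p: lo <= p <= hi
    n = int(tokens.pop(0))
    return {"eq": lambda p: p == n, "neq": lambda p: p != n,
            "gt": lambda p: p > n, "lt": lambda p: p < n}[op]

def parse_ace(line: str) -> dict:
    """Parse '{permit|deny} proto SRC [port-op] DST [port-op]' (the form used on this page)."""
    tokens = line.lower().split()
    ace = {"action": tokens[0], "proto": tokens[1]}
    rest = tokens[2:]
    ace["src"], ace["src_wc"] = _parse_addr(rest)
    ace["sport"] = _parse_port(rest)
    ace["dst"], ace["dst_wc"] = _parse_addr(rest)
    ace["dport"] = _parse_port(rest)
    return ace

def evaluate(acl: list, proto: str, src: str, sport: int, dst: str, dport: int) -> str:
    """First-match evaluation, top to bottom; the implicit 'deny ip any any' ends every ACL."""
    for ace in map(parse_ace, acl):
        if ace["proto"] not in ("ip", proto):
            continue
        if (wildcard_match(src, ace["src"], ace["src_wc"]) and ace["sport"](sport)
                and wildcard_match(dst, ace["dst"], ace["dst_wc"]) and ace["dport"](dport)):
            return ace["action"]
    return "deny"
```

Feeding it the Question 3 answer shows why the server-to-client packet (source port 80) is permitted while the client-to-server packet hits the implicit deny, and feeding it answers C and D of Question 4 shows how statement order changes what port 80 and port 443 receive.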
Where can I get the questions for these answers?
Shouldn't question 4's answer be D?
Why B, not D
Question 3
A client with IP address 209.165.201.25 must access a web server on port 80 at 209.165.200.225. To allow this traffic, an engineer must add a statement to an access control list that is applied in the inbound direction on the port connecting to the web server. Which statement allows this traffic?
A. permit tcp host 209.165.200.225 eq 80 host 209.165.201.25
B. permit tcp host 209.165.201.25 host 209.165.200.225 eq 80
C. permit tcp host 209.165.200.225 eq 80 host 209.165.201.25
D. permit tcp host 209.165.200.225 host 209.165.201.25 eq 80
Answer: B
Question 3
“in the inbound direction on the port connecting to the web server”
This direction, from the point of view of the "port where the web server connects", is from web server 209.165.200.225 port 80 to client 209.165.201.25.
answer should be A.
@digitut. The question 3 is wrong; it is the duplicated one. A or C. thxs
Q3 is either A or C because the questions states the ACL is applied in inbound direction in the port CONNECTED TO THE SERVER.
@whoamI, @Chromatica II: Thanks for your detection, we have just updated Q.3
@digitaltut can you update this also on the access-list-questions quiz? its not updated on the quiz. thanks
@digitaltut – answer on the site and on the quiz (answer is letter B on the quiz) is different please update it. thanks a lot!
Question 3
A client with IP address 209.165.201.25 must access a web server on port 80 at 209.165.200.225. To allow this traffic, an engineer must add a statement to an access control list that is applied in the inbound direction on the port connecting to the web server. Which statement allows this traffic?
A. permit tcp host 209.165.201.25 eq 80 host 209.165.200.225
B. permit tcp host 209.165.201.25 host 209.165.200.225 eq 80
C. permit tcp host 209.165.200.225 eq 80 host 209.165.201.25
D. permit tcp host 209.165.200.225 host 209.165.201.25 eq 80
Answer: C
A client with IP address 209.165.201.25 must access a web server on port 80 at 209.165.200.225. To allow this traffic, an engineer must add a statement to an access control list that is applied in the inbound direction on the port connecting to the web server. Which statement allows this traffic?
A. permit tcp host 209.165.201.25 eq 80 host 209.165.200.225
B. permit tcp host 209.165.201.25 host 209.165.200.225 eq 80
C. permit tcp host 209.165.200.225 eq 80 host 209.165.201.25
D. permit tcp host 209.165.200.225 host 209.165.201.25 eq 80
Ans should be B … because in the inbound direction towards the server, the source IP would be the client IP, not the server IP. When the server replies, i.e. the outbound direction, the source IP would be the server.
So , inbound traffic to server would be as follows :
Source IP : 209.165.201.25 , Destination IP:Port : 209.165.200.225:80
Question 4
Which access controls list allows only TCP traffic with a destination port range of 22-443, excluding port 80?
A. Deny tcp any any eq 80
Permit tcp any any gt 21 lt 444
B. Permit tcp any any neq 80
C. Permit tcp any any range 22 443
Deny tcp any any eq 80
D. Deny tcp any any neq 80
Permit tcp any any range 22 443
Answer should be B
Question 3 is B
Question 2
Refer to the exhibit. An engineer must block all traffic from a router to its directly connected subnet 209.165.200.0/24. The engineer applies access control list EGRESS in the outbound direction on the GigabitEthemet0/0 interface of the router. However, the router can still ping hosts on the 209.165.200.0/24 subnet. Which explanation of this behavior is true?
Extended IP access list EGRESS
10 permit ip 10.0.0.0 0.0.0.255 any
!
—output omitted—
!
interface GigabitEthernet0/0
ip address 209.165.200.255/24 <-- Broadcast ??
ip access-group EGRESS out
duplex auto
speed auto
media-type rj45
!
Question 4
Which access controls list allows only TCP traffic with a destination port range of 22-443, excluding port 80?
A. Deny tcp any any eq 80
Permit tcp any any gt 21 lt 444
B. Permit tcp any any neq 80
C. Permit tcp any any range 22 443
Deny tcp any any eq 80
D. Deny tcp any any neq 80
Permit tcp any any range 22 443
The first command should be *Deny tcp any any eq 80*; this command can't be in the 2nd line.
I THINK D will be correct.
Sorry, I missed "neq". D is also wrong; if it was "eq 80" then D would be correct.
Question 4
Which access controls list allows only TCP traffic with a destination port range of 22-443, excluding port 80?
A. Deny tcp any any eq 80
Permit tcp any any gt 21 lt 444
B. Permit tcp any any neq 80
C. Permit tcp any any range 22 443
Deny tcp any any eq 80
D. Deny tcp any any neq 80
Permit tcp any any range 22 443
B is correct. The question indicates ONLY TCP, so it refers to the protocol only, and not to the port range. Therefore B excludes port 80 and permits all ports, only TCP.
Question 4
Which access controls list allows only TCP traffic with a destination port range of 22-443, excluding port 80?
A. Deny tcp any any eq 80
Permit tcp any any gt 21 lt 444
B. Permit tcp any any neq 80
C. Permit tcp any any range 22 443
Deny tcp any any eq 80
D. Deny tcp any any neq 80
Permit tcp any any range 22 443
answer A 100%
@digitaltut Q4: We are saying the option is the best choice. But on the premium member test link that same answer is marked as wrong; not sure if it is an error.
Option A
@Paswd: Thanks for your detection, we have just updated Q.4.
Q3: based on the explanation under the question, the answer should be D.
The syntax of an extended ACL is shown below:
access-list access-list-number {permit | deny} protocol source {source-mask} destination {destination-mask} [eq destination-port]
Please correct me if I am wrong
@hello: That explanation was missing the [eq source-port] part. Thanks for your detection, we have just updated it, but the answer is still correct.