
Access-list Questions

March 16th, 2020 in ENCOR 350-401

If you are not sure about Access-list, please read our Access-list tutorial.

Question 1

Explanation

Remember, for the wildcard mask, 1 bits are I DON’T CARE and 0 bits are I CARE. So now let’s analyze a simple ACL:

access-list 1 permit 172.23.16.0 0.0.15.255

The first two octets of the wildcard mask are all 0s, meaning we care about every bit of 172.23.x.x. The third octet, 15 (0000 1111 in binary), means we care about the first 4 bits but not the last 4 bits, so the third octet of a matching address has the form 0001xxxx (minimum: 00010000 = 16; maximum: 00011111 = 31).

[Figure: wildcard mask]

The fourth octet is 255 (all 1 bits), which means we don’t care about any bit of the fourth octet.

Therefore network 172.23.16.0 0.0.15.255 ranges from 172.23.16.0 to 172.23.31.255.

Now let’s consider the wildcard mask 0.0.0.254 (fourth octet: 254 = 1111 1110), which means we only care about the last bit of the address. If the last bit of the address in the statement is a “1” (0000 0001, as in 10.0.0.1) then only odd host numbers match. If the last bit is a “0” (0000 0000, as in 10.0.0.0) then only even host numbers match.

Note: In binary, odd numbers always end with a “1” while even numbers always end with a “0”.

Therefore in this question, only the statement “permit 10.0.0.1 0.0.0.254” will allow all odd-numbered hosts in the 10.0.0.0/24 subnet.
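As an added worked example (not part of the original page), the following Python code turns the wildcard-mask reasoning above into functions: a bitwise matcher, a range expansion for contiguous masks such as 0.0.15.255, and an enumeration for non-contiguous masks such as 0.0.0.254. It goes slightly beyond the page by also showing that bits of the base address under don’t-care positions are ignored (172.23.20.5 0.0.15.255 covers the same range as 172.23.16.0 0.0.15.255). The addresses used are those from the explanation; no real device is involved.

```python
# Added example (not from the original page): expand a Cisco wildcard mask into
# the addresses it matches, for contiguous masks and for a non-contiguous one
# such as 0.0.0.254, which selects odd or even host numbers.
import ipaddress


def ip_int(addr):
    return int(ipaddress.IPv4Address(addr))


def ip_str(n):
    return str(ipaddress.IPv4Address(n))


def wildcard_match(addr, base, wildcard):
    """A 1 bit in the wildcard is 'don't care'; a 0 bit must equal the base."""
    care = ~ip_int(wildcard) & 0xFFFFFFFF
    return (ip_int(addr) ^ ip_int(base)) & care == 0


def is_contiguous(wildcard):
    """True for a run of 0 bits followed by a run of 1 bits (e.g. 0.0.15.255)."""
    w = ip_int(wildcard)
    return w & (w + 1) == 0


def wildcard_range(base, wildcard):
    """(lowest, highest) address matched; only a contiguous wildcard gives one range."""
    if not is_contiguous(wildcard):
        raise ValueError(f"{wildcard} is not contiguous; use matched_hosts() instead")
    w = ip_int(wildcard)
    lo = ip_int(base) & ~w & 0xFFFFFFFF   # base bits under 'don't care' are ignored
    return ip_str(lo), ip_str(lo | w)


def matched_hosts(base, wildcard, subnet):
    """Every address of `subnet` (CIDR) that the base/wildcard pair matches."""
    return [str(a) for a in ipaddress.IPv4Network(subnet)
            if wildcard_match(str(a), base, wildcard)]


if __name__ == "__main__":
    print(wildcard_range("172.23.16.0", "0.0.15.255"))   # ('172.23.16.0', '172.23.31.255')
    odd = matched_hosts("10.0.0.1", "0.0.0.254", "10.0.0.0/24")
    print(len(odd), odd[0], odd[-1])                     # 128 10.0.0.1 10.0.0.255
```

Running it shows that 10.0.0.1 0.0.0.254 selects exactly the 128 odd addresses of 10.0.0.0/24, while 10.0.0.0 0.0.0.254 selects the 128 even ones; a non-contiguous wildcard has no single first/last address, which is why wildcard_range() refuses it.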

Question 2

Question 3

Explanation

The syntax of an extended numbered ACL is shown below. The port operator is one of eq, neq, gt, lt or range; it may be given on the source, on the destination, or on both, but only once per address:

access-list access-list-number {permit | deny} protocol source source-wildcard [operator port] destination destination-wildcard [operator port]

[Figure: ACL applied inbound on the port connected to the web server]

According to the question, the ACL is applied on the port connected to the Web Server, in the inbound direction, so it can only filter traffic entering the router from the Web Server, that is, traffic sent from the Web Server to the Client. Note that the Client connects to the Web Server with destination port 80 but a random (ephemeral) source port, so the Web Server’s replies carry port 80 as the source port and that random port as the destination port. Therefore the ACL must match source port 80 and leave the destination port unspecified.

So the structure of the ACL should be: permit tcp host <IP-address-of-Web-Server> eq 80 host <IP-address-of-Client>

In a production ACL, matching on source port 80 alone is a weak selector, because any host can send packets with source port 80; return traffic is normally matched with the established keyword (TCP segments with the ACK or RST bit set) or left to a stateful firewall instead.

-> Answer C is correct.

Question 4

Explanation

Although the statement “permit tcp any any gt … lt …” looks correct, it is not: each ACL statement accepts only one port operator per address, so “gt” and “lt” cannot be combined in the same statement:

[Figure: the parser rejects a second port operator (gt … lt …) on one ACL statement]

But it is still the best choice here.

Answer C is only correct if its two statements are in reverse order (the deny must come before the permit, because the first matching statement wins). Answer D is only correct if its first statement is “Deny tcp any any eq 80”.

Question 5

Explanation

We can insert a line (statement) between existing entries of an ACL by giving it a sequence number that falls between their sequence numbers.

[Figure: inserting one statement into an existing ACL with a sequence number]

So what happens if we enter a statement without a sequence number? It is appended at the bottom of the ACL. But in this case the ACL already ends with an explicit “deny ip any any” statement, so a statement appended after it would never be reached; it has to be inserted above the deny with a sequence number.
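As an added worked example (not part of the original page, and not a Cisco tool), the following Python simulator applies the rules the explanations of Questions 3, 4 and 5 rely on: wildcard matching, at most one port operator per address, first match wins, the implicit deny at the end, and sequence-number insertion versus appending. The client/server addresses are those of Question 3; the client port 51234, the hosts 192.0.2.1 and 198.51.100.1 used by permitted_dports(), and the 172.16.1.x hosts in the usage note are constructed sample values.

```python
# Added example (not from the page, not IOS): a first-match simulator for Cisco-style extended ACL entries.
import ipaddress


def ip_int(addr):
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr, base, wildcard):
    """A 1 bit in the wildcard is 'don't care'; a 0 bit must equal the base."""
    return (ip_int(addr) ^ ip_int(base)) & ~ip_int(wildcard) & 0xFFFFFFFF == 0


def _parse_addr(tok, i):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (matcher, next index)."""
    if tok[i] == "any":
        return (lambda a: True), i + 1
    if tok[i] == "host":
        return (lambda a, h=tok[i + 1]: a == h), i + 2
    return (lambda a, b=tok[i], w=tok[i + 1]: wildcard_match(a, b, w)), i + 2


def _parse_port(tok, i):
    """Consume at most ONE optional port operator; return (matcher, next index)."""
    if i >= len(tok) or tok[i] not in ("eq", "neq", "gt", "lt", "range"):
        return (lambda p: True), i
    if tok[i] == "range":
        return (lambda p, lo=int(tok[i + 1]), hi=int(tok[i + 2]): lo <= p <= hi), i + 3
    n = int(tok[i + 1])
    ops = {"eq": lambda p: p == n, "neq": lambda p: p != n,
           "gt": lambda p: p > n, "lt": lambda p: p < n}
    return ops[tok[i]], i + 2


class ACE:
    """One entry, e.g. 'permit tcp host 209.165.200.225 eq 80 host 209.165.201.25'."""
    def __init__(self, text, seq):
        tok = text.lower().split()
        self.seq, self.text, self.action, self.proto = seq, text, tok[0], tok[1]
        self.src, i = _parse_addr(tok, 2)
        self.sport, i = _parse_port(tok, i)
        self.dst, i = _parse_addr(tok, i)
        self.dport, i = _parse_port(tok, i)
        if i != len(tok):  # e.g. 'gt 21 lt 444': a second operator is rejected, as in IOS
            raise ValueError(f"unexpected token {tok[i]!r} in: {text}")

    def matches(self, proto, src, sport, dst, dport):
        return (self.proto in ("ip", proto) and self.src(src) and self.sport(sport)
                and self.dst(dst) and self.dport(dport))


class ACL:
    """Entries are kept in sequence order; evaluation stops at the first match."""
    def __init__(self, *lines):
        self.entries = []
        for line in lines:
            self.add(line)

    def add(self, text, seq=None):
        if seq is None:  # no number given: IOS appends the entry at the bottom
            seq = self.entries[-1].seq + 10 if self.entries else 10
        if any(e.seq == seq for e in self.entries):
            raise ValueError(f"sequence number {seq} already in use")
        ace = ACE(text, seq)
        self.entries = sorted(self.entries + [ace], key=lambda e: e.seq)
        return ace

    def evaluate(self, proto, src, sport, dst, dport):
        """(action, seq) of the first matching entry; the implicit deny has seq None."""
        for e in self.entries:
            if e.matches(proto, src, sport, dst, dport):
                return e.action, e.seq
        return "deny", None


def valid_ace(text):
    """True if the line parses as a single ACE; 'gt 21 lt 444' does not."""
    try:
        ACE(text, 10)
        return True
    except (ValueError, IndexError):
        return False


def permitted_dports(acl, ports):
    """TCP destination ports a constructed client 192.0.2.1 can reach at 198.51.100.1."""
    return {p for p in ports
            if acl.evaluate("tcp", "192.0.2.1", 40000, "198.51.100.1", p)[0] == "permit"}


if __name__ == "__main__":  # Question 4: what each option really permits
    print("option A parses:", valid_ace("permit tcp any any gt 21 lt 444"))
    for name, acl in {
        "B": ACL("permit tcp any any neq 80"),
        "C": ACL("permit tcp any any range 22 443", "deny tcp any any eq 80"),
        "D": ACL("deny tcp any any neq 80", "permit tcp any any range 22 443"),
        "C reversed": ACL("deny tcp any any eq 80", "permit tcp any any range 22 443"),
    }.items():
        print(name, sorted(permitted_dports(acl, (22, 80, 443, 8080))))
```

For Question 4 the output shows why each option fails: B also permits 8080, C lets port 80 through because the permit is matched first, and D ends up permitting only port 80, whereas C with its lines reversed permits exactly 22 and 443 of the sample ports. For Question 3, evaluating the server-to-client reply (source 209.165.200.225 port 80, destination 209.165.201.25 port 51234) against option C returns permit while the client-to-server request returns the implicit deny, and option B behaves the other way round. For Question 5, ACL("permit ip 10.0.0.0 0.0.0.255 any", "deny ip any any") followed by add("permit ip host 172.16.1.1 any", seq=15) places the new entry before the deny, while add("permit ip host 172.16.1.2 any") with no number lands at sequence 30 and is shadowed by entry 20.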

Comments
  1. anonymous
    April 6th, 2020

    Where can I get the questions for these answers?

  2. test
    April 21st, 2020

    shouldn’t question 4’s answer be D ?

  3. NedalSniper
    May 18th, 2020

    Why B, not D
    Question 3

    A client with IP address 209.165.201.25 must access a web server on port 80 at 209.165.200.225. To allow this traffic, an engineer must add a statement to an access control list that is applied in the inbound direction on the port connecting to the web server. Which statement allows this traffic?
    A. permit tcp host 209.165.200.225 eq 80 host 209.165.201.25
    B. permit tcp host 209.165.201.25 host 209.165.200.225 eq 80
    C. permit tcp host 209.165.200.225 eq 80 host 209.165.201.25
    D. permit tcp host 209.165.200.225 host 209.165.201.25 eq 80

    Answer: B

  4. ccdp
    May 23rd, 2020

    Question 3
    “in the inbound direction on the port connecting to the web server”
    this direction, from the point of view of the “port where the web server connects”, is from webserver 209.165.200.225 port 80 to client 209.165.201.25
    answer should be A.

  5. whoamI
    May 30th, 2020

    @digitut. Question 3 is wrong; it is the duplicated one. A or C. Thanks.

  6. Chromatica II / 911 Transition
    May 30th, 2020

    Q3 is either A or C because the questions states the ACL is applied in inbound direction in the port CONNECTED TO THE SERVER.

  7. digitaltut
    May 31st, 2020

    @whoamI, @Chromatica II: Thanks for your detection, we have just updated Q.3

  8. jlai
    May 31st, 2020

    @digitaltut can you update this also on the access-list-questions quiz? its not updated on the quiz. thanks

  9. jlai
    June 2nd, 2020

    @digitaltut – answer on the site and on the quiz (answer is letter B on the quiz) is different please update it. thanks a lot!

    Question 3
    A client with IP address 209.165.201.25 must access a web server on port 80 at 209.165.200.225. To allow this traffic, an engineer must add a statement to an access control list that is applied in the inbound direction on the port connecting to the web server. Which statement allows this traffic?

    A. permit tcp host 209.165.201.25 eq 80 host 209.165.200.225
    B. permit tcp host 209.165.201.25 host 209.165.200.225 eq 80
    C. permit tcp host 209.165.200.225 eq 80 host 209.165.201.25
    D. permit tcp host 209.165.200.225 host 209.165.201.25 eq 80

    Answer: C

  10. ccie ccie
    June 2nd, 2020

    A client with IP address 209.165.201.25 must access a web server on port 80 at 209.165.200.225. To allow this traffic, an engineer must add a statement to an access control list that is applied in the inbound direction on the port connecting to the web server. Which statement allows this traffic?

    A. permit tcp host 209.165.201.25 eq 80 host 209.165.200.225
    B. permit tcp host 209.165.201.25 host 209.165.200.225 eq 80
    C. permit tcp host 209.165.200.225 eq 80 host 209.165.201.25
    D. permit tcp host 209.165.200.225 host 209.165.201.25 eq 80

    Ans should be B, because in the inbound direction towards the server the source IP would be the client IP, not the server IP. When the server replies, i.e. in the outbound direction, the source IP would be the server.

    So , inbound traffic to server would be as follows :

    Source IP : 209.165.201.25 , Destination IP:Port : 209.165.200.225:80

  11. Anonymous
    June 17th, 2020

    Question 4

    Which access controls list allows only TCP traffic with a destination port range of 22-443, excluding port 80?
    A. Deny tcp any any eq 80
    Permit tcp any any gt 21 lt 444

    B. Permit tcp any any neq 80

    C. Permit tcp any any range 22 443
    Deny tcp any any eq 80

    D. Deny tcp any any neq 80
    Permit tcp any any range 22 443

    Answer should be B

  12. DMX
    June 29th, 2020

    Question 3 is B

  13. schustah
    July 8th, 2020

    Question 2

    Refer to the exhibit. An engineer must block all traffic from a router to its directly connected subnet 209.165.200.0/24. The engineer applies access control list EGRESS in the outbound direction on the GigabitEthernet0/0 interface of the router. However, the router can still ping hosts on the 209.165.200.0/24 subnet. Which explanation of this behavior is true?
    Extended IP access list EGRESS
    10 permit ip 10.0.0.0 0.0.0.255 any
    !
    —output omitted—
    !
    interface GigabitEthernet0/0
    ip address 209.165.200.255/24 <– Broadcast ??

    ip access-group EGRESS out
    duplex auto
    speed auto
    media-type rj45
    !

  14. Innocent
    July 14th, 2020

    Question 4

    Which access controls list allows only TCP traffic with a destination port range of 22-443, excluding port 80?
    A. Deny tcp any any eq 80
    Permit tcp any any gt 21 lt 444

    B. Permit tcp any any neq 80

    C. Permit tcp any any range 22 443
    Deny tcp any any eq 80

    D. Deny tcp any any neq 80
    Permit tcp any any range 22 443

    the first command should be *Deny tcp any any eq 80*; this command can’t be in the 2nd line

  15. Innocent
    July 14th, 2020

    I THINK D will be correct

  16. Innocent
    July 14th, 2020

    Sorry, I missed “neq”. D is also wrong; if it were “eq 80” then D would be correct

  17. Mark
    July 27th, 2020

    Question 4

    Which access controls list allows only TCP traffic with a destination port range of 22-443, excluding port 80?
    A. Deny tcp any any eq 80
    Permit tcp any any gt 21 lt 444

    B. Permit tcp any any neq 80

    C. Permit tcp any any range 22 443
    Deny tcp any any eq 80

    D. Deny tcp any any neq 80
    Permit tcp any any range 22 443

    B is correct. The question indicates ONLY TCP, so it refers to the protocol only, and not to the port range. Therefore B excludes port 80 and permits all ports, only TCP

  18. As
    September 10th, 2020

    Question 4
    Which access controls list allows only TCP traffic with a destination port range of 22-443, excluding port 80?
    A. Deny tcp any any eq 80
    Permit tcp any any gt 21 lt 444

    B. Permit tcp any any neq 80

    C. Permit tcp any any range 22 443
    Deny tcp any any eq 80

    D. Deny tcp any any neq 80
    Permit tcp any any range 22 443

    answer A 100%

  19. Paswd
    October 19th, 2020

    @digitaltut Q4: We are saying that option is the best choice, but on the premium member test link that same answer is marked as wrong; not sure if it is an error.

  20. Paswd
    October 19th, 2020

    Option A

  21. digitaltutq
    October 20th, 2020

    @Paswd: Thanks for your detection, we have just updated Q.4.
