ICND2 Module 11 Review Questions

ICND2 - Module 11 Review Questions: Access Control List


QUESTION 1 Which command shows if an access list is assigned to an interface?
A. show ip interface [interface] access-lists
B. show ip access-lists interface [interface]
C. show ip interface [interface]
D. show ip access-lists [interface]

QUESTION 2 Refer to the exhibit:

What will happen to HTTP traffic coming from the Internet that is destined for 172.16.12.10 if the traffic is processed by this ACL?
A. Traffic will be dropped per line 30 of the ACL.
B. Traffic will be accepted per line 40 of the ACL.
C. Traffic will be dropped, because of the implicit deny all at the end of the ACL.
D. Traffic will be accepted, because the source address is not covered by the ACL.

QUESTION 3 Refer to the exhibit:

Which statement describes the effect that the Router1 configuration has on devices in the 172.16.16.0 subnet when they try to connect to SVR-A using Telnet or SSH?

A. Devices will not be able to use Telnet or SSH.
B. Devices will be able to use SSH, but not Telnet.
C. Devices will be able to use Telnet, but not SSH.
D. Devices will be able to use Telnet and SSH.

MSc. Ngo Minh Duc VDC Training

QUESTION 4 Refer to the exhibit:

The FMJ manufacturing company is concerned about unauthorized access to the Payroll Server. The Accounting1, CEO, Mgr1, and Mgr2 workstations should be the only computers with access to the Payroll Server. What two technologies should be implemented to help prevent unauthorized access to the server? (Choose two.)
A. access lists
B. encrypted router passwords
C. STP
D. VLANs
E. VTP
F. wireless LANs

QUESTION 5 Which two statements apply to dynamic access lists? (Choose two)
A. They offer simpler management in large internetworks.
B. You can control logging messages.
C. They allow packets to be filtered based on upper-layer session information.
D. You can set a time-based security policy.
E. They provide a level of security against spoofing.
F. They are used to authenticate individual users.

QUESTION 6 A network engineer wants to allow a temporary entry for a remote user with a specific username and password so that the user can access the entire network over the Internet. Which ACL can be used?
A. reflexive
B. extended
C. standard
D. dynamic

QUESTION 7 Refer to the exhibit:

Which three variables (router, protocol port, and router ACL direction) apply to an extended ACL that will prevent student 01 from securely browsing the Internet? (Choose three)
A. OUT
B. Router 3
C. HTTPS
D. IN
E. Router 1

QUESTION 8 Which statement about access lists that are applied to an interface is true?
A. You can apply only one access list on any interface.
B. You can configure one access list, per direction, per layer 3 protocol.
C. You can place as many access lists as you want on any interface.
D. You can configure one access list, per direction, per layer 2 protocol.

QUESTION 9 Which item represents the standard IP ACL?
A. access-list 50 deny 192.168.1.1 0.0.0.255
B. access-list 110 permit ip any any
C. access-list 2500 deny tcp any host 192.168.1.1 eq 22
D. access-list 101 deny tcp any host 192.168.1.1

QUESTION 10 Which parameter does a standard access list take into consideration for traffic filtering decisions?
A. Source MAC address
B. Destination IP address
C. Destination MAC address
D. Source IP address

QUESTION 11 Refer to the graphic:

It has been decided that PC1 should be denied access to Server. Which of the following commands are required to prevent only PC1 from accessing Server1 while allowing all other traffic to flow normally? (Choose two)
A. Router(config)# interface fa0/0
   Router(config-if)# ip access-group 101 out
B. Router(config)# interface fa0/0
   Router(config-if)# ip access-group 101 in
C. Router(config)# access-list 101 deny ip host 172.16.161.150 host 172.16.162.163
   Router(config)# access-list 101 permit ip any any
D. Router(config)# access-list 101 deny ip 172.16.161.150 0.0.0.255 172.16.162.163 0.0.0.0
   Router(config)# access-list 101 permit ip any any

QUESTION 12 An access list was written with the four statements shown in the graphic. Which single access list statement will combine all four of these statements into a single statement that will have exactly the same effect?

A. access-list 10 permit 172.29.16.0 0.0.0.255
B. access-list 10 permit 172.29.16.0 0.0.1.255
C. access-list 10 permit 172.29.16.0 0.0.3.255
D. access-list 10 permit 172.29.16.0 0.0.15.255
E. access-list 10 permit 172.29.0.0 0.0.255.255

QUESTION 13 Refer to the graphic. Assuming the following goals:
1) allow Telnet from the Internet to the HR server
2) allow HTTP access from the Internet to the web server
3) all other traffic from the Internet should be blocked

Which of the following access list statements are necessary to accomplish these goals? (Choose two.)
A. access-list 101 permit tcp any 172.17.17.252 0.0.0.0 eq 23
B. access-list 101 permit tcp any 172.17.18.252 0.0.0.0 eq 80
C. access-list 101 deny tcp any 172.17.18.252 0.0.0.0 eq 80
D. access-list 1 permit tcp any 172.17.17.252 0.0.0.0 eq 23

QUESTION 14 You are securing a network and want to apply an ACL (access control list) to an interface of a router. Which one of the following commands would you use?
A. apply access-list 101 out
B. ip access-group 101 out
C. access-class 101 out
D. permit access-list 101 out

QUESTION 15 As the network administrator, you have been instructed to prevent all traffic originating on the Router 1 LAN from entering router2. Which of the following commands would implement the access list on the interface of router2?

A. access-list 101 out
B. ip access-group 101 out
C. access-list 101 in
D. ip access-group 101 in

QUESTION 16 What three pieces of information can be used in an extended access list to filter traffic? (Choose three.)
A. VLAN number
B. TCP or UDP port numbers
C. source switch port number
D. source IP address and destination IP address
E. protocol
F. source MAC address and destination MAC address

QUESTION 17 What is the effect of the following access list condition?

A. permit all packets matching the host bits in the source address to all destinations
B. permit all packets from the third subnet of the network address to all destinations
C. permit all packets matching the last octet of the destination address and accept all source addresses
D. permit all packets to destinations matching the first three octets in the destination address
E. permit all packets matching the first three octets of the source address to all destinations

QUESTION 18 The access list below was applied outbound on the E0 interface connected to the 192.169.1.8/29 LAN:

How will the above access lists affect traffic?
A. FTP traffic from 192.169.1.9 to any host will be denied.
B. All traffic exiting E0 will be denied.
C. All FTP traffic to network 192.169.1.9/29 will be denied.
D. No traffic, except for FTP traffic will be allowed to exit E0.
E. FTP traffic from 192.169.1.22 will be denied.

QUESTION 19 A network administrator wants to add a line to an access list that will block only Telnet access by the hosts on subnet 192.168.1.128/28 to the server at 192.168.1.5. What command should be issued to accomplish this task?
A. access-list 1 deny tcp 192.168.1.128 0.0.0.15 host 192.168.1.5 eq 23
   access-list 1 permit ip any any
B. access-list 101 deny tcp 192.168.1.128 0.0.0.240 192.168.1.5 0.0.0.0 eq 23
   access-list 101 permit ip any any
C. access-list 1 deny tcp 192.168.1.128 0.0.0.255 192.168.1.5 0.0.0.0 eq 21
   access-list 1 permit ip any any
D. access-list 101 deny tcp 192.168.1.128 0.0.0.15 192.168.1.5 0.0.0.0 eq 23
   access-list 101 permit ip any any

QUESTION 20 On your newly installed router, you apply the access list illustrated below to interface Ethernet0 on a router. The interface is connected to the 192.168.1.8/29 LAN.

How will the above access lists affect traffic?
A. All traffic will be allowed to exit E0 except FTP traffic.
B. FTP traffic from 192.168.166.19 to any host will be denied.
C. All traffic exiting E0 will be denied.
D. All FTP traffic to network 192.168.166.18/29 from any host will be denied.

QUESTION 21 Recently, unauthorized users have used Telnet to gain access to the company router. As the network administrator, you want to configure and apply an access list to allow Telnet access to the router, but only from your computer. Please consider the problem carefully. Which group of commands would be the best choice to allow only the IP address 172.16.3.3 to have Telnet access to the router?
A. access-list 101 permit tcp any host 172.16.3.3 eq telnet
   interface s0/0
   ip access-group 101 in
B. access-list 3 permit host 172.16.3.3
   line vty 0 4
   ip access-group 3 in
C. access-list 3 permit host 172.16.3.3
   line vty 0 4
   access-class 3 in
D. access-list 101 permit tcp any host 172.16.3.3 eq telnet
   access-list 101 permit ip any any
   interface s0/0
   ip access-group 101 in

QUESTION 22 Your boss is taking a CCNA training course. Refer to the exhibit. The access list has been configured on the S0/0 interface of router RTB in the outbound direction. Which two packets, if routed to the interface, will be denied? (Choose two)

access-list 101 deny tcp 192.168.15.32 0.0.0.15 any eq telnet
access-list 101 permit ip any any

A. source ip address: 192.168.15.5; destination port: 21
B. source ip address: 192.168.15.37; destination port: 21
C. source ip address: 192.168.15.41; destination port: 21
D. source ip address: 192.168.15.36; destination port: 23
E. source ip address: 192.168.15.46; destination port: 23
F. source ip address: 192.168.15.49; destination port: 23

QUESTION 23 Refer to the exhibit:

Why would the network administrator configure RA in this manner?
A. to give students access to the Internet
B. to prevent students from accessing the command prompt of RA
C. to prevent administrators from accessing the console of RA
D. to give administrators access to the Internet
E. to prevent students from accessing the Internet
F. to prevent students from accessing the Admin network

QUESTION 24 The access control list shown in the graphic has been applied to the Ethernet interface of router R1 using the ip access-group 101 in command. Which of the following Telnet sessions will be blocked by this ACL? (Choose two)

A. from host PC1 to host 5.1.1.10
B. from host PC1 to host 5.1.3.10
C. from host PC2 to host 5.1.2.10
D. from host PC2 to host 5.1.3.8

QUESTION 25 The exhibit shows a company network. The network administrator would like to permit only hosts on the 172.30.16.0/24 network to access the Internet. Which wildcard mask and address combination will only match addresses on this network?

A. 172.30.0.0 0.0.0.0
B. 172.30.16.0 0.0.0.255
C. 172.30.0.0 0.0.15.255
D. 172.30.16.0 0.0.31.255
E. 172.30.16.0 0.0.255.255

QUESTION 26 An access list has been designed to prevent HTTP traffic from the Accounting Department from reaching the HR server attached to the Holyoke router. Which of the following access lists will accomplish this task when grouped with the e0 interface on the Chicopee router?

A. permit ip any any
   deny tcp 172.16.16.0 0.0.0.255 172.17.17.252 0.0.0.0 eq 80
B. permit ip any any
   deny tcp 172.17.17.252 0.0.0.0 172.16.16.0 0.0.0.255 eq 80
C. deny tcp 172.17.17.252 0.0.0.0 172.16.16.0 0.0.0.255 eq 80
   permit ip any any
D. deny tcp 172.16.16.0 0.0.0.255 172.17.17.252 0.0.0.0 eq 80
   permit ip any any

QUESTION 27 The access list shown in the graphic should deny all hosts located on network 172.16.1.0, except host 172.16.1.5, from accessing the 172.16.4.0 network. All other networks should be accessible. Which command sequence will correctly apply this access list?

A. routerA(config)# interface fa0/0
   routerA(config-if)# ip access-group 10 in
B. routerA(config)# interface s0/0
   routerA(config-if)# ip access-group 10 out
C. routerB(config)# interface fa0/1
   routerB(config-if)# ip access-group 10 out
D. routerB(config)# interface fa0/0
   routerB(config-if)# ip access-group 10 out
E. routerB(config)# interface s0/1
   routerB(config-if)# ip access-group 10 out

QUESTION 28

QUESTION 29

QUESTION 30

QUESTION 31
