1.Which of the following is an example of a standard IP access list? A.access-list 110 permit host 1.1.1.1 B.access-list 1 deny 172.16.10.

1 0.0.0.0 C.access-list 1 permit 172.16.10.1 255.255.0.0 D.access-list standard 1.1.1.1 1.B. Standard IP access lists use the numbers 199 and 13001999 and filter based on source IP address only. Option C is incorrect because the mask must be in wildcard format.

2.You need to create an access list that will prevent hosts in the network range of 192.168.160.0 to 192.168.191.0. Which of the following lists will you use? A.access-list 10 deny 192.168.160.0 255.255.224.0 B.access-list 10 deny 192.168.160.0 0.0.191.255 C.access-list 10 deny 192.168.160.0 0.0.31.255 D.access-list 10 deny 192.168.0.0 0.0.31.255 2.C. The range of 192.168.160.0 to 192.168.191.0 is a block size of 32. The network address is 192.168.160.0 and the mask would be 255.255.224.0, which for an access list must be a wildcard format of 0.0.31.255. The 31 is used for a block size of 32. The wildcard is always one less than the block size.

3.You have created a named access list called Blocksales. Which of the following is a valid command for applying this to packets trying to enter interface s0 of your router? A.(config)#ip access-group 110 in B.(config-if)#ip access-group 110 in C.(config-if)#ip access-group Blocksales in D.(config-if)#blocksales ip access-list in 3.C. Using a named access list just replaces the number used when applying the list to the routers interface. IP access-group Blocksales in is correct.

4.Which of the following are valid ways to refer only to host 172.16.30.55 in an IP access list? (Choose two.) A.172.16.30.55 0.0.0.255

B.172.16.30.55 0.0.0.0 C.any 172.16.30.55 D.host 172.16.30.55 E.0.0.0.0 172.16.30.55 F.ip any 172.16.30.55

5.Which of the following access lists will allow only HTTP traffic into network 196.15.7.0? A.access-list 100 permit tcp any 196.15.7.0 0.0.0.255 eq www B.access-list 10 deny tcp any 196.15.7.0 eq www C.access-list 100 permit 196.15.7.0 0.0.0.255 eq www D.access-list 110 permit ip any 196.15.7.0 0.0.0.255 E.access-list 110 permit www 196.15.7.0 0.0.0.255 6.What router command allows you to determine whether an IP access list is enabled on a particular interface? A.show ip port B.show access-lists C.show ip interface D.show access-lists interface

7.Which router command allows you to view the entire contents of all access lists? A.Router#show interface B.Router>show ip interface C.Router#show access-lists D.Router>show all access-lists

8.If you wanted to deny all Telnet connections to only network 192.168.10.0, which command could you use? A.access-list 100 deny tcp 192.168.10.0 255.255.255.0 eq telnet B.access-list 100 deny tcp 192.168.10.0 0.255.255.255 eq telnet C.access-list 100 deny tcp any 192.168.10.0 0.0.0.255 eq 23 D.access-list 100 deny 192.168.10.0 0.0.0.255 any eq 23

9.If you wanted to deny FTP access from network 200.200.10.0 to network 200.199.11.0, but allow everything else, which of the following command strings is valid? A.access-list 110 deny 200.200.10.0 to network 200.199.11.0 eq ftp

access-list 111 permit ip any 0.0.0.0 255.255.255.255 B.access-list 1 deny ftp 200.200.10.0 200.199.11.0 any any C.access-list 100 deny tcp 200.200.10.0 0.0.0.255 200.199.11.0 0.0.0.255 eq ftp D.access-list 198 deny tcp 200.200.10.0 0.0.0.255 200.199.11.0 0.0.0.255 eq ftp access-list 198 permit ip any 0.0.0.0 255.255.255.255

10.You want to create a standard access list that denies the subnet of the following host: 172.16.50.172/20. Which of the following would you start your list with? A.access-list 10 deny 172.16.48.0 255.255.240.0 B.access-list 10 deny 172.16.0.0 0.0.255.255 C.access-list 10 deny 172.16.64.0 0.0.31.255 D.access-list 10 deny 172.16.48.0 0.0.15.255

11.Which command would you use to apply an access list to a router interface? A.ip access-list 101 out B.access-list ip 101 in C.ip access-group 101 in D.access-group ip 101 in 12.You want to create a standard access list that denies the subnet of the following host: 172.16.198.94/19. Which of the following would you start your list with? A.access-list 10 deny 172.16.192.0 0.0.31.255 B.access-list 10 deny 172.16.0.0 0.0.255.255 C.access-list 10 deny 172.16.172.0 0.0.31.255 D.access-list 10 deny 172.16.188.0 0.0.15.255

13.You want to create a standard access list that denies the subnet of the following host: 172.16.144.17/21. Which of the following would you start your list with? A.access-list 10 deny 172.16.48.0 255.255.240.0 B.access-list 10 deny 172.16.144.0 0.0.7.255 C.access-list 10 deny 172.16.64.0 0.0.31.255 D.access-list 10 deny 172.16.136.0 0.0.15.255

14.Which of the following commands connect access list 110 inbound to interface ethernet0? A.Router(config)#ip access-group 110 in

B.Router(config)#ip access-list 110 in C.Router(config-if)#ip access-group 110 in D.Router(config-if)#ip access-list 110 in

15.What command will permit SMTP mail to only host 1.1.1.1? A.access-list 10 permit smtp host 1.1.1.1 B.access-list 110 permit ip smtp host 1.1.1.1 C.access-list 10 permit tcp any host 1.1.1.1 eq smtp D.access-list 110 permit tcp any host 1.1.1.1 eq smtp

16.If you configure the following access list: access-list 110 deny tcp 10.1.1.128 0.0.0.63 any eq smtp access-list 110 deny tcp any eq 23 int ethernet 0 ip access-group 110 out What will the result of this access list be? A.E-mail and Telnet will be allowed out E0. B.E-mail and Telnet will be allowed in E0. C.Everything but e-mail and Telnet will be allowed out E0. D.No IP traffic will be allowed out E0. 17.Which of the following series of commands will restrict Telnet access to the router? A.Lab_A(config)#access-list 10 permit 172.16.1.1 Lab_A(config)#line con 0 Lab_A(config-line)#ip access-group 10 in B.Lab_A(config)#access-list 10 permit 172.16.1.1 Lab_A(config)#line vty 0 4 Lab_A(config-line)#access-class 10 out C.Lab_A(config)#access-list 10 permit 172.16.1.1 Lab_A(config)#line vty 0 4 Lab_A(config-line)#access-class 10 in D.Lab_A(config)#access-list 10 permit 172.16.1.1 Lab_A(config)#line vty 0 4 Lab_A(config-line)#ip access-group 10 in

18.Which of the following is true regarding access lists applied to an interface? A.You can place as many access lists as you want on any interface until you run out of memory. B.You can apply only one access list on any interface. C.One access list may be configured, per direction, for each layer 3

protocol configured on an interface. D.You can apply two access lists to any interface.

19.You are working on a router that has established privilege levels that restrict access to certain functions. You discover that you are not able to execute the command show runningconfiguration. How can you view and confirm the access lists that have been applied to the Ethernet 0 interface on your router? A.show access-lists B.show interface Ethernet 0 C.show ip access-lists D.show ip interface Ethernet 0 4.B, D. The wildcard 0.0.0.0 tells the router to match all four octets. This wildcard format alone can be replaced with the host command.

5.A. The first thing to check in a question like this is the access-list number. Right away, you can see that the second option is wrong because it is using a standard IP access-list number. The second thing to check is the protocol. If you are filtering by upper-layer protocol, then you must be using either UDP or TCP; this eliminates the fourth option. The third and last answers have the wrong syntax.

6.C. Only the show ip interface command will tell you which interfaces have access lists applied. show access-lists will not show you which interfaces have an access list applied.

7.C. The show access-lists command will allow you to view the entire contents of all access lists, but will not show you to which interfaces the access lists are applied.

8.C. The extended access list ranges are 100199 and 20002699, so the access-list

number of 100 is valid. Telnet uses TCP, so the protocol TCP is valid. Now you just need to look for the source and destination address. Only the third option has the correct sequence of parameters. Answer B may work, but the question specifically states only to network 192.168.10.0, and the wildcard in answer B is too broad.

9.D. Extended IP access lists use numbers from 100199 and 20002699 and filter based on source and destination IP address, protocol number, and port number. The last option is correct because of the second line that specifies permit ip any any (I used 0.0.0.0 255.255.255.255, which is the same as the any option). The third option does not have this, so it would deny access, but not allow everything else.

10.D. First, you must know that a /20 is 255.255.240.0, which is a block size of 16 in the third octet. Counting by sixteens, this makes our subnet 48 in the third octet, and the wildcard for the third octet would be 15, since the wildcard is always one less than the block size.

11.C. To apply an access list, the proper command is: ip access-group 101 in.

12.A. First, you must know that a /19 is 255.255.224.0, which is a block size of 32 in the third octet. Counting by 32, this makes our subnet 192 in the third octet, and the wildcard for the third octet would be 31, since the wildcard is always one less than the block size. 13.B. First, you must know that a /21 is 255.255.248.0, which is a block size of 8 in the third octet. Counting by eight, this makes our subnet 144 in the third octet, and the wildcard for the third octet would be 7, since the wildcard is always one less than the block size.

14.C. To place an access list on an interface, use the ip access-group command in interface configuration mode.

15.D. When trying to find the best answer to an access-list question, always check the access-list number and then the protocol. When filtering to an upper-layer protocol, you must use an extended list, numbers 100199 and 20002699. Also, when you filter to an upperlayer protocol, you must use either tcp or udp in the protocol field. If it says ip in the protocol field, you cannot filter to an upper-layer protocol. SMTP uses TCP.

16.D. If you add an access list to an interface and you do not have at least one permit statement, then you will effectively shut down the interface because of the implicit deny any at the end of every list.

17.C. Telnet access to the router is restricted by using either a standard or extended IP access list inbound on the VTY lines of the router. The command access-class is used to apply the access list to the VTY lines.

18.C. A Cisco router has rules regarding the placement of access lists on a router interface. You can place one access list per direction for each layer 3 protocol configured on an interface.

19.D. The only command that shows which access lists have been applied to an interface is show ip interface Ethernet 0. The command show access-lists displays all configured access lists, and show ip access-lists displays all configured IP access lists, but neither command indicates whether the displayed access lists have been applied to an interface.

1. At a client location, you issue a show ip interface command and find an access list numbered 910. What type of access list is this? IP Standard IP Extended IPX Standard IPX Extended 2. 2. Which of the following could take the place of the wildcard mask 0.0.0.0 in an access list? any deny host all 3. 3. Which wildcard mask would be used to include any host from the 170.16.0.0 network? 255.255.0.0 0.255.255.255 0.0.0.255 0.0.255.255 4. 4. At the end of every access list is an implied "permit any" statement. True False 5. 6. Which of the following commands is not a valid command to view applied access lists on a Cisco router? show ip interface show acl show access-list show running-config

6. Which of the following sample commands uses the proper syntax to deny telnet access from IP address 10.1.1.54 into 10.1.1.50? access-list 90 deny tcp 10.1.1.54 0.0.0.0 10.1.1.50 0.0.0.0 eq 21 access-list 99 deny telnet 10.1.1.54 0.0.0.0 10.1.1.50 0.0.0.0 access-list 101 deny ip 10.1.1.54 0.0.0.0 10.1.1.50 0.0.0.0 telnet access-list 101 deny tcp 10.1.1.54 0.0.0.0 10.1.1.50 0.0.0.0 eq 23 7. 7. Extended ACL lists should be placed? As close to the packet's destination as possible As close to the default gateway as possible As close to the source of the packet as possible As close to a border gateway router as possible 8. 8. What wildcard mask would best match any host from the network 10.0.2.0 /21? 0.0.248.255 0.0.0.0 255.255.7.0 0.0.7.255 9. 10. In order to block telnet access to any host from network 172.12.10.0 you configure an access list that contains, among others, the line: access-list 100 deny tcp 172.12.10.0 0.0.0.255 eq 23. How do you apply this access list inbound to s0? Router(config)#interface s0 Router(config-if)#ip access-group 100 in Router(config)#interface s0 Router(config-if)#ip access-list 100 in Router(config)#interface s0 Router(config-if)#ip access group 100 in None of the above 10.A router interface with the IP address of 192.168.1.0 has the following access list, applied inbound:

ip access-list 100 permit tcp any any eq 23 What would happen if a host from the network 172.16.0.0, attempted to SSH to the interface? SSH traffic would be permitted SSH traffic would be denied 11.12. Standard access lists should be placed? As close to the default gateway as possible As close to the source of the packet as possible As close to the packet's destination as possible As close to a border gateway router as possible 12.. To filter any IP traffic between the network range 10.0.0.0 and 10.32.0.0, what wildcard mask would best meet your needs? 255.255.31.0 0.0.64.255 0.64.255.255 0.31.255.255 13.14. Which of the following would correctly configure an access list, numbered 10, outbound on a VTY line? access group 10 out ip access-group 10 out ip access-class 10 out access-list 10 out 14.15. To represent all hosts from network 172.16.3.0 /22, which wildcard mask would be most appropriate? 0.0.3.255. 0.0.15.255 0.0.16.255 0.0.4.255

15.Review the following extended access list command: access-list 191 deny udp 10.0.0.0 0.255.255.255 lt 1023 any What does the any mean in this access list? Any udp traffic from the 10.0.0.0 network with a port less than 1023 and with any source IP address, will be blocked Any udp traffic from the 10.0.0.0 network with a port less than 1023 and with any destination IP address, will be blocked The command will block any udp, regardless of source or destination None of the above 16.Which of the following commands uses the proper syntax to block all traffic into network 192.168.3.0 except for SSH traffic? ip access-list 89 permit any tcp 192.168.3.0 0.0.0.255 eq 23 ip access-list 99 permit tcp any 192.168.3.0 0.0.0.255 eq 23 ip access-list 100 permit tcp any 192.168.3.0 0.0.0.255 eq 23 any ip access-list 101 permit tcp any 192.168.3.0 0.0.0.255 eq 22 17.At a client location, you issue a show ip interface command and find an access list numbered 212. What type of access list is this? 48-bit MAC address? Protocol type-code IPX SAP None of the above 18.Which of the following access lists use the proper syntax to allow all telnet traffic to host 192.168.1.3, from network 192.168.10.0, and apply the list inbound on s0? router(config):access-list 110 permit ip 192.168.10.0 0.0.0.255 host 192.168.1.3 eq 23 router(config):int e0 router(config-if):ip access-group 110 in

router(config)>access-list 105 permit tcp 192.168.10.0 0.0.0.255 host 192.168.1.3 eq 25 router(config)>int s0 router(config-if)>ip access-group 105 in router(config)#access-list 101 permit 23 192.168.10.0 0.0.0.255 host 192.168.1.3 eq telnet router(config)#int s0 router(config-if)#ip access-group 100 in router(config)#access-list 100 permit tcp 192.168.10.0 0.0.0.255 host 192.168.1.3 eq 23 router(config)#int s0 router(config-if)#ip access-group 100 in