Access list Questions
Here you will find answers to Access list Questions
If you are not sure about Access list, please read my Access List tutorial
Question 1
Which statement best describes the Turbo ACL feature? (Choose all that apply)
A. The Turbo ACL feature processes ACLs into lookup tables for greater efficiency.
B. The Turbo ACL feature leads to increased latency, because the time it takes to match the packet is variable.
C. The Turbo ACL feature leads to reduced latency, because the time it takes to match the packet is fixed and consistent.
D. Turbo ACLs increase the CPU load by matching the packet to a predetermined list.
Answer: A C
Question 2
Which statement best describes configuring access control lists to control Telnet traffic destined to the router itself?
A. The ACL must be applied to each vty line individually.
B. The ACL should be applied to all vty lines in the in direction to prevent an unwanted user from connecting to an unsecured port.
C. The ACL is applied to the Telnet port with the ip access-group command.
D. The ACL applied to the vty lines has no in or out option like ACL being applied to an interface.
Answer: B
Question 3
Which description is correct based on the exhibit and partial configuration?

A. All traffic from network 10.0.0.0 will be permitted.
B. This ACL will prevent any host on the Internet from spoofing the inside network address as the source address for packets coming into the router from the Internet.
C. Access-list 101 will prevent address spoofing from interface E0.
D. All traffic destined for network 172.16.150.0 will be denied due to the implicit deny all.
Answer: C
Question 4
Examine the following options. Which access list will permit HTTP traffic sourced from host 10.1.129.100 port 3030 destined to host 192.168.1.10?
A. access-list 101 permit tcp 10.1.129.0 0.0.0.255 eq www 192.168.1.10 0.0.0.0 eq www
B. access-list 101 permit tcp 10.1.128.0 0.0.1.255 eq 3030 192.168.1.0 0.0.0.15 eq www
C. access-list 101 permit tcp host 192.168.1.10 eq 80 10.1.0.0 0.0.255.255 eq 3030
D. access-list 101 permit tcp any eq 3030
Answer: B
Question 5
Which three statements about applying access control lists to a Cisco router are true? (Choose three)
A. Place more specific ACL entries at the top of the ACL.
B. ACLs always search for the most specific entry before taking any filtering action.
C. Router-generated packets cannot be filtered by ACLs on the router.
D. Place generic ACL entries at the top of the ACL to filter general traffic and thereby reduce “noise” on the network.
E. If an access list is applied but is not configured, all traffic will pass.
Answer: A C E
Question 6
A standard access control list has been configured on a router and applied to interface Serial 0 in an outbound direction. No ACL is applied to Interface Serial 1 on the same router. What will happen when traffic being filtered by the access list does not match the configured ACL statements for Serial0?
A. The source IP address is checked, and, if a match is not found, traffic is routed out interface Serial 1.
B. The resulting action is determined by the destination IP address.
C. The resulting action is determined by the destination IP address and port number.
D. The traffic is dropped.
Answer: D
Question 7
Which location will be recommended for extended or extended named ACLs?
A. a location as close to the destination traffic as possible
B. an intermediate location to filter as much traffic as possible
C. when using the established keyword, a location close to the destination point to ensure that return traffic is allowed
D. a location as close to the source traffic as possible
Answer: D
Question 3
The answer is wrong, the acl will not prevent address spoofing. The addresses are being permitted and not denied by the acl. The nearest correct answer would be D, all traffic to 172.16.150.0 will be denied except from 10.20.20.0/24 because of the implicit deny at the end of the ACL.
I’m with Madhatter on this one – a spoofing acl would surely be applied on the S0 interface in an inbound direction
You’re wrong, both. The answer given is right, because of the implicit deny address spoofing is prevented, the ACL permits traffic only from 10.20.20.0/24. D is wrong because not all traffic is denied (from 10.20.20.0/24 is permitted).
Manu is totally right. The answer is right.
The answer 3 c is the correct one.
Where in the curriculum is the Turbo ACL explained?
In 7th question option “d” is : a location as “CLOSE” to the source traffic as possible
Turbo ACL:
I read the curriculum and I didn’t know about them too, but in the CCNA Security Official Exam Certification Guide there is some information.
Can someone please explain why B is the answer for question 4?
U can find Turbo ACL in the CCNA Security Official Exam chapter 10 Firewall !!
Any dumps you guys suggest for ccna security? and where I can dl it. cheers
samiraa1982@gmail.com
Question 5
How could answer E. If an access list is applied but is not configured, all traffic will pass. is also the answer here? It should have an explicit deny if ACL applied without any configuration, right?
No, I checked, when acl applied but not configured, traffic is passed without checking through acl. So “all traffic will pass”
HAI
Can someone give new dumps
hi all,
plz post me new dumps on rayan.exuinox@gmail.com.
question 3:
C is definitely correct.
Because of implicit deny all any spoofed IP (generally private IPs) will be denied as only the subnet 10.20.20.0 is permitted. Therefore any spoofed addresses will be denied even legitimate address from the inside network will be denied if they are not in the specified subnet.
A is wrong all traffic is not denied, subnet 10.20.20.0 is permitted (for certain protocols of course)
B is wrong this ACL is applied to inbound traffic on E0 therefore inbound traffic on S0 will not be filtered by the ACL.
D is wrong traffic (for the specific protocols permitted) is permitted from the subnet 10.20.20.0.
C is def correct. Cheers
Hi guys
Could any1 help me comprehend the q3 answer.
Why q3: access-list 101 permit tcp 10.1.128.0 0.0.1.255 eq 3030 192.168.1.0 0.0.0.15 eq www instead of 10.1.129.0
the question asks:
which access list will permit HTTP traffic sourced from host 10.1.129.100 port 3030 destined to host 192.168.1.10
A. access-list 101 permit tcp 10.1.129.0 0.0.0.255 eq www 192.168.1.10 0.0.0.0 eq www
^^^
If you look at the question its asks the originating port is 3030 this acl shows the originating port is 80 aka www. therefore it is incorrect. hope that helps? ask if it needs more explaining.
@RJH
You are wrong with this one. Host computers are using less known port number from 1024 – 65535 while servers are using well known port number from 1 – 1023.
Therefore http traffic from host computer 10.1.129.100 could be sent on port 3030 while server will only listen for http traffic on port 80.
@RJH
Then again you are right. Basically you have said same thing as I have .
guys do we need to configure acls on exam………..plz reply???
“George” is correct. When you are generating a request your PC is using random port numbers, so it should be IP address X to IP address Y eq www
Question 3
A, B and D are definitely wrong, therefore C is correct (logically)
inmate is noname still current? and any update on CCNA security dump
Hi everyone just completed the ccna, would like to take the security.
can any one please tell me the best book use.
thanks
Hi, I’ve my exam on 19th august 2011. Is P4S 4.38 still valid? Questions shown here are still valid? Has anyone given exam recently?
Which access list will permit HTTP traffic sourced from host 10.1.129.100 port 3030 destined to
host 192.168.1.10?
A. access-list 101 permit tcp any eq 3030
B. access-list 101 permit tcp 10.1.128.0 0.0.1.255 eq 3030 192.168.1.0 0.0.0.15 eq www
C. access-list 101 permit tcp 10.1.129.0 0.0.0.255 eq www 192.168.1.10 0.0.0.0 eq www
D. access-list 101 permit tcp host 192.168.1.10 eq 80 10.1.0.0 0.0.255.255 eq 3030
E. access-list 101 permit tcp 192.168.1.10 0.0.0.0 eq 80 10.1.0.0 0.0.255.255
F. access-list 101 permit ip host 10.1.129.100 eq 3030 host 192.168.1.100 eq 80
Please tell me the right ans of this question , i m little confused
Hi sahib, this is the only right answer to the question.
A. access-list 101 permit tcp any eq 3030
The command is incomplete… extended ACL asks for destination address
C. access-list 101 permit tcp 10.1.129.0 0.0.0.255 eq www 192.168.1.10 0.0.0.0 eq www
The source port matched by this ACL is 80 and the question asks for 3030
D. access-list 101 permit tcp host 192.168.1.10 eq 80 10.1.0.0 0.0.255.255 eq 3030
Wrong source IP and port number
E. access-list 101 permit tcp 192.168.1.10 0.0.0.0 eq 80 10.1.0.0 0.0.255.255
Wrong source IP and port number
F. access-list 101 permit ip host 10.1.129.100 eq 3030 host 192.168.1.100 eq 80
Wrong destination IP address, it must be 192.168.1.10, not 192.168.1.100.
RIGHT ANSWER:
B. access-list 101 permit tcp 10.1.128.0 0.0.1.255 eq 3030 192.168.1.0 0.0.0.15 eq www
It’s an ugly way to configure the ACL because it matches a lot of IP addresses (10.1.128.0/24 and 10.1.129.0/24) but it will work.
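The wildcard-mask reasoning in the explanation above can be checked mechanically. The following Python sketch is an added example, not part of the original page or of any commenter's post: it parses only the entry syntax used in Question 4 (`any`, `host A`, `A WILDCARD`, `eq PORT`), and its function names are illustrative. It evaluates the quiz's options A to D against the packet the question describes, with first-match ordering and the implicit deny.

```python
import ipaddress

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def _take_addr(tok):  # 'any' | 'host A' | 'A WILDCARD' -> (base, wildcard)
    first = tok.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return _ip(tok.pop(0)), 0
    return _ip(first), _ip(tok.pop(0))

def _take_port(tok):
    if tok[:1] != ["eq"]:
        return None  # no 'eq PORT' operand: any port matches
    _, port = tok.pop(0), tok.pop(0)
    return 80 if port == "www" else int(port)  # 'www' is the IOS keyword for 80

def parse_ace(line):
    tok = line.split()
    try:
        action, proto, rest = tok[2], tok[3], tok[4:]
        return (action, proto, _take_addr(rest), _take_port(rest),
                _take_addr(rest), _take_port(rest))
    except IndexError:
        raise ValueError("incomplete entry: " + line) from None

def _hit(ip, spec):
    care = ~spec[1] & 0xFFFFFFFF  # wildcard 1-bits are "don't care" bits
    return (_ip(ip) & care) == (spec[0] & care)

def evaluate(acl, proto, src, sport, dst, dport):
    for line in acl:  # entries are tested top-down; the first match decides
        action, p, s, sp, d, dp = parse_ace(line)
        if (p in ("ip", proto) and _hit(src, s) and _hit(dst, d)
                and sp in (None, sport) and dp in (None, dport)):
            return action
    return "deny"  # nothing matched: implicit deny

OPTIONS = {  # options A-D as printed in Question 4
    "A": "access-list 101 permit tcp 10.1.129.0 0.0.0.255 eq www 192.168.1.10 0.0.0.0 eq www",
    "B": "access-list 101 permit tcp 10.1.128.0 0.0.1.255 eq 3030 192.168.1.0 0.0.0.15 eq www",
    "C": "access-list 101 permit tcp host 192.168.1.10 eq 80 10.1.0.0 0.0.255.255 eq 3030",
    "D": "access-list 101 permit tcp any eq 3030",
}
PACKET = ("tcp", "10.1.129.100", 3030, "192.168.1.10", 80)
if __name__ == "__main__":
    print({k: evaluate([OPTIONS[k]], *PACKET) for k in "ABC"})  # D does not parse
```

Option B permits the packet because wildcard 0.0.1.255 ignores the low bit of the third octet, so it also admits every source in 10.1.128.0 to 10.1.129.255 and every destination in 192.168.1.0 to 192.168.1.15. An entry written with `host 10.1.129.100` and `host 192.168.1.10` would permit only the flow in the question.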
hello frndzz..:) im givng my ccna security xmz in this week..if anyone has latest dumps…plz mail me 2 pkotnala@gmail.com….thnkz
hello i am gonna take ccna security exam on sept 27………I need latest dumps……..mail me on the following email………chalmulu@gmail.com
Question 5
Which three statements about applying access control lists to a Cisco router are true? (Choose three)
E. If an access list is applied but is not configured, all traffic will pass.
There is the “Explicit Invisible Deny All” at the end of each ACL,
Then how all the Traffic can Pass ??
Please Explain
To Amna Shahba,
Question 5
Which three statements about applying access control lists to a Cisco router are true? (Choose three)
E. If an access list is applied but is not configured, all traffic will pass.
If you do not specify interesting traffic in the ACL it is effectively disabled. So the Explicit deny would not apply as the traffic has not parsed through the ACL.
@ Ninja: you are right about Q5 but I think it is a tricky exam question.It tested you.
@Tobeconfirmed: traffic has not parsed through the ACL can even be put simply as ‘how can you apply a rule which has not even been stated’
confused……..i have a lot of time but dont understand how to start ……frm wat to start……and within 15 day i want to certify the ccna security ….wat should i do …?
Hello All,
First of all my sincere thanks to 9tut.com aka securitytut.com for giving here excellent platform for discussion and explanations. Recently I have rebuckled my CCNA which is expired 3 years back.
Regarding Question 3:
I could not really agree with the given answer, that could be one answer (but weird answer).. The best and solid correct answer from my views and explanations should be “A”..
A. All traffic from network 10.0.0.0 will be permitted. — Correct..
Reason: Please read the ACL line carefully, Source subnet 10.20.20.0 but subnet mask defined /8 that means logically it is allowed 10.x.x.x/8 subnet as source and destination any.
B. This ACL will prevent any host on the Internet from spoofing the inside network address as the source address for packets coming into the router from the Internet. — Wrong.
Reason: The given ACL configuration showing only outbound ACL, did not mentioned about inbound ACL. So “B” should be wrong answer.
C. Access-list 101 will prevent address spoofing from interface E0. — Could be correct..
Reason: Actually statement “C” is weird, because usually inside network for any design will be treated as Highly Secure and Outside Network is Semi-Secured. Here this statement going to say spoofing attacks originated from 10.x.x.x network to outside network 172.16.150.x.. Does it make any sense. If that is the requirement, fine this answer also agreed to correct.
D. All traffic destined for network 172.16.150.0 will be denied due to the implicit deny all. — Wrong..
Reason: Since total network of 10.x.x.x/8 allowed to any from ACL statements, that means already allowed to Outside Network from Inside Network.
Sorry Guyz!
Apologies for question #3 for wrong explanations. I misread the subnet mask that is not /8. I should have to read it as /24.
So Option: A should be wrong, as only part of the net10 allowed not entire /8 network..
By the explanation for D, should be read as 10.20.20.x/24 instead of 10.x.x.x/8 and still that is also wrong..
So unfortunately, the and only unpleasant best answer is “C”….
Sorry once again.. for confusion ..
Can anybody tell me where I can find more free sample questions on access list I have my CCNA exam coming up cheers
Boombastic: Check for Actual test, or testking.com for additional questions on ACL’s. Also, Cisco ICND books have lots of good material to understand ACL’s (yet, is a lot of reading!)
Good Luck!
hello frndzz..:) im givng my ccna security xmz in next week..if anyone has latest dumps…plz mail me 2 –vikramduddy@gmail.com
thanks in advance