Access List

Question 1

What does the following access list, which is applied on the external interface FastEthernet 1/0 of the perimeter router, accomplish?

router(config)#access-list 101 deny ip 10.0.0.0 0.255.255.255 any log
router(config)#access-list 101 deny ip 192.168.0.0 0.0.255.255 any log
router(config)#access-list 101 deny ip 172.16.0.0 0.15.255.255 any log
router(config)#access-list 101 permit ip any any
router(config)#interface FastEthernet 1/0
router(config-if)#ip access-group 101 in

A. It prevents incoming traffic from IP address ranges 10.0.0.0 – 10.0.0.255, 172.16.0.0 – 172.31.255.255, 192.168.0.0 – 192.168.255.255 and logs any intrusion attempts.
B. It prevents the internal network from being used in spoofed denial of service attacks and logs any exit to the Internet.
C. It filters incoming traffic from private addresses in order to prevent spoofing and logs any intrusion attempts.
D. It prevents private internal addresses to be accessed directly from outside.

Answer: C

Answer A is not correct because the 10.0.0.0 range it gives is wrong: the wildcard mask 0.255.255.255 covers 10.0.0.0 to 10.255.255.255, not 10.0.0.0 to 10.0.0.255.
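To show how the wildcard masks and the first-match rule of ACL 101 decide each packet's fate, here is a small evaluator written for this page (added example, not code from the original page); the source addresses tested are constructed:

```python
import ipaddress
from dataclasses import dataclass

# Added example: a minimal evaluator for the numbered extended ACL in
# Question 1. Only the source address is matched, since every ACE on
# the page uses "any" as the destination.

@dataclass
class Ace:
    action: str      # "permit" or "deny"
    src: int         # source address as an integer, 0 for "any"
    src_wild: int    # wildcard mask: 1 bits are "don't care"
    log: bool        # trailing "log" keyword present

def parse_ace(line: str) -> Ace:
    """Parse 'access-list 101 deny ip 10.0.0.0 0.255.255.255 any log'."""
    tok = line.split()
    assert tok[0] == "access-list" and tok[3] == "ip"
    action = tok[2]
    if tok[4] == "any":
        src, wild, rest = 0, 0xFFFFFFFF, tok[5:]
    elif tok[4] == "host":
        src, wild, rest = int(ipaddress.IPv4Address(tok[5])), 0, tok[6:]
    else:
        src = int(ipaddress.IPv4Address(tok[4]))
        wild = int(ipaddress.IPv4Address(tok[5]))
        rest = tok[6:]
    return Ace(action, src, wild, rest[-1] == "log")

def wildcard_match(addr: int, base: int, wild: int) -> bool:
    # Bits set in the wildcard are ignored; all other bits must equal the base.
    keep = ~wild & 0xFFFFFFFF
    return (addr & keep) == (base & keep)

def evaluate(acl, src_ip: str):
    """Return (action, logged) for the first matching ACE, else implicit deny."""
    a = int(ipaddress.IPv4Address(src_ip))
    for ace in acl:
        if wildcard_match(a, ace.src, ace.src_wild):
            return ace.action, ace.log
    return "deny", False   # every IOS ACL ends with an implicit deny

ACL_101 = [parse_ace(l) for l in [
    "access-list 101 deny ip 10.0.0.0 0.255.255.255 any log",
    "access-list 101 deny ip 192.168.0.0 0.0.255.255 any log",
    "access-list 101 deny ip 172.16.0.0 0.15.255.255 any log",
    "access-list 101 permit ip any any",
]]

def ingress_decision(src_ip: str):
    """Verdict for a packet arriving inbound on FastEthernet 1/0."""
    return evaluate(ACL_101, src_ip)
```

172.31.255.254 is dropped and logged while 172.32.0.1 is permitted, which is exactly the boundary the 0.15.255.255 wildcard draws.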

Question 2

Refer to the following access list.

access-list 100 permit ip any any log

After applying the access list on a Cisco router, the network engineer notices that the router CPU utilization has risen to 99 percent. What is the reason for this?

A. A packet that matches access-list with the “log” keyword is Cisco Express Forwarding switched.
B. A packet that matches access-list with the “log” keyword is fast switched.
C. A packet that matches access-list with the “log” keyword is process switched.
D. A large amount of IP traffic is being permitted on the router.

Answer: C

Explanation

Logging-enabled access control lists (ACLs) provide insight into traffic as it traverses the network or is dropped by network devices. Unfortunately, ACL logging can be CPU intensive and can negatively affect other functions of the network device. There are two primary factors that contribute to the CPU load increase from ACL logging: process switching of packets that match log-enabled access control entries (ACEs) and the generation and transmission of log messages.

Process switching is the slowest switching method (compared to fast switching and Cisco Express Forwarding) because it must look up the destination in the routing table. Process switching must also construct a new Layer 2 frame header for every packet. With process switching, when a packet comes in, the scheduler calls a process that examines the routing table, determines which interface the packet should be switched to and then switches the packet. The problem is that this happens for every packet.

Question 3

For troubleshooting purposes, which method can you use in combination with the “debug ip packet” command to limit the amount of output data?

A. You can disable the IP route cache globally.
B. You can use the KRON scheduler.
C. You can use an extended access list.
D. You can use an IOS parser.
E. You can use the RITE traffic exporter.

Answer: C

If you use the “debug ip packet” command on a production router, you can bring it down, since it generates output for every packet and that output can be extensive. The best way to limit the output of debug ip packet is to create an access list and link it to the debug. Only packets that match the access-list criteria will be subject to debug ip packet. For example, this is how to monitor traffic from 1.1.1.1 to 2.2.2.2:

access-list 100 permit ip host 1.1.1.1 host 2.2.2.2
debug ip packet 100

Note: The “debug ip packet” command is used to monitor packets that are processed by the router's routing engine and are not fast switched.

Question 4

Which outbound access list, applied to the WAN interface of a router, permits all traffic except for http traffic sourced from the workstation with IP address 10.10.10.1?

A. ip access-list extended 200
deny tcp host 10.10.10.1 eq 80 any
permit ip any any

B. ip access-list extended 10
deny tcp host 10.10.10.1 any eq 80
permit ip any any

C. ip access-list extended NO_HTTP
deny tcp host 10.10.10.1 any eq 80

D. ip access-list extended 100
deny tcp host 10.10.10.1 any eq 80
permit ip any any

Answer: D

Question 5

A route map uses an ACL if the required matching is based on which criterion?

A. addressing information
B. route types
C. AS paths
D. metrics

Answer: A

Question 6

Which configuration can you apply to a device so that it always blocks the outbound web traffic on Saturdays and Sundays between the hours of 1:00 AM and 11:59 PM?

A. time-range SATSUN absolute Saturday Sunday 1:00 to 23:59
access-list 102 permit tcp any any eq 80 time-range SATSUN
access-list 102 permit tcp any any eq 443 time-range SATSUN
interface Vlan 303
ip address 10.9.5.3 255.255.255.0
ip access-group 102 in

B. time-range SATSUN periodic Saturday Sunday 1:00 to 23:59
access-list 102 permit tcp any any eq 80 time-range SATSUN
access-list 102 permit tcp any any eq 443 time-range SATSUN
interface Vlan 303
ip address 10.9.5.3 255.255.255.0
ip access-group 102 in

C. time-range SATSUN periodic Saturday Sunday 1:00 to 11:59
access-list 102 permit tcp any any eq 80 time-range SATSUN
access-list 102 permit tcp any any eq 443 time-range SATSUN
interface Vlan 303
ip address 10.9.5.3 255.255.255.0
ip access-group 102 in

D. time-range SATSUN absolute Saturday Sunday 1:00 to 11:59
access-list 102 permit tcp any any eq 80 time-range SATSUN
access-list 102 permit tcp any any eq 443 time-range SATSUN
interface Vlan 303
ip address 10.9.5.3 255.255.255.0
ip access-group 102 in

Answer: B

+ The question asks to “always” block traffic (every week), so we must use the keyword “periodic”.
+ Traffic should be blocked until 11:59 PM, which means 23:59.

Note: The time is specified in 24-hour format (hh:mm), where the hours range from 0 to 23 and the minutes range from 0 to 59.

Only answer B satisfies these two requirements, so it is the best answer. Strictly speaking, none of the answers is fully correct, because the access list should deny web traffic rather than permit it as shown in the answers.
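The following evaluator for a periodic time-range (added here, not part of the original page) makes the difference between “1:00 to 23:59” and “1:00 to 11:59” concrete; it models only the periodic form, and the timestamps it is tested with are constructed:

```python
import re
from datetime import datetime

# Added example: evaluates a "periodic <days> hh:mm to hh:mm" time-range as
# used in Question 6, so the ACE bound to it can be checked for a given
# moment. The absolute form has a different syntax and is not modelled.

DAYS = {"monday": 0, "tuesday": 1, "wednesday": 2, "thursday": 3,
        "friday": 4, "saturday": 5, "sunday": 6}

_PERIODIC = re.compile(
    r"^periodic\s+(.+?)\s+(\d{1,2}):(\d{2})\s+to\s+(\d{1,2}):(\d{2})$")

def parse_periodic(spec: str):
    """Parse 'periodic Saturday Sunday 1:00 to 23:59' into (days, start, end)."""
    m = _PERIODIC.match(spec.strip())
    if not m:
        raise ValueError("unsupported time-range syntax: " + spec)
    days = {DAYS[d.lower()] for d in m.group(1).split()}
    start = int(m.group(2)) * 60 + int(m.group(3))   # minutes since midnight
    end = int(m.group(4)) * 60 + int(m.group(5))
    if not (0 <= start < 24 * 60 and 0 <= end < 24 * 60):
        raise ValueError("hours must be 0-23 and minutes 0-59")
    return days, start, end

def range_active(spec: str, when: datetime) -> bool:
    """True if the ACE bound to this time-range is in effect at 'when'."""
    days, start, end = parse_periodic(spec)
    minutes = when.hour * 60 + when.minute
    return when.weekday() in days and start <= minutes <= end

def web_blocked(spec: str, when: datetime) -> bool:
    """Intended policy: a 'deny tcp any any eq 80 time-range' ACE is active."""
    return range_active(spec, when)
```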

Question 7

Allowing website access between certain times

Answer: Filters using Time-Based ACLs

Question 8

Which two different configurations can you apply to a device to block incoming SSH access? (Choose two)

A. ipv6 access-list VTY-ACCESS-IN
sequence 10 deny tcp any any eq 22
sequence 20 permit ipv6 any any
line vty 0 15
  ipv6 access-list VTY-ACCESS-IN out

B. ipv6 access-list VTY-ACCESS-IN
sequence 10 deny tcp any any eq 22
sequence 20 permit ipv6 any any
line vty 0 15
  ipv6 access-class VTY-ACCESS-IN out

C. ipv6 access-list VTY-ACCESS-IN
sequence 10 deny tcp any any eq 22
sequence 20 permit ipv6 any any
line vty 0 15
  ipv6 access-class VTY-ACCESS-IN in

D. ipv6 access-list VTY-ACCESS-IN
sequence 10 deny tcp any any eq 22
sequence 20 permit ipv6 any any
interface Ethernet0/0
  ipv6 traffic-filter VTY-ACCESS-IN in

E. ipv6 access-list VTY-ACCESS-IN
sequence 10 deny tcp any any eq 22
sequence 20 permit ipv6 any any
interface Ethernet0/0
  ipv6 traffic-filter VTY-ACCESS-IN out

Answer: C D

The “ipv6 traffic-filter” command is used to filter IPv6 traffic flowing through an interface, while the “ipv6 access-class” command is used to filter IPv6 traffic destined to the router itself on its VTY lines (logical interfaces).

Question 9

Which access list entry checks for an ACK within a packet header?

A. access-list 49 permit ip any any eq 21 tcp-ack
B. access-list 49 permit tcp any any eq 21 tcp-ack
C. access-list 149 permit tcp any any eq 21 established
D. access-list 49 permit tcp any any eq 21 established

Answer: C

The established keyword is only applicable to TCP access list entries. It matches TCP segments that have the ACK and/or RST control bit set (regardless of the source and destination ports), which assumes that a TCP connection has already been established from the other direction. Let’s see an example below:

[Figure: access-list_established]

If you only want to allow the hosts inside your company to telnet to an outside server, but not vice versa, you can simply use an “established” access list like this:

access-list 100 permit tcp any any established
access-list 101 permit tcp any any eq telnet
!
interface S0/0
ip access-group 100 in
ip access-group 101 out

Note:

Suppose host A wants to start communicating with host B using TCP. Before they can send real data, a three-way handshake must be established first. Let’s see how this process takes place:

1. First, host A sends a SYN message (a TCP segment with the SYN flag set to 1; SYN is short for SYNchronize) to indicate that it wants to set up a connection with host B. This message includes a sequence (SEQ) number for tracking purposes. This sequence number can be any 32-bit number (range from 0 to 2^32), so we use “x” to represent it.

2. After receiving the SYN message from host A, host B replies with a SYN-ACK message (some books may call it a “SYN/ACK” or “SYN, ACK” message; ACK is short for ACKnowledge). This message includes a SYN sequence number and an ACK number:
+ The SYN sequence number (let’s call it “y”) is a random number and has no relationship to host A’s SYN SEQ number.
+ The ACK number is host A’s SYN sequence number plus one, so we represent it as “x+1”. It means “I received your part. Now send me the next part (x + 1)”.

The SYN-ACK message indicates that host B accepts talking to host A (via the ACK part) and asks whether host A still wants to talk to it as well (via the SYN part).

3. After host A receives the SYN-ACK message from host B, it sends an ACK message with ACK number “y+1” to host B. This confirms that host A still wants to talk to host B.
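To tie the “established” keyword to the handshake above, here is a model (added example, not code from the original page) that runs the three handshake segments through ACL 100 inbound and ACL 101 outbound on S0/0; the hosts, ephemeral port and sequence numbers x and y are constructed:

```python
from dataclasses import dataclass

# Added example: models 'established' (matches when ACK or RST is set) and
# the two ACLs from Question 9 applied on S0/0: 100 in, 101 out.

@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    rst: bool = False
    seq: int = 0
    ack_num: int = 0

TELNET = 23

def match_established(seg: Segment) -> bool:
    """'established' looks only at the ACK/RST bits, never at the ports."""
    return seg.ack or seg.rst

def acl_100_in(seg: Segment) -> bool:
    # access-list 100 permit tcp any any established, then implicit deny
    return match_established(seg)

def acl_101_out(seg: Segment) -> bool:
    # access-list 101 permit tcp any any eq telnet, then implicit deny
    return seg.dport == TELNET

def filter_segment(seg: Segment, direction: str) -> bool:
    """Apply the ACL bound to S0/0 in the given direction ('in' or 'out')."""
    return acl_100_in(seg) if direction == "in" else acl_101_out(seg)

def handshake(inside: str, outside: str, x: int, y: int):
    """Inside host opens telnet to outside; returns the verdict per step."""
    eph = 40000   # constructed ephemeral port used by the inside host
    steps = [
        ("out", Segment(inside, outside, TELNET, syn=True, seq=x)),
        ("in",  Segment(outside, inside, eph, syn=True, ack=True, seq=y, ack_num=x + 1)),
        ("out", Segment(inside, outside, TELNET, ack=True, seq=x + 1, ack_num=y + 1)),
    ]
    return [filter_segment(seg, d) for d, seg in steps]

def outside_initiated_syn(inside: str, outside: str) -> bool:
    """A bare SYN arriving from outside has no ACK bit, so ACL 100 drops it."""
    return filter_segment(Segment(outside, inside, TELNET, syn=True), "in")
```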

Question 10

Which type of access list allows granular session filtering for upper-level protocols?

A. content-based access lists
B. context-based access lists
C. reflexive access lists
D. extended access lists

Answer: C

Reflexive access lists provide filtering on upper-layer IP protocol sessions. They contain temporary entries that are automatically created when a new IP session begins. They are nested within extended, named IP access lists that are applied to an interface. Reflexive access lists are typically configured on border routers, which pass traffic between an internal and external network. These are often firewall routers. Reflexive access lists do not end with an implicit deny statement because they are nested within an access list and the subsequent statements need to be examined.

Question 11

What is the command to enable IPv6 access list?

A. ipv6 traffic-filter access-list-name {in | out}
B. ipv6 access-list [access-list-name]
C. access-list ipv6 [access-list-name]
D. ipv6 access-group [access-list-name] {in | out}

Answer: A

The command “ipv6 traffic-filter access-list-name { in | out }” applies the access list to incoming or outgoing traffic on the interface.

Question 12

Which two statements about IP access-lists are true? (Choose two)

A. IP access-lists without at least one deny statement permit all traffic by default.
B. Extended access-lists must include port numbers.
C. They support wildcard masks to limit the address bits to which entries are applied.
D. Entries are applied to traffic in the order in which they appear.
E. They end with an implicit permit.

Answer: C D

Question 13

Which option is the minimum logging level that displays a log message when an ACL drops an incoming packet?

A. Level 6
B. Level 5
C. Level 7
D. Level 3

Answer: A

When the ACL logging feature is configured, the system monitors ACL flows and logs dropped packets and statistics for each flow that matches the deny conditions of the ACL entry.

The log and log-input options apply to an individual ACE and cause packets that match the ACE to be logged. The sample below illustrates the initial message and periodic updates sent by an IOS device with a default configuration using the log ACE option.

*May 1 22:12:13.243: %SEC-6-IPACCESSLOGP: list ACL-IPv4-E0/0-IN permitted tcp 192.168.1.3(1024) -> 192.168.2.1(22), 1 packet

From the example above we can see that ACL log messages, including those generated when an ACL drops a packet, are emitted at severity level 6 (%SEC-6-).
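A parser for this message format, written for this page (added example, not code from the original page), lets a log pipeline pull out the severity, ACL name, verdict and addresses; the first sample line is the one shown above, the other two are constructed:

```python
import re

# Added example: parses %SEC-<sev>-IPACCESSLOGP messages as shown in
# Question 13 and keeps the denied flows a monitoring rule would alert on.

_ACL_LOG = re.compile(
    r"%SEC-(?P<sev>\d)-IPACCESSLOGP: list (?P<acl>\S+) "
    r"(?P<verdict>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

def parse_acl_log(line: str):
    """Return a dict of fields, or None if the line is not an ACL log message."""
    m = _ACL_LOG.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sev", "sport", "dport", "count"):
        rec[key] = int(rec[key])
    return rec

SAMPLE_LINES = [
    # line shown on the page
    "*May 1 22:12:13.243: %SEC-6-IPACCESSLOGP: list ACL-IPv4-E0/0-IN "
    "permitted tcp 192.168.1.3(1024) -> 192.168.2.1(22), 1 packet",
    # constructed: the same format for a dropped packet
    "*May 1 22:12:20.001: %SEC-6-IPACCESSLOGP: list ACL-IPv4-E0/0-IN "
    "denied tcp 192.168.1.9(51000) -> 192.168.2.1(23), 3 packets",
    # constructed: an unrelated message that must be ignored
    "*May 1 22:12:21.000: %SYS-5-CONFIG_I: Configured from console by console",
]

def dropped_flows(lines):
    """Keep only the denied ACL entries from a batch of syslog lines."""
    return [rec for rec in map(parse_acl_log, lines)
            if rec and rec["verdict"] == "denied"]
```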