CCNA 4 Chapter 4 v6 Exam Answers

Two routers, R1 and R2, connect via a serial link. Both the R1 and R2 interfaces that connect to this network are labeled S0/0/0. Above the serial link are the words 10.0.56.252/30. R1 has two more connections: Gi0/0 and Gi0/1. The Gi0/0/ R1 interface connects to a switch. That switch connects to a server labeled FTP and web server 10.0.54.5/28. The R1 Gi0/1 interface connects to a switch. That switch connects to a host. Under the host are the words 10.0.55.23/24. The R2 router has another interface labeled Gi0/0. This interface connects to a switch. That switch connects to a host. Under the host are the words 10.0.70.23/25.Refer to the exhibit. The network administrator that has the IP address of 10.0.70.23/25 needs to have access to the corporate FTP server (10.0.54.5/28). The FTP server is also a web server that is accessible to all internal employees on networks within the 10.x.x.x address. No other traffic should be allowed to this server. Which extended ACL would be used to filter this traffic, and how would this ACL be applied? (Choose two.)

The first two lines of the ACL allow host 10.0.70.23 FTP access to the server that has the IP address of 10.0.54.5. The next line of the ACL allows HTTP access to the server from any host that has an IP address that starts with the number 10. The fourth line of the ACL denies any other type of traffic to the server from any source IP address. The last line of the ACL permits anything else in case there are other servers or devices added to the 10.0.54.0/28 network. Because traffic is being filtered from all other locations and for the 10.0.70.23 host device, the best place to put this ACL is closest to the server.

Which set of access control entries would allow all users on the 192.168.10.0/24 network to access a web server that is located at 172.17.80.1, but would not allow them to use Telnet?

For an extended ACL to meet these requirements the following need to be included in the access control entries:
identification number in the range 100-199 or 2000-2699
permit or deny parameter
protocol
source address and wildcard
destination address and wildcard
port number or name

In applying an ACL to a router interface, which traffic is designated as outbound?

Inbound and outbound are interpreted from the point of view of the router. Traffic that is designated in an inbound ACL will be denied or permitted when coming into that router interface from a source. Traffic that is designated in an outbound ACL will be denied or permitted when going out the interface to the destination.

Drag the descriptions of the packets on the left to the action that the router will perform on the right.

Which feature is unique to IPv6 ACLs when compared to those of IPv4 ACLs?

One of the major differences between IPv6 and IPv4 ACLs are two implicit permit ACEs at the end of any IPv6 ACL. These two permit ACEs allow neighbor discovery operations to function on the router interface.

Which two statements are correct about extended ACLs? (Choose two)

Extended ACLs can be used for precise traffic-filtering. Extended ACLs check for both source and destination addresses of packets. They also check the protocols and port numbers (or services), thus allowing for a greater range of criteria on which to base the ACL.

Which range represents all the IP addresses that are affected when network 10.120.160.0 with a wildcard mask of 0.0.7.255 is used in an ACE?

A wildcard mask of 0.0.7.255 means that the first 5 bits of the 3rd octet must remain the same but the last 3 bits can have values from 000 to 111. The last octet has a value of 255, which means the last octet can have values from all zeros to all 1s.

What two ACEs could be used to deny IP traffic from a single source host 10.1.1.1 to the 192.168.0.0/16 network? (Choose two.)

There are two ways to identify a single host in an access list entry. One, is to use the host keyword with the host IP address, the other is to use a wildcard mask of 0.0.0.0 with the host IP address. The source of the traffic to be inspected by the access list goes first in the syntax and the destination goes last.

A network administrator is designing an ACL. The networks 192.168.1.0/25, 192.168.0.0/25, 192.168.0.128/25, 192.168.1.128/26, and 192.168.1.192/26 are affected by the ACL. Which wildcard mask, if any, is the most efficient to use when specifying all of these networks in a single ACL permit entry?

A single ACL command and wildcard mask should not be used to specify these particular networks or other traffic will be permitted or denied and present a security risk. Write all of the network numbers in binary and determine the binary digits that are identical in consecutive bit positions from left to right. In this example, 23 bits match perfectly. The wildcard mask of 0.0.1.255 designates that 25 bits must match.

Fill in the blanks. Use dotted decimal format.
The wildcard mask that is associated with the network 192.168.12.0/24 is __

Advertisement

Which three values or sets of values are included when creating an extended access control list entry? (Choose three.)

What two functions describe uses of an access control list? (Choose two.)

Which command is used to activate an IPv6 ACL named ENG_ACL on an interface so that the router filters traffic prior to accessing the routing table?

For the purpose of applying an access list to a particular interface, the ipv6 traffic-filter IPv6 command is equivalent to the access-group IPv4 command. The direction in which the traffic is examined (in or out) is also required.

Which two packet filters could a network administrator use on an IPv4 extended ACL? (Choose two.)

Extended access lists commonly filter on source and destination IPv4 addresses and TCP or UDP port numbers. Additional filtering can be provided for protocol types.

Match each statement with the example subnet and wildcard that it describes. (Not all options are used.)

Which two statements describe the effect of the access control list wildcard mask 0.0.0.15? (Choose two.)

A wildcard mask uses 0s to indicate that bits must match. 0s in the first three octets represent 24 bits and four more zeros in the last octet, represent a total of 28 bits that must match. The four 1s represented by the decimal value of 15 represents the four bits to ignore.

The exhibit shows router R2 connected through int fa0/0 to a switch which in turn is connected to host with an IP address 192.168.1.1 /24. R2 is connected to another switch through interface fa0/1 and the switch is connected to a server with the IP address 192.168.2.1 /24.Refer to the exhibit. A network administrator wants to permit only host 192.168.1.1 /24 to be able to access the server 192.168.2.1 /24. Which three commands will achieve this using best ACL placement practices? (Choose three.)

An extended ACL is placed as close to the source of the traffic as possible. In this case.it is placed in an inbound direction on interface fa0/0 on R2 for traffic entering the router from host with the IP address192.168.1.1 bound for the server with the IP address192.168.2.1.

Refer to the exhibit. This ACL is applied on traffic outbound from the router on the interface that directly connects to the 10.0.70.5 server. A request for information from a secure web page is sent from host 10.0.55.23 and is destined for the 10.0.70.5 server. Which line of the access list will cause the router to take action (forward the packet onward or drop the packet)?

The first two lines of the ACL allow traffic from a particular application from the IP address 10.0.55.23 destined for 10.0.70.55. Because neither of these lines meets the criterion of request for information from a secure web page (port 443 is HTTPS) from 10.0.55.23 to the web server located at 10.0.70.5, no action is taken by the router. The third line is a match and because the “permission” is to deny the packet, the packet is dropped. No further examination is done by the router.

Refer to the exhibit. The IPv6 access list LIMITED_ACCESS is applied on the S0/0/0 interface of R1 in the inbound direction. Which IPv6 packets from the ISP will be dropped by the ACL on R1?

The access list LIMITED_ACCESS will block ICMPv6 packets from the ISP. Both port 80, HTTP traffic, and port 443, HTTPS traffic, are explicitly permitted by the ACL. The neighbor advertisements from the ISP router are implicitly permitted by the implicit permit icmp any any nd-na statement at the end of all IPv6 ACLs.

Which IPv6 ACL command entry will permit traffic from any host to an SMTP server on network 2001:DB8:10:10::/64?

The IPv6 access list statement, permit tcp any host 2001:DB8:10:10::100 eq 25, will allow IPv6 packets from any host to the SMTP server at 2001:DB8:10:10::100. The source of the packet is listed first in the ACL, which in this case is any source, and the destination is listed second, in this case the IPv6 address of the SMTP server. The port number is last in the statement, port 25, which is the well-known port for SMTP.

Advertisement

Which two ACE commands will block traffic that is destined for a web server which is listening to default ports? (Choose two.)

Traffic that is destined for a web server will use port 80 or 443. The keyword eq represents equal, gt represents greater than, and lt less than.

Refer to the exhibit. A network administrator is configuring an ACL to limit the connection to R1 vty lines to only the IT group workstations in the network 192.168.22.0/28. The administrator verifies the successful Telnet connections from a workstation with IP 192.168.22.5 to R1 before the ACL is applied. However, after the ACL is applied to the interface Fa0/0, Telnet connections are denied. What is the cause of the connection failure?

The source IP range in the deny ACE is 192.168.20.0 0.0.3.255, which covers IP addresses from 192.168.20.0 to 192.168.23.255. The IT group network 192.168.22.0/28 is included in the 192.168.20/22 network. Therefore, the connection is denied. To fix it, the order of the deny and permit ACE should be switched.