546 Appendix A: Answers to the “Do I Know This Already?” Quizzes and Q&A Questions

Chapter 12

“Do I Know This Already?” Quiz

1.Barney is a host with IP address 10.1.1.1 in subnet 10.1.1.0/24. Which of the following are things that a standard IP ACL could be configured to do?

Answer: A, C. Standard ACLs check the source IP address. Option B is not possible with a single command. You would need multiple commands to match that set of IP addresses.

2.Which of the following fields cannot be compared based on an extended IP ACL?

Answer: E, F. Named extended ACLs can look for the same fields.

3.Which of the following fields can be compared using a named IP ACL but not a numbered extended IP ACL?

Answer: H. Named extended IP ACLs can match the exact same set of fields, as can numbered extended IP ACLs.

4.Which of the following wildcard masks is most useful for matching all IP packets in subnet 10.1.128.0, mask 255.255.255.0?

Answer: D. 0.0.0.255 matches all packets that have the same first three octets. This is useful when you want to match a subnet in which the subnet part comprises the first three octets, as in this case.

5.Which of the following wildcard masks is most useful for matching all IP packets in subnet 10.1.128.0, mask 255.255.240.0?

Answer: E. 0.0.15.255 matches all packets with the same first 20 bits. This is useful when you want to match a subnet in which the subnet part comprises the first 20 bits, as in this case.

6.Which of the following access-list commands permit traffic that matches packets going to a web server from 10.1.1.1 for all web servers whose IP addresses begin with 172.16.5?

Answer: A, E. The correct range of ACL numbers for extended IP access lists is 100 to 199 and 2000 to 2699.

Chapter 12 547

7.Which of the following access-list commands permits traffic that matches packets going to a web client from all web servers whose IP addresses begin with 172.16.5?

Answer: E. Because the packet is going toward a web client, you need to check for the web server’s port number as a source port. The client IP address range is not specified in the question, but the servers are, so the source address beginning with 172.16.5 is the correct answer.

8.What general guideline should be followed when placing IP ACLs, at least according to the ICND course on which CCNA is based?

Answer: C. Cisco makes this suggestion mainly for extended IP ACLs.

Q&A

1.Configure a numbered IP access list that stops packets from subnet 134.141.7.0 255.255.255.0 from exiting serial 0 on a router. Allow all other packets.

access-list 4 deny 134.141.7.0 0.0.0.255 access-list 4 permit any

interface serial 0 ip access-group 4 out

Answer: The first access-list statement denies packets from that subnet. The other statement is needed because the default action to deny packets is not explicitly matched in an access-list statement.

2.Configure an IP access list that allows only packets from subnet 193.7.6.0 255.255.255.0, going to hosts in network 128.1.0.0 and using a web server in 128.1.0.0, to enter serial 0 on a router.

access-list 105 permit tcp 193.7.6.0 0.0.0.255 128.1.0.0 0.0.255.255 eq www

!

interface serial 0

ip access-group 105 in

Answer: A deny all is implied at the end of the list.

3.How would a user who does not have the enable password find out what access lists have been configured and where they are enabled?

Answer: The show access-list command lists all access lists. The show ip interfaces command identify interfaces on which the access lists are enabled.

548 Appendix A: Answers to the “Do I Know This Already?” Quizzes and Q&A Questions

4.Configure and enable an IP access list that stops packets from subnet 10.3.4.0/24 from exiting serial interface S0 and that stops packets from 134.141.5.4 from entering S0. Permit all other traffic.

access-list 1 deny 10.3.4.0 0.0.0.255 access-list 1 permit any

access-list 2 deny host 134.141.5.4 access-list 2 permit any

interface serial 0 ip access-group 1 out ip access-group 2 in

5.Configure and enable an IP access list that allows packets from subnet 10.3.4.0/24, to any web server, to exit serial interface S0. Also allow packets from 134.141.5.4 going to all TCP-based servers using a well-known port to enter serial 0. Deny all other traffic.

access-list 101 permit tcp 10.3.4.0 0.0.0.255 any eq www access-list 102 permit tcp host 134.141.5.4 any lt 1023 interface serial 0

ip access-group 101 out ip access-group 102 in

Answer: Two extended access lists are required. List 101 permits packets in the first of the two criteria, in which packets exiting S0 are examined. List 102 permits packets for the second criterion, in which packets entering S0 are examined.

6.Can standard IP access lists be used to check the source IP address when enabled with the ip access-group 1 in command, and can they check the destination IP addresses when using the ip access-group 1 out command?

Answer: No. Standard IP access lists check only the source IP address, regardless of whether the packets are checked when inbound or outbound.

7.True or false: If all IP access-list statements in a particular list define the deny action, the default action is to permit all other packets.

Answer: False. The default action at the end of any IP access list is to deny all other packets.

Chapter 12 549

8.How many IP access lists of either type can be active on an interface at the same time?

Answer: Only one IP access list per interface, per direction, can be active. In other words, one inbound and one outbound are allowed, but no more.

For questions 9 through 11, assume that all parts of the network shown in Figure A-3 are up and working. IGRP is the IP routing protocol in use. Answer the questions following Example A-1, which contains an additional configuration in the Mayberry router.

Figure A-3 Network Diagram for Questions 9 Through 11

Andy Opie

180.3.5.13180.3.5.14

Example A-1 Access List at Mayberry

access-list 44 permit 180.3.5.13 0.0.0.0

!

interface serial 0

ip access-group 44 out

550Appendix A: Answers to the “Do I Know This Already?” Quizzes and Q&A Questions

9.Describe the types of packets that this filter discards, and specify at what point they are discarded.

Answer: Only packets coming from Andy exit Mayberry’s serial 0 interface. Packets originating inside the Mayberry router—such as a ping command issued from Mayberry—work because the Cisco IOS software does not filter packets originating in that router. Opie is still out of luck—he’ll never get (a packet) out of Mayberry!

10.Does the access list shown in Example A-1 stop packets from getting to web server Governor? Why or why not?

Answer: Packets from Andy can get to web server Governor. Packets from Mount Pilot can be delivered to Governor if the route points directly from Mount Pilot to Raleigh so that the packets do not pass through Mayberry. Therefore, the access list, as coded, stops only hosts other than Andy on the Mayberry Ethernet from reaching web server Governor.

11.Referring to Figure A-3, create and enable access lists so that access to web server Governor is allowed from hosts at any site and so that no other access to hosts in Raleigh is allowed.

! this access list is enabled on the Raleigh router

access-list 130 permit tcp 180.3.5.0 0.0.0.255 host 144.155.3.99 eq www access-list 130 permit tcp 180.3.7.0 0.0.0.255 host 144.155.3.99 eq www

!

interface serial 0

ip access-group 130 in

Answer: This access list performs the function and also filters IGRP updates. That is part of the danger of inbound access lists. With outbound lists, the router does not filter packets originating in that router. With inbound access lists, all packets entering the interface are examined and can be filtered. An IGRP protocol type is allowed in the extended access-list command; therefore, this problem can be easily solved by matching IGRP updates. The command access-list 130 permit igrp any any performs the needed matching of IGRP updates, permitting those packets. (This command needs to appear before any statements in list 130 that might match IGRP updates.)

12.Name all the items that a standard IP access list can examine to make a match.

Answer:

Source IP address

Subset of the entire source address (using a mask)

Chapter 12 551

13.Name all the items that an extended IP access list can examine to make a match.

Answer: Protocol type Source port Source IP address

Subset of the entire source address (using a mask) Destination port

Destination IP address

Subset of the entire destination address (using a mask)

14.True or false: When you use extended IP access lists to restrict vty access, the matching logic is a best match of the list rather than a first match in the list.

Answer: False. Access list logic is always a first match for any application of the list.

15.In a standard numbered IP access list with three statements, a no version of the first statement is issued in configuration mode. Immediately following, another access list configuration command is added for the same access list. How many statements are in the list now, and in what position is the newly added statement?

Answer: Only one statement remains in the list: the newly added statement. The no access-list x command deletes the entire access list, even if you enter all the parameters in an individual command when issuing the no version of the command.

16.In a standard named IP access list with three statements, a no version of the first statement is issued in configuration mode. Immediately following, another access list configuration command is added for the same access list. How many statements are in the list now, and in what position is the newly added statement?

Answer: Three statements remain in the list, with the newly added statement at the end of the list. The no deny | permit... command deletes only that single named access list subcommand in named lists. However, when the command is added again, it cannot be placed anywhere except at the end of the list.

17.Name all the items that a named standard IP access list can examine to make a match.

Answer:

Source IP address

Subset of the entire source address (using a mask)

Named standard IP access lists match the same items that numbered IP access lists match.

552 Appendix A: Answers to the “Do I Know This Already?” Quizzes and Q&A Questions

18.Configure a named IP access list that stops packets from subnet 134.141.7.0 255.255.255.0 from exiting serial 0 on a router. Allow all other packets.

ip access-list standard fred deny 134.141.7.0 0.0.0.255 permit any

!

interface serial 0

ip access-group fred out

Answer: The first access-list statement denies packets from that subnet. The other statement is needed because the default action to deny packets is not explicitly matched in an access-list statement.

19.Configure a named IP access list that allows only packets from subnet 193.7.6.0 255.255.255.0, going to hosts in network 128.1.0.0 and using a web server in 128.1.0.0, to enter serial 0 on a router.

ip access-list extended barney

permit tcp 193.7.6.0 0.0.0.255 128.1.0.0 0.0.255.255 eq www

!

interface serial 0

ip access-group barney in

Answer: A deny all is implied at the end of the list.

20.List the types of IP access lists (numbered standard, numbered extended, named standard, named extended) that can be enabled to prevent Telnet access into a router.

What commands would be used to enable this function, assuming that access-list 2 was already configured to match the right packets?

Answer: Any type of IP access list can be enabled to prevent vty access. The command line vty 0 4, followed by ip access-class 2 in, enables the feature using access list 2. Because ACLs used for preventing Telnet access into a router check only the source IP address, there is no need for an extended ACL in this case, anyway.

21.What command lists the IP extended access lists enabled on serial 1 without showing other interfaces?

Answer: The show ip interface serial 1 command lists the names and numbers of the IP access lists enabled on serial 1.

Chapter 12 553

22.Name all the items that a named extended IP access list can examine to make a match.

Answer: Protocol type Source port Source IP address

Subset of the entire source address (using a mask) Destination port

Destination IP address

Subset of the entire destination address (using a mask)

These are the same things that can be matched with a numbered extended IP access list.

556 Appendix B: Decimal to Binary Conversion Table

558 Appendix B: Decimal to Binary Conversion Table

Decimal to Binary Conversion Table 559