Добавил:
Опубликованный материал нарушает ваши авторские права? Сообщите нам.
Вуз: Предмет: Файл:
Cisco Press CCNA ICND 2004 - Cisco Press.pdf
Скачиваний:
122
Добавлен:
24.05.2014
Размер:
13.19 Mб
Скачать

546 Appendix A: Answers to the “Do I Know This Already?” Quizzes and Q&A Questions

Chapter 12

“Do I Know This Already?” Quiz

1.Barney is a host with IP address 10.1.1.1 in subnet 10.1.1.0/24. Which of the following are things that a standard IP ACL could be configured to do?

Answer: A, C. Standard ACLs check the source IP address. Option B is not possible with a single command. You would need multiple commands to match that set of IP addresses.

2.Which of the following fields cannot be compared based on an extended IP ACL?

Answer: E, F. Named extended ACLs can look for the same fields.

3.Which of the following fields can be compared using a named IP ACL but not a numbered extended IP ACL?

Answer: H. Named extended IP ACLs can match the exact same set of fields, as can numbered extended IP ACLs.

4.Which of the following wildcard masks is most useful for matching all IP packets in subnet 10.1.128.0, mask 255.255.255.0?

Answer: D. 0.0.0.255 matches all packets that have the same first three octets. This is useful when you want to match a subnet in which the subnet part comprises the first three octets, as in this case.

5.Which of the following wildcard masks is most useful for matching all IP packets in subnet 10.1.128.0, mask 255.255.240.0?

Answer: E. 0.0.15.255 matches all packets with the same first 20 bits. This is useful when you want to match a subnet in which the subnet part comprises the first 20 bits, as in this case.

6.Which of the following access-list commands permit traffic that matches packets going to a web server from 10.1.1.1 for all web servers whose IP addresses begin with 172.16.5?

Answer: A, E. The correct range of ACL numbers for extended IP access lists is 100 to 199 and 2000 to 2699.

Chapter 12 547

7.Which of the following access-list commands permits traffic that matches packets going to a web client from all web servers whose IP addresses begin with 172.16.5?

Answer: E. Because the packet is going toward a web client, you need to check for the web server’s port number as a source port. The client IP address range is not specified in the question, but the servers are, so the source address beginning with 172.16.5 is the correct answer.

8.What general guideline should be followed when placing IP ACLs, at least according to the ICND course on which CCNA is based?

Answer: C. Cisco makes this suggestion mainly for extended IP ACLs.

Q&A

1.Configure a numbered IP access list that stops packets from subnet 134.141.7.0 255.255.255.0 from exiting serial 0 on a router. Allow all other packets.

access-list 4 deny 134.141.7.0 0.0.0.255 access-list 4 permit any

interface serial 0 ip access-group 4 out

Answer: The first access-list statement denies packets from that subnet. The other statement is needed because the default action to deny packets is not explicitly matched in an access-list statement.

2.Configure an IP access list that allows only packets from subnet 193.7.6.0 255.255.255.0, going to hosts in network 128.1.0.0 and using a web server in 128.1.0.0, to enter serial 0 on a router.

access-list 105 permit tcp 193.7.6.0 0.0.0.255 128.1.0.0 0.0.255.255 eq www

!

interface serial 0

ip access-group 105 in

Answer: A deny all is implied at the end of the list.

3.How would a user who does not have the enable password find out what access lists have been configured and where they are enabled?

Answer: The show access-list command lists all access lists. The show ip interfaces command identify interfaces on which the access lists are enabled.

548 Appendix A: Answers to the “Do I Know This Already?” Quizzes and Q&A Questions

4.Configure and enable an IP access list that stops packets from subnet 10.3.4.0/24 from exiting serial interface S0 and that stops packets from 134.141.5.4 from entering S0. Permit all other traffic.

access-list 1 deny 10.3.4.0 0.0.0.255 access-list 1 permit any

access-list 2 deny host 134.141.5.4 access-list 2 permit any

interface serial 0 ip access-group 1 out ip access-group 2 in

5.Configure and enable an IP access list that allows packets from subnet 10.3.4.0/24, to any web server, to exit serial interface S0. Also allow packets from 134.141.5.4 going to all TCP-based servers using a well-known port to enter serial 0. Deny all other traffic.

access-list 101 permit tcp 10.3.4.0 0.0.0.255 any eq www access-list 102 permit tcp host 134.141.5.4 any lt 1023 interface serial 0

ip access-group 101 out ip access-group 102 in

Answer: Two extended access lists are required. List 101 permits packets in the first of the two criteria, in which packets exiting S0 are examined. List 102 permits packets for the second criterion, in which packets entering S0 are examined.

6.Can standard IP access lists be used to check the source IP address when enabled with the ip access-group 1 in command, and can they check the destination IP addresses when using the ip access-group 1 out command?

Answer: No. Standard IP access lists check only the source IP address, regardless of whether the packets are checked when inbound or outbound.

7.True or false: If all IP access-list statements in a particular list define the deny action, the default action is to permit all other packets.

Answer: False. The default action at the end of any IP access list is to deny all other packets.

Chapter 12 549

8.How many IP access lists of either type can be active on an interface at the same time?

Answer: Only one IP access list per interface, per direction, can be active. In other words, one inbound and one outbound are allowed, but no more.

For questions 9 through 11, assume that all parts of the network shown in Figure A-3 are up and working. IGRP is the IP routing protocol in use. Answer the questions following Example A-1, which contains an additional configuration in the Mayberry router.

Figure A-3 Network Diagram for Questions 9 Through 11

Andy Opie

180.3.5.13180.3.5.14

 

Subnet 180.3.5.0/24

 

Mayberry

s0

 

 

Frame Relay

 

Full Mesh

Subnet 180.3.6.0/24

s0

s0

Mount Pilot

Raleigh

Subnet 180.3.7.0/24

Subnet 144.155.3.0/24

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Beatrice

 

Floyd

Barney

 

Governor

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

144.155.3.99

Example A-1 Access List at Mayberry

access-list 44 permit 180.3.5.13 0.0.0.0

!

interface serial 0

ip access-group 44 out

550Appendix A: Answers to the “Do I Know This Already?” Quizzes and Q&A Questions

9.Describe the types of packets that this filter discards, and specify at what point they are discarded.

Answer: Only packets coming from Andy exit Mayberry’s serial 0 interface. Packets originating inside the Mayberry router—such as a ping command issued from Mayberry—work because the Cisco IOS software does not filter packets originating in that router. Opie is still out of luck—he’ll never get (a packet) out of Mayberry!

10.Does the access list shown in Example A-1 stop packets from getting to web server Governor? Why or why not?

Answer: Packets from Andy can get to web server Governor. Packets from Mount Pilot can be delivered to Governor if the route points directly from Mount Pilot to Raleigh so that the packets do not pass through Mayberry. Therefore, the access list, as coded, stops only hosts other than Andy on the Mayberry Ethernet from reaching web server Governor.

11.Referring to Figure A-3, create and enable access lists so that access to web server Governor is allowed from hosts at any site and so that no other access to hosts in Raleigh is allowed.

! this access list is enabled on the Raleigh router

access-list 130 permit tcp 180.3.5.0 0.0.0.255 host 144.155.3.99 eq www access-list 130 permit tcp 180.3.7.0 0.0.0.255 host 144.155.3.99 eq www

!

interface serial 0

ip access-group 130 in

Answer: This access list performs the function and also filters IGRP updates. That is part of the danger of inbound access lists. With outbound lists, the router does not filter packets originating in that router. With inbound access lists, all packets entering the interface are examined and can be filtered. An IGRP protocol type is allowed in the extended access-list command; therefore, this problem can be easily solved by matching IGRP updates. The command access-list 130 permit igrp any any performs the needed matching of IGRP updates, permitting those packets. (This command needs to appear before any statements in list 130 that might match IGRP updates.)

12.Name all the items that a standard IP access list can examine to make a match.

Answer:

Source IP address

Subset of the entire source address (using a mask)

Chapter 12 551

13.Name all the items that an extended IP access list can examine to make a match.

Answer: Protocol type Source port Source IP address

Subset of the entire source address (using a mask) Destination port

Destination IP address

Subset of the entire destination address (using a mask)

14.True or false: When you use extended IP access lists to restrict vty access, the matching logic is a best match of the list rather than a first match in the list.

Answer: False. Access list logic is always a first match for any application of the list.

15.In a standard numbered IP access list with three statements, a no version of the first statement is issued in configuration mode. Immediately following, another access list configuration command is added for the same access list. How many statements are in the list now, and in what position is the newly added statement?

Answer: Only one statement remains in the list: the newly added statement. The no access-list x command deletes the entire access list, even if you enter all the parameters in an individual command when issuing the no version of the command.

16.In a standard named IP access list with three statements, a no version of the first statement is issued in configuration mode. Immediately following, another access list configuration command is added for the same access list. How many statements are in the list now, and in what position is the newly added statement?

Answer: Three statements remain in the list, with the newly added statement at the end of the list. The no deny | permit... command deletes only that single named access list subcommand in named lists. However, when the command is added again, it cannot be placed anywhere except at the end of the list.

17.Name all the items that a named standard IP access list can examine to make a match.

Answer:

Source IP address

Subset of the entire source address (using a mask)

Named standard IP access lists match the same items that numbered IP access lists match.

552 Appendix A: Answers to the “Do I Know This Already?” Quizzes and Q&A Questions

18.Configure a named IP access list that stops packets from subnet 134.141.7.0 255.255.255.0 from exiting serial 0 on a router. Allow all other packets.

ip access-list standard fred deny 134.141.7.0 0.0.0.255 permit any

!

interface serial 0

ip access-group fred out

Answer: The first access-list statement denies packets from that subnet. The other statement is needed because the default action to deny packets is not explicitly matched in an access-list statement.

19.Configure a named IP access list that allows only packets from subnet 193.7.6.0 255.255.255.0, going to hosts in network 128.1.0.0 and using a web server in 128.1.0.0, to enter serial 0 on a router.

ip access-list extended barney

permit tcp 193.7.6.0 0.0.0.255 128.1.0.0 0.0.255.255 eq www

!

interface serial 0

ip access-group barney in

Answer: A deny all is implied at the end of the list.

20.List the types of IP access lists (numbered standard, numbered extended, named standard, named extended) that can be enabled to prevent Telnet access into a router.

What commands would be used to enable this function, assuming that access-list 2 was already configured to match the right packets?

Answer: Any type of IP access list can be enabled to prevent vty access. The command line vty 0 4, followed by ip access-class 2 in, enables the feature using access list 2. Because ACLs used for preventing Telnet access into a router check only the source IP address, there is no need for an extended ACL in this case, anyway.

21.What command lists the IP extended access lists enabled on serial 1 without showing other interfaces?

Answer: The show ip interface serial 1 command lists the names and numbers of the IP access lists enabled on serial 1.

Chapter 12 553

22.Name all the items that a named extended IP access list can examine to make a match.

Answer: Protocol type Source port Source IP address

Subset of the entire source address (using a mask) Destination port

Destination IP address

Subset of the entire destination address (using a mask)

These are the same things that can be matched with a numbered extended IP access list.

A P P E N D I X B

Decimal to Binary

Conversion Table

Decimal Value

Binary Value

Decimal Value

Binary Value

 

 

 

 

0

0000 0000

23

0001 0111

 

 

 

 

1

0000 0001

24

0001 1000

 

 

 

 

2

0000 0010

25

0001 1001

 

 

 

 

3

0000 0011

26

0001 1010

 

 

 

 

4

0000 0100

27

0001 1011

 

 

 

 

5

0000 0101

28

0001 1100

 

 

 

 

6

0000 0110

29

0001 1101

 

 

 

 

7

0000 0111

30

0001 1110

 

 

 

 

8

0000 1000

31

0001 1111

 

 

 

 

9

0000 1001

32

0010 0000

 

 

 

 

10

0000 1010

33

0010 0001

 

 

 

 

11

0000 1011

34

0010 0010

 

 

 

 

12

0000 1100

35

0010 0011

 

 

 

 

13

0000 1101

36

0010 0100

 

 

 

 

14

0000 1110

37

0010 0101

 

 

 

 

15

0000 1111

38

0010 0110

 

 

 

 

16

0001 0000

39

0010 0111

 

 

 

 

17

0001 0001

40

0010 1000

 

 

 

 

18

0001 0010

41

0010 1001

 

 

 

 

19

0001 0011

42

0010 1010

 

 

 

 

20

0001 0100

43

0010 1011

 

 

 

 

21

0001 0101

44

0010 1100

 

 

 

 

22

0001 0110

45

0010 1101

 

 

 

 

continues

556 Appendix B: Decimal to Binary Conversion Table

Decimal Value

Binary Value

Decimal Value

Binary Value

 

 

 

 

46

0010 1110

76

0100 1100

 

 

 

 

47

0010 1111

77

0100 1101

 

 

 

 

48

0011 0000

78

0100 1110

 

 

 

 

49

0011 0001

79

0100 1111

 

 

 

 

50

0011 0010

80

0101 0000

 

 

 

 

51

0011 0011

81

0101 0001

 

 

 

 

52

0011 0100

82

0101 0010

 

 

 

 

53

0011 0101

83

0101 0011

 

 

 

 

54

0011 0110

84

0101 0100

 

 

 

 

55

0011 0111

85

0101 0101

 

 

 

 

56

0011 1000

86

0101 0110

 

 

 

 

57

0011 1001

87

0101 0111

 

 

 

 

58

0011 1010

88

0101 1000

 

 

 

 

59

0011 1011

89

0101 1001

 

 

 

 

60

0011 1100

90

0101 1010

 

 

 

 

61

0011 1101

91

0101 1011

 

 

 

 

62

0011 1110

92

0101 1100

 

 

 

 

63

0011 1111

93

0101 1101

 

 

 

 

64

0100 0000

94

0101 1110

 

 

 

 

65

0100 0001

95

0101 1111

 

 

 

 

66

0100 0010

96

0110 0000

 

 

 

 

67

0100 0011

97

0110 0001

 

 

 

 

68

0100 0100

98

0110 0010

 

 

 

 

69

0100 0101

99

0110 0011

 

 

 

 

70

0100 0110

100

0110 0100

 

 

 

 

71

0100 0111

101

0110 0101

 

 

 

 

72

0100 1000

102

0110 0110

 

 

 

 

73

0100 1001

103

0110 0111

 

 

 

 

74

0100 1010

104

0110 1000

 

 

 

 

75

0100 1011

105

0110 1001

 

 

 

 

Decimal to Binary Conversion Table 557

Decimal Value

Binary Value

Decimal Value

Binary Value

 

 

 

 

106

0110 1010

136

1000 1000

 

 

 

 

107

0110 1011

137

1000 1001

 

 

 

 

108

0110 1100

138

1000 1010

 

 

 

 

109

0110 1101

139

1000 1011

 

 

 

 

110

0110 1110

140

1000 1100

 

 

 

 

111

0110 1111

141

1000 1101

 

 

 

 

112

0111 0000

142

1000 1110

 

 

 

 

113

0111 0001

143

1000 1111

 

 

 

 

114

0111 0010

144

1001 0000

 

 

 

 

115

0111 0011

145

1001 0001

 

 

 

 

116

0111 0100

146

1001 0010

 

 

 

 

117

0111 0101

147

1001 0011

 

 

 

 

118

0111 0110

148

1001 0100

 

 

 

 

119

0111 0111

149

1001 0101

 

 

 

 

120

0111 1000

150

1001 0110

 

 

 

 

121

0111 1001

151

1001 0111

 

 

 

 

122

0111 1010

152

1001 1000

 

 

 

 

123

0111 1011

153

1001 1001

 

 

 

 

124

0111 1100

154

1001 1010

 

 

 

 

125

0111 1101

155

1001 1011

 

 

 

 

126

0111 1110

156

1001 1100

 

 

 

 

127

0111 1111

157

1001 1101

 

 

 

 

128

1000 0000

158

1001 1110

 

 

 

 

129

1000 0001

159

1001 1111

 

 

 

 

130

1000 0010

160

1010 0000

 

 

 

 

131

1000 0011

161

1010 0001

 

 

 

 

132

1000 0100

162

1010 0010

 

 

 

 

133

1000 0101

163

1010 0011

 

 

 

 

134

1000 0110

164

1010 0100

 

 

 

 

135

1000 0111

165

1010 0101

 

 

 

 

continues

558 Appendix B: Decimal to Binary Conversion Table

Decimal Value

Binary Value

Decimal Value

Binary Value

 

 

 

 

166

1010 0110

196

1100 0100

 

 

 

 

167

1010 0111

197

1100 0101

 

 

 

 

168

1010 1000

198

1100 0110

 

 

 

 

169

1010 1001

199

1100 0111

 

 

 

 

170

1010 1010

200

1100 1000

 

 

 

 

171

1010 1011

201

1100 1001

 

 

 

 

172

1010 1100

202

1100 1010

 

 

 

 

173

1010 1101

203

1100 1011

 

 

 

 

174

1010 1110

204

1100 1100

 

 

 

 

175

1010 1111

205

1100 1101

 

 

 

 

176

1011 0000

206

1100 1110

 

 

 

 

177

1011 0001

207

1100 1111

 

 

 

 

178

1011 0010

208

1101 0000

 

 

 

 

179

1011 0011

209

1101 0001

 

 

 

 

180

1011 0100

210

1101 0010

 

 

 

 

181

1011 0101

211

1101 0011

 

 

 

 

182

1011 0110

212

1101 0100

 

 

 

 

183

1011 0111

213

1101 0101

 

 

 

 

184

1011 1000

214

1101 0110

 

 

 

 

185

1011 1001

215

1101 0111

 

 

 

 

186

1011 1010

216

1101 1000

 

 

 

 

187

1011 1011

217

1101 1001

 

 

 

 

188

1011 1100

218

1101 1010

 

 

 

 

189

1011 1101

219

1101 1011

 

 

 

 

190

1011 1110

220

1101 1100

 

 

 

 

191

1011 1111

221

1101 1101

 

 

 

 

192

1100 0000

222

1101 1110

 

 

 

 

193

1100 0001

223

1101 1111

 

 

 

 

194

1100 0010

224

1110 0000

 

 

 

 

195

1100 0011

225

1110 0001

 

 

 

 

Decimal to Binary Conversion Table 559

Decimal Value

Binary Value

Decimal Value

Binary Value

 

 

 

 

226

1110 0010

 

 

 

 

 

 

227

1110 0011

 

 

 

 

 

 

228

1110 0100

 

 

 

 

 

 

229

1110 0101

 

 

 

 

 

 

230

1110 0110

 

 

 

 

 

 

231

1110 0111

 

 

 

 

 

 

232

1110 1000

 

 

 

 

 

 

233

1110 1001

 

 

 

 

 

 

234

1110 1010

 

 

 

 

 

 

235

1110 1011

 

 

 

 

 

 

236

1110 1100

 

 

 

 

 

 

237

1110 1101

 

 

 

 

 

 

238

1110 1110

 

 

 

 

 

 

239

1110 1111

 

 

 

 

 

 

240

1111 0000

 

 

 

 

 

 

241

1111 0001

 

 

 

 

 

 

242

1111 0010

 

 

 

 

 

 

243

1111 0011

 

 

 

 

 

 

244

1111 0100

 

 

 

 

 

 

245

1111 0101

 

 

 

 

 

 

246

1111 0110

 

 

 

 

 

 

247

1111 0111

 

 

 

 

 

 

248

1111 1000

 

 

 

 

 

 

249

1111 1001

 

 

 

 

 

 

250

1111 1010

 

 

 

 

 

 

251

1111 1011

 

 

 

 

 

 

252

1111 1100

 

 

 

 

 

 

253

1111 1101

 

 

 

 

 

 

254

1111 1110

 

 

 

 

 

 

255

1111 1111