
To define an extended IP access list, use the extended version of the access-list command in global configuration mode. To remove the access lists, use the no form of this command.

access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} protocol source source-wildcard destination destination-wildcard

The source address is that of Workstation A, i.e. 172.16.161.150, and the destination address is that of Server 1, i.e. 172.16.162.163.

The access list will be placed on the FA0/0 of Router TK1.

QUESTION NO: 14

Which wild card mask will enable a network administrator to permit access to the Internet for only hosts that are assigned an address in the range 192.168.8.0 through 192.168.15.255?

A. 0.0.0.0

B. 0.0.0.255

C. 0.0.255.255

D. 0.0.7.255

E. 0.0.3.255

F. None of the above

Answer: D

Explanation:

Wildcard mask summarization example:

This list describes how to summarize a range of networks into a single network for ACL optimization. Consider these networks.

192.168.32.0/24

192.168.33.0/24

192.168.34.0/24

192.168.35.0/24

192.168.36.0/24

192.168.37.0/24

192.168.38.0/24

192.168.39.0/24

The first two octets and the last octet are the same for each network; only the third octet differs, so that is the octet that has to be summarized into a single network.

Leading the way in IT testing and certification tools, www.testking.com

- 581 -

The third octet of each of the above networks, written in binary by bit position (128 64 32 16 8 4 2 1), is:

    32 = 0 0 1 0 0 0 0 0
    33 = 0 0 1 0 0 0 0 1
    34 = 0 0 1 0 0 0 1 0
    35 = 0 0 1 0 0 0 1 1
    36 = 0 0 1 0 0 1 0 0
    37 = 0 0 1 0 0 1 0 1
    38 = 0 0 1 0 0 1 1 0
    39 = 0 0 1 0 0 1 1 1

Since the first five bits match, the eight networks can be summarized into one network (192.168.32.0/21, or 192.168.32.0 255.255.248.0). All eight combinations of the three low-order bits fall inside the range in question, so the summary covers exactly these networks and nothing more. The wildcard mask is obtained by subtracting the normal mask 255.255.248.0 from 255.255.255.255, which yields 0.0.7.255. The same reasoning applied to the question's range 192.168.8.0 through 192.168.15.255 (third octet 00001000 through 00001111, first five bits identical) gives 192.168.8.0 0.0.7.255, i.e. answer D. The following command defines an ACL that permits the summarized network:

access-list acl_permit permit ip 192.168.32.0 0.0.7.255

Reference: http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml#top

QUESTION NO: 15

Two TestKing routers are connected as shown below:


A network administrator in Miami has been instructed to prevent all traffic originating on the Chicago LAN from entering the Miami router. Which statement would accomplish this filtering?

A. access-list 101 deny ip 192.168.45.0 0.0.0.255 any

B. access-list 101 deny ip 192.168.45.0 0.0.0.0 any

C. access-list 101 deny ip 192.168.46.0 0.0.0.255 192.168.45.0 0.0.0.255

D. access-list 101 deny ip 192.168.46.0 0.0.0.255 any

Answer: A

Explanation:

Using an access list we can permit or deny packets from different hosts or networks. There are two types of access list: standard and extended.

A standard access list can permit or deny traffic only on the basis of the source address. An extended access list can permit or deny on the basis of source, destination, protocol, port and so on.

Syntax of standard Access List:

access-list ACL number permit | deny protocol source address netmask service

QUESTION NO: 16

The TestKing network is shown in the following exhibit:


Refer to the graphic. A named access list called records_block has been written to prevent student and Internet access to the records server. All other users within the enterprise should have access to this server. The list was applied to the e0 interface of the Ken router in the outbound direction. Which of the following conditions should the access list contain to meet these requirements? (Choose two.)

A. deny 172.16.64.252 0.0.0.0 172.16.62.0 0.0.0.255

B. deny 172.16.62.0 0.0.0.255 172.16.64.252 0.0.0.0

C. deny 172.16.64.252 0.0.0.0 any

D. permit 172.16.64.252 0.0.0.0 172.16.0.0 0.0.255.255

E. permit 172.16.0.0 0.0.255.255 172.16.64.252 0.0.0.0

F. permit any any

Answer: B, E

Explanation:

When you create a named access list, you can start your policy with either a permit or a deny. As per the question, traffic from the Internet and from the student network needs to be blocked, and the student network is 172.16.62.0/24.


The "deny 172.16.62.0 0.0.0.255 172.16.64.252 0.0.0.0" entry denies hosts on the student network access to the Records Server. If no other network is permitted afterwards, the implicit deny at the end of the list blocks everything else.

The "permit 172.16.0.0 0.0.255.255 172.16.64.252 0.0.0.0" allows all other hosts from the 172.16 network to access the Record Server. The implicit deny all will then block Internet users from accessing the records server.

QUESTION NO: 17

You are securing a network for TestKing and want to apply an ACL (access control list) to an interface of a router. Which one of the following commands would you use?

A. permit access-list 101 out

B. ip access-group 101 out

C. apply access-list 101 out

D. access-class 101 out

E. ip access-list e0 out

F. None of the above

Answer: B

Explanation:

To enable an ACL on an interface and define the direction of packets to which the ACL is applied, the ip access-group command is used. In this example, the access list is applied to packets going out of the interface. Packets coming in on the interface are not checked against access list 101.

QUESTION NO: 18

The following access list was applied outbound on the E0 interface connected to the 192.169.1.8/29 LAN:

access-list 135 deny tcp 192.169.1.8 0.0.0.7 eq 20 any

access-list 135 deny tcp 192.169.1.8 0.0.0.7 eq 21 any

How will the above access list affect traffic?

A. FTP traffic from 192.169.1.22 will be denied.

B. No traffic, except for FTP traffic, will be allowed to exit E0.


C. FTP traffic from 192.169.1.9 to any host will be denied.

D. All traffic exiting E0 will be denied.

E. All FTP traffic to network 192.169.1.9/29 will be denied.

Answer: D

Explanation:

When an access list is created, an implicit deny all entry is created at the end. Therefore, each access list created needs to have at least one permit statement, otherwise it will have the effect of prohibiting all traffic. If the intent in this example was to block only certain hosts from being able to FTP, then the following line should have been included at the end of the access list:

Router(config)#access-list 135 permit ip any any
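An added example, not from the Testking material, that works through two points from this section: the Q14 wildcard-mask summarization (supernet the range, then subtract the normal mask from 255.255.255.255) and the Q18 top-down evaluation that ends in an implicit deny-all. The entries are access-list 135 from Q18 written as data; the packets are constructed samples.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF


def summarize(networks):
    """Aggregate a list of networks into the smallest single block covering them
    and return it the way a Cisco ACL writes it: (network, wildcard mask)."""
    nets = [ipaddress.ip_network(n) for n in networks]
    agg = nets[0]
    while not all(n.subnet_of(agg) for n in nets):
        agg = agg.supernet()  # drop one prefix bit until every network fits
    # wildcard = 255.255.255.255 - normal mask, the arithmetic from the Q14 explanation
    wildcard = ipaddress.IPv4Address(ALL_ONES - int(agg.netmask))
    return str(agg), str(wildcard)


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'do not care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & ALL_ONES
    return (a & care) == (b & care)


def evaluate(acl, pkt):
    """Walk an extended ACL top-down and return the action of the first matching
    entry; with no permit entry the implicit deny-all at the end catches everything."""
    for e in acl:
        if e["proto"] not in ("ip", pkt["proto"]):
            continue
        if not wildcard_match(pkt["src"], *e["src"]) or not wildcard_match(pkt["dst"], *e["dst"]):
            continue
        if e.get("sport") not in (None, pkt.get("sport")) or e.get("dport") not in (None, pkt.get("dport")):
            continue
        return e["action"]
    return "deny"  # implicit deny ip any any


ANY = ("0.0.0.0", "255.255.255.255")
# access-list 135 from Q18 as data; "eq 20" placed after the source matches the source port
ACL_135 = [
    {"action": "deny", "proto": "tcp", "src": ("192.169.1.8", "0.0.0.7"), "sport": 20, "dst": ANY},
    {"action": "deny", "proto": "tcp", "src": ("192.169.1.8", "0.0.0.7"), "sport": 21, "dst": ANY},
]
PERMIT_ANY = {"action": "permit", "proto": "ip", "src": ANY, "dst": ANY}

# constructed sample packets leaving the 192.169.1.8/29 LAN
WEB_FROM_LAN = {"proto": "tcp", "src": "192.169.1.9", "dst": "203.0.113.5", "sport": 51000, "dport": 80}
FTP_DATA_FROM_LAN = {"proto": "tcp", "src": "192.169.1.9", "dst": "203.0.113.5", "sport": 20, "dport": 51001}
```

Without the trailing permit, evaluate(ACL_135, WEB_FROM_LAN) returns "deny" from the implicit entry; appending PERMIT_ANY lets the web packet through while the FTP data packet is still denied by the explicit entry.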

QUESTION NO: 19

Study the following network diagram displaying the Testking network:


With the goal of preventing the accounting department from gaining access to the HR server, the following access list is created:

access-list 19 deny 192.168.16.128 0.0.0.31

access-list 19 permit any

All other traffic is to be permitted through the network. On which interface and in what direction should the access list be applied?

A.TestKing1 S0, out.

B.TestKing1 E1, in.

C.TestKing1 E1, out.

D.TestKing2 S1, in.


E.TestKing2 E0, out.

F.TestKing2 E0, in.

Answer: E

Explanation:

Since this is a standard access list it should be placed near the destination. Standard access lists only match against the source IP address, so placing this access list anywhere else will prevent traffic from the Accounting department to other areas of the network.

QUESTION NO: 20

The Testking network is displayed below:


You want to apply an access list to the e0 interface on the TestKing1 router, with the goal of halting HTTPS traffic from the Production Department from reaching the HR server via the TestKing2 router. Which of the following access lists would you use?

A. Permit ip any any
   Deny tcp 172.16.16.0 0.0.0.255 172.17.17.252 0.0.0.0 eq 443

B. Permit ip any any
   Deny tcp 172.17.17.252 0.0.0.0 172.16.16.0 0.0.0.255 eq 443

C. Deny tcp 172.17.17.252 0.0.0.0 172.16.16.0 0.0.0.255 eq 443
   Permit ip any any

D. Deny tcp 172.16.16.0 0.0.0.255 172.17.17.252 0.0.0.0 eq 443
   Permit ip any any

Answer: D

Explanation:

This problem is straightforward: the question tells you where to place the access list, so all you have to do is select the right one. You have to deny HTTPS traffic (TCP port 443) from the Production network to the HR server as it crosses TestKing1's e0, while allowing everything else. This is accomplished by "Deny tcp 172.16.16.0 0.0.0.255 172.17.17.252 0.0.0.0 eq 443" followed by "Permit ip any any".

Incorrect Answers:

In the other choices either the order of the statements is reversed (an access list is evaluated from the top down, so every packet would match the first statement and be permitted) or the source and destination addresses are swapped.

QUESTION NO: 21

Two TestKing routers are connected together as shown below:


The access list shown should deny all hosts located on network 172.16.1.0, except host 172.16.1.5, from accessing the 172.16.4.0 network. All other networks should be accessible. Which command sequence will correctly apply this access list?

A. TestKing1(config)#interface fa0/0
   TestKing1(config-if)#ip access-group 10 in

B. TestKing1(config)#interface s0/0
   TestKing1(config-if)#ip access-group 10 out

C. TestKing2(config)#interface fa0/1
   TestKing2(config-if)#ip access-group 10 out

D. TestKing2(config)#interface fa0/0
   TestKing2(config-if)#ip access-group 10 out

E. TestKing2(config)#interface s0/1
   TestKing2(config-if)#ip access-group 10 out

Answer: D

Explanation:
