Testking_640-802_V13.pdf (added 03.05.2015)
Unauthorized users have used Telnet to gain access to the TestKing router. The network administrator wants to configure and apply an access list to allow Telnet access to the router, but only from the network administrator's computer. Which group of commands would be the best choice to allow only the IP address 172.16.3.3 to have Telnet access to the router?

A. access-list 101 permit tcp any host 172.16.3.3 eq telnet

access-list 101 permit ip any any

interface s0/0

ip access-group 101 in

B. access-list 3 permit host 172.16.3.3

line vty 0 4

ip access-group 3 in

C. access-list 101 permit tcp any host 172.16.3.3 eq telnet

interface s0/0

ip access-group 101 in

D. access-list 3 permit host 172.16.3.3

line vty 0 4

access-class 3 in

Answer: D

Explanation:

To restrict incoming and outgoing connections between a particular vty (into a Cisco device) and the addresses in an access list, use the access-class command in line configuration mode.

Example:

The following example defines an access list that permits only hosts on network 192.89.55.0 to connect to the virtual terminal ports on the router:

access-list 12 permit 192.89.55.0 0.0.0.255

line 1 5

access-class 12 in

Reference: http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_command_reference_chapter09186a008

Leading the way in IT testing and certification tools, www.testking.com


Section 4: Verify and monitor ACLs in a network environment (9 questions)

QUESTION NO: 1

An inbound access list has been configured on a TestKing router. This inbound access list has been applied to the serial interface to deny packet entry for TCP and UDP ports 21, 23 and 25. All other traffic types will be allowed. What types of packet will be permitted by this ACL? (Choose three)

A. HTTP

B. HTTPS

C. FTP

D. Telnet

E. DNS

F. SMTP

Answer: A, B, E

QUESTION NO: 2 DRAG DROP

Two TestKing offices are displayed below:


You work as a network technician at TestKing.com. Study the exhibit carefully. TestKing.com has a main office in Los Angeles and a satellite office in Boston. The offices are connected through two Cisco routers. The Boston satellite office is connected through the TestKing2 Router s0 interface to the Los Angeles office TestKing1 router s1 interface. TestKing1 has two local area networks. Boston users receive Internet access through the TestKing1 router.

Answer:


QUESTION NO: 3

Observe the following access list configuration:


An access list was configured on TK1 with the four statements shown in the graphic above. Which single access list statement will combine all four of these statements into a single statement that will have exactly the same effect?

A. access-list 10 permit 172.29.16.0 0.0.0.255

B. access-list 10 permit 172.29.16.0 0.0.1.255

C. access-list 10 permit 172.29.16.0 0.0.3.255

D. access-list 10 permit 172.29.16.0 0.0.15.255

E. access-list 10 permit 172.29.0.0 0.0.255.255

F. None of the above

Answer: C

Explanation:

172.29.16.0 0.0.3.255 is an aggregate address for those 4 networks. If you write all these addresses in binary form and mark the part they have in common, you will see that 172.29.16.0 0.0.3.255 is the correct address and wildcard mask, as it aggregates these four contiguous ACL statements.

QUESTION NO: 4 DRAG DROP

You work as a network technician at TestKing.com. You are configuring the TestKing.com office. In particular the host TestKingC, with the IP address 192.168.125.34/27, needs to be configured so that it cannot access hosts outside its own subnet.

You decide to use the following command:

access-list 100 deny *protocol* *address* *mask* any

You are required to fill in the *protocol*, *address*, and *mask* in this command using the choices below:


Answer:

Explanation:


QUESTION NO: 5

On your newly installed router, you apply the access list illustrated below to interface Ethernet 0 on a TestKing router. The interface is connected to the 192.168.1.8/29 LAN.

access-list 123 deny tcp 192.168.166.18 0.0.0.7 eq 20 any

access-list 123 deny tcp 192.168.166.18 0.0.0.7 eq 21 any

How will the above access lists affect traffic?


A. All traffic will be allowed to exit E0 except FTP traffic.

B. FTP traffic from 192.168.166.19 to any host will be denied.

C. FTP traffic from 192.168.166.22 to any host will be denied.

D. All traffic exiting E0 will be denied.

E. All FTP traffic to network 192.168.166.18/29 from any host will be denied.

F. None of the above

Answer: D

Explanation:

By default, every access list contains an implicit deny statement at the end. Because of this, only an access list that contains at least one permit statement will be useful. In this example there is no permit statement, so it will deny all traffic exiting the E0 interface.

Incorrect Answers:

A. It will deny everything, including FTP and telnet traffic.

B, C, E. It will deny all traffic in addition to the condition mentioned in these answers, because there is no permit statement at the end.
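The first-match evaluation and implicit deny described above, as an added example in Python (not part of the original material): it runs ACL 123 from the question against constructed packets, then against a copy with a trailing permit ip any any, which is an assumption added for contrast. The helper names are hypothetical, and only the source-address, source-port and destination "any" syntax used by this ACL is parsed.

```python
import ipaddress

# ACL 123 exactly as given in Question 5.
ACL_123 = [
    "access-list 123 deny tcp 192.168.166.18 0.0.0.7 eq 20 any",
    "access-list 123 deny tcp 192.168.166.18 0.0.0.7 eq 21 any",
]
# Assumption for contrast: a trailing permit that the page's ACL does not have.
ACL_123_WITH_PERMIT = ACL_123 + ["access-list 123 permit ip any any"]

def wildcard_match(addr, base, wildcard):
    """Compare only the bits the wildcard mask leaves at 0 (the 'care' bits)."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def parse_ace(line):
    """Parse the extended-ACL syntax used above (destination must be 'any')."""
    t = line.split()
    action, proto, i = t[2], t[3], 4
    if t[i] == "any":
        src, i = ("0.0.0.0", "255.255.255.255"), i + 1
    else:
        src, i = (t[i], t[i + 1]), i + 2
    sport = None
    if t[i] == "eq":  # port right after the source address is a source port
        sport, i = int(t[i + 1]), i + 2
    if t[i] != "any":
        raise ValueError("destination other than 'any' is not handled here")
    return action, proto, src, sport

def evaluate(acl, proto, src_ip, src_port=None):
    """First matching entry wins; if nothing matches, the implicit deny applies."""
    for n, line in enumerate(acl, start=1):
        action, ace_proto, (base, wc), sport = parse_ace(line)
        if ace_proto not in ("ip", proto):
            continue
        if not wildcard_match(src_ip, base, wc):
            continue
        if sport is not None and sport != src_port:
            continue
        return action, f"entry {n}"
    return "deny", "implicit deny"

if __name__ == "__main__":
    # Constructed sample packets: (protocol, source IP, source port)
    packets = [("tcp", "192.168.166.19", 21), ("tcp", "192.168.1.10", 49152),
               ("icmp", "192.168.1.11", None)]
    for name, acl in (("as given", ACL_123), ("with permit", ACL_123_WITH_PERMIT)):
        for p in packets:
            print(name, p, "->", evaluate(acl, *p))
```

With the ACL as given, every packet ends in a deny, either from an explicit entry or from the implicit one; only the copy with the trailing permit lets non-matching traffic through.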

QUESTION NO: 6

On a newly installed TestKing router, the following access list is added to the serial interface for incoming traffic:

Access-list 101 permit tcp any 10.18.10.0 0.0.0.255 eq 23

What is the effect of the "any" keyword in the above access list?

A. check any of the bits in the source address

B. permit any wildcard mask for the address

C. accept any source address

D. check any bit in the destination address

E. permit 255.255.255.255 0.0.0.0

F. accept any destination

G. None of the above

Answer: C

Explanation:


The "any" in this list is the source address to filter. If it is set to any or "0.0.0.0 255.255.255.255", then any source address will be filtered. In the example above, the access list is stating that any TCP traffic from any source going to the 10.18.10.0/24 network will be allowed.

QUESTION NO: 7

Which one of the following commands will display the placement and direction of an IP access control list on the interfaces of a router?

A. show interface list

B. show ip route

C. show ip interface

D. show ip interface brief

E. show interface

F. None of the above

Answer: C

Explanation:

The command "show ip interface" will include a reference to the access lists enabled on the interface.

QUESTION NO: 8

You are a technician at TestKing. Your assistant applied an IP access control list to Router TK1. You want to check the placement and direction of the access control list.

Which command should you use?

A. show access-list

B. show ip access-list

C. show ip interface

D. show interface

E. show interface list

F. None of the above

Answer: C


Explanation:

The show ip interface [name] command can be used to see if the access-list is on the interface. Output will vary depending on how the access-list command was applied but can include:

* Outgoing access list is not set

* Inbound access list is 101

* Outgoing access list is not set

* Inbound access list is 101, default is not set

Incorrect Answers:

A, B. This would simply show you the contents of the ACL, as well as the counters assuming the "log" keyword was configured on the access list. Example:

show access-list 101 or show ip access-list 101

* Extended IP access list 101

* deny tcp any any (1649 matches)

* deny udp any any (35 matches)

* deny icmp any any (36 matches)

D. This will display the statistics pertaining to the interface, but not any configured access lists that are applied.

QUESTION NO: 9

Which of the following statements regarding the use of multiple access lists are valid when configuring a single interface on a Cisco router?

A. Application of up to three access lists per protocol to a single interface.

B. No more than two access lists per interface.

C. One access list may be configured per direction for each Layer 3 protocol configured on an interface.

D. The maximum number allowed varies due to RAM availability in the router.

E. An infinite number of access lists that can be applied to an interface, from most specific to most general.

F. Cisco IOS allows only one access list to an interface.

G. None of the above

Answer: C

Explanation:

