Security(Networking ) Questions and Answers

Question 1. Which of the following is true regarding access lists applied to an interface?
  1.    You can place as many access lists as you want on any interface until you run out of memory.
  2.    You can apply only one access list on any interface.
  3.    One access list may be configured, per direction, for each layer 3 protocol configured on an interface.
  4.    You can apply two access lists to any interface.
Explanation:-
Answer: Option C. -> One access list may be configured, per direction, for each layer 3 protocol configured on an interface.
A Cisco router has rules regarding the placement of access lists on a router interface. You can place one access list per direction for each layer 3 protocol configured on an interface.
Question 2. Which command would you use to apply an access list to a router interface?
  1.    ip access-list 101 out
  2.    access-list ip 101 in
  3.    ip access-group 101 in
  4.    access-group ip 101 in
Explanation:-
Answer: Option C. -> ip access-group 101 in
To apply an access list, the proper command is ip access-group 101 in.
Question 3. You are working on a router that has established privilege levels that restrict access to certain functions. You discover that you are not able to execute the command show running-configuration. How can you view and confirm the access lists that have been applied to the Ethernet 0 interface on your router?
  1.    show access-lists
  2.    show interface Ethernet 0
  3.    show ip access-lists
  4.    show ip interface Ethernet 0
Explanation:-
Answer: Option D. -> show ip interface Ethernet 0
The only command that shows which access lists have been applied to an interface is show ip interface Ethernet 0. The command show access-lists displays all configured access lists, and show ip access-lists displays all configured IP access lists, but neither command indicates whether the displayed access lists have been applied to an interface.
Question 4. You need to create an access list that will prevent hosts in the network range of 192.168.160.0 to 192.168.191.0. Which of the following lists will you use?
  1.    access-list 10 deny 192.168.160.0 255.255.224.0
  2.    access-list 10 deny 192.168.160.0 0.0.191.255
  3.    access-list 10 deny 192.168.160.0 0.0.31.255
  4.    access-list 10 deny 192.168.0.0 0.0.31.255
Explanation:-
Answer: Option C. -> access-list 10 deny 192.168.160.0 0.0.31.255
The range of 192.168.160.0 to 192.168.191.0 is a block size of 32. The network address is 192.168.160.0 and the mask would be 255.255.224.0, which for an access list must be a wildcard format of 0.0.31.255. The 31 is used for a block size of 32. The wildcard is always one less than the block size.
Question 5. Which of the following is an example of a standard IP access list?
  1.    access-list 110 permit host 1.1.1.1
  2.    access-list 1 deny 172.16.10.1 0.0.0.0
  3.    access-list 1 permit 172.16.10.1 255.255.0.0
  4.    access-list standard 1.1.1.1
Explanation:-
Answer: Option B. -> access-list 1 deny 172.16.10.1 0.0.0.0
Standard IP access lists use the numbers 1-99 and 1300-1999 and filter based on source IP address only. Option C is incorrect because the mask must be in wildcard format.
Question 6. You configure the following access list:
access-list 110 deny tcp 10.1.1.128 0.0.0.63 any eq smtp
access-list 110 deny tcp any eq 23
int ethernet 0
ip access-group 110 out
What will the result of this access list be?
  1.    Email and Telnet will be allowed out E0.
  2.    Email and Telnet will be allowed in E0.
  3.    Everything but email and Telnet will be allowed out E0.
  4.    No IP traffic will be allowed out E0.
Explanation:-
Answer: Option D. -> No IP traffic will be allowed out E0.
If you add an access list to an interface and you do not have at least one permit statement, then you will effectively shut down the interface because of the implicit deny any at the end of every list.
Question 7. Which router command allows you to view the entire contents of all access lists?
  1.    Router# show interface
  2.    Router> show ip interface
  3.    Router# show access-lists
  4.    Router> show all access-lists
Explanation:-
Answer: Option C. -> Router# show access-lists
The show access-lists command will allow you to view the entire contents of all access lists, but it will not show you the interfaces to which the access lists are applied.
Question 8. You want to create a standard access list that denies the subnet of the following host: 172.16.198.94/19. Which of the following would you start your list with?
  1.    access-list 10 deny 172.16.192.0 0.0.31.255
  2.    access-list 10 deny 172.16.0.0 0.0.255.255
  3.    access-list 10 deny 172.16.172.0 0.0.31.255
  4.    access-list 10 deny 172.16.188.0 0.0.15.255
Explanation:-
Answer: Option A. -> access-list 10 deny 172.16.192.0 0.0.31.255
First, you must know that a /19 is 255.255.224.0, which is a block size of 32 in the third octet. Counting by 32, this makes our subnet 192 in the third octet, and the wildcard for the third octet would be 31 since the wildcard is always one less than the block size.
Question 9. If you wanted to deny all Telnet connections to only network 192.168.10.0, which command could you use?
  1.    access-list 100 deny tcp 192.168.10.0 255.255.255.0 eq telnet
  2.    access-list 100 deny tcp 192.168.10.0 0.255.255.255 eq telnet
  3.    access-list 100 deny tcp any 192.168.10.0 0.0.0.255 eq 23
  4.    access-list 100 deny 192.168.10.0 0.0.0.255 any eq 23
Explanation:-
Answer: Option C. -> access-list 100 deny tcp any 192.168.10.0 0.0.0.255 eq 23
The extended access list ranges are 100-199 and 2000-2699, so the access-list number of 100 is valid. Telnet uses TCP, so the protocol TCP is valid. Now you just need to look for the source and destination address. Only the third option has the correct sequence of parameters. Answer B may work, but the question specifically states "only" to network 192.168.10.0, and the wildcard in answer B is too broad.
Question 10. Which of the following access lists will allow only HTTP traffic into network 196.15.7.0?
  1.    access-list 100 permit tcp any 196.15.7.0 0.0.0.255 eq www
  2.    access-list 10 deny tcp any 196.15.7.0 eq www
  3.    access-list 100 permit 196.15.7.0 0.0.0.255 eq www
  4.    access-list 110 permit ip any 196.15.7.0 0.0.0.255
Explanation:-
Answer: Option A. -> access-list 100 permit tcp any 196.15.7.0 0.0.0.255 eq www
The first thing to check in a question like this is the access-list number. Right away, you can see that the second option is wrong because it is using a standard IP access-list number. The second thing to check is the protocol. If you are filtering by upper-layer protocol, then you must be using either UDP or TCP; this eliminates the fourth option. The third and last answers have the wrong syntax.
© Lakshya_Education.com, All Right Reserved.
Contact Us services