Exercise: Security
Questions for: Security
Which of the following commands connect access list 110 inbound to interface ethernet0?
A:
Router(config)# ip access-group 110 in
B:
Router(config)# ip access-list 110 in
C:
Router(config-if)# ip access-group 110 in
D:
Router(config-if)# ip access-list 110 in
Answer: C
To place an access list on an interface, use the ip access-group command in interface configuration mode.
Which of the following series of commands will restrict Telnet access to the router?
A:
Lab_A(config)#access-list 10 permit 172.16.1.1
Lab_A(config)#line con 0
Lab_A(config-line)#ip access-group 10 in
Lab_A(config)#line con 0
Lab_A(config-line)#ip access-group 10 in
B:
Lab_A(config)#access-list 10 permit 172.16.1.1
Lab_A(config)#line vty 0 4
Lab_A(config-line)#access-class 10 out
Lab_A(config)#line vty 0 4
Lab_A(config-line)#access-class 10 out
C:
Lab_A(config)#access-list 10 permit 172.16.1.1
Lab_A(config)#line vty 0 4
Lab_A(config-line)#access-class 10 in
Lab_A(config)#line vty 0 4
Lab_A(config-line)#access-class 10 in
D:
Lab_A(config)#access-list 10 permit 172.16.1.1
Lab_A(config)#line vty 0 4
Lab_A(config-line)#ip access-group 10 in
Lab_A(config)#line vty 0 4
Lab_A(config-line)#ip access-group 10 in
Answer: C
Telnet access to the router is restricted by using either a standard or extended IP access list inbound on the VTY lines of the router. The command access-class is used to apply the access list to the VTY lines.
Discuss About this Question.
If you wanted to deny FTP access from network 200.200.10.0 to network 200.199.11.0 but allow everything else, which of the following command strings is valid?
A:
access-list 110 deny 200.200.10.0 to network 200.199.11.0 eq ftp
access-list 111 permit ip any 0.0.0.0 255.255.255.255
access-list 111 permit ip any 0.0.0.0 255.255.255.255
B:
access-list 1 deny ftp 200.200.10.0 200.199.11.0 any any
C:
access-list 100 deny tcp 200.200.10.0 0.0.0.255 200.199.11.0 0.0.0.255 eq ftp
D:
access-list 198 deny tcp 200.200.10.0 0.0.0.255 200.199.11.0 0.0.0.255 eq ftp
access-list 198 permit ip any 0.0.0.0 255.255.255.255
access-list 198 permit ip any 0.0.0.0 255.255.255.255
Answer: D
Extended IP access lists use numbers 100-199 and 2000-2699 and filter based on source and destination IP address, protocol number, and port number. The last option is correct because of the second line that specifies permit ip any any. (I used 0.0.0.0 255.255.255.255, which is the same as the any option.) The third option does not have this, so it would deny access but not allow everything else.
Discuss About this Question.
Which of the following are valid ways to refer only to host 172.16.30.55 in an IP access list?
- 172.16.30.55 0.0.0.255
- 172.16.30.55 0.0.0.0
- any 172.16.30.55
- host 172.16.30.55
- 0.0.0.0 172.16.30.55
- ip any 172.16.30.55
A:
1 and 4
B:
2 and 4
C:
1, 4 and 6
D:
3 and 5
Answer: B
The wildcard 0.0.0.0 tells the router to match all four octets. This wildcard format alone can be replaced with the host command.
Discuss About this Question.
Which of the following access lists will allow only HTTP traffic into network 196.15.7.0?
A:
access-list 100 permit tcp any 196.15.7.0 0.0.0.255 eq www
B:
access-list 10 deny tcp any 196.15.7.0 eq www
C:
access-list 100 permit 196.15.7.0 0.0.0.255 eq www
D:
access-list 110 permit ip any 196.15.7.0 0.0.0.255
Answer: A
The first thing to check in a question like this is the access-list number. Right away, you can see that the second option is wrong because it is using a standard IP access-list number. The second thing to check is the protocol. If you are filtering by upper-layer protocol, then you must be using either UDP or TCP; this eliminates the fourth option. The third and last answers have the wrong syntax.
Discuss About this Question.
Ad Slot (Above Pagination)
Discuss About this Question.