Access list Questions
Here you will find answers to Access list Questions
Question 1
What is the purpose of an explicit “deny any” statement at the end of an ACL?
A. none, since it is implicit
B. to enable Cisco IOS IPS to work properly; however, it is the deny all traffic entry that is actually required
C. to enable Cisco IOS Firewall to work properly; however, it is the deny all traffic entry that is actually required
D. to allow the log option to be used to log any matches
E. to prevent sync flood attacks
F. to prevent half-opened TCP connections
Answer: D
Explanation
As we know, there is always an implicit “deny all” line at the end of each access-list that drops all traffic not matching any “permit” line. You can enter your own explicit deny with the “log” keyword to see what is actually being blocked, like this:
Router(config)# access-list 1 permit 192.168.30.0 0.0.0.255
Router(config)# access-list 1 deny any log
Note: The log keyword can be used to provide additional detail about source and destinations for a given protocol. Although this keyword provides valuable insight into the details of ACL hits, excessive hits to an ACL entry that uses the log keyword increase CPU utilization. The performance impact associated with logging varies by platform. Also, using the log keyword disables Cisco Express Forwarding (CEF) switching for packets that match the access-list statement. Those packets are fast switched instead.
Question 2
A request arrived on your MPLS-vpn-bgp group. Due to a security breach, your customer is experiencing DoS attacks coming from specific subnets (200.0.10.0/24, 200.0.12.0/24). You have checked all MPLS-EBGP routes being advertised to BHK from other VPN sites and found four subnets listed:
200.0.10.0/24, 200.0.11.0/24, 200.0.12.0/24, 200.0.13.0/24. You immediately apply an outbound ACL filter using the appropriate MPLS-EBGP tool:
access-list 1 deny 0.0.0.0 255.255.254.255
access-list 1 permit any
What happens when you apply this ACL on the MPLS-EBGP connection to BHK?
A. It blocks all routes.
B. It blocks the routes 200.0.12.0/24, 200.0.10.0/24 only.
C. It blocks the routes 200.0.12.0/24, 200.0.13.0/24 only.
D. It blocks the routes 200.0.10.0/24, 200.0.13.0/24 only.
E. Nothing happens, no routes are blocked.
Answer: B
Explanation
Remember, for the wild card mask, 1’s are I DON’T CARE, and 0’s are I CARE.
In the access-list we put a 0.0.0.0 255.255.254.255 entry; of course 255 means “1111 1111”. This means we don’t care about any of the bits in the first, second and fourth octets. In fact, the 0 (in 0.0.0.0) is just the smallest number we can put there and it is easy to type, but we could use any number and it wouldn’t matter, since we DON’T CARE about those octets; only the third octet matters, because its wildcard mask is not 255.
Now let’s write the 0 in the third octet in binary form (easy, right?)
0 = 0000 0000
With the 254 in the wildcard mask, we only care about the last bit of the third octet because 254 is “1111 1110”. That means, if the third octet is in the form of xxxx xxx0 then it will match my access-list (x can be 0 or 1 because I DON’T CARE).
Now let’s write the third octet of 4 above subnets in binary form:
10 = 0000.1010
11 = 0000.1011
12 = 0000.1100
13 = 0000.1101
So, only 10 & 12 satisfy my access-list -> only the routes to 200.0.10.0/24 and 200.0.12.0/24 are blocked -> B is correct.
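The wildcard-mask matching described above, as an added example (not part of the original post): a small matcher that applies Cisco wildcard semantics (mask bit 1 = don’t care, 0 = must match) and walks the two-line ACL from the question, first match wins and an implicit deny at the end. The ACL and subnet lists are constructed from the question text.

```python
import ipaddress


def wildcard_match(addr: str, acl_addr: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the mask means 'don't care',
    a 0 bit means the address bit must equal the ACL entry bit."""
    a = int(ipaddress.IPv4Address(addr))
    e = int(ipaddress.IPv4Address(acl_addr))
    w = int(ipaddress.IPv4Address(wildcard))
    care = 0xFFFFFFFF ^ w          # bits we actually compare
    return (a & care) == (e & care)


# Constructed copy of the question's ACL: (action, address, wildcard)
ACL_1 = [
    ("deny", "0.0.0.0", "255.255.254.255"),
    ("permit", "0.0.0.0", "255.255.255.255"),   # "permit any"
]


def acl_action(prefix: str, acl=ACL_1) -> str:
    """Evaluate a prefix against the ACL: first matching entry wins,
    and an unmatched prefix hits the implicit deny at the end."""
    network = prefix.split("/")[0]
    for action, addr, wc in acl:
        if wildcard_match(network, addr, wc):
            return action
    return "deny"   # implicit deny all


def blocked_routes(prefixes, acl=ACL_1):
    """Return the prefixes the ACL would drop, in input order."""
    return [p for p in prefixes if acl_action(p, acl) == "deny"]


# Constructed list of the four subnets advertised to BHK in the question
SUBNETS = ["200.0.10.0/24", "200.0.11.0/24", "200.0.12.0/24", "200.0.13.0/24"]

if __name__ == "__main__":
    for p in SUBNETS:
        print(p, acl_action(p))
    print("blocked:", blocked_routes(SUBNETS))
```

Because only bit 0 of the third octet is compared, any prefix with an even third octet (200.0.14.0/24, 10.5.200.0/24, ...) is dropped as well, which is why the comments call the question tricky.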
Question 3
Your company wants to install Cisco IOS Firewall to ensure network availability and the security of your company’s resources. Which three of the following statements about its configuration are correct? (Select three)
A. An IP inspection rule can be applied in the inbound direction on a secured interface
B. An IP inspection rule can be applied in the outbound direction on an unsecured interface
C. An ACL that is applied in the outbound direction on an unsecured interface must be an extended ACL
D. An ACL that is applied in the inbound direction on an unsecured interface must be an extended ACL
Answer: A B D
Question 4
Which keyword do you need to add to the access-list so that the logging message includes details such as the source address and source MAC address?
A. Log
B. Log-input
C. Log-output
D. Logging
Answer: B
Explanation
The log-input option enables logging of the ingress interface and source MAC address in addition to the packet’s source and destination IP addresses and ports. Below is an example of the “log-input” option.
*May 1 22:33:38.799: %SEC-6-IPACCESSLOGP: list ACL-IPv4-E0/0-IN permitted tcp 192.168.1.3(1025) (Ethernet0/0 000e.9b5a.9839) -> 192.168.2.1(22), 1 packet
*May 1 22:39:15.075: %SEC-6-IPACCESSLOGP: list ACL-IPv4-E0/0-IN permitted tcp 192.168.1.3(1025) (Ethernet0/0 000e.9b5a.9839) -> 192.168.2.1(22), 9 packets
(Reference: http://www.cisco.com/web/about/security/intelligence/acl-logging.html)
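To show what the extra log-input fields give a defender, here is an added example (not from the original post or from Cisco): a parser for %SEC-6-IPACCESSLOGP messages that extracts the ingress interface and source MAC when present and aggregates packet counts per flow. The sample lines are constructed; the first two copy the format shown above, the third is a plain “log” entry without the interface/MAC field.

```python
import re

# Constructed sample syslog lines; the "(interface mac)" field only appears
# when the ACL entry uses log-input rather than log.
SAMPLE_LOG = """\
*May 1 22:33:38.799: %SEC-6-IPACCESSLOGP: list ACL-IPv4-E0/0-IN permitted tcp 192.168.1.3(1025) (Ethernet0/0 000e.9b5a.9839) -> 192.168.2.1(22), 1 packet
*May 1 22:39:15.075: %SEC-6-IPACCESSLOGP: list ACL-IPv4-E0/0-IN permitted tcp 192.168.1.3(1025) (Ethernet0/0 000e.9b5a.9839) -> 192.168.2.1(22), 9 packets
*May 1 22:41:02.113: %SEC-6-IPACCESSLOGP: list ACL-IPv4-E0/0-IN denied tcp 10.0.0.7(40211) -> 192.168.2.1(23), 3 packets
"""

LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\)"
    r"(?: \((?P<intf>\S+) (?P<mac>[0-9a-f.]+)\))?"   # log-input only
    r" -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)


def parse_acl_log(text: str) -> list:
    """Parse each IPACCESSLOGP line into a dict; intf/mac are None when the
    entry was logged with plain 'log' instead of 'log-input'."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            event = m.groupdict()
            event["count"] = int(event["count"])
            events.append(event)
    return events


def summarize(events: list) -> dict:
    """Total packets per (action, src, mac, dst, dport) so repeated
    hits from the same host/MAC stand out in review."""
    totals = {}
    for e in events:
        key = (e["action"], e["src"], e["mac"], e["dst"], e["dport"])
        totals[key] = totals.get(key, 0) + e["count"]
    return totals


if __name__ == "__main__":
    for key, total in summarize(parse_acl_log(SAMPLE_LOG)).items():
        print(key, total)
```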
I’m really into it, thanks for this great stuff!
How can 10 and 12 be the only ones to be blocked?
Q2 – That question seems off to me too. I would think only 10 and 11 would match with a .254 address. With the .10/.254 the whole string needs to match down to the last bit. So I would expect .10 and .11. Obviously that’s not an answer, so I must be missing something.
Hello ASAMaster, you are absolutely right.
network portion : 0000 0000 . 0000 0000 . 0000 0000 . 0000 0000
subnet mask     : 1111 1111 . 1111 1111 . 1111 1110 . 1111 1111
(subnet mask: 0 = exact match, 1 = don’t care)
blocked networks: XXXX XXXX . XXXX XXXX . XXXX XXX0 . XXXX XXXX
200.0.10.0 : 1100 1000 . 0000 0000 . 0000 1010 . 0000 0000 (blocked)
200.0.11.0 : 1100 1000 . 0000 0000 . 0000 1011 . 0000 0000
200.0.12.0 : 1100 1000 . 0000 0000 . 0000 1100 . 0000 0000 (blocked)
200.0.13.0 : 1100 1000 . 0000 0000 . 0000 1101 . 0000 0000
Answer B is correct.
Q2 answer is B, but the important fact to keep in mind is that this access-list will permit only prefixes that have an even number in the third octet. Which means it will deny everything from XXX.XXX.ODD.XXX
This is really a tricky question! I labbed it in GNS3 because I knew it would block a huge number of prefixes. But in the case of this question, B is still the good answer.
Q2 is tricky,
Usually when we do wildcards that deny subnets like 192.168.0.0 0.0.1.255, it filters 192.168.0.0 & 192.168.1.0.
1’s are don’t care
0’s are exact match
Answer B is correct.
This is really a great post. These are frequently asked questions and you have provided very good answers to them. The post is doubt-clearing, I must say.