Access List
August 6th, 2017 in ROUTE 300-101
Question 1
What does the following access list, which is applied on the external interface FastEthernet 1/0 of the perimeter router, accomplish?
A. It prevents incoming traffic from IP address ranges 10.0.0.0 – 10.0.0.255, 172.16.0.0 – 172.31.255.255, 192.168.0.0 – 192.168.255.255 and logs any intrusion attempts.
B. It prevents the internal network from being used in spoofed denial of service attacks and logs any exit to the Internet.
C. It filters incoming traffic from private addresses in order to prevent spoofing and logs any intrusion attempts.
D. It prevents private internal addresses to be accessed directly from outside.
Answer: C
Explanation
1 de 19 24/10/2019 16:25
ROUTE 300-101 Training » Access List https://www.digitaltut.com/access-list
Answer A is not correct because its 10.0.0.0 range is wrong: the private range is 10.0.0.0 to 10.255.255.255 (10.0.0.0/8), not 10.0.0.0 to 10.0.0.255.
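An ingress anti-spoofing ACL of the kind answer C describes, written here as an added example (it is not the exhibit from the question; the ACL name is an assumption):

```cisco
! Added example, not the question's exhibit. Applied inbound on the
! perimeter router's outside interface, it drops any packet whose source
! claims to be an RFC 1918 address and logs each hit.
ip access-list extended ANTISPOOF-IN
 remark Private source addresses must never arrive from the Internet
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 permit ip any any
!
interface FastEthernet1/0
 ip access-group ANTISPOOF-IN in
```

The wildcard masks are the inverse of the prefix lengths (/8, /12, /16), which is why 172.16.0.0 0.15.255.255 covers exactly 172.16.0.0 – 172.31.255.255.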
Question 2
After applying the access list on a Cisco router, the network engineer notices that the router CPU utilization has risen to 99 percent. What is the reason for this?
A. A packet that matches access-list with the “log” keyword is Cisco Express Forwarding switched.
B. A packet that matches access-list with the “log” keyword is fast switched.
C. A packet that matches access-list with the “log” keyword is process switched.
D. A large amount of IP traffic is being permitted on the router.
Answer: C
Explanation
Logging-enabled access control lists (ACLs) provide insight into traffic as it traverses the network or is dropped by network devices. Unfortunately, ACL logging can be CPU intensive and can negatively affect other functions of the network device. Two primary factors contribute to the CPU load increase from ACL logging: process switching of packets that match log-enabled access control entries (ACEs), and the generation and transmission of log messages.
Process switching is the slowest switching method (compared with fast switching and Cisco Express Forwarding) because it must look up the destination in the routing table and construct a new Layer 2 frame header for every packet. With process switching, when a packet comes in, the scheduler calls a process that examines the routing table, determines which interface the packet should be switched to, and then switches the packet. The problem is that this happens for every packet.
Reference: http://www.cisco.com/web/about/security/intelligence/acl-logging.html
Question 3
For troubleshooting purposes, which method can you use in combination with the “debug ip packet” command to limit the amount of output data?
Answer: C
Explanation
If you use the “debug ip packet” command on a production router, you can bring it down, because it generates output for every packet and that output can be extensive. The best way to limit the output of debug ip packet is to create an access-list and link it to the debug. Only packets that match the access-list criteria will be subject to debug ip packet. For example, this is how to monitor traffic from 1.1.1.1 to 2.2.2.2
Note: The “debug ip packet” command is used to monitor packets that are processed by the router's routing engine and are not fast switched.
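The page's own screenshot of the example is not reproduced here; the following is an added illustration of the same idea, using the 1.1.1.1 and 2.2.2.2 addresses from the text (ACL number 101 is an assumption):

```cisco
! Added example: scope "debug ip packet" to one flow only.
! Global configuration: an extended ACL that matches just 1.1.1.1 -> 2.2.2.2.
access-list 101 permit ip host 1.1.1.1 host 2.2.2.2
!
! Privileged EXEC: only packets matching ACL 101 are displayed, and only
! if they are process switched (see the note above); "detail" adds
! protocol and port information.
debug ip packet 101 detail
!
! Turn the debug off as soon as the troubleshooting is done.
undebug all
```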
Question 4
Which outbound access list, applied to the WAN interface of a router, permits all traffic except for http traffic sourced from the workstation with IP address 10.10.10.1?
B. ip access-list extended 10
deny tcp host 10.10.10.1 any eq 80
permit ip any any
Answer: D
Question 5
A route map uses an ACL if the required matching is based on which criteria?
A. addressing information
B. route types
C. AS paths
D. metrics
Answer: A
Question 6
Which configuration can you apply to a device so that it always blocks the outbound web traffic on Saturdays and Sundays between the hours of 1:00 AM and 11:59 PM?
Answer: B
Explanation
+ The question asks to “always” block traffic (every week), so we must use the keyword “periodic” rather than “absolute”.
+ Traffic should be blocked until 11:59 PM, which is 23:59 in 24-hour notation.
Note: The time is specified in 24-hour time (hh:mm), where the hours range from 0 to 23 and the minutes range from 0 to 59.
Only answer B satisfies both requirements, so it is the best answer. Strictly speaking, none of the options is correct, because the access-list should deny web traffic rather than permit it as the options do.
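What a correct configuration for the question would look like, as an added example rather than one of the answer options (time-range and ACL names, the interface, and the NTP server address are assumptions):

```cisco
! Added example: deny outbound web traffic every Saturday and Sunday
! from 01:00 to 23:59. "periodic" recurs weekly; "absolute" fires once.
time-range WEEKEND-BLOCK
 periodic Saturday Sunday 1:00 to 23:59
!
ip access-list extended NO-WEB-WEEKEND
 deny   tcp any any eq www time-range WEEKEND-BLOCK
 deny   tcp any any eq 443 time-range WEEKEND-BLOCK
 permit ip any any
!
interface GigabitEthernet0/0
 description Assumed WAN uplink
 ip access-group NO-WEB-WEEKEND out
!
! A time-based ACE is only as good as the router clock, so keep it synced
! (192.0.2.10 is a placeholder NTP server).
ntp server 192.0.2.10
clock timezone UTC 0
```

Outside the time range the two deny entries are inactive and the ACL falls through to permit ip any any.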
Question 7
Question 8
Which two different configurations can you apply to a device to block incoming SSH access? (Choose two)
Answer: C D
Explanation
The “ipv6 traffic-filter” command is used to filter IPv6 traffic flowing through an interface, while the “ipv6 access-class” command is used to filter IPv6 traffic destined to the router itself (via its logical vty lines).
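The two commands side by side, as an added example that is not one of the question's answer options (ACL names, the interface, and the management prefix 2001:db8:100::/64 are assumptions):

```cisco
! Added example. 1) ipv6 traffic-filter: drops SSH passing THROUGH the
! router on this interface; sessions to the router itself are untouched.
ipv6 access-list NO-TRANSIT-SSH
 deny   tcp any any eq 22
 permit ipv6 any any
!
interface GigabitEthernet0/1
 ipv6 traffic-filter NO-TRANSIT-SSH in
!
! 2) ipv6 access-class: controls who may open SSH/Telnet TO the router's
!    vty lines; only the management prefix is allowed, everything else is
!    refused and logged.
ipv6 access-list VTY-MGMT-ONLY
 permit ipv6 2001:db8:100::/64 any
 deny   ipv6 any any log
!
line vty 0 4
 ipv6 access-class VTY-MGMT-ONLY in
 transport input ssh
```

Only the second form protects the router's own management plane; the first protects hosts behind it.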
Question 9
Which access list entry checks for an ACK within a packet header?
Answer: C
Explanation
The established keyword is only applicable to TCP access list entries; it matches TCP segments that have the ACK and/or RST control bit set (regardless of the source and destination ports), which assumes that a TCP connection has already been established in one direction. Let’s see an example below:
Suppose you only want to allow the hosts inside your company to telnet to an outside server but not vice versa. You can simply use an “established” access-list like this:
Note:
Suppose host A wants to start communicating with host B using TCP. Before they can send real data, a three-way handshake must be established first. Let’s
see how this process takes place:
1. First host A sends a SYN message (a TCP segment with the SYN flag set to 1; SYN is short for SYNchronize) to indicate it wants to set up a connection with host B. This message includes a sequence (SEQ) number for tracking purposes. This sequence number can be any 32-bit number (range from 0 to 2^32), so we use “x” to represent it.
2. After receiving the SYN message from host A, host B replies with a SYN-ACK message (some books call it a “SYN/ACK” or “SYN, ACK” message; ACK is short for ACKnowledge). This message includes a SYN sequence number and an ACK number:
+ The SYN sequence number (let’s call it “y”) is a random number and has no relationship to host A’s SYN SEQ number.
+ The ACK number is the next number after host A’s SYN sequence number, so we represent it with “x+1”. It means “I received your part. Now send me the next part (x + 1)”.
The SYN-ACK message indicates that host B accepts talking to host A (via the ACK part) and asks whether host A still wants to talk to it as well (via the SYN part).
3. After host A receives the SYN-ACK message from host B, it sends an ACK message with ACK number “y+1” to host B. This confirms host A still wants to talk to host B.
Question 10
Which type of access list allows granular session filtering for upper-level protocols?
Answer: C
Explanation
Reflexive access lists provide filtering on upper-layer IP protocol sessions. They contain temporary entries that are automatically created when a new IP session begins. They are nested within extended, named IP access lists that are applied to an interface. Reflexive access lists are typically configured on border routers, which pass traffic between an internal and external network. These are often firewall routers. Reflexive access lists do not end with an implicit deny statement because they are nested within an access list and the subsequent statements need to be examined.
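The “established” example referred to under Question 9 (whose screenshot is not reproduced on this page) and the reflexive alternative from Question 10, as one added example that is not the page's own configuration. It assumes inside hosts 10.1.1.0/24, an outside telnet server 203.0.113.10, and FastEthernet1/0 as the outside interface:

```cisco
! Added example. Goal: inside hosts may telnet to the outside server,
! but nothing from outside may open a session inward.
!
! Variant A, "established" (stateless). Return segments carry ACK or RST
! and therefore match; an inbound SYN has neither and hits the deny.
! Any forged segment with ACK set would also match, which is the limit
! of this approach.
ip access-list extended OUTSIDE-IN-EST
 permit tcp host 203.0.113.10 eq 23 10.1.1.0 0.0.0.255 established
 deny   ip any any log
!
! Variant B, reflexive (stateful). Each outbound telnet session creates a
! temporary mirror entry (exact addresses and ports) in TELNET-SESSIONS;
! "evaluate" consults it, and the entry expires after 300 s of silence.
ip access-list extended INSIDE-OUT-RFLX
 permit tcp 10.1.1.0 0.0.0.255 host 203.0.113.10 eq 23 reflect TELNET-SESSIONS timeout 300
 permit ip any any
ip access-list extended OUTSIDE-IN-RFLX
 evaluate TELNET-SESSIONS
 deny   ip any any log
!
! Only one inbound ACL can be bound to the interface; variant B is shown.
interface FastEthernet1/0
 ip access-group INSIDE-OUT-RFLX out
 ip access-group OUTSIDE-IN-RFLX in
```

The explicit deny after “evaluate” is needed because, as the explanation says, the reflexive list itself carries no implicit deny.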
Reference: http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_acl/configuration/15-1s/sec-access-list-ov.html
Question 11
Answer: A
Explanation
The command “ipv6 traffic-filter access-list-name { in | out }” applies the access list to incoming or outgoing traffic on the interface.
Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750/software/release/12-2_55_se/configuration/guide/scg3750/swv6acl.html
Question 12
A. IP access-lists without at least one deny statement permit all traffic by default.
B. Extended access-lists must include port numbers.
C. They support wildcard masks to limit the address bits to which entries are applied.
D. Entries are applied to traffic in the order in which they appear.
E. They end with an implicit permit.
Answer: C D
Question 13
Which option is the minimum logging level that displays a log message when an ACL drops an incoming packet?
A. Level 6
B. Level 5
C. Level 7
D. Level 3
Answer: A
Explanation
When the ACL logging feature is configured, the system monitors ACL flows and logs dropped packets and statistics for each flow that matches the deny conditions of the ACL entry.
The log and log-input options apply to an individual ACE and cause packets that match the ACE to be logged. The sample below illustrates the initial message and periodic updates sent by an IOS device with a default configuration using the log ACE option.
*May 1 22:12:13.243: %SEC-6-IPACCESSLOGP: list ACL-IPv4-E0/0-IN permitted tcp 192.168.1.3(1024) -> 192.168.2.1(22), 1 packet
Reference: https://www.cisco.com/c/en/us/about/security-center/access-control-list-logging.html
From the example above we can see that an ACL log message is generated at Syslog level 6 (the “6” in %SEC-6-). A dropped packet produces the same %SEC-6-IPACCESSLOGP message with “denied” in place of “permitted”, so level 6 (informational) is the minimum logging level that displays it.
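A log-enabled deny ACE together with the settings that keep ACL logging from pinning the CPU (the problem described under Question 2) and that forward the level-6 messages discussed here. This is an added example, not configuration from the page or its Cisco reference; the ACL name and addresses follow the sample log line, and the syslog host is a placeholder:

```cisco
! Added example: the ACL whose name appears in the sample message above,
! with a logged deny entry.
ip access-list extended ACL-IPv4-E0/0-IN
 permit tcp any host 192.168.2.1 eq 22
 deny   ip any any log
!
! Every packet that matches a "log" ACE is process switched. The first
! match of a flow produces a %SEC-6-IPACCESSLOGP "denied" message at
! severity 6 (informational); later matches are summarised periodically.
!
! Raise the summary threshold and cap the syslog rate so a flood of
! denied packets cannot starve the router. Note that neither setting
! stops the process switching itself; only removing "log" does that.
ip access-list log-update threshold 1000
logging rate-limit 10 except errors
!
! Ship the messages off-box. "informational" is level 6, the minimum
! trap level at which ACL log messages are still forwarded.
logging host 192.168.1.100
logging trap informational
```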
Comments
1. Anonymous
August 30th, 2018
I have booked the 300-101 exam next week. I have purchased the information here. I hope that I can pass the exam next week. h tt p:// 6.gg/dA kbs
2. champ
August 30th, 2018
3. agamemnon
September 10th, 2018
h tt p:/ /kks.me/aK2La
(The dump here is real and effective, and the pass rate is over 90%.)
4. rachets
September 19th, 2018
5. Andy
September 22nd, 2018
7. studi
September 26th, 2018
W ww.cci edumps.xyz?utm_source=bbs&utm_medium=bbs
I just passed the CCIE exam last week. I bought the topic here. The topic is true and effective. I have practiced most of the exam questions, but you have to remember the answer. You can’t just remember it. The options, I have encountered several questions in it, the options for the correct answer have been changed.
8. rtyjhj
October 15th, 2018
h ttp : //j.mp/2Pxd7Ht
The latest question bank, the most complete information, or the teacher of online guidance.
9. Anonymous
December 2nd, 2018
10. GuaranteePass
December 3rd, 2018
CCNA R&S
200-125 CCNA = 565 Q&As DUMPs + LABs
100-105 ICND1 = 347 Q&As DUMPs + LABs
200-105 ICND2 = 268 Q&As DUMPs + LABs
CCNP R&S
ROUTE = 768 Q&As DUMPS + LABs
SWITCH = 287 Q&As DUMPs + LABs
TSHOOT = 180 Q&As DUMPs + Tickets
CCIE R&S
400-101 WRITTEN = 114 Q&As DUMPS
11. Nuts
December 14th, 2018
I have the latest Dump I require the latest VCE. Who has the VCE but not the Dump?
Sommerseller at Gmail dot com
12. Anonymous
January 8th, 2019
13. Anonymous
January 8th, 2019
14. Anonymous
February 20th, 2019
15. ravi
March 20th, 2019
Hi,
I am new to 9tut CCNP. What can I do to get the questions?
16. CCNP
March 28th, 2019
Hi guys.
Today I passed the CCNP Router (300-101) exam with 900+ marks.
I have valid dumps. If anyone requires them, email ccnpvaliddumps @ hotmail dot com
320 Q only.
17. SPOTO
April 1st, 2019
Any Cisco Certification could be achieved if you have proper training. I would recommend you to join SPOTO and have their advanced training sessions.
18. john
April 9th, 2019
I passed yesterday. Anything you want, you can find me at theodosits @ hotmail .com (without the blanks).
19. Dude
May 14th, 2019
Hi,
20. Dotcom
May 28th, 2019
Hi Guys
those who passed their exam, can you please share your study material??
21. boyapati
June 7th, 2019
22. Daniel
June 20th, 2019
you guys can text me for sharing dumps: ballking242@ gmail . com
23. mimi
July 1st, 2019
Can someone email me the latest ccnp route dumps. my email is {email not allowed}
24. mimi
July 1st, 2019
Can someone email me the latest ccnp route dumps. my email is doncasta8@ yahoo .com
25. Anonymous
July 8th, 2019
hi guys,
Can anyone please send the latest dumps on {email not allowed}
Thanks in advance
26. Anonymous
July 25th, 2019
hi guys,
can anyone please send me the latest dumps for ICND2 on {email not allowed}
27. Lucky
August 11th, 2019
28. Guest3434
August 20th, 2019
Hi guys,
Can anyone tell me if 9tut dumps are still good or they are outdated?
29. Anonymous
August 21st, 2019
30. Paxy
September 6th, 2019
Guys please share route dumps on payal . sharma86 (at) gmail . com
31. Astrak
September 9th, 2019
Can someone email me the latest ccnp route dumps? My email is renee.help (at) gmail dot com
32. Ip HELPER
October 15th, 2019
who needs updated dump for ROUTE can contact me: cisco4career @ gmail . com
Good luck to all!
33. cal
October 16th, 2019
Hi all, good day. I’m chasing the CCNP ROUTE exam. I hope to get it before the migration. Please share with me the latest dumps for this exam at the email below. I would really appreciate it if you include the VCE file for this. Thank you.
cj clds_cj @ yah00.c0m