4.5.2 Module Quiz – ACL Concepts (Answers)

Explanation: Routers will drop any packets for which no routing table destination can be found. ACLs are not required on interfaces, but if one exists and the IP address of the source in the packet does not match that permitted in a standard ACL, the packet will be dropped. ACLs can contain multiple permit and deny ACEs, but generally should contain at least one permit ACE, because ACLs contain an implicit deny ACE at the end.

2. A network administrator configures an ACL with the command R1(config)# access-list 1 permit 172.16.0.0 0.0.15.255. Which two IP addresses will match this ACL statement? (Choose two.)

• 172.16.16.12
• 172.16.31.24
• 172,16.65.21
• 172.16.0.255
• 172.16.15.36

Explanation: The wildcard mask indicates that any IP address within the range of 172.16.0.0 to 172.16.15.255 matches.

3. Which two statements describe appropriate general guidelines for configuring and applying ACLs? (Choose two.)

• Multiple ACLs per protocol and per direction can be applied to an interface.
• If a single ACL is to be applied to multiple interfaces, it must be configured with a unique number for each interface.
• The most specific ACL statements should be entered first because of the top-down sequential nature of ACLs.
• If an ACL contains no permit statements, all traffic is denied by default.
• Standard ACLs are placed closest to the source, whereas extended ACLs are placed closest to the destination.

Explanation: An interface can only have one ACL per direction. Standard ACLs filter only on the source address, so they are normally placed closest to the destination. Extended ACLs filter on source and destination addresses and port numbers. They are commonly placed closest to the source to reduce traffic across the network or networks. A single ACL can be applied to multiple interfaces.

4. What single access list statement matches all of the following networks?

192.168.16.0
192.168.17.0
192.168.18.0
192.168.19.0

• access-list 10 permit 192.168.16.0 0.0.3.255
• access-list 10 permit 192.168.0.0 0.0.15.255
• access-list 10 permit 192.168.16.0 0.0.0.255
• access-list 10 permit 192.168.16.0 0.0.15.255

Explanation: The ACL statement access-list 10 permit 192.168.16.0 0.0.3.255 will match all four network prefixes. All four prefixes have the same 22 high order bits. These 22 high order bits are matched by the network prefix and wildcard mask of 192.168.16.0 0.0.3.255.

5. Which three statements describe ACL processing of packets? (Choose three.)

• A packet can either be rejected or forwarded as directed by the ACE that is matched.
• A packet that does not match the conditions of any ACE will be forwarded by default.
• Each statement is checked only until a match is detected or until the end of the ACE list.
• Each packet is compared to the conditions of every ACE in the ACL before a forwarding decision is made.
• An implicit deny any rejects any packet that does not match any ACE.
• A packet that has been denied by one ACE can be permitted by a subsequent ACE.

Explanation: When a packet comes into a router that has an ACL configured on the interface, the router compares the condition of each ACE to determine if the defined criteria has been met. If met, the router takes the action defined in the ACE (allows the packet through or discards it). If the defined criteria has not been met, the router proceeds to the next ACE. An implicit deny any statement is at the end of every standard ACL.

6. A network administrator is configuring an ACL to restrict access to certain servers in the data center. The intent is to apply the ACL to the interface connected to the data center LAN. What happens if the ACL is incorrectly applied to an interface in the inbound direction instead of the outbound direction?

• All traffic is denied.
• All traffic is permitted.
• The ACL does not perform as designed.
• The ACL will analyze traffic after it is routed to the outbound interface.

Explanation: Always test an ACL to ensure that it performs as it was designed. Applying an ACL that is applied using the ip access-group in command instead of using the ip access-group out command is not going to work as designed.

7. Which scenario would cause an ACL misconfiguration and deny all traffic?

• Apply a standard ACL using the ip access-group outcommand.
• Apply a named ACL to a VTY line.
• Apply an ACL that has all deny ACE statements.
• Apply a standard ACL in the inbound direction.

Explanation: Having all ACEs with deny statements denies all traffic because there is an implicit deny any command at the end of every standard ACL.

8. In applying an ACL to a router interface, which traffic is designated as outbound?

• traffic that is leaving the router and going toward the destination host
• traffic that is coming from the source IP address into the router
• traffic for which the router can find no routing table entry
• traffic that is going from the destination IP address into the router

Explanation: Inbound and outbound are interpreted from the point of view of the router. Traffic that is designated in an inbound ACL will be denied or permitted when coming into that router interface from a source. Traffic that is designated in an outbound ACL will be denied or permitted when going out the interface to the destination.

9. When creating an ACL, which keyword should be used to document and interpret the purpose of the ACL statement on a Cisco device?​

Explanation: In order to document the purpose of an ACL and identify its function more easily, the remark keyword is used when building the ACL. The established keyword is used to allow connections that were initially sourced from the current device. The eq operator is used to specify a port number for denying or permitting traffic. The description keyword is used when configuring and documenting interfaces.

10. Which location is recommended for extended numbered or extended named ACLs?

• a location as close to the destination of traffic as possible
• a location as close to the source of traffic as possible
• a location centered between traffic destinations and sources to filter as much traffic as possible
• if using the established keyword, a location close to the destination to ensure that return traffic is allowed

Explanation: Extended ACLs are normally placed as close to the source as possible. Standard ACLs are placed as close to the destination as possible because a standard ACL only has the source IP address listed as part of the ACE.

11. Which range represents all the IP addresses that are affected when network 10.120.160.0 with a wildcard mask of 0.0.7.255 is used in an ACE?

• 10.120.160.0 to 10.120.167.255
• 10.120.160.0 to 10.127.255.255
• 10.120.160.0 to 10.120.191.255
• 10.120.160.0 to 10.120.168.0

Explanation: A wildcard mask of 0.0.7.255 means that the first 5 bits of the 3rd octet must remain the same but the last 3 bits can have values from 000 to 111. The last octet has a value of 255, which means the last octet can have values from all zeros to all 1s.

12. A college student is studying for the Cisco CCENT certification and is visualizing extended access lists. Which three keywords could immediately follow the keywords permit or deny as part of an extended access list? (Choose three.)

Explanation: Four commonly used keywords that could follow the keywords permit or deny in an IPv4 extended access list are ip, tcp, udp, and icmp. If the keyword ip is used, then the entire TCP/IP suite is affected (all TCP/IP protocols).

13. If the provided ACEs are in the same ACL, which ACE should be listed first in the ACL according to best practice?

• permit tcp 172.16.0.0 0.0.3.255 any established
• deny tcp any any eq telnet
• deny udp any host 172.16.1.5 eq snmptrap
• permit udp any any range 10000 20000
• permit udp 172.16.0.0 0.0.255.255 host 172.16.1.5 eq snmptrap
• permit ip any any

Explanation: A best practice for configuring an extended ACL is to ensure that the most specific ACE is placed higher in the ACL. Consider the two permit UDP statements. If both of these were in an ACL, the SNMP ACE is more specific than the UDP statement that permits a range of 10,001 UDP port numbers. The SNMP ACE would be entered before the other UDP ACE. The ACEs from most specific to least specific are as follows:
– permit udp 172.16.0.0 0.0.255.255 host 172.16.1.5 eq snmptrap
– deny udp any host 172.16.1.5 eq snmptrap
– permit tcp 172.16.0.0 0.0.3.255 any established
– deny tcp any any eq telnet
– permit udp any any range 10000 20000
– permit ip any any

14. Which operator is used in an ACL statement to match packets of a specific application?

Explanation: An example of an ACL that filters for FTP is as follows:
access-list 105 permit tcp any host 10.0.54.5 eq 20
access-list 105 permit tcp any host 10.0.54.5 eq 21
The operator (eq) toward the end of the ACL lines is used to match a specific port/service that is specified immediately following the eq operator.

15. What two functions describe uses of access control lists? (Choose two.)

• ACLs assist a router in determining the best path to a destination.
• ACLs can control which areas a host can access on a network.
• ACLs provide a basic level of security for network access.
• Standard ACLs can filter traffic based on source and destination network addresses.
• Standard ACLs can restrict access to specific applications and ports.

Explanation: An ACL can be configured as a simple firewall that provides security using basic traffic filtering capabilities. ACLs are used to filter host traffic by allowing or blocking matching packets to networks.

16. Which three statements describe how an ACL processes packets? (Choose three.)

• A packet is compared with all ACEs in the ACL before a forwarding decision is made.
• A packet that has been denied by one ACE can be permitted by a subsequent ACE.
• An implicit deny at the end of an ACL rejects any packet that does not match an ACE.
• Each ACE is checked only until a match is detected or until the end of the ACL.
• If an ACE is matched, the packet is either rejected or forwarded, as directed by the ACE.
• If an ACE is not matched, the packet is forwarded by default.

Explanation: If the information in a packet header and an ACL statement match, the rest of the statements in the list are skipped, and the packet is permitted or denied as specified by the matched statement. If a packet header does not match an ACL statement, the packet is tested against the next statement in the list. This matching process continues until the end of the list is reached. At the end of every ACL is an implicit “deny any” statement that is applied to all packets for which conditions did not test true and results in a “deny” action.

17. Which three statements are best practices related to placement of ACLs? (Choose three.)

• Filter unwanted traffic before it travels onto a low-bandwidth link.
• For every inbound ACL placed on an interface, ensure that there is a matching outbound ACL.
• Place extended ACLs close to the destination IP address of the traffic.
• Place extended ACLs close to the source IP address of the traffic.
• Place standard ACLs close to the destination IP address of the traffic.
• Place standard ACLs close to the source IP address of the traffic.

Explanation: Extended ACLs should be placed as close as possible to the source IP address so that traffic that needs to be filtered does not cross the network and use network resources. Because standard ACLs do not specify a destination address, they should be placed as close to the destination as possible. Placing a standard ACL close to the source may have the effect of filtering all traffic and limiting services to other hosts. Filtering unwanted traffic before it enters low-bandwidth links preserves bandwidth and supports network functionality. Decisions on placing ACLs inbound or outbound are dependent on the requirements to be met.

18. Which two characteristics are shared by standard and extended ACLs? (Choose two.)

• Both filter packets for a specific destination host IP address.
• Both include an implicit deny as a final entry.
• Both permit or deny specific services by port number.
• They both filter based on protocol type.
• They can be created by using either descriptive names or numbers.

Explanation: Standard ACLs filter traffic based solely on a specified source IP address. Extended ACLs can filter by source or destination, protocol, or port. Both standard and extended ACLs contain an implicit deny as a final ACE. Standard and extended ACLs can be identified by either names or numbers.

19. Which two statement describes a difference between the operation of inbound and outbound ACLs? (Choose two.)

• Inbound ACLs are processed before the packets are routed.
• Inbound ACLs can be used in both routers and switches.
• Multiple inbound ACLs can be applied to an interface.
• Multiple outbound ACLs can be applied to an interface.
• Outbound ACLs are processed after the routing is completed.
• Outbound ACLs can be used only on routers.
• Unlike outbound ACLs, inbound ACLs can be used to filter packets with multiple criteria.

Explanation: With an inbound ACL, incoming packets are processed before they are routed. With an outbound ACL, packets are first routed to the outbound interface, and then they are processed. Thus, processing inbound is more efficient from the router’s perspective. The structure, filtering methods, and limitations (that is, only one inbound and one outbound ACL can be configured on an interface) are the same for both types of ACLs.

20. In which configuration would an outbound ACL placement be preferred over an inbound ACL placement?

• When a router has more than one ACL
• When an interface is filtered by an outbound ACL and the network attached to the interface is the source network being filtered within the ACL
• When an outbound ACL is closer to the source of the traffic flow
• When the ACL is applied to an outbound interface to filter packets coming from multiple inbound interfaces before the packets exit the interface

Explanation: An outbound ACL should be used when the same ACL filtering rules will be applied to packets coming from more than one inbound interface before exiting a single outbound interface. The outbound ACL will be applied on the single outbound interface.

21. What wildcard mask will match networks 10.16.0.0 through 10.19.0.0?

• 0.252.255.255
• 0.0.255.255
• 0.0.3.255
• 0.3.255.255

Explanation: The subnets 10.16.0.0 through 10.19.0.0 all share the same 14 high-level bits. A wildcard mask in binary that matches 14 high-order bits is 00000000.00000011.11111111.11111111. In dotted decimal, this wildcard mask is 0.3.255.255.

22. What type of ACL offers increased flexibility and control over network traffic?

• Extended
• Extensive
• Named standard
• Numbered standard

Explanation: The two types of ACLs are standard and extended. Both types can be named or numbered, but extended ACLs offer greater flexibility. Extended ACLs provide the most options and therefore the most filtering control.

23. Which statement describes a characteristic of standard IPv4 ACLs?

• They can be configured to filter traffic based on both source IP addresses and source ports.
• They can be created with a number but not with a name.
• They filter traffic based on destination IP addresses only.
• They filter traffic based on source IP addresses only.

Explanation: A standard IPv4 ACL can filter traffic based on source IP addresses only. Unlike an extended ACL, it cannot filter traffic based on Layer 4 ports. However, both standard and extended ACLs can be identified with either numbers or names, and both are configured in global configuration mode.

24. What wildcard mask will match network 10.10.100.64/26?

• 0.0.0.15
• 0.0.0.31
• 0.0.0.63
• 0.0.0.127

Explanation: A /26 is 255.255.255.192. Therefore, 255.255.255.255 – 255.255.255.192 = 0.0.0.63.