Access-list Questions
Note: If you are not sure about Access list, please read our Access List Tutorial.
Question 1
Explanation
The “deny tcp any host 10.30.0.100 eq 80” command means “block all (any) traffic from accessing the web server at 10.30.0.100 on port 80”. Since the ACL is applied to the VLAN 20 interface, only computers on VLAN 20 are affected.
In summary, notice that 10.30.0.100 here is the destination IP address, not the source address.
Note: The traffic flow from hosts in VLAN 20 to the Web Server is: host in VLAN 20 -> Interface VLAN 20 -> Interface VLAN 30 -> Web Server. If we place the ACL: host in VLAN 20 -> (ACL Inbound) Interface VLAN 20 -> Interface VLAN 30 -> Web Server. Therefore the ACL can block traffic from VLAN 20.
Question 2
Question 3
Explanation
If we have a matching permit statement too high in the access list, it will be matched first, before we can deny it -> Answer B is correct.
The statement that an ACL always has an implicit deny any at the bottom has one exception: when the ACL is empty. If you use ip access-group to apply an ACL and that ACL has no statements, then all traffic is permitted -> Answer D is correct.
Reference: https://community.cisco.com/t5/routing/apply-empty-acl-what-happens/td-p/740473
Note: Answer C seems to be correct too, but we only have two choices in this question and this answer is not among the best answers. A matching permit statement can be too broadly defined (for example, if we only want to permit TCP traffic then we should not permit “ip” traffic, which includes both TCP and UDP).
Question 4
Explanation
To deny SSH, we must block TCP port 22 and we need to apply the ACL to Gi0/0 interface (which connects to PC-1).
Note: TCP port 23 is used for Telnet.
Question 5
Explanation
By placing the ACL closest to the source, we can reduce unnecessary traffic passing between two routers and the processing time of the router.
Question 6
Question 7
Explanation
The operations team resides on the 10.20.1.0/25 network, which is part of the 10.20.1.0/24 network, so we need to remove the “deny” statement for the 10.20.1.0/25 network to allow SSH.
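A small first-match ACL evaluator, added here as an illustration and not part of 9tut's material, that applies the rules the explanations above rely on: the first matching entry wins, a non-empty list ends in an implicit deny, an empty list permits everything (Question 3), and wildcard bits set to 1 are "don't care" (the 0.0.0.127 mask discussed in the comments on Question 6). The entries in the block are constructed: the wwwblock list follows the Question 1 answer quoted in the comments, and the SSH list is a made-up stand-in for the Question 7 ordering problem.

```python
import ipaddress

def _parse_addr(tok, i):
    """Consume a Cisco address spec and return ((base, wildcard), next_index)."""
    if tok[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tok[i] == "host":
        return (tok[i + 1], "0.0.0.0"), i + 2
    return (tok[i], tok[i + 1]), i + 2

def _match_addr(spec, addr):
    """Wildcard bits set to 1 are 'don't care', so only the other bits must agree."""
    base, wildcard = spec
    diff = int(ipaddress.IPv4Address(addr)) ^ int(ipaddress.IPv4Address(base))
    return (diff & ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF) == 0

def parse_ace(line):
    """Parse '<permit|deny> <ip|tcp|udp> <src> [eq P] <dst> [eq P]'."""
    tok = line.split()
    src, i = _parse_addr(tok, 2)
    sport = dport = None
    if i < len(tok) and tok[i] == "eq":
        sport, i = int(tok[i + 1]), i + 2
    dst, i = _parse_addr(tok, i)
    if i < len(tok) and tok[i] == "eq":
        dport = int(tok[i + 1])
    return {"action": tok[0], "proto": tok[1], "src": src, "sport": sport,
            "dst": dst, "dport": dport}

def evaluate(acl, proto, src, dst, sport=None, dport=None):
    """First matching entry wins. A non-empty ACL ends with an implicit deny;
    an ACL with no entries permits everything (the exception from Question 3)."""
    entries = [parse_ace(line) for line in acl]
    for e in entries:
        if e["proto"] not in ("ip", proto):
            continue
        if not (_match_addr(e["src"], src) and _match_addr(e["dst"], dst)):
            continue
        if e["sport"] not in (None, sport) or e["dport"] not in (None, dport):
            continue
        return e["action"]
    return "permit" if not entries else "deny"

# Constructed sample lists: WWWBLOCK is the Question 1 answer quoted in the comments;
# SSH_ACL is a made-up stand-in for Question 7 (deny /25 listed above permit /24).
WWWBLOCK = ["deny tcp any host 10.30.0.100 eq 80", "permit ip any any"]
SSH_ACL = ["deny tcp 10.20.1.0 0.0.0.127 any eq 22",
           "permit tcp 10.20.1.0 0.0.0.255 any eq 22"]

if __name__ == "__main__":
    print(evaluate(WWWBLOCK, "tcp", "10.20.0.5", "10.30.0.100", dport=80))    # deny
    print(evaluate(WWWBLOCK, "tcp", "10.30.0.100", "10.20.0.5", sport=80))    # permit: server is the source here
    print(evaluate(SSH_ACL, "tcp", "10.20.1.10", "10.20.2.1", dport=22))      # deny: the /25 entry matches first
    print(evaluate(SSH_ACL[1:], "tcp", "10.20.1.10", "10.20.2.1", dport=22))  # permit once the deny is removed
    print(evaluate([], "tcp", "10.20.1.10", "10.20.2.1", dport=22))           # permit: empty ACL
```

Swapping 0.0.0.127 for 0.0.0.128 in the /25 entry makes it match only addresses whose last octet is 0 or 128, because that wildcard marks exactly one bit as don't-care rather than the low seven.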
Hello
very good
very good , thank you
Hi Team
Question one has 10.30.0.0 as the host; should it not be 10.20.0.0?
Thanks
Hi @9tut, for question 7, isn't choice D more appropriate?
I meant choice B, sorry. Isn't B more correct?
@9tut, In Q6, the option D is : R1(config)# access-list 5 permit 10.0.70.0 0.0.0.127
should not the subnet mask be 0.0.0.128 instead of 127 ?
@Garry yeah you are right…it should be 0.0.0.128 instead of 127…@9tut
@9tut Q4 isn’t C the right answer? Because it denies SSH access from any interface. If you configure the ACL just on the ethernet interface, we are not restricting access from the loopback interfaces.
Hello
I can’t see the questions or the answers?! Only the explanation.
Can anyone see the Q and A, or is it just me?!
@9tut
I think Q4, D is correct.
Please explain.
@Shiva: To deny SSH, we must block TCP port 22 and we need to apply the ACL to Gi0/0 interface (which connects to PC-1).
Note: TCP port 23 is used for Telnet.
Thanks for your help
@9tut, Q1. The answer mentioned is B:
config t
ip access-list extended wwwblock
deny tcp any host 10.30.0.100 eq 80
permit ip any any
int vlan 20
ip access-group wwwblock in
Should it not be deny tcp 10.20.0.0 0.0.0.255 host 10.30.0.100 eq 80 ?
Good questions. Thank you guys.
On Q7, why can’t we just permit the /25? Is it the rule since it’s a subnetwork?