ActualTests.Cisco.640-802.Exam.Q.and.A.08.15.08-DDU (1130589), page 68
Switches

Answer: B, E

Actualtests.com - The Power of Knowing
640-802

QUESTION 601:

The Certkiller worldwide WAN is shown in the exhibit below:

On the Hong Kong router an access list is needed that will accomplish the following:

1. Allow a Telnet connection to the HR Server through the Internet
2. Allow internet HTTP traffic to access the webserver
3. Block any other traffic from the internet to everything else

Which of the following access list statements are capable of accomplishing these three goals? (Select all that apply)

A. access-list 101 permit tcp any 172.17.18.252 0.0.0.0 eq 80
B. access-list 1 permit tcp any 172.17.17.252 0.0.0.0 eq 23
C. access-list 101 permit tcp 172.17.17.252 0.0.0.0 any eq 23
D. access-list 101 deny tcp any 172.17.17.252 0.0.0.0 eq 23
E. access-list 101 deny tcp any 172.17.18.252 0.0.0.0 eq 80
F. access-list 101 permit tcp any 172.17.17.252 0.0.0.0 eq 23

Answer: A, F

Explanation:
Because of the implicit deny rule at the end of every access list, only two choices need to be made, as the final requirement is automatic.

A. This is correct, as we need the access list to allow port 80 connections (port 80 = HTTP) from anywhere to the web server's IP address.
F. This will fulfill the first requirement, as it allows port 23 (Telnet) traffic from anywhere.

Incorrect Answers:
B. The answer asks you to create an access list, a single one. The answer choices require you to choose two answers. For two statements to be on the same list, you need them to have the same number. So answer choice B can be ruled out by process of elimination. In addition to this, access list 1 is an illegal number, since we need an extended access list to use source and destination information, and extended access lists are in the 100-199 range.
C. This is incorrect as it allows telnet traffic from the HR server to the Internet, but we need it to be the other way around.
D, E: Because of the implicit deny any rule, we need to only be concerned with the access rules that permit traffic.

QUESTION 602:

The Certkiller WAN is displayed below:

An access list needs to be implemented that will block users from the Graphics Department from telnetting to the HR server; and this list is to be implemented on the Ethernet 0 interface of the Westfield router for the inbound direction.
All other office communications should be allowed. Which of the following answer choices would accomplish this?

A. deny tcp 192.168.16.0 0.0.0.255 192.168.17.252 0.0.0.0 eq 23
   permit ip any any
B. permit ip any any
   deny tcp 192.168.16.0 0.0.0.255 192.172.252 0.0.0.0 eq 23
C. permit ip any any
   deny tcp 192.168.17.252 0.0.0.0 192.168.0 0.0.0.255 eq 23
D. deny tcp 192.168.18.262 0.0.0.0 192.168.16.0 0.0.0.255 eq 23
   permit ip any any
E. None of the above

Answer: A

Explanation:
The syntax for an access list is the source address first then the destination address.
In this case the source address is 192.168.16.0/24 and the destination address 192.168.17.252. The "permit ip any any" statement is required because of the implicit deny all at the end of every access list. Generally speaking, all access lists require at least one permit statement, otherwise all traffic will be denied through the interface.

QUESTION 603:

The Certkiller WAN is shown below:

Your goal is to allow FTP access to the HR server, while blocking out all other traffic. Which of the access list configurations below will fulfill your goal? (Select two answer choices)

A. Access-list 101 Permit tcp any 192.168.44.252 0.0.0.0 eq 21
B. Access-list 101 Permit tcp any 192.168.44.252 0.0.0.0 eq 20
C. Access-list 101 Permit tcp 192.168.44.252 0.0.0.0 any eq 20
D. Access-list 101 Permit tcp 192.168.44.252 0.0.0.0 any eq 21
E. Access-list 101 Deny tcp any 192.168.44.255 0.0.0.0 gt 21
F. Access-list 101 Permit tcp 192.168.44.255 0.0.0.0 any gt 21

Answer: A, B

Explanation:
FTP uses two ports: TCP port 20 and TCP port 21. You want to allow all hosts (ANY) to access the HR server (192.168.44.252 0.0.0.0) through FTP (eq 20 & eq 21), and the implicit deny any rule will block everything else.

QUESTION 604:

The Certkiller Network is displayed in the following diagram:

You need to place an access list on the Fa0 interface of the Home router that will deny access to all hosts that lie within the range 192.168.160.0-192.168.191.0.
Hosts in the 192.168.195.0 network should be granted full access. Which one of the following answer choices fulfills your needs?

A. access-list 1 deny 192.168.163.0 0.0.0.255
B. access-list 1 deny 192.168.128.0 0.0.127.255
C. access-list 1 deny 192.168.160.0 0.0.255.255
D. access-list 1 deny 192.168.160.0 0.0.31.255
E. None of the above

Answer: D

Explanation:
This question is really more of an inverse subnet masking question than a security question. Your goal is to block access to the host range 192.168.160.0-192.168.191.0 while allowing everything else (including hosts from 192.168.195.0) full access.
Answer choice D is correct because the address and mask are numbered correctly.

QUESTION 605:

Which of the following access list statements would deny traffic from a specific host?

A. Router(config)# access-list 1 deny 172.31.212.74 any
B. Router(config)# access-list 1 deny 10.6.111.48 host
C. Router(config)# access-list 1 deny 172.16.4.13 0.0.0.0
D. Router(config)# access-list 1 deny 192.168.14.132 255.255.255.0
E. Router(config)# access-list 1 deny 192.168.166.127 255.255.255.255

Answer: C

Explanation:
Only choice C is the correct syntax for a specific host.
The access list is denying all traffic from the host with IP address 172.16.4.13. It is important to note that in an access list, the subnet mask is the inverse. Normally, a host subnet mask is 255.255.255.255, but in an access list it is 0.0.0.0.

Incorrect Answers:
A. The syntax is incorrect here, as there is no subnet mask at all specified.
B. This would be an acceptable choice, if the "host" keyword were placed in front of the IP address, not after.
D. The subnet mask here includes the entire class C network, not an individual host.
E. In an access list, the subnet mask is an inverse mask. The mask specified here would be equivalent to all 0's in a subnet mask, meaning that the don't care bits apply to the entire address.

QUESTION 606:

Which IP address and wildcard mask would you use in your ACL to block all the hosts in the subnet 192.168.16.43/28?

A. 192.168.16.32 0.0.0.16
B. 192.168.16.43 0.0.0.212
C. 192.168.16.0 0.0.0.15
D. 192.168.16.32 0.0.0.15
E. 192.168.16.0 0.0.0.31
F. 192.168.16.16 0.0.0.31

Answer: D

Explanation:
Since there are 28 bits in the subnet mask, we can find the inverse mask by reversing the 1's and 0's.

/28 = 11111111.11111111.11111111.11110000
/28 Inverse = 00000000.00000000.00000000.00001111 = 192.168.16.32/15

The address 192.168.16.32 and the wildcard mask 0.0.0.15 is the correct answer as shown. This will match all addresses in the 192.168.16.32-192.168.16.47 range.

QUESTION 607:

Two Certkiller routers are connected together as shown below:

In order to control access on the Certkiller network, the following access list is created:

access-list 101 permit tcp 192.168.1.16 0.0.0.15 192.168.2.16 0.0.0.15 eq 23

What would happen if you applied the following ACL to any one of the Certkiller routers in the above exhibit? On what interface and what direction should you apply it? Once applied, what will this access list accomplish? (Select all valid answer choices)

A. Telnet traffic from 192.168.1.16 0.0.0.15 to 168.2.16 0.0.0.15 is allowed.
B. SMTP traffic from 192.168.1.16 0.0.0.15 to 168.2.16 0.0.0.15 is allowed.
C. The ACL is configured to allow traffic from one specific host to another.
D. The ACL should be applied inbound to the e0 interface of Router Certkiller 1.
E. The ACL should be applied outbound to the e0 interface of Router Certkiller 1.

Answer: A, D

Explanation:
This is a two part question. The first part is the type of traffic that will match this specific access list entry. Since telnet uses TCP port 23, choice A is correct.
Next, to determine which interface and which direction to apply the access list, we see that the source of the traffic is the 192.168.1.16/28 network, while the destination is the 192.168.2.16/28 network.
Therefore, only choice D makes sense.

Incorrect Answers:
B. SMTP uses TCP port 25.
C. There is a /15 network mask for both the source and destination in this access list, which translates to a /28 network.
E. This would not be useful if applied to the outbound, as no traffic would match then. Note that if this answer had stated that the access list be placed on the outbound serial (WAN) interface, then this would have been an acceptable choice.

QUESTION 608:

The Certkiller network is subnetted using 29 bits for the subnet mask.
Which wildcard mask should be used to configure an extended access list to permit or deny access to an entire subnetwork?

A. 255.255.255.224
B. 255.255.255.248
C. 0.0.0.224
D. 0.0.0.8
E. 0.0.0.7
F. 0.0.0.3
G. None of the above

Answer: E

Explanation:
Class C wild card masks start with 0.0.0.x. The subnet used in this example is 29 bits, or subnet mask 255.255.255.248. Therefore, we are left with 7 hosts in the final octet (255-248) so the answer is 0.0.0.7.

QUESTION 609:

Part of the Certkiller network is shown below:

The Certkiller network administrator wants to prevent computers on the 192.168.23.64/26 subnet from accessing the 192.168.23.128/26 subnet via FTP.