ActualTests.Cisco.640-802.Exam.Q.and.A.08.15.08-DDU (1130589), page 69
All other hosts should be allowed to access. What commands should be entered on the router to accomplish this task?

A.
Router(config)#access-list 101 deny tcp 192.168.23.64 0.0.0.63 192.168.23.128 0.0.0.63 eq ftp
Router(config)#access-list 101 permit ip any any
Router(config)#interface fa0/0
Router(config-if)#ip access-group 101 in

B.
Router(config)#access-list 101 deny tcp 192.168.23.64 0.0.0.255 192.168.23.128 0.0.0.255 eq ftp
Router(config)#access-list 101 permit ip any any
Router(config)#interface fa0/0
Router(config-if)#ip access-group 101 in

Actualtests.com - The Power of Knowing
640-802

C.
Router(config)#access-list 101 deny tcp 192.168.23.64 0.0.0.63 192.168.23.128 0.0.0.63 eq ftp
Router(config)#access-list 101 permit ip any any
Router(config)#interface fa0/0
Router(config-if)#access-list 101 out

D.
Router(config)#access-list 101 deny tcp 192.168.23.64 0.0.0.255 192.168.23.128 0.0.0.255 eq ftp
Router(config)#access-list 101 permit ip any any
Router(config)#interface fa0/1
Router(config-if)#ip access-group 101 in

E.
Router(config)#access-list 101 deny tcp 192.168.23.128 0.0.0.63 192.168.23.64 0.0.0.63 eq ftp
Router(config)#access-list 101 permit ip any any
Router(config)#interface fa0/1
Router(config-if)#ip access-group 101 in

F.
Router(config)#access-list 101 deny tcp 192.168.23.128 0.0.0.255 192.168.23.128 0.0.0.255 eq ftp
Router(config)#access-list 101 permit ip any any
Router(config)#interface fa0/1
Router(config-if)#ip access-group 101 out

Answer: A
Explanation:
Only choice A specifies the correct wildcard mask and direction.
If we apply the access list to interface FA0/0, we need to specify incoming FTP traffic from the 192.168.23.64/26 network to the 192.168.23.128/26 network.

Incorrect Answers:
B, D, F. The wildcard mask for a /26 network is 0.0.0.63, not 0.0.0.255.
C. This access list statement is correct, but when it is applied to the FA0/0 interface it needs to be in the incoming direction.
E. This access list needs to be applied to interface FA0/0, not FA0/1. Alternatively, it could have been applied to interface FA0/1, but in the outbound direction, not the inbound direction.

QUESTION 610:
The network topology for a Certkiller location is shown below:
Refer to the graphic.
It has been decided that Workstation 1 should be denied access to Server1. Which of the following commands are required to prevent only Workstation 1 from accessing Server1 while allowing all other traffic to flow normally? (Choose two)

A.
Router CK1 (config)# interface fa0/0
Router CK1 (config-if)# ip access-group 101 out

B.
Router CK1 (config)# interface fa0/0
Router CK1 (config-if)# ip access-group 101 in

C.
Router CK1 (config)# access-list 101 deny ip host 172.16.161.150 host 172.16.162.163
Router CK1 (config)# access-list 101 permit ip any any

D.
Router CK1 (config)# access-list 101 deny ip 172.16.161.150 0.0.0.255 172.16.162.163 0.0.0.0
Router CK1 (config)# access-list 101 permit ip any any

Answer: B, C
Explanation:
To block communication between Workstation A and Server 1, we have to configure an extended access list.
To define an extended IP access list, use the extended version of the access-list command in global configuration mode. To remove the access lists, use the no form of this command.

access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} protocol source source-wildcard destination destination-wildcard

The source address will be that of Workstation A, i.e. 172.16.161.150, and the destination address will be that of Server 1, i.e. 172.16.162.163.
The access list will be placed on FA0/0 of Router CK1.

QUESTION 611:
Which wildcard mask will enable a network administrator to permit access to the Internet for only hosts that are assigned an address in the range 192.168.8.0 through 192.168.15.255?
A. 0.0.0.0
B. 0.0.0.255
C. 0.0.255.255
D. 0.0.7.255
E. 0.0.3.255
F. None of the above
Answer: D
Explanation:
Wildcard mask summarization example:
This list describes how to summarize a range of networks into a single network for ACL optimization. Consider these networks.
192.168.32.0/24
192.168.33.0/24
192.168.34.0/24
192.168.35.0/24
192.168.36.0/24
192.168.37.0/24
192.168.38.0/24
192.168.39.0/24
The first two octets and the last octet are the same for each network. This table is an explanation of how to summarize these into a single network.
The third octet for the above networks can be written as seen in this table, according to the octet bit position and address value for each bit.
Since the first five bits match, the above eight networks can be summarized into one network (192.168.32.0/21 or 192.168.32.0 255.255.248.0).
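The bit comparison described above, worked through as an added example (not part of the original exam material): it rebuilds the third-octet bit view of the eight networks, derives the wildcard mask for a first-to-last address range, and applies the IOS-style wildcard comparison. The function names octet_bits, summarize and acl_match are illustrative, and the 192.168.23.x inputs are constructed.

```python
import ipaddress

def octet_bits(networks, octet=2):
    """(decimal, 8-bit binary) of one octet (0-based index) per network."""
    rows = []
    for net in networks:
        value = ipaddress.ip_network(net).network_address.packed[octet]
        rows.append((value, format(value, "08b")))
    return rows

def summarize(first, last):
    """One (base, wildcard) ACL pair covering first..last.

    The third item is False when the pair also matches addresses
    outside the requested range (the range is not a clean bit block).
    """
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    # Everything from the highest differing bit downward is "don't care".
    wildcard = (1 << (lo ^ hi).bit_length()) - 1
    base = lo & ~wildcard & 0xFFFFFFFF
    exact = base == lo and (base | wildcard) == hi
    return (str(ipaddress.IPv4Address(base)),
            str(ipaddress.IPv4Address(wildcard)), exact)

def acl_match(addr, base, wildcard):
    """IOS-style comparison: bits set in the wildcard are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

if __name__ == "__main__":
    nets = [f"192.168.{n}.0/24" for n in range(32, 40)]  # networks listed above
    print("octet " + " ".join(f"{w:>3}" for w in (128, 64, 32, 16, 8, 4, 2, 1)))
    for value, bits in octet_bits(nets):
        print(f"{value:>5} " + " ".join(f"{b:>3}" for b in bits))
    print(summarize("192.168.32.0", "192.168.39.255"))
    print(summarize("192.168.8.0", "192.168.15.255"))
    # Constructed range that is not bit-aligned: the single entry over-matches.
    print(summarize("192.168.23.64", "192.168.23.200"))
    # A /26 base with the /24 wildcard also matches hosts outside the /26.
    print(acl_match("192.168.23.10", "192.168.23.64", "0.0.0.63"))
    print(acl_match("192.168.23.10", "192.168.23.64", "0.0.0.255"))
```

When the third item returned by summarize is False, a single ACL entry would match more than the intended range, so the range has to be split into several bit-aligned entries.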
All eight possible combinations of the three low-order bits are relevant for the network ranges in question. This command defines an ACL that permits this network. If you subtract 255.255.248.0 (normal mask) from 255.255.255.255, it yields 0.0.7.255.

access-list acl_permit permit ip 192.168.32.0 0.0.7.255

Reference:
http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml#topic2

QUESTION 612:
Two Certkiller routers are connected as shown below:
A network administrator in Miami has been instructed to prevent all traffic originating on the Chicago LAN from entering the Miami router.
Which statement would accomplish this filtering?
A. access-list 101 deny ip 192.168.45.0 0.0.0.255 any
B. access-list 101 deny ip 192.168.45.0 0.0.0.0 any
C. access-list 101 deny ip 192.168.46.0 0.0.0.255 192.168.45.0 0.0.0.255
D. access-list 101 deny ip 192.168.46.0 0.0.0.255 any
Answer: A
Explanation:
Using an access list we can allow or deny packets from different hosts or networks. There are two types of access list: standard and extended.
Standard. A standard access list can allow or deny a request only on the basis of source address. An extended access list can allow or deny on the basis of source, destination, protocol, port, etc.
Syntax of standard Access List:
access-list ACL number permit | deny protocol source address netmask service

QUESTION 613:
The Certkiller network is shown in the following exhibit:
Refer to the graphic. A named access list called records_block has been written to prevent student and Internet access to the records server.
All other users within the enterprise should have access to this server. The list was applied to the e0 interface of the Ken router in the outbound direction. Which of the following conditions should the access list contain to meet these requirements? (Choose two.)
A. deny 172.16.64.252 0.0.0.0 172.16.62.0 0.0.0.255
B. deny 172.16.62.0 0.0.0.255 172.16.64.252 0.0.0.0
C. deny 172.16.64.252 0.0.0.0 any
D. permit 172.16.64.252 0.0.0.0 172.16.0.0 0.0.255.255
E. permit 172.16.0.0 0.0.255.255 172.16.64.252 0.0.0.0
F. permit any any
Answer: B, E
Explanation:
When you create the named access list, you can start your policy from permit or deny.
As per the question, traffic from the Internet and the student network needs to be blocked; the student network is 172.16.62.0/24.
The "deny 172.16.62.0 0.0.0.255 172.16.64.0 0.0.0.255" command will deny the student network access to the Record Server. If you do not permit any other network, the deny all at the end of the list blocks everything else.
The "permit 172.16.0.0 0.0.255.255 172.16.64.252 0.0.0.0" command allows all other hosts from the 172.16 network to access the Record Server.
The implicit deny all will then block Internet users from accessing the records server.

QUESTION 614:
You are securing a network for Certkiller and want to apply an ACL (access control list) to an interface of a router. Which one of the following commands would you use?
A. permit access-list 101 out
B. ip access-group 101 out
C. apply access-list 101 out
D. access-class 101 out
E. ip access-list e0 out
F. None of the above
Answer: B
Explanation:
To enable an ACL on an interface and define the direction of packets to which the ACL is applied, the ip access-group command is used. In this example, the access list is applied to packets going out of the interface. Packets coming in on the interface are not checked against access list 101.

QUESTION 615:
The following access list was applied outbound on the E0 interface connected to the 192.169.1.8/29 LAN:
access-list 135 deny tcp 192.169.1.8 0.0.0.7 eq 20 any
access-list 135 deny tcp 192.169.1.8 0.0.0.7 eq 21 any
How will the above access lists affect traffic?
A. FTP traffic from 192.169.1.22 will be denied.
B. No traffic, except for FTP traffic will be allowed to exit E0.
C. FTP traffic from 192.169.1.9 to any host will be denied.
D. All traffic exiting E0 will be denied.
E. All FTP traffic to network 192.169.1.9/29 will be denied.
Answer: D
Explanation:
When an access list is created, an implicit deny all entry is created at the end. Therefore, each access list created needs to have at least one permit statement, otherwise it will have the effect of prohibiting all traffic. If the intent in this example was to block only certain hosts from being able to FTP, then the following line should have been included at the end of the access list:
Router(config)#access-list 135 permit ip any any

QUESTION 616:
Study the following network diagram displaying the Certkiller network:
With the goal of preventing the accounting department from gaining access to the HR server, the following access list is created:
access-list 19 deny 192.168.16.128 0.0.0.31
access-list 19 permit any
All other traffic is to be permitted through the network.