ActualTests.Cisco.640-802.Exam.Q.and.A.08.15.08-DDU (1130589), page 70
On which interface and in what direction should the access list be applied?

A. Certkiller 1 S0, out.
B. Certkiller 1 E1, in.
C. Certkiller 1 E1, out.
D. Certkiller 2 S1, in.
E. Certkiller 2 E0, out.
F. Certkiller 2 E0, in.

Answer: E

Explanation:
Since this is a standard access list, it should be placed near the destination. Standard access lists only match against the source IP address, so placing this access list anywhere else will prevent traffic from the Accounting department from reaching other areas of the network.

QUESTION 617:

The Certkiller network is displayed below:

Actualtests.com - The Power of Knowing
640-802

You want to apply an access list to the e0 interface on the Certkiller 1 router, with the goal of halting HTTPS traffic from the Production Department from reaching the HR server via the Certkiller 2 router. Which of the following access lists would you use?

A. Permit ip any any
   Deny tcp 172.16.16.0 0.0.0.255 172.17.17.252 0.0.0.0 eq 443
B. Permit ip any any
   Deny tcp 172.17.17.252 0.0.0.0 172.16.16.0 0.0.0.255 eq 443
C. Deny tcp 172.17.17.252 0.0.0.0 172.16.16.0 0.0.0.255 eq 443
   Permit ip any any
D. Deny tcp 172.16.16.0 0.0.0.255 172.17.17.252 0.0.0.0 eq 443
   Permit ip any any

Answer: D

Explanation:
This access problem is very simple: it tells you where to put the access list, so all you have to do is select the right one. You have to deny all HTTP traffic (TCP port 80) from crossing router 1's e0 while allowing everything else. This is accomplished by:
Deny tcp 172.16.16.0 0.0.0.255 172.17.17.252 0.0.0.0 eq 443
Permit ip any any

Incorrect Answers:
Either the order of the statements is reversed (since traffic is checked against an access list in order from the top down, all traffic will match the first statement and be permitted), or the source addresses are incorrect.

QUESTION 618:

Two Certkiller routers are connected together as shown below:

The access list shown should deny all hosts located on network 172.16.1.0, except host 172.16.1.5, from accessing the 172.16.4.0 network. All other networks should be accessible. Which command sequence will correctly apply this access list?

A. Certkiller 1(config)#interface fa0/0
   Certkiller 1(config-if)#ip access-group 10 in
B. Certkiller 1(config)#interface s0/0
   Certkiller 1(config-if)#ip access-group 10 out
C. Certkiller 2(config)#interface fa0/1
   Certkiller 2(config-if)#ip access-group 10 out
D. Certkiller 2(config)#interface fa0/0
   Certkiller 2(config-if)#ip access-group 10 out
E. Certkiller 2(config)#interface s0/1
   Certkiller 2(config-if)#ip access-group 10 out

Answer: D

Explanation:
In order to deny access only to the 172.16.4.0 network while permitting all other access as specified in this question, we need to apply this access list to router Certkiller 2, and it must be placed in the outbound direction of interface fa0/0. Applying this access list to any other interface or any other router would make other networks unreachable from the 172.16.1.0 network, except of course for 172.16.1.5.

QUESTION 619:

A network administrator wants to add a line to an access list that will block only Telnet access by the hosts on subnet 192.168.1.128/28 to the server at 192.168.1.5. What command should be issued to accomplish this task?

A. access-list 101 deny tcp 192.168.1.128 0.0.0.15 192.168.1.5 0.0.0.0 eq 23
   access-list 101 permit ip any any
B. access-list 1 deny tcp 192.168.1.128 0.0.0.15 host 192.168.1.5 eq 23
   access-list 1 permit ip any any
C. access-list 1 deny tcp 192.168.1.128 0.0.0.255 192.168.1.5 0.0.0.0 eq 21
   access-list 1 permit ip any any
D. access-list 101 deny tcp 192.168.1.128 0.0.0.240 192.168.1.5 0.0.0.0 eq 23
   access-list 101 permit ip any any
E. access-list 101 deny ip 192.168.1.128 0.0.0.240 192.158.1.5 0.0.0.0 eq 23
   access-list 101 permit ip any any
F. access-list 101 deny ip 192.168.1.128 0.0.0.15 192.168.1.5 0.0.0.0 eq 23
   access-list 101 permit ip any any

Answer: A

Explanation:
Only choice A specifies the correct TCP port and wildcard mask, and uses a valid access list number.

Incorrect Answers:
B, C: Access list 1 is used for these choices, which is a standard access list. In this example, an extended access list is required. Choice C also specifies port 21, which is used by FTP, not Telnet.
D, E: These choices use an incorrect wildcard mask of 0.0.0.240. It should be 0.0.0.15 for a /28 subnet.
F: IP is specified as the protocol, when it should be TCP.

QUESTION 620:

You are the network administrator at Certkiller. You apply the following access list on the E0 outbound interface connected to the 192.168.1.8/29 LAN:

access-list 21 deny tcp 192.168.1.8 0.0.0.7 eq 20 any
access-list 21 deny tcp 192.168.1.8 0.0.0.7 eq 21 any

What will the effect of this access list be?

A. All traffic will be allowed out of E0 except FTP traffic.
B. FTP traffic from 192.168.1.22 to any host will be blocked.
C. FTP traffic from 192.168.1.9 to any host will be blocked.
D. All traffic will be prevented from leaving E0.
E. All FTP traffic to network 192.168.1.9/29 from any host will be blocked.

Answer: D

Explanation:
By default, access lists contain an implicit deny statement at the end. In this example there is no permit statement, so the list will deny all traffic exiting the E0 interface. Any useful access list must contain at least one permit statement, or everything will be denied.

QUESTION 621:

You want to configure an ACL to block only TCP traffic using port 5190 on router CK1. Which access list statement will block all traffic on this router with a destination TCP port number of 5190 while not affecting other traffic?

A. access-list 180 deny ip any eq 5190 any
B. access-list 180 deny tcp any any eq 5190
C. access-list 180 deny tcp any eq 5190
D. access-list 180 deny tcp any eq 5190 any
E. access-list 180 deny telnet any any 5190
F. None of the above

Answer: B

Explanation:
Creating an extended ACL:
These lists are created and applied to an interface as either inbound or outbound packet filters. They are implemented in this format:

Access-list [list number] [permit | deny] [protocol] [source address] [source-mask] [destination address] [destination-mask] [operator] [port] [log]

1. List Number: A number between 100 and 199 (think of it as the name of the list.)
2. Permit | Deny: Whether to permit or deny this packet of information if conditions match
3. Protocol: Type of protocol for this packet (i.e., IP, ICMP, UDP, TCP, or protocol number)
4. Source Address: Number of the network or host that the packet is from (use the dotted-decimal format 192.168.1.12, or use the keyword ANY as an abbreviation for an address of 0.0.0.0 255.255.255.255, or use HOST and the dotted-decimal address.)
5. Source Mask: The network mask to use with the source address (Cisco masks are a little different: 0 = octet must match exactly; 255 = octet is not significant or doesn't matter.)
6. Destination Address: The address that the packet is going to, or ANY
7. Destination Mask: The network mask to use with the destination address (if you specify one)
8. Operator (optional entry): This applies to TCP or UDP ports only
   eq = equal
   lt = less than
   gt = greater than
   neq = not equal
   range = a range of ports; you must specify two different port numbers
   est = established connections
9. Port (optional entry): TCP/UDP destination port number or service
10. Log: Whether to log (if logging is enabled) this entry to the console

A sample inbound ACL would be:

access-list 100 deny ip 10.0.0.0 0.255.255.255 any log
access-list 100 deny ip 172.16.0.0 0.15.255.255 any log
access-list 100 deny ip 192.168.0.0 0.0.255.255 any log
access-list 100 deny ip any host 127.0.0.1 log
access-list 100 permit ip any [your network IP address] [your network mask] est
access-list 100 deny ip [your network IP address] [your network mask] any log
access-list 100 deny tcp any any eq 22222
access-list 100 deny tcp any any range 60000 60020 log
access-list 100 deny udp any any eq snmp log
access-list 100 permit ip any any

Reference: http://articles.techrepublic.com.com/5100-1035_11-1058307.html

QUESTION 622:

The Certkiller network topology exhibit is shown below:

Configuration exhibit:

Based on the information shown above, why would the Certkiller network administrator configure Router Certkiller 1 as shown above?

A. To prevent students connected to Certkiller 2 from accessing the command prompt of Router Certkiller 1
B. To give administrators access to the internet
C. To prevent students from accessing the admin network
D. To prevent students from accessing the internet
E. To give students access to the internet
F. To prevent administrators from accessing the console of Router Certkiller 1
G. None of the above

Answer: A

QUESTION 623:

Part of the Certkiller network is shown below:

In this Certkiller network segment, the following ACL was configured on the S0/0 interface of router Certkiller 2 in the outbound direction:

Access-list 101 deny tcp 192.168.15.32 0.0.0.15 any eq telnet
Access-list 101 permit ip any any

Based on this information, which two packets, if routed to the interface, will be denied? (Choose two)

A.