| A1: | Answer: D. Access lists stop traffic going through the router not traffic originating from the router, as in this scenario. Therefore, the administrator's Telnet session is able to connect. A is incorrect because Telnet uses TCP. B is incorrect. Telnet does use TCP traffic, but this is not the most likely cause of the problem. C is incorrect. Telnet connects to remote port 23 by default; however, the issue here is that the session initiated from the router, and access lists filter only traffic going through the router. |
| A2: | Answers: A, B, and C. Access lists can be used with QoS in implementing priority and custom queuing. Access lists can filter routing protocol updates. Access lists can also specify interesting traffic to trigger dial-on-demand routing. D is incorrect because access lists aren't used for console port security. |
| A3: | Answers: A, B, and E. Standard access lists check the packet's source address. Extended access lists check both source and destination packet addresses and other parts of the packets. Named access lists allow the use of a friendly name for the access list. C is incorrect because there are no restricted access lists. D is incorrect because there are no static access lists. F is incorrect, as there are no unnamed access lists. |
| A4: | Answers: B and E. Extended access lists can use source and destination information, including the source port, and named access lists can be either extended or standard, so they have the capability to filter based on the source port. A is incorrect because standard access lists can filter on source address information, but not source port. C is incorrect, as there are no restricted access lists. D is incorrect because there are no static access lists. F is incorrect because there are no unnamed access lists. |
| A5: | Answer: A. Standard access lists can filter based only on the source address, subnet, or source host IP address of a packet. B is incorrect because extended access lists can use source and destination information, including the source port. C is incorrect, as there are no dynamic access lists. D is incorrect because there are no static access lists. E is incorrect; if the named access list is an extended access list, this does not hold true. F is incorrect because there are no unnamed access lists. |
| A6: | Answers: A and D. Standard access lists can range from 1 99 and IP Standard Expanded ranges from 1300 1999. B is incorrect because this value is in the range for extended access lists. C is incorrect, as this is not a valid identifier for access lists. |
| A7: | Answers: B and C. Extended access lists can range from 100 199 and IP Extended Expanded ranges from 2000 2699. A is incorrect, as this is a standard access list identifier. D is incorrect, as this is outside the range of standard and extended access lists. |
| A8: | Answer: C. Named access lists allow the deletion of individual lines anywhere in the access list. The newer IOS versions support a named access list that can even add lines in between other lines. A is incorrect because standard access lists do not allow the deletion of specific lines. B is incorrect because extended access lists do not allow the deletion of specific lines. D is incorrect, as there are no unnamed access lists. |
| A9: | Answer: A. FTP uses TCP and ports 20 and 21. B is incorrect, as FTP uses TCP. C is incorrect because port 20 is required as well. D is incorrect, as UDP is not necessary. |
| A10: | Answer: A. TCP and UDP traffic need to be allowed on port 53. TCP is used typically by zone transfers, whereas UDP is used for queries. B is incorrect because port 69 is used by finger. C is incorrect, as port 67 is used by DHCP. D is incorrect because DNS queries use UDP and port 53. |
| A11: | Answer: C. A packet that does not meet any filters is dropped. A is incorrect because the packet is discarded instead of being routed. B is incorrect, as there is no mechanism to flag the packet. D is incorrect; although it is conceivable that an administrator could be notified, by default the packet is simply dropped. |
| A12: | Answers: A and D. No access list can filter packets originating from the router, and outbound access lists, if they are extended, can drop packets based on protocol numbers. B is incorrect because the filtering takes place after a routing decision has been made. C is incorrect because as the routing decision has been made, the router has already dropped packets that are not routable. |
| A13: | Answers: A, B, and D. No access lists can filter packets originating from a router; a routing decision has not been made until after the access list is processed; and extended access lists can be used as inbound access lists and can therefore filter packets based on protocol number. C is incorrect because the routeability of packets has not yet been determined, and access lists do not make routing judgments. |
| A14: | Answer: B. Because there is no permit statement and access lists end with an implicit deny all, no traffic is permitted. A is incorrect; this statement is true, but all traffic is denied, not just FTP traffic. C is incorrect because no traffic is permitted. D is incorrect, as all traffic is denied because of the lack of any permit statements. |
| A15: | Answers: A and D. The indicated mask affects the 172.16.0.0 network, so 172.16.99.1 and 172.16.1.1 are affected. B and C are incorrect, as 192.168.0.0 and 172.30 don't match the bits that matter those set to 0 in the mask. |
| A16: | Answers: B and C. The significant bits are the last 16, indicated by the wildcard mask of 255.255.0.0. The IP addresses 192.168.20.5 and 172.30.20.5 match the last two octets, or 16 bits, of the 10.0.20.5 IP address. A and D are incorrect; although the first portions of the IP address match, it is the last two octets that are significant. |
| A17: | Answer: B. To abbreviate the all-0 wildcard mask, use the keyword host to specify a single host. A and D are incorrect, as this is invalid syntax. C is incorrect because this syntax results in an error message. |
| A18: | Answer: C. You can replace 255.255.255.255 with the keyword any. A, B, and D are all invalid syntax options. |
| A19: | Answer: B. The wildcard mask 0.0.15.255 affects the 172.16.16.0 255.255.240.0 network. In the third octet, the first four bits are checked in binary, resulting in 00000000.00000000.00001111.11111111. A is incorrect, as this does not match the given problem, checking too many bits (five) in the last octet. C is incorrect because this mask checks only three bits in the third octet. D is incorrect because this mask checks only two bits in the third octet. |
| A20: | Answer: C. The subnet mask, in the third octet as binary, is 1110 0000. This indicates that the first three bits are significant in the wildcard mask, and the last five bits of the third octet are not checked. This gives 00011111 in the third octet, which is 31 in decimal notation. A is incorrect, as this wildcard mask checks too many bits (five) in the third octet. B is incorrect because this choice checks four bits in the IP, which are too few. D is incorrect because this choice considers only two bits significant in the third octet, which are too few for the example. |
| A21: | Answer: A. You may create only one access list per protocol, per direction, per interface. B is incorrect because you can have multiple access lists for a single port number and only one per direction. C is incorrect, as you may have only one access list per protocol, not per port number. D is incorrect because you may not have more than one access list per interface, which is not listed. |
| A22: | Answer: D. Access lists are processed from the top down, so ordering is very important. A is incorrect, as named access list lines can be deleted from anywhere, but insertions are at the end. B is incorrect; ordering is important, because after a rule is matched, processing ends. C is incorrect. More general rules should be placed at the end; otherwise, traffic might be unintentionally affected by the filter, whereas specific rules might not be applied because they are never processed. |
| A23: | Answer: B. The ip nat syntax can be quite cryptic because the Cisco router gives you plenty of flexibility with the form and directions of NAT translation. In this case, you are looking to create a static NAT translation to allow TCP port 80 (HTTP) to pass through the Cisco router to the internal web server. There are two ways to accomplish this: You can create a static NAT translation from the inside perspective or from the outside perspective. In this question, the only correct answer is the translation performed from the inside: ip nat inside source static tcp 172.16.55.10 80 interface fastEthernet 0/1 80. If you were to perform the static NAT translation from the outside perspective, you would not be given the option to choose to translate from an interface (fastEthernet 0/1, in this case). All other answers result in an invalid syntax message. |
| A24: | Answer: C. This is a fairly complex NAT configuration that combines both static NAT and NAT Overload features into a single configuration. First, all interfaces on the router are marked as either inside or outside NAT interfaces. Second, a standard access list needs to be created that shows the router what addresses should be translated. Third, the NAT Overload configuration is applied as coming from the addresses in access-list 50 going to the fastEthernet 2/0 interface. Finally, the static NAT translation is defined for port 21 (FTP) from the internal host (192.168.254.32) to the fastEthernet 2/0 interface. Answer A is incorrect because it is missing the static NAT translation. It also uses invalid syntax on the NAT Overload configuration. The Cisco router cannot translate from one interface to another; it always needs an access list defining the internal range. Answer B is incorrect because it is missing the protocol (TCP) and port number (21) for the static NAT translation and also uses the same invalid NAT Overload configuration as answer A. Answer D is incorrect because the static NAT translation goes between interfaces rather than to an internal IP address. The overload keyword is also missing from the NAT Overload syntax. This means only one IP address at a time can access the Internet. |
| A25: | Answer: B. If an empty access list is applied to an interface, all traffic is permitted through the interface. C is incorrect because traffic is allowed through the interface, not blocked. A and D are incorrect because you do not receive an error message. |
| A26: | Answers: A, D, and E. RFC 1918 defines a private address range for each of the three classes of usable addresses: Class A: 10.0.0.0/8, Class B: 172.16.0.0/16 172.31.255.255/16, and Class C: 192.168.0.0/24 192.168.255.255/24. Answer B is incorrect because it defines only one of the Class B ranges that are considered private; any address from the range 172.16.0.0/16 172.31.255.255/16 is considered a private address. Answer C is incorrect because this range represents addresses that are automatically assigned to a computer when it cannot obtain a valid address through DHCP (these are called local link addresses). They are not defined in RFC 1918 as a private address. Answer F is incorrect because this is the first range of Class D addresses, which are used for multicast. |
| A27: | Answer: B. The NAT configuration is missing the ip nat inside command under the fastethernet 0 interface. Without this command, the router does not know the interface it should use when translating internal, source addresses. Answer A is incorrect because static routes can be pointed to an exit interface or a next-hop address. Answer C is incorrect because Static NAT is commonly combined with NAT Overload features to accomplish required objectives. Answer D is incorrect because…well, this should be pretty obvious. |
| A28: | Answer: A. This answer has the correct syntax of the access-list command followed by the list number, permit/deny, and IP address, and a wildcard mask. B and D are incorrect because they indicate an extended access list. C is incorrect because the wildcard mask has been reversed. |
| A29: | Answer: B. This command uses the host keyword to specify a single host. A is incorrect, as deny follows the access list number. C is incorrect because the wildcard mask should be all zeros. D is incorrect because the access list number represents an extended access list. |
| A30: | Answer: C. An extended access list is required, and 101 fits. Additionally, this answer shows deny properly preceding tcp in the syntax. A is incorrect because deny should precede tcp. B and D are incorrect because the access list numbers are for a standard access list. |
| A31: | Answer: D. Use the any keyword to specify all destinations. A is incorrect because no destination is specified. B is incorrect, as this specifies a standard access list. C is incorrect because all is not the proper keyword. |
| A32: | Answer: D. Dynamic NAT allows you to configure multiple pools of IP addresses and translate between them. The router dynamically matches each IP address to one another as a request is made. Answer A is incorrect because Port Address Translation (PAT) is just another name for NAT Overload. Answer B is incorrect. Although Static NAT could perform this task, it would take quite a bit of configuration to manually map IP addresses in large pools. Answer C is incorrect because NAT Overload takes a group of IP addresses and translates them to a single (overloaded) IP address. |
| A33: | Answers: C and D. The generic Static NAT syntax for TCP translations is ip nat inside source static tcp <inside_ip> <inside_port> <outside_ ip/outside_interface> <outside_port>. In this case, only answers C and D match this syntax. Answers A and E flip the IP address and port numbers in the wrong location, which produce a syntax error. Answer B uses port 20, which is used by FTP; however, only port 21 is used to initiate an FTP session. After a client initiates the incoming FTP session on port 21, the FTP server establishes an outgoing FTP data connection using port 20. Because of this, no incoming NAT translation is necessary for TCP port 20. |
| A34: | Answer: D. The access-class 1 in command is used to apply access-list 1 inbound to the vty interface. A is incorrect because the access-group command is used on physical interfaces. B is incorrect because the vty keyword is invalid. C is incorrect because the access-list command is used to create access list entries. |
| A35: | Answers: A and D. Extended access lists should go near the source of the traffic, and standard access lists should go close to the destination. B is incorrect because extended access lists close to the destination cause routers to process more packets than necessary. C is incorrect because standard access lists close to the source may drop too much traffic and prohibit network communications. |
| A36: | Answer: C. The correct syntax is show ip interface serial 0/1, which displays detailed information about the interface, including the applied access lists. A is incorrect, as this is invalid syntax and results in an error. B and D are invalid commands. |
| A37: | Answer: C. The show access-lists command is correct and displays each access list defined on the device, as well as its entries. A is incorrect because the keyword ip is used only if you want to see the IP standard and extended access lists. It does not show you any MAC address, IPX, or AppleTalk access lists, and the question specifically states you would like to see all access lists. B and D are incorrect because the keyword all is invalid. |
| A38: | Answer: B. To apply the access list to an interface, enter Interface Configuration mode and use the ip access-group command, specifying the list and direction. A is incorrect, as the interface is not specified in the command, but by entering Interface Configuration mode. C is incorrect, as access-group is the correct command, and the direction is not specified. D is incorrect because the command is access-group, not access-list. |
| A39: | Answer: A. SSH uses port 22. B is incorrect, as port 23 is used by Telnet. C is incorrect, as port 69 is used by finger. D is incorrect because port 443 is used by HTTPS. |
| A40: | Answer: C. POP3 uses TCP port 110. A is incorrect, as SMTP uses port 25. B is incorrect, as IMAP uses port 143. D is incorrect because port 443 is used by HTTPS. |
| A41: | Answer: D. You need to apply the access list to a vty line in Line Configuration mode for it to be effective. A is incorrect because even though you are in Privileged EXEC mode, this answer is too general. B is incorrect, as the access list is created in Global Configuration mode. C is incorrect because vty access is controlled by Line Configuration mode, not Interface Configuration mode. |
| A42: | Answer: C. You need to restrict Telnet traffic through the appropriate interfaces. A is incorrect because Privileged EXEC mode is not specific. B is incorrect because Global Configuration mode is used to create the access list. D is incorrect because Line Configuration mode can be used to control Telnet access to the router, but not through it. |
| A43: | Answer: D. You cannot choose which line you connect to when telnetting from an outside location, so it is typically best to apply the same rules for each line. A is incorrect because although you do want to keep intruders out, this is not the best reason. B is not correct, as this is effectively what you are doing, but it is not a compelling reason to do so. C is incorrect because you do not have to apply the same list to each line. |
| A44: | Answer: C. You must delete the list and re-create it entirely. The remaining responses are incorrect because you cannot selectively delete lines. |
| A45: | Answer: D. You can selectively delete lines in named access lists, and only in named access lists. C is incorrect because although you could re-create the entire list, it is much more work than is necessary. A and B are incorrect because you cannot selectively delete lines. |
| A46: | Answer: D. NAT can accomplish some pretty amazing feats; however, sharing an IP address for two servers that use the same port number is not one of them. In this case, you need two public Internet addresses to allow both internal web servers to be accessed on TCP port 80. The other servers can use port 21 (FTP) and port 25 (SMTP) on either of the public Internet IP addresses. Answer A could be used to solve this problem, but it is not the best solution because it is more costly to deploy than answer D. B is incorrect because NAT Overload allows the servers to share only a single IP address when accessing the Internet, not when the requests originate from the Internet. Answer C is incorrect because you can map only TCP port 80 on the single IP address to one of the internal web servers. The other cannot be accessed from the Internet. |
| A47: | Answer: B. Access list entries are created and defined in Global Configuration mode. A is incorrect because Privileged EXEC mode is too general. C is incorrect, as vty lines are configured in Line Configuration mode, but access list entries are created in Global Configuration mode. D is incorrect because Line Configuration mode is for applying the access list. |
| A48: | Answer: B. The log option sends a message to the console. A, C, and D are all invalid keywords. |
| A49: | Answer: C. The no access-class 1 command removes the access list from the vty line. A and B are incorrect, as they are not valid commands on the vty line. D is incorrect, as there is no delete switch in the syntax. |
| A50: | Answer: A. A 0 indicates the bit is checked or significant. B is incorrect because the first four bits are ignored. C is incorrect because the first two bits are ignored. D is incorrect because the first six bits are checked. |
