Modules 8-10 Flashcards

(49 cards)

1
Q

When creating an ACL, which keyword should be used to document and interpret the purpose of the ACL statement on a Cisco device?

a) remark

b) description

c) established

d) eq

A

Answer:
a) remark

Explanation:
Use remark inside ACLs to document purpose/notes. established is for TCP return traffic; eq specifies ports; description is for interfaces.

2
Q

Which two pieces of information are required when creating a standard access control list? (Choose two.)

a) access list number between 1 and 99

b) source address and wildcard mask

c) destination address and wildcard mask

d) subnet mask and wildcard mask

e) access list number between 100 and 199

A

Answer:
a) access list number between 1 and 99; b) source address and wildcard mask

Explanation:
Standard ACLs (1–99, 1300–1999) filter only source IPs, using a wildcard mask.

3
Q

What two steps provide the quickest way to completely remove an ACL from a router? (Choose two.)

a) Removal of the ACEs is the only step required.

b) Modify the number of the ACL so that it doesn’t match the ACL associated with the interface.

c) Copy the ACL into a text editor, add no before each ACE, then copy the ACL back into the router.

d) Remove the inbound/outbound reference to the ACL from the interface.

e) Use the no access-list command to remove the entire ACL.

f) Use the no keyword and the sequence number of every ACE within the named ACL to be removed.

A

Answer:
d) Remove the inbound/outbound reference to the ACL from the interface.

e) Use the no access-list command to remove the entire ACL.

Explanation:
First unapply the ACL from interfaces, then delete it (no access-list …).

4
Q

Which two types of addresses should be denied inbound on a router interface that attaches to the Internet? (Choose two.)

a) private IP addresses

b) any IP address that starts with the number 127

c) any IP address that starts with the number 1

d) NAT translated IP addresses

e) public IP addresses

A

Answer:
a) private IP addresses; b) any IP address that starts with the number 127

Explanation:
Block RFC1918 and 127.0.0.0/8 inbound to mitigate spoofing; also block broadcasts/multicast as appropriate.

5
Q

In the creation of an IPv6 ACL, what is the purpose of the implicit final command entries, permit icmp any any nd-na and permit icmp any any nd-ns?

a) to allow forwarding of ICMPv6 packets

b) to allow automatic address configuration

c) to allow IPv6 to MAC address resolution

d) to allow forwarding of IPv6 multicast packets

A

Answer:
c) to allow IPv6 to MAC address resolution

Explanation:
Neighbor Discovery (NS/NA) is used for L2 address resolution in IPv6 and must be permitted.

6
Q

What two statements describe characteristics of IPv6 access control lists? (Choose two.)

a) They permit ICMPv6 router advertisements by default.

b) They can be named or numbered.

c) They include two implicit permit statements by default.

d) They are applied to an interface with the ip access-group command.

e) They use prefix lengths to indicate how much of an address to match.

A

Answer:
c) They include two implicit permit statements by default.

e) They use prefix lengths to indicate how much of an address to match.

Explanation:
IPv6 ACLs are named, applied with ipv6 traffic-filter, use prefix-lengths, and implicitly permit ND (NS/NA).

7
Q

(IPv6 ACL) Allow only host 2001:DB8:CAFE:10::A to Telnet to 2001:DB8:CAFE:30::/64 (place before existing ACEs). Which command?

a) permit tcp 2001:DB8:CAFE:10::A/64 2001:DB8:CAFE:30::/64 eq 23

b) permit tcp 2001:DB8:CAFE:10::A/64 eq 23 2001:DB8:CAFE:30::/64

c) permit tcp host 2001:DB8:CAFE:10::A eq 23 2001:DB8:CAFE:30::/64

d) permit tcp host 2001:DB8:CAFE:10::A 2001:DB8:CAFE:30::/64 eq 23 sequence 5

A

Answer:
d) permit tcp host 2001:DB8:CAFE:10::A 2001:DB8:CAFE:30::/64 eq 23 sequence 5

Explanation:
Use host for a single source and a lower sequence to insert before existing entries.

8
Q

When implementing components into an enterprise network, what is the purpose of a firewall?

a) Inspects traffic and makes decisions based solely on Layer 2 MAC addresses.

b) Secures, monitors, and manages mobile devices.

c) Stores sensitive business data.

d) Enforces an access control policy between internal and external networks.

A

Answer:
d) Enforces an access control policy between internal and external networks.

Explanation:
A firewall enforces policy to protect internal hosts/resources from untrusted networks.

9
Q

What are two possible limitations of using a firewall in a network? (Choose two.)

a) It provides accessibility of applications and sensitive resources to external untrusted users.

b) It increases security management complexity by requiring off-loading network access control to the device.

c) A misconfigured firewall can create a single point of failure.

d) Network performance can slow down.

e) It cannot sanitize protocol flows.

A

Answer:
c) A misconfigured firewall can create a single point of failure.

d) Network performance can slow down.

Explanation:
Firewalls may bottleneck performance and, if misconfigured, become a single point of failure.

10
Q

Which type of firewall makes use of a proxy server to connect to remote servers on behalf of clients?

a) stateful firewall

b) stateless firewall

c) packet filtering firewall

d) application gateway firewall

A

Answer:
d) application gateway firewall

Explanation:
A proxy/application gateway operates up to Layer 7 and proxies client connections.

11
Q

How does a firewall handle traffic from the public network to the private network?

a) Not inspected when traveling to the private network.

b) Usually blocked when traveling to the private network.

c) Usually permitted with little/no restrictions.

d) Selectively permitted when traveling to the private network.

A

Answer:
b) Usually blocked when traveling to the private network.

Explanation:
Default posture is restrictive for outside → inside traffic.

12
Q

Which two statements describe the two configuration models for Cisco IOS firewalls? (Choose two.)

a) ZPF must be enabled before enabling an IOS Classic Firewall.

b) The IOS Classic Firewall and ZPF cannot be combined on a single interface.

c) IOS Classic Firewalls and ZPF models can be enabled on a router concurrently.

d) Both IOS Classic Firewall and ZPF require ACLs to define policies.

e) IOS Classic Firewalls must be enabled before enabling ZPF.

A

Answer:
b) The IOS Classic Firewall and ZPF cannot be combined on a single interface.

c) IOS Classic Firewalls and ZPF models can be enabled on a router concurrently.

Explanation:
Both can coexist on a router, but not on the same interface. ZPF isn’t ACL-dependent.

13
Q

Designing a ZPF: which step includes dictating devices between most-secure/least-secure zones and redundancy?

a) determine the zones

b) design the physical infrastructure

c) establish policies between zones

d) identify subsets within zones and merge traffic requirements

A

Answer:
b) design the physical infrastructure

Explanation:
After zones and policies, design physical topology including redundancy and device placement.

14
Q

When a Cisco IOS ZPF is configured, which three actions can be applied to a traffic class? (Choose three.)

a) pass

b) shape

c) reroute

d) queue

e) inspect

f) drop

A

Answer:
a) pass

e) inspect

f) drop

Explanation:
ZPF actions: inspect (stateful), pass (permit), drop (deny).

15
Q

When using Cisco IOS ZPF, where is the inspection policy applied?

a) to a global service policy

b) to a zone

c) to an interface

d) to a zone pair

A

Answer:
d) to a zone pair

Explanation:
Policies are applied between zones via zone-pairs.

16
Q

What is the first step in configuring a Cisco IOS ZPF via the CLI?

a) Define traffic classes.

b) Assign router interfaces to zones.

c) Define firewall policies.

d) Assign policy maps to zone pairs.

e) Create zones.

A

Answer:
e) Create zones.

Explanation:
Order: create zones → classes → policies → zone-pairs → assign interfaces.

17
Q

What is one benefit of using a stateful firewall instead of a proxy server?

a) ability to perform user authentication

b) better performance

c) ability to perform packet filtering

d) prevention of Layer 7 attacks

A

Answer:
b) better performance

Explanation:
Stateful firewalls generally outperform proxies; both can filter packets.

18
Q

Which statement describes a typical security policy for a DMZ firewall configuration?

a) Traffic that originates from the DMZ interface is selectively permitted to the outside interface.

b) Return traffic from the inside associated with outside-originated traffic is permitted from inside to outside.

c) Return traffic from the outside associated with inside-originated traffic is permitted from outside to the DMZ.

d) Traffic from the inside interface is generally blocked or very selectively permitted to the outside.

e) Traffic from the outside is permitted to the inside with few/no restrictions.

A

Answer:
a) Traffic that originates from the DMZ interface is selectively permitted to the outside interface.

Explanation:
Typical DMZ policy: DMZ → outside selectively allowed; outside → DMZ specific services; outside → inside restricted.

19
Q

What is one limitation of a stateful firewall?

a) weak user authentication

b) cannot filter unnecessary traffic

c) not as effective with UDP- or ICMP-based traffic

d) poor log information

A

Answer:
c) not as effective with UDP- or ICMP-based traffic

Explanation:
Statefulness relies on connection tracking, which is weaker for connectionless protocols.

20
Q

Which statement describes Cisco IOS ZPF operation?

a) The pass action works in only one direction.

b) Router management interfaces must be manually assigned to the self zone.

c) A router interface can belong to multiple zones.

d) Service policies are applied in interface configuration mode.

A

Answer:
a) The pass action works in only one direction.

Explanation:
pass is unidirectional; interfaces are automatically in self; policies applied via zone-pairs (global config).

21
Q

What is the result in the self zone if a router is the source or destination of traffic?

a) No traffic is permitted.

b) All traffic is permitted.

c) Only traffic that originates in the router is permitted.

d) Only traffic destined for the router is permitted.

A

Answer:
b) All traffic is permitted.

Explanation:
The self zone allows all traffic to/from the router by default.

22
Q

What are two characteristics of ACLs? (Choose two.)

a) Extended ACLs can filter on destination TCP and UDP ports.

b) Standard ACLs can filter on source TCP and UDP ports.

c) Extended ACLs can filter on source and destination IP addresses.

d) Standard ACLs can filter on source and destination IP addresses.

e) Standard ACLs can filter on source and destination TCP and UDP ports.

A

Answer:
a) Extended ACLs can filter on destination TCP and UDP ports.

c) Extended ACLs can filter on source and destination IP addresses.

Explanation:
Extended ACLs filter by IP, protocol, and ports; standard ACLs filter source IP only.

23
Q

Which three statements describe ACL processing of packets? (Choose three.)

a) An implicit deny any rejects any packet that does not match any ACE.

b) A packet can either be rejected or forwarded as directed by the ACE that is matched.

c) A packet that has been denied by one ACE can be permitted by a subsequent ACE.

d) A packet that does not match the conditions of any ACE will be forwarded by default.

e) Each statement is checked only until a match is detected or until the end of the ACE list.

f) Each packet is compared to the conditions of every ACE in the ACL before a decision is made.

A

Answer:
a) An implicit deny any rejects any packet that does not match any ACE.

b) A packet can either be rejected or forwarded as directed by the ACE that is matched.

e) Each statement is checked only until a match is detected or until the end of the ACE list.

Explanation:
ACLs are evaluated top-down until a match; no match hits the implicit deny.

24
Q

access-list 1 permit 172.16.0.0 0.0.15.255 — which two IPs match? (Choose two.)

a) 172.16.0.255

b) 172.16.15.36

c) 172.16.16.12

d) 172.16.31.24

e) 172.16.65.21

A

Answer:
a) 172.16.0.255

b) 172.16.15.36

Explanation:
Wildcard 0.0.15.255 matches 172.16.0.0–172.16.15.255.

25
Q

What single ACL statement matches networks 192.168.16.0–192.168.19.0?

a) access-list 10 permit 192.168.16.0 0.0.3.255

b) access-list 10 permit 192.168.16.0 0.0.0.255

c) access-list 10 permit 192.168.16.0 0.0.15.255

d) access-list 10 permit 192.168.0.0 0.0.15.255

A

Answer:
a) access-list 10 permit 192.168.16.0 0.0.3.255

Explanation:
Four /24s share /22 (22 high-order bits): wildcard 0.0.3.255.

26
Q

Which two characteristics are shared by both standard and extended ACLs? (Choose two.)

a) Both can filter based on protocol type.

b) Both can permit or deny services by port number.

c) Both include an implicit deny as a final statement.

d) Both filter packets for a specific destination host IP address.

e) Both can be created by using either a descriptive name or number.

A

Answer:
c) Both include an implicit deny as a final statement.

e) Both can be created by using either a descriptive name or number.

Explanation:
Both support names or numbers and end with implicit deny.

27
Q

Result of adding the established argument to the end of the ACE?

a) Any traffic is allowed to reach 192.168.254.0/23.

b) Any IP traffic is allowed to reach 192.168.254.0/23 if in response to an originated request.

c) 192.168.254.0/23 traffic is allowed to reach any network.

d) Any TCP traffic is allowed to reach 192.168.254.0/23 if it is in response to an originated request.

A

Answer:
d) Any TCP traffic is allowed to reach the 192.168.254.0 255.255.254.0 network if it is in response to an originated request.

Explanation:
established permits TCP return traffic (ACK/RST seen).

28
Q

Which two keywords can replace an address/wildcard pair in an ACL? (Choose two.)

a) most

b) host

c) all

d) any

e) some

f) gt

A

Answer:
b) host

d) any

Explanation:
host x.x.x.x = x.x.x.x 0.0.0.0; any = 0.0.0.0 255.255.255.255.

29
Q

If these ACEs are in the same ACL, which should be listed first (best practice)?

a) permit ip any any

b) permit udp 172.16.0.0 0.0.255.255 host 172.16.1.5 eq snmptrap

c) permit tcp 172.16.0.0 0.0.3.255 any established

d) permit udp any any range 10000 20000

e) deny udp any host 172.16.1.5 eq snmptrap

f) deny tcp any any eq telnet

A

Answer:
b) permit udp 172.16.0.0 0.0.255.255 host 172.16.1.5 eq snmptrap

Explanation:
Place the most specific ACEs first to ensure correct matching.

30
Q

To facilitate troubleshooting, which inbound ICMP message should be permitted on an outside interface?

a) echo request

b) echo reply

c) time-stamp request

d) time-stamp reply

e) router advertisement

A

Answer:
b) echo reply

Explanation:
Allow echo replies inbound so internal hosts can ping external targets and receive responses.

31
Q

IPv6 ACL to block web access from sales (2001:db8:48:2c::/64) to server 2001:db8:48:1c::50/64. Which three commands? (Choose three.)

a) permit tcp any host 2001:db8:48:1c::50 eq 80

b) deny tcp host 2001:db8:48:1c::50 any eq 80

c) deny tcp any host 2001:db8:48:1c::50 eq 80

d) permit ipv6 any any

e) deny ipv6 any any

f) ip access-group WebFilter in

g) ipv6 traffic-filter WebFilter in

A

Answer:
c) deny tcp any host 2001:db8:48:1c::50 eq 80

d) permit ipv6 any any

g) ipv6 traffic-filter WebFilter in

Explanation:
Deny TCP/80 to the server, then permit the rest, and apply with ipv6 traffic-filter.

32
Q

What are two characteristics of a stateful firewall? (Choose two.)

a) uses static packet filtering techniques

b) uses connection information maintained in a state table

c) analyzes traffic at Layers 3, 4 and 5 of the OSI model

d) uses complex ACLs which can be difficult to configure

e) prevents Layer 7 attacks

A

Answer:
b) uses connection information maintained in a state table

c) analyzes traffic at Layers 3, 4 and 5 of the OSI model

Explanation:
Stateful devices track flows/sessions and evaluate at L4–L5 (and routing info).

33
Q

What are two differences between stateful and stateless firewalls? (Choose two.)

a) A stateless firewall filters sessions with dynamic port negotiations; a stateful cannot.

b) A stateless firewall examines each packet individually; a stateful observes the state of a connection.

c) A stateless firewall provides more logging information than a stateful firewall.

d) A stateful firewall prevents spoofing by checking if packets belong to an existing connection; a stateless follows rules only.

e) A stateless firewall provides more stringent control over security than a stateful firewall.

A

Answer:
b) A stateless firewall will examine each packet individually while a stateful firewall observes the state of a connection.

d) A stateful firewall will prevent spoofing by determining whether packets belong to an existing connection while a stateless firewall follows pre-configured rule sets.

Explanation:
Stateless = per-packet, rule-based; stateful = tracks sessions, better against spoofing/DoS.

34
Q

In ZPF, what is the default security setting when forwarding traffic between two interfaces in the same zone?

a) Selectively forwarded based on Layer 3 info.

b) Not subject to any policy and passes freely.

c) Blocked.

d) Selectively forwarded based on default policy restrictions

A

Answer:
b) Not subject to any policy and passes freely.

Explanation:
Traffic within the same zone is permitted by default.

35
Q

Which two rules about interfaces are valid when implementing a ZPF? (Choose two.)

a) If neither interface is a zone member, then the action is to pass traffic.

b) If one interface is a zone member, but the other is not, all traffic will be passed.

c) If both interfaces belong to the same zone-pair and a policy exists, all traffic will be passed.

d) If both interfaces are members of the same zone, all traffic will be passed.

e) If one interface is a zone member and a zone-pair exists, all traffic will be passed.

A

Answer:
a) If neither interface is a zone member, then the action is to pass traffic.

d) If both interfaces are members of the same zone, all traffic will be passed.

Explanation:
No-zone → traffic passes; same zone → passes; mismatch (one zoned, one not) → dropped; zone-pair with policy governs cross-zone flows.

36
Q

In applying an ACL to a router interface, which traffic is designated as outbound?

a) traffic that is coming from the source IP address into the router

b) traffic that is going from the destination IP address into the router

c) traffic that is leaving the router and going toward the destination host

d) traffic for which the router can find no routing table entry

A

Answer:
c) traffic that is leaving the router and going toward the destination host

Explanation:
“Inbound/Outbound” are from the router’s perspective. Outbound is traffic leaving the interface toward the destination.

37
Q

What is the quickest way to remove a single ACE from a named ACL?

a) Use the no access-list command to remove the entire ACL, then recreate it without the ACE.

b) Copy the ACL into a text editor, remove the ACE, then copy the ACL back into the router.

c) Use the no keyword and the sequence number of the ACE to be removed.

d) Create a new ACL with a different number and apply the new ACL to the router interface.

38
Q

Which ICMP message type should be stopped inbound?

a) echo-reply

b) echo

c) source quench

d) unreachable

A

Answer:
b) echo

Explanation:
Block inbound ICMP echo (ping requests) from the Internet; allow echo-reply so internal pings get responses.

39
Q

Which scenario would cause an ACL misconfiguration and deny all traffic?

a) Apply a standard ACL using the ip access-group out command.

b) Apply an ACL that has all deny ACE statements.

c) Apply a standard ACL in the inbound direction.

d) Apply a named ACL to a VTY line.

A

Answer:
b) Apply an ACL that has all deny ACE statements.

Explanation:
ACLs end with an implicit deny; if all ACEs are denies, everything is dropped.

40
Q

Refer to the exhibit. A network administrator is configuring an IPv6 ACL to allow hosts on the 2001:DB8:CAFE:10::/64 network to access remote web servers, except for PC1. However, a user on PC1 can successfully access the web server PC2. Why is this possible?

a) The IPv6 ACL Deny_WEB is spelled incorrectly when applied to the interface.

b) The IPv6 ACL Deny_WEB is applied to the wrong interface of router R1.

c) The IPv6 ACL Deny_WEB is permitting all web traffic before the specific host is blocked.

d) The IPv6 ACL Deny_WEB is applied in the incorrect direction on router R1.

A

Answer:
c) The IPv6 ACL Deny_WEB is permitting all web traffic before the specific host is blocked.

Explanation:
ACLs are top-down. A broad permit above a specific deny lets traffic through. Put specific denies first.

41
Q

Refer to the exhibit. A network administrator wants to create a standard ACL to prevent Network 1 traffic from being transmitted to the Research and Development network. On which router interface and in which direction should the standard ACL be applied?

a) R1 Gi0/0 outbound

b) R2 S0/0/0 inbound

c) R1 S0/0/0 outbound

d) R2 Gi0/0 outbound

e) R2 Gi0/0 inbound

f) R1 Gi0/0 inbound

A

Answer:
d) R2 Gi0/0 outbound

Explanation:
Standard ACLs can only specify source addresses, so the standard ACL would contain the network 1 address and appropriate wildcard mask. Also, because standard ACLs can only contain source addresses, the ACL should be placed as close to the destination as possible. The destination is the Research and Development LAN. The R2 Gi0/0 interface is that destination. By tracing the path that the packets will take starting with network 1 and traveling to the Research and Development network, a student can determine that the packets would be coming out of the R2 Gi0/0 interface.

42
Q

Which two statements describe appropriate general guidelines for ACLs? (Choose two.)

a) Standard ACLs are placed closest to the source, whereas extended ACLs are placed closest to the destination.

b) If an ACL contains no permit statements, all traffic is denied by default.

c) The most specific ACL statements should be entered first because of the top-down sequential nature of ACLs.

d) If a single ACL is to be applied to multiple interfaces, it must be configured with a unique number for each interface.

e) Multiple ACLs per protocol and per direction can be applied to an interface.

A

Answer:
b) If an ACL contains no permit statements, all traffic is denied by default.

c) The most specific ACL statements should be entered first because of the top-down sequential nature of ACLs.

Explanation:
ACLs have an implicit deny and are evaluated top-down, so put specific entries first. One ACL per direction per interface.

43
Q

Refer to the exhibit. Which statement describes the function of the ACEs?

a) These ACEs automatically appear at the end of every IPv6 ACL to allow IPv6 routing to occur.

b) These ACEs must be manually added to the end of every IPv6 ACL to allow IPv6 routing to occur.

c) These are optional ACEs that can be added to allow ICMP messages in nd-na and nd-ns groups.

d) These ACEs allow for IPv6 neighbor discovery traffic.

A

Answer:
d) These ACEs allow for IPv6 neighbor discovery traffic.

Explanation:
Permits ICMPv6 Neighbor Solicitation/Advertisement needed for ND (L2 resolution).

44
Q

What wildcard mask will match networks 172.16.0.0 through 172.19.0.0?

a) 0.0.3.255

b) 0.252.255.255

c) 0.3.255.255

d) 0.0.255.255

A

Answer:
c) 0.3.255.255

Explanation:
172.16.0.0–172.19.0.0 share /14. Wildcard for /14: 0.3.255.255.

45
Q

What method is used to apply an IPv6 ACL to a router interface?

a) the use of the access-class command

b) the use of the ipv6 traffic-filter command

c) the use of the ip access-group command

d) the use of the ipv6 access-list command

A

Answer:
b) the use of the ipv6 traffic-filter command

Explanation:
Apply IPv6 ACLs with ipv6 traffic-filter in|out under the interface.

46
Q

What type of ACL offers greater flexibility and control over network access?

a) named standard

b) numbered standard

c) flexible

d) extended

A

Answer:
d) extended

Explanation:
Extended ACLs filter by source/destination, protocol, ports, giving finer control.

47
Q

Which operator is used in an ACL statement to match packets of a specific application?

a) established

b) gt

c) lt

d) eq

A

Answer:
d) eq

Explanation:
Use eq to match a specific port/service (e.g., eq 80, eq 21).

48
Q

Which two keywords can replace an address/wildcard pair in an ACL? (Choose two.)

a) some

b) any

c) gt

d) most

e) all

f) host

A

Answer:
b) any

f) host

Explanation:
any = 0.0.0.0 255.255.255.255; host x.x.x.x = x.x.x.x 0.0.0.0.

49
Q

Consider the ACL (inbound on G0/0 with IP 192.168.10.254):

access-list 100 permit ip host 192.168.10.1 any
access-list 100 deny icmp 192.168.10.0 0.0.0.255 any echo
access-list 100 permit ip any any

Which two actions occur? (Choose two.)

a) Only the network device assigned the IP address 192.168.10.1 is allowed to access the router.

b) Devices on the 192.168.10.0/24 network are allowed to reply to any ping requests.

c) A Telnet or SSH session is allowed from any device on 192.168.10.0 into the router.

d) Devices on 192.168.10.0/24 can successfully ping devices on 192.168.11.0.

e) Only Layer 3 connections are allowed to be made from the router to any other network device.

A

Answer:
b) Devices on the 192.168.10.0/24 network are allowed to reply to any ping requests.

c) A Telnet or SSH session is allowed from any device on 192.168.10.0 into the router.

Explanation:
Host .1 is fully permitted (first ACE). ICMP echo from 192.168.10.0/24 is denied, but echo-replies and other traffic (incl. Telnet/SSH) are permitted by the final permit ip any any.