Download New Updated (July) Cisco 640-554 Actual Test 71-80


QUESTION 71

Which statement about an access control list that is applied to a router interface is true?

 

A.

It only filters traffic that passes through the router.

B.

It filters pass-through and router-generated traffic.

C.

An empty ACL blocks all traffic.

D.

It filters traffic in the inbound and outbound directions.

 

Correct Answer: A

Explanation:

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_acl/configuration/15-2mt/sec-acl-ov-gdl.html

 

The Order in Which You Enter Criteria Statements

Note that each additional criteria statement that you enter is appended to the end of the access list statements.

Also note that you cannot delete individual statements after they have been created. You can only delete an entire access list.

The order of access list statements is important! When the router is deciding whether to forward or block a packet, the Cisco IOS software tests the packet against each criteria statement in the order in which the statements were created. After a match is found, no more criteria statements are checked.

 

If you create a criteria statement that explicitly permits all traffic, no statements added later will ever be checked. If you need additional statements, you must delete the access list and retype it with the new entries.

 

Apply an Access Control List to an Interface

With some protocols, you can apply up to two access lists to an interface: one inbound access list and one outbound access list. With other protocols, you apply only one access list that checks both inbound and outbound packets.

 

If the access list is inbound, when a device receives a packet, Cisco software checks the access list’s criteria statements for a match. If the packet is permitted, the software continues to process the packet. If the packet is denied, the software discards the packet.

 

If the access list is outbound, after receiving and routing a packet to the outbound interface, Cisco software checks the access list’s criteria statements for a match. If the packet is permitted, the software transmits the packet. If the packet is denied, the software discards the packet.

 

Note

Access lists that are applied to interfaces on a device do not filter traffic that originates from that device.

The access list check is bypassed for locally generated packets, which are always outbound.

By default, an access list that is applied to an outbound interface for matching locally generated traffic will bypass the outbound access list check; but transit traffic is subjected to the outbound access list check.

 

 

QUESTION 72

Which option is a key difference between Cisco IOS interface ACL configurations and Cisco ASA appliance interface ACL configurations?

 

A.

The Cisco IOS interface ACL has an implicit permit-all rule at the end of each interface ACL.

B.

Cisco IOS supports interface ACL and also global ACL. Global ACL is applied to all interfaces.

C.

The Cisco ASA appliance interface ACL configurations use netmasks instead of wildcard masks.

D.

The Cisco ASA appliance interface ACL also applies to traffic directed to the IP addresses of the Cisco ASA appliance interfaces.

E.

The Cisco ASA appliance does not support standard ACL. The Cisco ASA appliance only support extended ACL.

 

Correct Answer: C

Explanation:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/acl_extended.html

Additional Guidelines and Limitations

The following guidelines and limitations apply to creating an extended access list:

When you enter the access-list command for a given access list name, the ACE is added to the end of the access list unless you specify the line number.

Enter the access list name in uppercase letters so that the name is easy to see in the configuration. You might want to name the access list for the interface (for example, INSIDE), or you can name it for the purpose for which it is created (for example, NO_NAT or VPN).

Typically, you identify the ip keyword for the protocol, but other protocols are accepted. For a list of protocol names, see the “Protocols and Applications” section.

Enter the host keyword before the IP address to specify a single address. In this case, do not enter a mask.

Enter the any keyword instead of the address and mask to specify any address.

You can specify the source and destination ports only for the tcp or udp protocols. For a list of permitted keywords and well-known port assignments, see the “TCP and UDP Ports” section.

DNS, Discard, Echo, Ident, NTP, RPC, SUNRPC, and Talk each require one definition for TCP and one for UDP. TACACS+ requires one definition for port 49 on TCP.

You can specify the ICMP type only for the icmp protocol. Because ICMP is a connectionless protocol, you either need access lists to allow ICMP in both directions (by applying access lists to the source and destination interfaces), or you need to enable the ICMP inspection engine. (See the “Adding an ICMP Type Object Group” section.) The ICMP inspection engine treats ICMP sessions as stateful connections. To control ping, specify echo-reply (0) (ASA to host) or echo (8) (host to ASA). See the “Adding an ICMP Type Object Group” section for a list of ICMP types.

When you specify a network mask, the method is different from the Cisco IOS software access-list command. The ASA uses a network mask (for example, 255.255.255.0 for a Class C mask). The Cisco IOS mask uses wildcard bits (for example, 0.0.0.255).

To make an ACE inactive, use the inactive keyword. To reenable it, enter the entire ACE without the inactive keyword. This feature enables you to keep a record of an inactive ACE in your configuration to make reenabling easier.

Use the disable option to disable logging for a specified ACE.

 

 

 

QUESTION 73

Which access list permits HTTP traffic sourced from host 10.1.129.100 port 3030 destined to host 192.168.1.10?

 

A.

access-list 101 permit tcp any eq 3030

B.

access-list 101 permit tcp 10.1.128.0 0.0.1.255 eq 3030 192.168.1.0 0.0.0.15 eq www

C.

access-list 101 permit tcp 10.1.129.0 0.0.0.255 eq www 192.168.1.10 0.0.0.0 eq www

D.

access-list 101 permit tcp host 192.168.1.10 eq 80 10.1.0.0 0.0.255.255 eq 3030

E.

access-list 101 permit tcp 192.168.1.10 0.0.0.0 eq 80 10.1.0.0 0.0.255.255

F.

access-list 101 permit ip host 10.1.129.100 eq 3030 host 192.168.1.10 eq 80

 

Correct Answer: B

Explanation:

www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml

 

Extended ACLs

Extended ACLs were introduced in Cisco IOS Software Release 8.3. Extended ACLs control traffic by the comparison of the source and destination addresses of the IP packets to the addresses configured in the ACL.

 

IP

access-list access-list-number

[dynamic dynamic-name [timeout minutes]]

{deny|permit} protocol source source-wildcard

destination destination-wildcard [precedence precedence]

[tos tos] [log|log-input] [time-range time-range-name]

 

ICMP

access-list access-list-number

[dynamic dynamic-name [timeout minutes]]

{deny|permit} icmp source source-wildcard

destination destination-wildcard

[icmp-type [icmp-code] |icmp-message]

[precedence precedence] [tos tos] [log|log-input]

[time-range time-range-name]

 

TCP

access-list access-list-number

[dynamic dynamic-name [timeout minutes]]

{deny|permit} tcp source source-wildcard [operator [port]]

destination destination-wildcard [operator [port]]

[established] [precedence precedence] [tos tos]

[log|log-input] [time-range time-range-name]

 

UDP

access-list access-list-number

[dynamic dynamic-name [timeout minutes]]

{deny|permit} udp source source-wildcard [operator [port]]

destination destination-wildcard [operator [port]]

[precedence precedence] [tos tos] [log|log-input]

[time-range time-range-name]

 

 

 

QUESTION 74

Which location is recommended for extended or extended named ACLs?

 

A.

an intermediate location to filter as much traffic as possible

B.

a location as close to the destination traffic as possible

C.

when using the established keyword, a location close to the destination point to ensure that return traffic is allowed

D.

a location as close to the source traffic as possible

 

Correct Answer: D

Explanation:

www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml

 

Apply ACLs

You can define ACLs without applying them. But, the ACLs have no effect until they are applied to the interface of the router. It is a good practice to apply the ACL on the interface closest to the source of the traffic.

 

 

QUESTION 75

Which single Cisco IOS ACL entry permits IP addresses from 172.16.80.0 to 172.16.87.255?

 

A.

permit 172.16.80.0 0.0.3.255

B.

permit 172.16.80.0 0.0.7.255

C.

permit 172.16.80.0 0.0.248.255

D.

permit 176.16.80.0 255.255.252.0

E.

permit 172.16.80.0 255.255.248.0

F.

permit 172.16.80.0 255.255.240.0

 

Correct Answer: B

Explanation:

www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml

ACL Summarization

Note: Subnet masks can also be written in fixed-length (prefix) notation. For example, 192.168.10.0/24 represents 192.168.10.0 255.255.255.0.

This list describes how to summarize a range of networks into a single network for ACL optimization. Consider these networks.

 

192.168.32.0/24

192.168.33.0/24

192.168.34.0/24

192.168.35.0/24

192.168.36.0/24

192.168.37.0/24

192.168.38.0/24

192.168.39.0/24

 

The first two octets and the last octet are the same for each network. This table is an explanation of how to summarize these into a single network.

 

The third octet for the previous networks can be written as seen in this table, according to the octet bit position and address value for each bit.

 

Decimal   128   64   32   16    8    4    2    1
32          0    0    1    0    0    0    0    0
33          0    0    1    0    0    0    0    1
34          0    0    1    0    0    0    1    0
35          0    0    1    0    0    0    1    1
36          0    0    1    0    0    1    0    0
37          0    0    1    0    0    1    0    1
38          0    0    1    0    0    1    1    0
39          0    0    1    0    0    1    1    1
            M    M    M    M    M    D    D    D

M = the bit is identical in all eight networks (it must match), D = the bit differs between them (don't care).

 

Since the first five bits match, the previous eight networks can be summarized into one network (192.168.32.0/21 or 192.168.32.0 255.255.248.0). All eight possible combinations of the three low-order bits are relevant for the network ranges in question. This command defines an ACL that permits this network. If you subtract 255.255.248.0 (normal mask) from 255.255.255.255, it yields 0.0.7.255, the wildcard mask.

access-list acl_permit permit ip 192.168.32.0 0.0.7.255
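The subtraction at the end of the explanation (255.255.255.255 minus the subnet mask) and the bit table above generalise to any aligned range. The script below is an added example, not from this page or from Cisco. It converts between subnet masks and wildcard masks (the IOS-versus-ASA difference raised in Question 72), summarises a range or a list of networks into a single network/wildcard pair, and audits each wildcard-style option from this question to show how many addresses inside and outside the wanted range it really matches. The RANGE and CANDIDATES values are constructed from the question.

```python
"""Wildcard-mask arithmetic for Cisco IOS ACL entries (added example, not from
the original page): subnet mask <-> wildcard conversion, summarising a range
or a list of networks into one ACE, and auditing what a candidate matches."""
import ipaddress

def to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))

def to_str(value: int) -> str:
    return str(ipaddress.IPv4Address(value))

def wildcard_from_mask(mask: str) -> str:
    """255.255.255.255 minus the subnet mask gives the IOS wildcard; this is
    the conversion needed when moving an entry between ASA and IOS."""
    return to_str(0xFFFFFFFF - to_int(mask))

def mask_from_wildcard(wild: str) -> str:
    return to_str(0xFFFFFFFF - to_int(wild))

def wildcard_from_prefix(prefix_len: int) -> str:
    """/21 leaves 11 host bits, so the wildcard is 2**11 - 1 = 0.0.7.255."""
    return to_str((1 << (32 - prefix_len)) - 1)

def ace_matches(network: str, wildcard: str, addr: str) -> bool:
    """Wildcard bits set to 1 are ignored; every other bit must equal network."""
    return ((to_int(addr) ^ to_int(network)) & ~to_int(wildcard) & 0xFFFFFFFF) == 0

def summarize_range(first: str, last: str):
    """Single (network, wildcard) covering exactly first..last, or None when the
    range is not one power-of-two block on an aligned boundary (then it needs
    more than one ACE)."""
    lo, hi = to_int(first), to_int(last)
    size = hi - lo + 1
    if size <= 0 or size & (size - 1) or lo % size:
        return None
    return to_str(lo), to_str(size - 1)

def summarize_networks(networks):
    """Collapse CIDR networks into one ACE pair, or None if they do not merge
    into a single supernet (gaps or misalignment)."""
    collapsed = list(ipaddress.collapse_addresses(
        ipaddress.ip_network(n) for n in networks))
    if len(collapsed) != 1:
        return None
    net = collapsed[0]
    return str(net.network_address), wildcard_from_prefix(net.prefixlen)

def audit(network: str, wildcard: str, first: str, last: str) -> tuple:
    """Return (addresses in first..last the ACE matches, size of that range,
    addresses the ACE matches anywhere, which is 2 ** popcount(wildcard))."""
    lo, hi = to_int(first), to_int(last)
    hit = sum(ace_matches(network, wildcard, to_str(a)) for a in range(lo, hi + 1))
    total = 1 << bin(to_int(wildcard)).count("1")
    return hit, hi - lo + 1, total

# Question 75: the wanted range and the three wildcard-style options (constructed).
RANGE = ("172.16.80.0", "172.16.87.255")
CANDIDATES = {"A": "0.0.3.255", "B": "0.0.7.255", "C": "0.0.248.255"}

if __name__ == "__main__":
    print("summary:", summarize_range(*RANGE))   # ('172.16.80.0', '0.0.7.255')
    for label, wild in CANDIDATES.items():
        print(label, audit("172.16.80.0", wild, *RANGE))
```

Option B matches exactly the 2048 addresses of 172.16.80.0 to 172.16.87.255. Option A covers only the first half, 172.16.80.0 to 172.16.83.255. Option C is the trap: 0.0.248.255 leaves only the three low-order bits of the third octet significant, so the entry matches 8192 addresses (every third octet that is a multiple of 8, 172.16.88.0 included) yet only 256 of the wanted ones. audit() is the check worth running on any hand-written wildcard before it goes on a production interface, because a wildcard that is too wide fails open rather than closed.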

 

 

QUESTION 76

Which type of network masking is used when Cisco IOS access control lists are configured?

 

A.

extended subnet masking

B.

standard subnet masking

C.

priority masking

D.

wildcard masking

 

Correct Answer: D

Explanation:

Masks are used with IP addresses in IP ACLs to specify what should be permitted and denied.

The subnet masks used to configure IP addresses on interfaces start with 255 and have the large values on the left side; for example, IP address 209.165.202.129 with a 255.255.255.224 mask. Masks for IP ACLs are the reverse, for example 0.0.0.255. This is sometimes called an inverse mask or a wildcard mask. When the mask is written in binary, each bit decides whether the corresponding address bit is considered when matching traffic: a 0 means the address bit must match exactly; a 1 means "don't care".

Reference: http://www.cisco.com/c/en/us/support/docs/security/ios-firewall/23602-confaccesslists.html

 

 

QUESTION 77

Which three statements about applying access control lists to a Cisco router are true? (Choose three.)

 

A.

Place more specific ACL entries at the top of the ACL.

B.

Place generic ACL entries at the top of the ACL to filter general traffic and thereby reduce “noise” on the network.

C.

ACLs always search for the most specific entry before taking any filtering action.

D.

Router-generated packets cannot be filtered by ACLs on the router.

E.

If an access list is applied but it is not configured, all traffic passes.

 

Correct Answer: ADE

Explanation:

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_acl/configuration/15-2mt/sec-acl-ov-gdl.html

 

The Order in Which You Enter Criteria Statements

Note that each additional criteria statement that you enter is appended to the end of the access list statements.

 

Also note that you cannot delete individual statements after they have been created. You can only delete an entire access list.

The order of access list statements is important! When the router is deciding whether to forward or block a packet, the Cisco IOS software tests the packet against each criteria statement in the order in which the statements were created. After a match is found, no more criteria statements are checked.

 

If you create a criteria statement that explicitly permits all traffic, no statements added later will ever be checked. If you need additional statements, you must delete the access list and retype it with the new entries.

 

Apply an Access Control List to an Interface

With some protocols, you can apply up to two access lists to an interface: one inbound access list and one outbound access list. With other protocols, you apply only one access list that checks both inbound and outbound packets.

 

If the access list is inbound, when a device receives a packet, Cisco software checks the access list’s criteria statements for a match. If the packet is permitted, the software continues to process the packet. If the packet is denied, the software discards the packet. If the access list is outbound, after receiving and routing a packet to the outbound interface, Cisco software checks the access list’s criteria statements for a match. If the packet is permitted, the software transmits the packet. If the packet is denied, the software discards the packet.

 

Note

Access lists that are applied to interfaces on a device do not filter traffic that originates from that device.

The access list check is bypassed for locally generated packets, which are always outbound.

By default, an access list that is applied to an outbound interface for matching locally generated traffic will bypass the outbound access list check; but transit traffic is subjected to the outbound access list check.

 

 

QUESTION 78

Refer to the exhibit. This Cisco IOS access list has been configured on the FA0/0 interface in the inbound direction. Which four TCP packets sourced from 10.1.1.1 port 1030 and routed to the FA0/0 interface are permitted? (Choose four.)

 

[Exhibit: two images showing the ACL configuration, not reproduced on this page]

 

A.

destination ip address: 192.168.15.37 destination port: 22

B.

destination ip address: 192.168.15.80 destination port: 23

C.

destination ip address: 192.168.15.66 destination port: 8080

D.

destination ip address: 192.168.15.36 destination port: 80

E.

destination ip address: 192.168.15.63 destination port: 80

F.

destination ip address: 192.168.15.40 destination port: 21

 

Correct Answer: BCDE

Explanation:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a0080100548.shtml

 

Extended ACLs control traffic by comparing the source and destination addresses of the IP packets to the addresses configured in the ACL. You can also make extended ACLs more granular by configuring them to filter traffic by criteria such as:

 

Protocol

Port numbers

Differentiated services code point (DSCP) value

Precedence value

State of the synchronize sequence number (SYN) bit

The command syntax formats of extended ACLs are:

IP

access-list access-list-number [dynamic dynamic-name [timeout minutes]]

{deny | permit} protocol source source-wildcard destination destination-wildcard

[precedence precedence] [tos tos] [log | log-input]

[time-range time-range-name][fragments]

Internet Control Message Protocol (ICMP)

access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit}

icmp source source-wildcard destination destination-wildcard

[icmp-type [icmp-code] | [icmp-message]] [precedence precedence] [tos tos] [log | log-input] [time-range time-range-name][fragments]

Transport Control Protocol (TCP)

access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} tcp

source source-wildcard [operator [port]] destination destination-wildcard

[operator [port]] [established] [precedence precedence] [tos tos] [log | log-input] [time-range time-range-name][fragments]

User Datagram Protocol (UDP)

access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} udp

source source-wildcard [operator [port]] destination destination-wildcard

[operator [port]] [precedence precedence] [tos tos] [log | log-input] [time-range time-range-name][fragments]

 

 

QUESTION 79

Which type of Cisco IOS access control list is identified by 100 to 199 and 2000 to 2699?

 

A.

standard

B.

extended

C.

named

D.

IPv4 for 100 to 199 and IPv6 for 2000 to 2699

 

Correct Answer: B

Explanation:

http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_9_ea1/configuration/guide/swacl.html

 

ACL Numbers

The number you use to denote your ACL shows the type of access list that you are creating. Table 23-2 lists the access list number and corresponding type and shows whether or not they are supported by the switch.

The Catalyst 2950 switch supports IP standard and IP extended access lists, numbers 1 to 199 and 1300 to 2699.

Range        Access list type
1-99         IP standard access list
100-199      IP extended access list
200-299      Protocol type-code access list
300-399      DECnet access list
400-499      XNS standard access list
500-599      XNS extended access list
600-699      AppleTalk access list
700-799      48-bit MAC address access list
800-899      IPX standard access list
900-999      IPX extended access list
1000-1099    IPX SAP access list
1100-1199    Extended 48-bit MAC address access list
1200-1299    IPX summary address access list
1300-1999    IP standard access list (expanded range)
2000-2699    IP extended access list (expanded range)

 

 

QUESTION 80

Which priority is most important when you plan out access control lists?

 

A.

Build ACLs based upon your security policy.

B.

Always put the ACL closest to the source of origination.

C.

Place deny statements near the top of the ACL to prevent unwanted traffic from passing through the router.

D.

Always test ACLs in a small, controlled production environment before you roll it out into the larger production network.

 

Correct Answer: A

Explanation:

Packet filtering can help limit network traffic and restrict network use by certain users or devices. ACLs filter traffic as it passes through a router or switch and permit or deny packets crossing specified interfaces or VLANs. An ACL is a sequential collection of permit and deny conditions that apply to packets. When a packet is received on an interface, the switch compares the fields in the packet against any applied ACLs to verify that the packet has the required permissions to be forwarded, based on the criteria specified in the access lists. One by one, it tests packets against the conditions in an access list. The first match decides whether the switch accepts or rejects the packets. Because the switch stops testing after the first match, the order of conditions in the list is critical. If no condition matches, the packet is dropped by the implicit deny at the end of every ACL. If no ACL is applied to the interface, the switch forwards the packet. The switch can use ACLs on all packets it forwards, including packets bridged within a VLAN.

You configure access lists on a router or Layer 3 switch to provide basic security for your network. If you do not configure ACLs, all packets passing through the switch could be allowed onto all parts of the network. You can use ACLs to control which hosts can access different parts of a network or to decide which types of traffic are forwarded or blocked at router interfaces. For example, you can allow e-mail traffic to be forwarded but not Telnet traffic. ACLs can be configured to block inbound traffic, outbound traffic, or both.

Depending on your security policy, the Layer 3 ACLs can be as simple as not allowing IP traffic from the non-voice VLANS to access the voice gateway in the network, or the ACLs can be detailed enough to control the individual ports and the time of the day that are used by other devices to communicate to IP Telephony devices. As the ACLs become more granular and detailed, any changes in port usage in a network could break not only voice but also other applications in the network.

Reference: http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/srnd/collab10/collab10/security.html#pgfId-1045388

 
