Planning and Designing

Questions derived from the 640-801 – Cisco Certified Network Associate (single-exam option) Cisco Self-Test Software Practice Test.

Objective: Planning and Designing
SubObjective: Design or modify a simple LAN using Cisco products

Item Number: 640-801.1.5.1
Single Answer, Multiple Choice

You want to prevent FTP traffic from subnet 192.168.4.0 from reaching the 192.168.5.0 subnet but permit all other traffic. Which commands create an access list that could be applied as an output filter on the router’s E0 interface to meet these specifications?

1. Router(config)#access-list 101 deny tcp 192.168.5.0 0.0.0.255 192.168.4.0 0.0.0.255 eq 20
   Router(config)#access-list 101 deny tcp 192.168.5.0 0.0.0.255 192.168.4.0 0.0.0.255 eq 21
   Router(config)#access-list 101 permit ip any any

2. Router(config)#access-list 101 deny 192.168.4.0 0.0.0.255 192.168.5.0 0.0.0.255 tcp eq 20
   Router(config)#access-list 101 deny 192.168.4.0 0.0.0.255 192.168.5.0 0.0.0.255 tcp eq 21
   Router(config)#access-list 101 permit ip any any

3. Router(config)#access-list 101 deny 192.168.5.0 0.0.0.255 192.168.4.0 0.0.0.255 tcp eq 20
   Router(config)#access-list 101 deny 192.168.5.0 0.0.0.255 192.168.4.0 0.0.0.255 tcp eq 21
   Router(config)#access-list 101 permit ip any any

4. Router(config)#access-list 101 deny tcp 192.168.4.0 0.0.0.255 192.168.5.0 0.0.0.255 eq 20
   Router(config)#access-list 101 deny tcp 192.168.4.0 0.0.0.255 192.168.5.0 0.0.0.255 eq 21
   Router(config)#access-list 101 permit ip any any

Answer:
D. Router(config)#access-list 101 deny tcp 192.168.4.0 0.0.0.255 192.168.5.0 0.0.0.255 eq 20
Router(config)#access-list 101 deny tcp 192.168.4.0 0.0.0.255 192.168.5.0 0.0.0.255 eq 21
Router(config)#access-list 101 permit ip any any

Image:
801.1.5.1.gif

Tutorial:

To create an access list that will block FTP traffic from network 192.168.4.0 that is destined for network 192.168.5.0 while allowing all other traffic, use the following series of commands:

• Router(config)#access-list 101 deny tcp 192.168.4.0 0.0.0.255 192.168.5.0 0.0.0.255 eq 20 – This command blocks FTP control traffic from hosts 192.168.4.0 to 192.168.4.255 that is destined for network 192.168.5.0.
• Router(config)#access-list 101 deny tcp 192.168.4.0 0.0.0.255 192.168.5.0 0.0.0.255 eq 21 – This command blocks FTP data traffic from any host on network 192.168.4.0 is destined for a host on network 192.168.5.0.
• Router(config)#access-list 101 permit ip any any – This command permits all IP traffic from any source host to any destination host that does not match the previously defined filters. It is necessary to add this command to the access list because there is an implicit “deny all” at the end of all access lists. Without this command, all traffic would be blocked.

These commands create the access list but the access list does not affect traffic until it is applied to an interface. The following commands apply the access list to Ethernet 0:

• Router(config)#interface ethernet 0
• Router(config-if)#ip access-group 101 out

The “ip access-group 101 out” command applies access list 101 as an outbound interface to Ethernet 0.

For more information about access lists, see

Reference:
1. ICND Student Guide v2.1 – Volume 2 – Configuring IP Access Lists
– Configuring Extended IP Access Lists

2. Access Control Lists: Overview and Guidelines at http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/ftrafwl/scfacls.htm#xtocid0