Planning and Designing
Questions derived from the 640-801 – Cisco Certified Network Associate (single-exam option) Cisco Self-Test Software Practice Test.
Objective: Planning and Designing
SubObjective: Design or modify a simple LAN using Cisco products
Item Number: 640-801.1.5.1
Single Answer, Multiple Choice
You want to prevent FTP traffic from subnet 192.168.4.0 from reaching the 192.168.5.0 subnet but permit all other traffic. Which commands create an access list that could be applied as an output filter on the router’s E0 interface to meet these specifications?
- Router(config)#access-list 101 deny tcp 192.168.5.0 0.0.0.255 192.168.4.0 0.0.0.255 eq 20
Router(config)#access-list 101 deny tcp 192.168.5.0 0.0.0.255 192.168.4.0 0.0.0.255 eq 21
Router(config)#access-list 101 permit ip any any
- Router(config)#access-list 101 deny 192.168.4.0 0.0.0.255 192.168.5.0 0.0.0.255 tcp eq 20
Router(config)#access-list 101 deny 192.168.4.0 0.0.0.255 192.168.5.0 0.0.0.255 tcp eq 21
Router(config)#access-list 101 permit ip any any
- Router(config)#access-list 101 deny 192.168.5.0 0.0.0.255 192.168.4.0 0.0.0.255 tcp eq 20
Router(config)#access-list 101 deny 192.168.5.0 0.0.0.255 192.168.4.0 0.0.0.255 tcp eq 21
Router(config)#access-list 101 permit ip any any
- Router(config)#access-list 101 deny tcp 192.168.4.0 0.0.0.255 192.168.5.0 0.0.0.255 eq 20
Router(config)#access-list 101 deny tcp 192.168.4.0 0.0.0.255 192.168.5.0 0.0.0.255 eq 21
Router(config)#access-list 101 permit ip any any
Answer:
D. Router(config)#access-list 101 deny tcp 192.168.4.0 0.0.0.255 192.168.5.0 0.0.0.255 eq 20
Router(config)#access-list 101 deny tcp 192.168.4.0 0.0.0.255 192.168.5.0 0.0.0.255 eq 21
Router(config)#access-list 101 permit ip any any
Image:
801.1.5.1.gif
Tutorial:
To create an access list that will block FTP traffic from network 192.168.4.0 that is destined for network 192.168.5.0 while allowing all other traffic, use the following series of commands. Note the extended access-list syntax: the protocol keyword (tcp, udp, ip) immediately follows permit or deny and precedes the source address and wildcard mask, and a port condition such as "eq 21" follows the address it qualifies, here the destination. The options that place the protocol keyword after the addresses are rejected by IOS as invalid syntax, and the option that lists 192.168.5.0 as the source and 192.168.4.0 as the destination filters traffic in the wrong direction.
- Router(config)#access-list 101 deny tcp 192.168.4.0 0.0.0.255 192.168.5.0 0.0.0.255 eq 20 – This command blocks FTP data-connection traffic (TCP port 20) from hosts 192.168.4.0 through 192.168.4.255 that is destined for any host on network 192.168.5.0. The wildcard mask 0.0.0.255 means the first three octets of the address must match and the last octet is ignored.
- Router(config)#access-list 101 deny tcp 192.168.4.0 0.0.0.255 192.168.5.0 0.0.0.255 eq 21 – This command blocks FTP control-connection traffic (TCP port 21) from any host on network 192.168.4.0 that is destined for a host on network 192.168.5.0. This is the entry that actually stops FTP sessions: a client must connect to port 21 before any data connection can be negotiated, and passive-mode data connections use ephemeral server ports rather than port 20, so the port 21 entry is the one that matters in practice.
- Router(config)#access-list 101 permit ip any any – This command permits all IP traffic from any source host to any destination host that did not match an earlier entry. Entries are evaluated from the top and the first match wins. This command is necessary because there is an implicit "deny all" at the end of every access list; without it, all traffic leaving the interface would be blocked, not just FTP.
These commands create the access list but the access list does not affect traffic until it is applied to an interface. The following commands apply the access list to Ethernet 0:
- Router(config)#interface ethernet 0
- Router(config-if)#ip access-group 101 out
The “ip access-group 101 out” command applies access list 101 as an outbound filter on interface Ethernet 0, so packets are checked against the list as they leave that interface. The filter meets the requirement only if E0 is the interface through which traffic for 192.168.5.0 leaves the router; the list does not inspect packets entering E0 or packets leaving any other interface. Use “show access-lists 101” to confirm the entries and their match counters, and “show ip interface ethernet 0” to confirm that the list is bound in the outbound direction.
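The following is an added example, not part of the practice test or of Cisco's software: a small Python evaluator for the subset of extended access-list syntax used on this page (permit/deny, a protocol keyword, source and destination with wildcard masks or "any", and an optional "eq" destination port). It parses the entries from answer D and from option A, applies Cisco first-match semantics with the implicit deny, and runs both lists over constructed sample packets so you can see which direction each option actually filters, what the wildcard mask 0.0.0.255 matches, and what happens when the "permit ip any any" entry is left out. The packet addresses and the function names are assumptions made for the illustration.

```python
"""Simulate first-match evaluation of a Cisco extended IP access list.

Added example (not from the practice test or from Cisco). It handles only
the syntax forms used on this page and runs over constructed sample packets.
"""
import ipaddress
from typing import List, Tuple

IPV4_ALL_ONES = 0xFFFFFFFF


def wildcard_match(addr: str, spec: str) -> bool:
    """Cisco wildcard-mask match: a 0 bit in the mask must match, a 1 bit is ignored.

    spec is 'any', 'host A.B.C.D', or 'A.B.C.D W.X.Y.Z' (network + wildcard).
    """
    if spec == "any":
        return True
    if spec.startswith("host "):
        return addr == spec.split()[1]
    net, wild = spec.split()
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    w = int(ipaddress.IPv4Address(wild))
    # Bits where the wildcard is 0 must be identical in addr and net.
    return (a ^ n) & (IPV4_ALL_ONES ^ w) == 0


def _take_addr(tokens: List[str]) -> Tuple[str, List[str]]:
    """Consume one address specification from the front of the token list."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return f"host {tokens[1]}", tokens[2:]
    return f"{tokens[0]} {tokens[1]}", tokens[2:]


def parse_ace(line: str) -> dict:
    """Parse 'access-list N {permit|deny} PROTO SRC DST [eq PORT]'.

    As on a real router, the protocol keyword must directly follow permit/deny;
    anything else is rejected, which is why options B and C are invalid.
    """
    tokens = line.replace("Router(config)#", "").split()
    if len(tokens) < 6 or tokens[0] != "access-list":
        raise ValueError(f"not an access-list entry: {line!r}")
    action, proto = tokens[2], tokens[3]
    if action not in ("permit", "deny"):
        raise ValueError(f"expected permit or deny: {line!r}")
    if proto not in ("ip", "tcp", "udp"):
        raise ValueError(f"protocol keyword must follow the action: {line!r}")
    src, rest = _take_addr(tokens[4:])
    dst, rest = _take_addr(rest)
    dport = int(rest[1]) if rest[:1] == ["eq"] else None
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}


def is_valid_ace(line: str) -> bool:
    """True if the line parses as an entry this evaluator (and IOS) accepts."""
    try:
        parse_ace(line)
        return True
    except ValueError:
        return False


def evaluate(acl: List[dict], pkt: dict) -> str:
    """Return 'permit' or 'deny': entries are tested top-down, the first match
    wins, and a packet that matches nothing hits the implicit deny."""
    for ace in acl:
        if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
            continue
        if not wildcard_match(pkt["src"], ace["src"]):
            continue
        if not wildcard_match(pkt["dst"], ace["dst"]):
            continue
        if ace["dport"] is not None and ace["dport"] != pkt.get("dport"):
            continue
        return ace["action"]
    return "deny"  # implicit deny at the end of every access list


# The entries from answer D and option A, exactly as written on the page.
ANSWER_D = [parse_ace(l) for l in [
    "access-list 101 deny tcp 192.168.4.0 0.0.0.255 192.168.5.0 0.0.0.255 eq 20",
    "access-list 101 deny tcp 192.168.4.0 0.0.0.255 192.168.5.0 0.0.0.255 eq 21",
    "access-list 101 permit ip any any",
]]
OPTION_A = [parse_ace(l) for l in [
    "access-list 101 deny tcp 192.168.5.0 0.0.0.255 192.168.4.0 0.0.0.255 eq 20",
    "access-list 101 deny tcp 192.168.5.0 0.0.0.255 192.168.4.0 0.0.0.255 eq 21",
    "access-list 101 permit ip any any",
]]

# Constructed sample packets (hypothetical hosts), as they would leave E0.
PACKETS = {
    "ftp_ctrl_4_to_5": {"proto": "tcp", "src": "192.168.4.10", "dst": "192.168.5.20", "dport": 21},
    "ftp_data_4_to_5": {"proto": "tcp", "src": "192.168.4.10", "dst": "192.168.5.20", "dport": 20},
    "http_4_to_5": {"proto": "tcp", "src": "192.168.4.10", "dst": "192.168.5.20", "dport": 80},
    "ftp_ctrl_4_to_6": {"proto": "tcp", "src": "192.168.4.10", "dst": "192.168.6.20", "dport": 21},
    "ftp_ctrl_5_to_4": {"proto": "tcp", "src": "192.168.5.20", "dst": "192.168.4.10", "dport": 21},
    "icmp_4_to_5": {"proto": "icmp", "src": "192.168.4.10", "dst": "192.168.5.20"},
}


def decisions(acl: List[dict]) -> dict:
    """Map each sample packet name to the list's permit/deny decision."""
    return {name: evaluate(acl, pkt) for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    for label, acl in (("answer D", ANSWER_D), ("option A", OPTION_A), ("D without permit", ANSWER_D[:2])):
        print(label, decisions(acl))
    print("option B accepted:", is_valid_ace(
        "access-list 101 deny 192.168.4.0 0.0.0.255 192.168.5.0 0.0.0.255 tcp eq 20"))
```

Running it shows answer D denying only the two FTP packets from 192.168.4.0 to 192.168.5.0 while permitting HTTP, ICMP, FTP to a third subnet and FTP in the reverse direction; option A permits the very traffic the question wants blocked and instead denies FTP from 192.168.5.0; the two deny entries alone deny everything, which is the implicit deny the tutorial warns about; and the option B line is rejected by the parser for the same reason IOS rejects it.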
For more information about access lists, see the references below.
Reference:
1. ICND Student Guide v2.1 – Volume 2 – Configuring IP Access Lists
– Configuring Extended IP Access Lists
2. Access Control Lists: Overview and Guidelines at http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/ftrafwl/scfacls.htm#xtocid0