CCNA WAN Chapter 5
It’s the fifth chapter of your studies on wide area networks, which span much further distances than LANs and can extend past a radius of over a kilometre in length, all connected to the same network. Think you have this chapter aced like the four previous? Take the quiz and find out!
- 1.
By default, how is IP traffic filtered in a Cisco router?
- A.
Blocked in and out of all interfaces
- B.
Blocked on all inbound interfaces, but permitted on all outbound interfaces
- C.
Permitted in and out of all interfaces
- D.
Blocked on all outbound interfaces, but permitted on all inbound interfaces
Correct Answer
C. Permitted in and out of all interfacesExplanation
IP traffic is permitted in and out of all interfaces by default in a Cisco router. This means that the router allows all IP traffic to pass through its interfaces without any filtering or restrictions.Rate this question:
-
- 2.
Which three parameters can ACLs use to filter traffic? (Choose three.)
- A.
Packet size
- B.
Protocol suite
- C.
Source address
- D.
Destination address
- E.
Destination router interface
Correct Answer(s)
B. Protocol suite
C. Source address
D. Destination addressExplanation
ACLs, or Access Control Lists, are used to filter network traffic based on certain parameters. The three parameters that ACLs can use to filter traffic are the protocol suite, source address, and destination address. The protocol suite refers to the network protocols being used, such as TCP/IP or UDP. The source address is the IP address of the sender, while the destination address is the IP address of the receiver. By specifying these parameters in an ACL, network administrators can control which traffic is allowed or denied based on these criteria.Rate this question:
-
- 3.
How do Cisco standard ACLs filter traffic?
- A.
By destination UDP por
- B.
By protocol type
- C.
By source IP address
- D.
By source UDP port
- E.
By destination IP address
Correct Answer
C. By source IP addressExplanation
Cisco standard ACLs filter traffic by source IP address. This means that the ACLs examine the source IP address of incoming packets and decide whether to allow or deny them based on the defined rules. The source IP address is the address of the device sending the packet, and by filtering based on this address, Cisco ACLs can control which devices are allowed to communicate with the network.Rate this question:
-
- 4.
Which two statements are correct about extended ACLs? (Choose two)
- A.
Extended ACLs use a number range from 1-99.
- B.
Extended ACLs end with an implicit permit statement.
- C.
Extended ACLs evaluate the source and destination addresses.
- D.
Port numbers can be used to add greater definition to an ACL.
- E.
Multiple ACLs can be placed on the same interface as long as they are in the same direction.
Correct Answer(s)
C. Extended ACLs evaluate the source and destination addresses.
D. Port numbers can be used to add greater definition to an ACL.Explanation
Extended ACLs evaluate the source and destination addresses, allowing for more granular control over network traffic. Port numbers can also be used in extended ACLs to add greater definition, allowing for more specific filtering based on the type of traffic.Rate this question:
-
- 5.
Where should a standard access control list be placed?
- A.
Close to the source
- B.
Close to the destination
- C.
On an Ethernet port
- D.
On a serial port
Correct Answer
B. Close to the destinationExplanation
A standard access control list should be placed close to the destination because it filters traffic based on the source IP address only. By placing it close to the destination, it allows for more efficient filtering and reduces unnecessary traffic from reaching the destination network. This helps in improving network performance and security.Rate this question:
-
- 6.
Which three statements describe ACL processing of packets? (Choose three.)
- A.
An implicit deny any rejects any packet that does not match any ACL statement.
- B.
A packet can either be rejected or forwarded as directed by the statement that is matched.
- C.
A packet that has been denied by one statement can be permitted by a subsequent statement.
- D.
Each statement is checked only until a match is detected or until the end of the ACL statement list.
- E.
Each packet is compared to the conditions of every statement in the ACL before a forwarding decision is made.
Correct Answer(s)
A. An implicit deny any rejects any packet that does not match any ACL statement.
B. A packet can either be rejected or forwarded as directed by the statement that is matched.
D. Each statement is checked only until a match is detected or until the end of the ACL statement list.Explanation
The first statement, "An implicit deny any rejects any packet that does not match any ACL statement," states that if a packet does not match any ACL statement, it will be rejected. The second statement, "A packet can either be rejected or forwarded as directed by the statement that is matched," explains that a packet will either be rejected or forwarded based on the ACL statement it matches. The third statement, "Each statement is checked only until a match is detected or until the end of the ACL statement list," implies that once a match is found, the remaining statements will not be checked.Rate this question:
-
- 7.
Which two statements are true regarding the significance of the access control list wildcard mask 0.0.0.7? (Choose two.)
- A.
The first 29 bits of a given IP address will be ignored.
- B.
The last 3 bits of a given IP address will be ignored.
- C.
The first 32 bits of a given IP address will be checked.
- D.
The first 29 bits of a given IP address will be checked.
- E.
The last 3 bits of a given IP address will be checked.
Correct Answer(s)
B. The last 3 bits of a given IP address will be ignored.
D. The first 29 bits of a given IP address will be checked.Explanation
The access control list wildcard mask 0.0.0.7 is used to determine which bits of an IP address will be checked or ignored. In this case, the last 3 bits of a given IP address will be ignored, meaning that any value in those bits will be disregarded when matching against the ACL. On the other hand, the first 29 bits of a given IP address will be checked, meaning that the values in those bits must match the ACL for the access to be allowed.Rate this question:
-
- 8.
Which two statements are true regarding the following extended ACL? (Choose two.)access-list 101 deny tcp 172.16.3.0 0.0.0.255 any eq 20access-list 101 deny tcp 172.16.3.0 0.0.0.255 any eq 21 access-list 101 permit ip any any
- A.
FTP traffic originating from network 172.16.3.0/24 is denied.
- B.
All traffic is implicitly denied.
- C.
FTP traffic destined for the 172.16.3.0/24 network is denied.
- D.
Telnet traffic originating on network 172.16.3.0/24 is denied.
- E.
Web traffic originating from 172.16.3.0 is permitted.
Correct Answer(s)
A. FTP traffic originating from network 172.16.3.0/24 is denied.
E. Web traffic originating from 172.16.3.0 is permitted.Explanation
The first statement is true because the ACL denies FTP traffic originating from the network 172.16.3.0/24 by specifying "deny tcp 172.16.3.0 0.0.0.255 any eq 20" and "deny tcp 172.16.3.0 0.0.0.255 any eq 21". The second statement is also true because the ACL ends with a "permit ip any any" statement, which allows all other traffic implicitly. Therefore, FTP traffic originating from the network 172.16.3.0/24 is denied, but web traffic originating from the IP address 172.16.3.0 is permitted.Rate this question:
-
- 9.
Interface s0/0/0 already has an IP ACL applied inbound. What happens when the network administrator attempts to apply a second inbound IP ACL?
- A.
The second ACL is applied to the interface, replacing the first.
- B.
Both ACLs are applied to the interface.
- C.
The network administrator receives an error.
- D.
Only the first ACL remains applied to the interface.
Correct Answer
A. The second ACL is applied to the interface, replacing the first.Explanation
When the network administrator attempts to apply a second inbound IP ACL to interface s0/0/0, the second ACL will be applied to the interface, replacing the first ACL that was already applied. This means that only the second ACL will be active and the first ACL will no longer have any effect on the interface.Rate this question:
-
- 10.
Refer to the exhibit. When creating an extended ACL to deny traffic from the 192.168.30.0 network destined for the Web server 209.165.201.30, where is the best location for applying the ACL?
- A.
ISP Fa0/0 outbound
- B.
R2 S0/0/1 inbound
- C.
R3 Fa0/0 inbound
- D.
R3 S0/0/1 outbound
Correct Answer
C. R3 Fa0/0 inboundExplanation
The best location for applying the extended ACL to deny traffic from the 192.168.30.0 network destined for the Web server 209.165.201.30 is on R3 Fa0/0 inbound. This is because the traffic from the 192.168.30.0 network will first reach R3 before being forwarded to the Web server. By applying the ACL on R3 Fa0/0 inbound, the traffic can be filtered and denied before it reaches the Web server.Rate this question:
-
- 11.
Which two statements are true regarding named ACLs? (Choose two.)
- A.
Only named ACLs allow comments.
- B.
Names can be used to help identify the function of the ACL.
- C.
Named ACLs offer more specific filtering options than numbered ACLs.
- D.
Certain complex ACLs, such as reflexive ACLs, must be defined with named ACLs.
- E.
More than one named IP ACL can be configured in each direction on a router interface.
Correct Answer(s)
B. Names can be used to help identify the function of the ACL.
D. Certain complex ACLs, such as reflexive ACLs, must be defined with named ACLs.Explanation
Named ACLs allow comments and names can be used to help identify the function of the ACL. Certain complex ACLs, such as reflexive ACLs, must be defined with named ACLs.Rate this question:
-
- 12.
Which three items must be configured before a dynamic ACL can become active on a router? (Choose three.)
- A.
Extended ACL
- B.
Reflexive ACL
- C.
Console logging
- D.
Authentication
- E.
Telnet connectivity
Correct Answer(s)
A. Extended ACL
D. Authentication
E. Telnet connectivityExplanation
Before a dynamic ACL can become active on a router, three items must be configured:
1. Extended ACL: This is the type of ACL that will be used to define the specific rules and conditions for allowing or denying traffic.
2. Authentication: This is necessary to ensure that only authorized users are allowed to access the router and make changes to the ACL.
3. Telnet connectivity: This is required to establish a remote connection to the router, allowing for the configuration and activation of the dynamic ACL.Rate this question:
-
- 13.
Refer to the exhibit. How does this access list process a packet with the source address 10.1.1.1 and a destination of 192.168.10.13?
- A.
It is allowed because of the implicit deny any.
- B.
It is dropped because it does not match any of the items in the ACL.
- C.
It is allowed because line 10 of the ACL allows packets to 192.168.0.0/16.
- D.
It is allowed because line 20 of the ACL allows packets to the host 192.168.10.13.
Correct Answer
B. It is dropped because it does not match any of the items in the ACL.Explanation
The packet with the source address 10.1.1.1 and a destination of 192.168.10.13 is dropped because it does not match any of the items in the ACL. The access list does not have any specific rules or lines that permit traffic between these source and destination addresses. Therefore, the packet is denied by default.Rate this question:
-
- 14.
A network administrator needs to allow traffic through the firewall router for sessions that originate from within the company network, but the administrator must block traffic for sessions that originate outside the network of the company. What type of ACL is most appropriate?
- A.
Dynamic
- B.
Port-based
- C.
Reflexive
- D.
Time-based
Correct Answer
C. ReflexiveExplanation
A reflexive ACL is most appropriate in this scenario because it allows traffic for sessions that originate from within the company network, but blocks traffic for sessions that originate outside the network. Reflexive ACLs keep track of the state of the connection and allow return traffic for established sessions while denying new sessions from external sources. This helps to protect the network from unauthorized access while allowing legitimate internal traffic to pass through the firewall router.Rate this question:
-
- 15.
Refer to the exhibit. How will Router1 treat traffic matching the time-range requirement of EVERYOTHERDAY?
- A.
TCP traffic entering fa0/0 from 172.16.1.254/24 destined to the 10.1.1.0/24 network is permitted.
- B.
TCP traffic entering fa0/0 from 10.1.1.254/24 destined to the 172.16.1.0/24 network is permitted.
- C.
Telnet traffic entering fa0/0 from 172.16.1.254/24 destined to the 10.1.1.0/24 network is permitted.
- D.
Telnet traffic entering fa0/0 from 10.1.1.254/24 destined to the 172.16.1.0/24 network is permitted.
Correct Answer
D. Telnet traffic entering fa0/0 from 10.1.1.254/24 destined to the 172.16.1.0/24 network is permitted.Explanation
Router1 will permit Telnet traffic entering fa0/0 from 10.1.1.254/24 destined to the 172.16.1.0/24 network. This is because the time-range requirement of EVERYOTHERDAY does not apply to TCP traffic entering fa0/0 from 172.16.1.254/24 destined to the 10.1.1.0/24 network, nor to TCP traffic entering fa0/0 from 10.1.1.254/24 destined to the 172.16.1.0/24 network. Therefore, the only traffic that meets the time-range requirement and is permitted is Telnet traffic entering fa0/0 from 10.1.1.254/24 destined to the 172.16.1.0/24 network.Rate this question:
-
- 16.
The following commands were entered on a router:Router(config)# access-list 2 deny 172.16.5.24Router(config)# access-list 2 permit anyThe ACL is correctly applied to an interface. What can be concluded about this set of commands?
- A.
The wildcard mask 0.0.0.0 is assumed.
- B.
The access list statements are misconfigured.
- C.
All nodes on the 172.16.0.0 network will be denied access to other networks.
- D.
No traffic will be allowed to access any nodes or services on the 172.16.0.0 network.
Correct Answer
A. The wildcard mask 0.0.0.0 is assumed.Explanation
The wildcard mask 0.0.0.0 is assumed means that the deny statement in the access list 2 will not match any IP addresses since the wildcard mask 0.0.0.0 means that all bits in the IP address must match exactly. Therefore, the deny statement will have no effect and all traffic will be permitted.Rate this question:
-
- 17.
Refer to the exhibit. The administrator wishes to block web traffic from 192.168.1.50 from reaching the default port of the web service on 192.168.3.30. To do this, the access control list name is applied inbound on the router R1 LAN interface. After testing the list, the administrator has noted that the web traffic remains successful. Why is web traffic reaching the destination?
- A.
Web traffic does not use port 80 by default.
- B.
The access list is applied in the wrong direction.
- C.
The access list needs to be placed closer to the destination, on R3.
- D.
The range of source addresses specified in line 10 does not include host 192.168.1.50.
Correct Answer
D. The range of source addresses specified in line 10 does not include host 192.168.1.50.Explanation
The web traffic is reaching the destination because the range of source addresses specified in line 10 of the access control list does not include host 192.168.1.50. This means that the access control list is not blocking the web traffic from that specific host.Rate this question:
-
- 18.
Refer to the exhibit. What will be the effect of the configuration that is shown?
- A.
Users attempting to access hosts in the 192.168.30.0/24 network will be required to telnet to R3.
- B.
Hosts connecting to resources in the 191.68.30.0/24 network have an idle timeout of 15 minutes.
- C.
Anyone attempting to telnet into R3 will have an absolute time limit of five minutes.
- D.
Telnet access to R3 will only be permitted on Serial 0/0/1.
Correct Answer
A. Users attempting to access hosts in the 192.168.30.0/24 network will be required to telnet to R3.Explanation
The given configuration will require users attempting to access hosts in the 192.168.30.0/24 network to use telnet to connect to R3. This means that users will not be able to directly access the hosts in the network, but instead, they will have to go through R3. This can provide an additional layer of security and control over the network, as all traffic to the hosts will be routed through R3.Rate this question:
-
- 19.
Which statement about standard ACLs is true?
- A.
Standard ACLS must be numbered and cannot be named.
- B.
They should be placed as close to the destination as possible.
- C.
They can filter based on source and destination address as well as on source and destination port.
- D.
When applied to an outbound interface, incoming packets are processed before they are routed to the outbound interface.
Correct Answer
B. They should be placed as close to the destination as possible.Explanation
Standard ACLs should be placed as close to the destination as possible. This is because standard ACLs filter traffic based on the source IP address only, and placing them closer to the destination allows for more precise control over which traffic is allowed or denied. By placing the ACL closer to the destination, unnecessary traffic can be filtered out earlier in the network, reducing network congestion and improving overall network performance.Rate this question:
-
- 20.
Which benefit does an extended ACL offer over a standard ACL?
- A.
Extended ACLs can be named, but standard ACLs cannot.
- B.
Unlike standard ACLs, extended ACLS can be applied in the inbound or outbound direction.
- C.
Based on payload content, an extended ACL can filter packets, such as information in an e-mail or instant message.
- D.
In addition to the source address, an extended ACL can also filter on destination address, destination port, and source port.
Correct Answer
D. In addition to the source address, an extended ACL can also filter on destination address, destination port, and source port.Explanation
Extended ACLs offer the benefit of being able to filter packets based on not only the source address but also the destination address, destination port, and source port. This allows for more granular control and specificity in filtering network traffic. Standard ACLs, on the other hand, can only filter based on the source address.Rate this question:
-
- 21.
Which feature will require the use of a named ACL rather than a numbered ACL?
- A.
The ability to filter traffic based on a specific protocol
- B.
The ability to filter traffic based on an entire protocol suite and destination
- C.
The ability to specify source and destination addresses to use when identifying traffic
- D.
The ability to edit the ACL and add additional statements in the middle of the list without removing and re-creating the list
Correct Answer
D. The ability to edit the ACL and add additional statements in the middle of the list without removing and re-creating the listExplanation
A named ACL allows for the ability to edit and add additional statements in the middle of the list without removing and re-creating the list. Numbered ACLs do not provide this flexibility and require the entire list to be recreated when changes are made. Therefore, the ability to edit and add statements in the middle of the list is the feature that requires the use of a named ACL rather than a numbered ACL.Rate this question:
-
- 22.
A technician is creating an ACL and needs a way to indicate only the subnet 172.16.16.0/21. Which combination of network address and wildcard mask will accomplish the desired task?
- A.
172.16.0.0 0.0.255.255
- B.
127.16.16.0 0.0.0.255
- C.
172.16.16.0 0.0.7.255
- D.
172.16.16.0 0.0.15.255
- E.
172.16.16.0 0.0.255.255
Correct Answer
C. 172.16.16.0 0.0.7.255Explanation
The wildcard mask 0.0.7.255 allows for a range of IP addresses from 172.16.16.0 to 172.16.23.255, which falls within the subnet 172.16.16.0/21. This wildcard mask will match the first 21 bits of the IP address, indicating only the desired subnet.Rate this question:
-
- 23.
Which two statements accurately describe the characteristics of wildcard masks in an ACL? (Choose two.)
- A.
Wildcard masks are the inverse of the subnet mask.
- B.
The word "any" indicates that all corresponding bits must be matched.
- C.
The word "host" corresponds to a wildcard mask of 0.0.0.0 in an ACL statement.
- D.
A wildcard mask of 0.0.255.255 can be used to create a match for an entire Class B network.
- E.
A wildcard mask bit of 1 indicates that the corresponding bit in the address must be matched.
Correct Answer(s)
C. The word "host" corresponds to a wildcard mask of 0.0.0.0 in an ACL statement.
D. A wildcard mask of 0.0.255.255 can be used to create a match for an entire Class B network.Explanation
The first statement, "The word 'host' corresponds to a wildcard mask of 0.0.0.0 in an ACL statement," is accurate because when the word "host" is used in an ACL statement, it means that the wildcard mask should match exactly with the host address, which is represented by 0.0.0.0.
The fourth statement, "A wildcard mask of 0.0.255.255 can be used to create a match for an entire Class B network," is also accurate. In a wildcard mask, a 0 bit indicates that the corresponding bit in the address must match, while a 1 bit indicates that the corresponding bit can be ignored. So, a wildcard mask of 0.0.255.255 means that the first two octets are fixed (0.0), and the last two octets can be anything (255.255), allowing for a match with any address in a Class B network.Rate this question:
-
- 24.
Refer to the exhibit. Which statement is true about ACL 110 if ACL 110 is applied in the inbound direction on S0/0/0 of R1?
- A.
It will deny TCP traffic to the Internet if the traffic is sourced from the 172.22.10.0/24 network.
- B.
It will not allow TCP traffic coming from the Internet to enter the network 172.22.10.0/24.
- C.
It will allow any TCP traffic from the Internet to enter the network 172.22.10.0/24.
- D.
It will permit any TCP traffic that originated from network 172.22.10.0/24 to return inbound on the S0/0/0 interface.
Correct Answer
D. It will permit any TCP traffic that originated from network 172.22.10.0/24 to return inbound on the S0/0/0 interface.Explanation
If ACL 110 is applied in the inbound direction on S0/0/0 of R1, it will permit any TCP traffic that originated from the network 172.22.10.0/24 to return inbound on the S0/0/0 interface. This means that any TCP traffic initiated from the 172.22.10.0/24 network will be allowed to enter the network through the S0/0/0 interface.Rate this question:
-
- 25.
Refer to the exhibit. ACL 120 is configured inbound on the serial0/0/0 interface on router R1, but the hosts on network 172.11.10.0/24 are able to telnet to network 10.10.0.0/16. On the basis of the provided configuration, what should be done to remedy the problem?
- A.
Apply the ACL outbound on the serial0/0/0 interface on router R1.
- B.
Apply the ACL outbound on the FastEthernet0/0 interface on router R1.
- C.
Include the established keyword at the end of the first line in the ACL.
- D.
Include a statement in the ACL to deny the UDP traffic that originates from 172.11.10.0/24 network.
Correct Answer
A. Apply the ACL outbound on the serial0/0/0 interface on router R1.Explanation
The correct answer is to apply the ACL outbound on the serial0/0/0 interface on router R1. This is because the ACL is currently configured inbound on the serial0/0/0 interface, which means it is only applied to incoming traffic. In order to prevent the hosts on network 172.11.10.0/24 from being able to telnet to network 10.10.0.0/16, the ACL needs to be applied outbound on the serial0/0/0 interface so that it filters outgoing traffic as well.Rate this question:
-
- 26.
Refer to the exhibit. The network administrator applied an ACL outbound on S0/0/0 on router R1. Immediately after the administrator did so, the users on network 172.22.30.0/24 started complaining that they have intermittent access to the resources available on the server on the 10.10.0.0/16 network. On the basis of the configuration that is provided, what is the possible reason for the problem?
- A.
The ACL allows only the mail traffic to the server; the rest of the traffic is blocked.
- B.
The ACL permits the IP packets for users on network 172.22.30.0/24 only during a specific time range.
- C.
The ACL permits TCP packets only if a connection is established from the server to the network 172.22.0.0/16.
- D.
The ACL allows only TCP traffic from users on network 172.22.40.0/24 to access the server; TCP traffic from any other sources is blocked.
Correct Answer
B. The ACL permits the IP packets for users on network 172.22.30.0/24 only during a specific time range.Explanation
The possible reason for the problem is that the ACL applied on S0/0/0 on router R1 permits the IP packets for users on network 172.22.30.0/24 only during a specific time range. This means that outside of the specified time range, the users on network 172.22.30.0/24 will be blocked from accessing the resources on the server on the 10.10.0.0/16 network, resulting in intermittent access.Rate this question:
-
Quiz Review Timeline +
Our quizzes are rigorously reviewed, monitored and continuously updated by our expert board to maintain accuracy, relevance, and timeliness.
-
Current Version
-
Mar 20, 2023Quiz Edited by
ProProfs Editorial Team -
Apr 27, 2010Quiz Created by
Rodney.butler
Back to top