1.
Which range represents all the IP addresses that are affected when network 10.120.160.0 with a wildcard mask of 0.0.7.255 is used in an ACE?
Correct Answer
B. 10.120.160.0 to 10.120.167.255
Explanation
The given wildcard mask of 0.0.7.255 indicates that the first three octets of the IP address (10.120.160) are fixed, while the last octet can range from 0 to 255. Therefore, the range of IP addresses affected will be from 10.120.160.0 to 10.120.167.255.
2.
What two functions describe uses of an access control list? (Choose two.)
Correct Answer(s)
C. ACLs provide a basic level of security for network access.
E. ACLs can control which areas a host can access on a network.
Explanation
Access Control Lists (ACLs) are used to control network traffic and provide security by allowing or denying access to network resources. They can restrict access to specific applications and ports, thus providing a basic level of security for network access. Additionally, ACLs can control which areas a host can access on a network, allowing administrators to define and enforce network segmentation and access policies. ACLs do not assist routers in determining the best path to a destination, nor do they permit or deny traffic based on MAC addresses originating from the router.
3.
Which two statements describe the effect of the access control list wildcard mask 0.0.0.15? (Choose two.)
Correct Answer(s)
B. The last four bits of a supplied IP address will be ignored.
D. The first 28 bits of a supplied IP address will be matched.
Explanation
The wildcard mask 0.0.0.15 means that the last four bits of a supplied IP address will be ignored. This means that any IP address that matches the first 28 bits of the supplied IP address will be allowed or denied access, depending on the configuration. Therefore, the first 28 bits of a supplied IP address will be matched by the access control list.
4.
Refer to the exhibit. A network administrator is configuring an ACL to limit the connection to R1 vty lines to only the IT group workstations in the network 192.168.22.0/28. The administrator verifies the successful Telnet connections from a workstation with IP 192.168.22.5 to R1 before the ACL is applied. However, after the ACL is applied to the interface Fa0/0, Telnet connections are denied. What is the cause of the connection failure?
Correct Answer
D. The IT group network is included in the deny statement.
Explanation
The reason for the connection failure is that the IT group network is included in the deny statement of the ACL. This means that the ACL is explicitly blocking any connections from the IT group workstations in the network 192.168.22.0/28. As a result, when the ACL is applied to the interface Fa0/0, Telnet connections from the workstation with IP 192.168.22.5 are denied.
5.
Refer to the exhibit. The network administrator that has the IP address of 10.0.70.23/25 needs to have access to the corporate FTP server (10.0.54.5/28). The FTP server is also a web server that is accessible to all internal employees on networks within the 10.x.x.x address. No other traffic should be allowed to this server. Which extended ACL would be used to filter this traffic, and how would this ACL be applied? (Choose two.)
Correct Answer(s)
C.
    access-list 105 permit tcp host 10.0.70.23 host 10.0.54.5 eq 20
    access-list 105 permit tcp host 10.0.70.23 host 10.0.54.5 eq 21
    access-list 105 permit tcp 10.0.0.0 0.255.255.255 host 10.0.54.5 eq www
    access-list 105 deny ip any host 10.0.54.5
    access-list 105 permit ip any any
E.
    R1(config)# interface gi0/0
    R1(config-if)# ip access-group 105 out
Explanation
The correct ACL to filter the traffic is access-list 105 permit tcp host 10.0.70.23 host 10.0.54.5 eq 20, access-list 105 permit tcp host 10.0.70.23 host 10.0.54.5 eq 21, access-list 105 permit tcp 10.0.0.0 0.255.255.255 host 10.0.54.5 eq www, access-list 105 deny ip any host 10.0.54.5, and access-list 105 permit ip any any. The ACL allows TCP traffic from the host 10.0.70.23 to the FTP server on ports 20 and 21, and allows TCP traffic from any internal network to the FTP server on port 80. It then denies any IP traffic from any source to the FTP server and allows all other IP traffic. The ACL is applied out on the R1 Gi0/0 interface and the R1 S0/0/0 interface.
6.
A network administrator is designing an ACL. The networks 192.168.1.0/25, 192.168.0.0/25, 192.168.0.128/25, 192.168.1.128/26, and 192.168.1.192/26 are affected by the ACL. Which wildcard mask, if any, is the most efficient to use when specifying all of these networks in a single ACL permit entry?
Correct Answer
C. 0.0.1.255
Explanation
The most efficient wildcard mask to use when specifying all of these networks in a single ACL permit entry is 0.0.1.255. This wildcard mask will match all the given networks (192.168.1.0/25, 192.168.0.0/25, 192.168.0.128/25, 192.168.1.128/26, and 192.168.1.192/26) because it allows for any value in the last octet while keeping the first three octets constant. This ensures that only the specified networks are permitted and no other traffic is allowed, maintaining security.
7.
Refer to the exhibit. A network administrator wants to permit only host 192.168.1.1/24 to be able to access the server 192.168.2.1/24. Which three commands will achieve this using best ACL placement practices? (Choose three.)
Correct Answer(s)
A. R2(config)# access-list 101 permit ip host 192.168.1.1 host 192.168.2.1
C. R2(config)# interface fastethernet 0/0
G. R2(config-if)# ip access-group 101 in
Explanation
The first command "access-list 101 permit ip host 192.168.1.1 host 192.168.2.1" creates an access control list (ACL) rule that permits IP traffic from host 192.168.1.1 to host 192.168.2.1.
The second command "interface fastethernet 0/0" enters the configuration mode for the FastEthernet interface 0/0.
The third command "ip access-group 101 in" applies the ACL with the number 101 to inbound traffic on the interface.
These three commands together allow only the specified host to access the specified server by filtering traffic at the interface level.
8.
Which two statements are correct about extended ACLs? (Choose two.)
Correct Answer(s)
C. Extended ACLs evaluate the source and destination addresses.
D. Port numbers can be used to add greater definition to an ACL.
Explanation
Extended ACLs evaluate the source and destination addresses, allowing for more granular control over network traffic. Port numbers can also be used in extended ACLs to further define the type of traffic that is allowed or denied.
9.
Which three values or sets of values are included when creating an extended access control list entry? (Choose three.)
Correct Answer(s)
B. Access list number between 100 and 199
D. destination address and wildcard mask
E. Source address and wildcard mask
Explanation
When creating an extended access control list entry, three values or sets of values that are included are: access list number between 100 and 199, destination address and wildcard mask, and source address and wildcard mask. These values are necessary to define the specific traffic that the access control list will permit or deny. The access list number determines the order in which the access control list entries are processed. The destination address and wildcard mask specify the destination IP address or range of addresses that the access control list will match. Similarly, the source address and wildcard mask specify the source IP address or range of addresses that the access control list will match.
10.
Refer to the exhibit. This ACL is applied on traffic outbound from the router on the interface that directly connects to the 10.0.70.5 server. A request for information from a secure web page is sent from host 10.0.55.23 and is destined for the 10.0.70.5 server. Which line of the access list will cause the router to take action (forward the packet onward or drop the packet)?
Correct Answer
C. 3
Explanation
Line 3 of the access list is "permit tcp any host 10.0.70.5 eq www", which allows TCP traffic from any source IP address to the destination IP address 10.0.70.5 on port 80 (HTTP). Since the request for information from a secure web page is sent from host 10.0.55.23 to the 10.0.70.5 server, this line will match the traffic and the router will forward the packet onward.
11.
Which set of access control entries would allow all users on the 192.168.10.0/24 network to access a web server that is located at 172.17.80.1, but would not allow them to use Telnet?
Correct Answer
C.
    access-list 103 permit tcp 192.168.10.0 0.0.0.255 host 172.17.80.1 eq 80
    access-list 103 deny tcp 192.168.10.0 0.0.0.255 any eq 23
Explanation
The given set of access control entries allows all users on the 192.168.10.0/24 network to access the web server located at 172.17.80.1 by permitting TCP traffic from the network to the server on port 80. It also denies any TCP traffic from the network to any destination on port 23, effectively blocking Telnet access.
12.
Which two packet filters could a network administrator use on an IPv4 extended ACL? (Choose two.)
Correct Answer(s)
B. ICMP message type
E. destination UDP port number
Explanation
A network administrator could use the packet filters "ICMP message type" and "destination UDP port number" on an IPv4 extended ACL. The "ICMP message type" filter allows the administrator to control the types of ICMP messages that are allowed or denied. The "destination UDP port number" filter allows the administrator to control which UDP ports are allowed or denied as destinations for incoming packets. These filters provide control over specific types of network traffic based on their characteristics, allowing for more granular security and network management.
13.
Which two ACE commands will block traffic that is destined for a web server which is listening to default ports? (Choose two.)
Correct Answer(s)
B. access-list 110 deny tcp any any eq https
D. access-list 110 deny tcp any any gt 75
Explanation
The two ACE commands that will block traffic destined for a web server listening on default ports are "access-list 110 deny tcp any any eq https" and "access-list 110 deny tcp any any gt 75". The first command denies any TCP traffic with a destination port of 443, which is the default port for HTTPS. The second command denies any TCP traffic with a destination port greater than 75, which would include all ports commonly used for web traffic. By using these two commands, any traffic attempting to access the web server on default ports will be blocked.
14.
Which feature is unique to IPv6 ACLs when compared to those of IPv4 ACLs?
Correct Answer
D. an implicit permit of neighbor discovery packets
Explanation
IPv6 ACLs have an implicit permit of neighbor discovery packets, which means that these packets are allowed by default without explicitly configuring a rule for them. This is a unique feature of IPv6 ACLs compared to IPv4 ACLs, where neighbor discovery packets would require a specific rule to permit them.
15.
What two ACEs could be used to deny IP traffic from a single source host 10.1.1.1 to the 192.168.0.0/16 network? (Choose two.)
Correct Answer(s)
A. access-list 100 deny ip host 10.1.1.1 192.168.0.0 0.0.255.255
D. access-list 100 deny ip 10.1.1.1 0.0.0.0 192.168.0.0 0.0.255.255
Explanation
The first ACE "access-list 100 deny ip host 10.1.1.1 192.168.0.0 0.0.255.255" denies IP traffic from the source host 10.1.1.1 to the destination network 192.168.0.0/16. The second ACE "access-list 100 deny ip 10.1.1.1 0.0.0.0 192.168.0.0 0.0.255.255" also denies IP traffic from the source host 10.1.1.1 to the destination network 192.168.0.0/16, but it uses a wildcard mask for the source IP address. Both ACEs achieve the same result of denying traffic from the specified source host to the specified destination network.
16.
Refer to the exhibit. The IPv6 access list LIMITED_ACCESS is applied on the S0/0/0 interface of R1 in the inbound direction. Which IPv6 packets from the ISP will be dropped by the ACL on R1?
Correct Answer
B. ICMPv6 packets that are destined to PC1
Explanation
The LIMITED_ACCESS IPv6 access list on R1 is applied inbound on the S0/0/0 interface. This means that any packets coming from the ISP and destined to PC1 will be checked against this access list. The access list is configured to drop ICMPv6 packets that are destined to PC1, so any ICMPv6 packets with PC1 as the destination will be dropped by the ACL on R1.
17.
Which command is used to activate an IPv6 ACL named ENG_ACL on an interface so that the router filters traffic prior to accessing the routing table?
Correct Answer
C. ipv6 traffic-filter ENG_ACL in
Explanation
The correct answer is "ipv6 traffic-filter ENG_ACL in". This command is used to activate an IPv6 ACL named ENG_ACL on an interface. The "in" keyword indicates that the ACL should be applied to incoming traffic, filtering it before it is processed by the routing table.
18.
Which IPv6 ACL command entry will permit traffic from any host to an SMTP server on network 2001:DB8:10:10::/64?
Correct Answer
A. permit tcp any host 2001:DB8:10:10::100 eq 25
Explanation
The correct answer is "permit tcp any host 2001:DB8:10:10::100 eq 25". This command entry allows any host to establish a TCP connection with the SMTP server on network 2001:DB8:10:10::/64 by permitting TCP traffic from any source IP address to the destination IP address 2001:DB8:10:10::100 on port 25, which is the port commonly used for SMTP (Simple Mail Transfer Protocol).
19.
In applying an ACL to a router interface, which traffic is designated as outbound?
Correct Answer
A. traffic that is leaving the router and going toward the destination host
Explanation
When applying an ACL to a router interface, outbound traffic refers to the traffic that is leaving the router and going towards the destination host. This means that the router is filtering the traffic that is being transmitted from the router to the destination host. The ACL is applied to the interface to control and restrict the outbound traffic based on the defined rules and criteria.
20.
Fill in the blanks. Use dotted decimal format. The wildcard mask that is associated with the network 192.168.12.0/24 is ______
Correct Answer
0.0.0.255
Explanation
The wildcard mask that is associated with the network 192.168.12.0/24 is 0.0.0.255. In a wildcard mask, the bits that are set to 0 indicate the network portion, and the bits that are set to 1 indicate the host portion. Since the network address 192.168.12.0 has a subnet mask of /24, it means that the first 24 bits are used for the network portion and the remaining 8 bits are used for the host portion. In the wildcard mask, the bits that correspond to the host portion are set to 1, which is represented by 0.0.0.255.
21.
An access list has been applied to a router LAN interface in the inbound direction. The IP address of the LAN segment is 192.168.83.64/26. The entire ACL appears below:
    access-list 101 deny tcp 192.168.83.64 0.0.0.63 any eq 23
    access-list 101 permit ip 192.168.83.64 0.0.0.63 192.168.83.128 0.0.0.63
Drag the descriptions of the packets on the left to the action that the router will perform on the right.
THE ROUTER WILL DROP THE PACKET
Correct Answer(s)
A. Destination: 202.16.83.131 protocol: HTTP
B. Destination: 192.168.83.157 protocol: Telnet
Explanation
The router will drop the packets with the destination IP address of 202.16.83.131 and protocol HTTP, as well as the packets with the destination IP address of 192.168.83.157 and protocol Telnet. This is because the first line of the access list denies TCP traffic from the IP address range 192.168.83.64/26 (which includes both of these destination IP addresses) to any destination with port 23 (Telnet). The second line of the access list permits all other IP traffic within the same IP address range.
22.
An access list has been applied to a router LAN interface in the inbound direction. The IP address of the LAN segment is 192.168.83.64/26. The entire ACL appears below:
    access-list 101 deny tcp 192.168.83.64 0.0.0.63 any eq 23
    access-list 101 permit ip 192.168.83.64 0.0.0.63 192.168.83.128 0.0.0.63
Drag the descriptions of the packets on the left to the action that the router will perform on the right.
THE ROUTER WILL FORWARD THE PACKET
Correct Answer
C. Destination: 192.168.83.189 protocol: FTP
Explanation
The router will forward the packet with destination IP address 192.168.83.189 and protocol FTP because the access list permits any IP traffic to that specific IP address range. The deny statement in the access list only applies to TCP traffic with a source IP address within the LAN segment and a destination port of 23. Since the destination IP address 192.168.83.189 does not match the deny statement criteria, the packet will be forwarded.
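Added example (not part of the original quiz): a small Python model of wildcard-mask matching and first-match ACL evaluation, run against access-list 101 from questions 21 and 22 and the wildcard range from question 1. The source host 192.168.83.70 and the function names are assumptions made for the illustration; line 0 stands for the implicit deny that ends every ACL.

```python
import ipaddress

def ip(s):
    """Dotted-decimal string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(s))

def wildcard_match(addr, base, wildcard):
    """True when addr equals base on every bit where the wildcard bit is 0."""
    care = ~ip(wildcard) & 0xFFFFFFFF
    return (ip(addr) & care) == (ip(base) & care)

def wildcard_range(base, wildcard):
    """First and last address covered by a contiguous wildcard mask."""
    low = ip(base) & ~ip(wildcard) & 0xFFFFFFFF
    high = low | ip(wildcard)
    return str(ipaddress.IPv4Address(low)), str(ipaddress.IPv4Address(high))

# access-list 101 as quoted in questions 21 and 22; None means "any".
# Fields: action, protocol, (source, wildcard), (destination, wildcard), dest port
ACL_101 = [
    ("deny", "tcp", ("192.168.83.64", "0.0.0.63"), None, 23),
    ("permit", "ip", ("192.168.83.64", "0.0.0.63"),
     ("192.168.83.128", "0.0.0.63"), None),
]

def side_matches(addr, spec):
    return spec is None or wildcard_match(addr, *spec)

def evaluate(acl, proto, src, dst, dport):
    """Return (action, line); the first matching ACE decides, line 0 is the implicit deny."""
    for line, (action, ace_proto, s, d, port) in enumerate(acl, start=1):
        if ace_proto not in ("ip", proto):
            continue  # "ip" covers every IP protocol, otherwise it must be equal
        if not (side_matches(src, s) and side_matches(dst, d)):
            continue
        if port is not None and port != dport:
            continue
        return action, line
    return "deny", 0

# Constructed source host inside the 192.168.83.64/26 LAN segment (assumption).
SRC = "192.168.83.70"

if __name__ == "__main__":
    print(wildcard_range("10.120.160.0", "0.0.7.255"))
    for dst, port in [("202.16.83.131", 80), ("192.168.83.157", 23),
                      ("192.168.83.189", 21)]:
        print(dst, port, evaluate(ACL_101, "tcp", SRC, dst, port))
```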