2013 Latest Cisco 350-001 Exam Section 1: Access Lists (5 Questions)
QUESTION NO: 1
The TestKing network consists of network X and Y that are connected via Router TK1 and Router TK2. The TestKing network is shown in the following exhibit: You wish to set up an IPSec VPN between routers TK1 and TK2. Now, which of the following crypto access-lists must be configured on Router TK1 in order to send LAN to LAN traffic across the encrypted VPN tunnel?
A. access-list 101 permit ip host 192.168.1.1 host 192.168.1.2
B. access-list 101 permit ip 10.1.1.0.0.0.0.255 host 192.168.1.2
C. access-list 101 permit ip 10.1.1.0.0.0.0.255 10.1.2.0.0.0.0.255
D. access-list 101 permit ip 10.1.1.0.0.0.0.255 10.1.2.0.0.0.0.255 access-list 101 permit ip 10.1.2.0.0.0.0.255 10.1.1.0.0.0.0.255
E. access-list 10 permit ip 10.1.1.0.0.0.0.255 10.1.2.0.0.0.0.255
The format of the command for configuring IPSec is shown below:
access-list 101 permit “Source Network Addresses on X” “Destination Network Subnets
A. You define the traffic that is to be sent over the encrypted tunnel, which is all traffic from subnet X to subnet Y, not the serial interfaces.
B. This would only be useful for traffic going from subnet X to the serial interface of TK2, not for LAN to LAN traffic.
D. You only need to specify the traffic from X to Y on router TK1, as this is the traffic that will be encrypted. The second line of this access list would need to be applied to router TK2 only.
E. Access list 100 or higher must be used, as this is an extended access list.
QUESTION NO: 2
You try to perform a traceroute to an Internet destination from your PC, but the Traceroute hangs when it reaches the router. Currently, there is an inbound access-list applied to the serial interface on the Internet router with a single line: “access-list 101 permit tcp any any”.
What access-list entry may you need to be added to the access-list in order to get traceroute to work?
A. access-list 101 permit tcp any any
B. access-list 101 permit icmp any any time-exceeded access-list 101 permit icmp any any port-unreachable
C. access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any echo-reply
D. access-list 101 permit icmp any any echo access-list 101 permit icmp any any net-unreachable
E. access-list 101 permit udp any any access-list 101 permit icmp any any protocol-unreachable
Port-unreachable and time-exceeded are the ICMP messages that Cisco traceroute uses, so these ports must be permitted to allow the traceroute to go through.
A, C, D, E. None of these options give us both the time-exceeded and port-unreachable ICMP ports that need to be opened in the access list to allow traceroute through.
QUESTION NO: 3
You are writing an access list on a router to prevent users on the Ethernet LAN connected to Ethernet interface 0 from accessing a TFTP server (10.1.1.5) located on the LAN connected to Ethernet interface 1. Which of the following would be the correct configuration change if applying the ACL inbound on the Ethernet 0 interface?
A. access-list 1 deny tcp 0.0.0.0 255.255.255.255 10.1.1.5. 0.0.0.0 eq 69
B. access-list 100 deny tcp 0.0.0.0 255.255.255.255 10.1.1.5. 0.0.0.0 eq 69
C. access-list 100 deny tcp 0.0.0.0 255.255.255.255 10.1.1.5. 0.0.0.0 eq 68
D. access-list 100 deny tcp 10.1.1.5 0.0.0.0 0.0.0.0 255.255.255.255 eq 69
E. access-list 100 deny tcp 0.0.0.0 255.255.255.255 10.1.1.5. 0.0.0.0 eq port 68
F. None of the above
TFTP uses UDP port 69, so choice F would be the correct access list entry. An extended access list is needed when filtering based on source and destination address, as well as layer 4 port information. However, all of the choices listed are filtering based on TCP ports, and since TFTP uses UDP none are correct. Incorrect Answers:
A. This is an invalid command, since using source and destination information along with port numbers requires an extended access list.
B. This would be the correct choice if UDP was specified as the transport layer protocol instead of TCP.
C, E. In addition to incorrectly specifying TCP instead of UDP, the port number of 68 is also incorrect.
D. The order of the IP address arrangement is incorrect. This access list will block all TCP port 69 traffic sourced from the TFTP server, not destined to it. This choice is also incorrectly using TCP instead of UDP.
QUESTION NO: 4
You wish to allow only telnet traffic to a server with an IP address 10.1.1.100. You add the following access list on the router:
access-list 101 permit tcp any host 10.1.1.100 eq telnet
access-list 101 deny ip any any
You then apply this access list to the inbound direction of the serial interface. Which types of packets will be permitted through the router after this change? (Choose all that apply)
A. A non-fragment packet en route to the server on port 21.
B. A non-initial fragment packet en route to the server on port 23.
C. A non-initial fragment packet passing through to another host that’s not 10.1.1.100.
D. A non-initial fragment packet going to the server on port 21.
E. An initial-fragment or non-fragment packet en route to the server on port 23.
Answer: B, D, E
B, E: Telnet (port 23) is permitted by ACL.
D: A non initial fragment destined to the server will indeed be permitted. The reason for
this is that the first line of ACL has some L3 and some L4 information which needs to be
matched for a packet to be permitted.
Since a non initial frame matches the L3 information it will pass the layer 3 check.
Moreover, since it isa non initial frame it will contain no L4 information in it. Hence the
packet will be permitted.
A, C. For non-initial fragments, only telnet packets going to the 10.1.1.100 address will be allowed.
QUESTION NO: 5
The following access list is configured on router TK1:
access-list 100 deny udp 0.0.0.0 255.255.255.255 10.1.1.5 0.0.0.0 eq 69
What does the access-list accomplish?
Note: Assume that all other traffic is permitted with a permit all statement at the end of
the access list.
A. It blocks all incoming traffic arriving on E0 from accessing any FTP server.
B. It blocks all incoming traffic, except traffic addresses to 10.1.1.5, from accessing any FTP servers.
C. It blocks all incoming traffic arriving on E0 from accessing the FTP server with an address of 10.1.1.5.
D. It blocks all incoming UDP traffic.
E. This access list is trying to block traffic from accessing a TFTP server. However, this is only half of what is needed to accomplish that. You would also need the following:
access-list deny tcp 0.0.0.0 255.255.255.255 10.1.1.5 0.0.0.0 eq 69
The access list shown above is designed to block UDP port 69 traffic from all sources to the destination device with the IP address of 10.1.1.5. Port 69 is used for TFTP. Both TCP and UDP ports are used with the TFTP application, so in order to block all TFTP traffic another access list block TCP port 69 should also be applied. Incorrect Answers: A, B: TFTP traffic is being blocked, not FTP. In addition, this traffic is being blocked only for traffic destined to a single server, not all traffic.
C. TFTP uses port 69, not FTP. FTP uses ports 20 and 21. Since TFTP uses both TCP and UDP, both ports will need to be filtered.
D. Only UDP port 69 traffic destined to a single server is being filtered, not all UDP traffic. Reference:http://www.ibiblio.org/security/articles/ports.html
Ensurepass offers Latest 2013 CCIE 350-001 Real Exam Questions , help you to pass exam 100%.