1. Your boss is learning a CCNA training course, refer to the exhibit. The access list has been configured on the S0/0 interface of router RTB in the outbound direction. Which two packets, if routed to the interface, will be denied? (Choose two)
- source ip address: 192.168.15.5; destination port: 21
- source ip address: 192.168.15.37; destination port: 21
- source ip address: 192.168.15.41; destination port: 21
- source ip address: 192.168.15.36; destination port: 23
- source ip address: 192.168.15.46; destination port: 23
- source ip address: 192.168.15.49; destination port: 23
Explanation: the commands above are summarized, so the networks that are blocked are 15.32/29 & 15.40/29. If the admin wants to block network 15.32/29, the command is:
access-list 101 deny tcp 192.168.15.32 0.0.0.7 any eq telnet
2. Refer to the exhibit. Why would the network administrator configure RA in this manner?
- to prevent students from accessing the command prompt of RA
- to prevent administrators from accessing the console of RA
- to give administrators access to the Internet
- to prevent students from accessing the Internet
- to prevent students from accessing the Admin network
Explanation:
The administrator configured the commands above to allow the admin network (10.1.1.0/25) to access Telnet. Because the default last entry of an access list is deny any any, students will not be able to access Telnet.
3. An access list was written with the four statements shown in the graphic. Which single access list statement will combine all four of these statements into a single statement that will have exactly the same effect?
- access-list 10 permit 172.29.16.0 0.0.0.255
- access-list 10 permit 172.29.16.0 0.0.1.255
- access-list 10 permit 172.29.16.0 0.0.3.255 (CLEAR ENOUGH!)
- access-list 10 permit 172.29.16.0 0.0.15.255
- access-list 10 permit 172.29.0.0 0.0.255.255
4. A network administrator wants to add a line to an access list that will block only Telnet access by the hosts on subnet 192.168.1.128/28 to the server at 192.168.1.5. What command should be issued to accomplish this task?
- access-list 101 deny tcp 192.168.1.128 0.0.0.15 192.168.1.5 0.0.0.0 eq 23
access-list 101 permit ip any any
- access-list 101 deny tcp 192.168.1.128 0.0.0.240 192.168.1.5 0.0.0.0 eq 23
access-list 101 permit ip any any
- access-list 1 deny tcp 192.168.1.128 0.0.0.255 192.168.1.5 0.0.0.0 eq 21
access-list 1 permit ip any any
- access-list 1 deny tcp 192.168.1.128 0.0.0.15 host 192.168.1.5 eq 23
access-list 1 permit ip any any
5. As a network administrator, you have been instructed to prevent all traffic originating on the LAN from entering the R2 router. Which of the following commands would implement the access list on the interface of the R2 router?
- access-list 101 in
- access-list 101 out
- ip access-group 101 in
- ip access-group 101 out
6. The following access list below was applied outbound on the E0 interface connected to the 192.169.1.8/29 LAN:
access-list 135 deny tcp 192.169.1.8 0.0.0.7 eq 20 any
access-list 135 deny tcp 192.169.1.8 0.0.0.7 eq 21 any
How will the above access lists affect traffic?
- FTP traffic from 192.169.1.22 will be denied
- No traffic, except for FTP traffic will be allowed to exit E0
- FTP traffic from 192.169.1.9 to any host will be denied
- All traffic exiting E0 will be denied → because it hits the deny all. Something should have been permitted.
- All FTP traffic to network 192.169.1.9/29 will be denied
7. The access control list shown in the graphic has been applied to the Ethernet interface of router R1 using the ip access-group 101 in command. Which of the following Telnet sessions will be blocked by this ACL? (Choose two)
- from host PC1 to host 5.1.1.10
- from host PC1 to host 5.1.3.10
- from host PC2 to host 5.1.2.10
- from host PC2 to host 5.1.3.8
8. The following configuration line was added to router R1
Access-list 101 permit ip 10.25.30.0 0.0.0.255 any
What is the effect of this access list configuration?
- permit all packets matching the first three octets of the source address to all destinations
(permits all packets whose first three octets are 10.25.30.XXX to all destinations)
- permit all packets matching the last octet of the destination address and accept all source addresses
- permit all packets matching the host bits in the source address to all destinations
- permit all packets from the third subnet of the network address to all destinations
9. Refer to the exhibit. What will happen to HTTP traffic coming from the Internet that is destined for 172.16.12.10 if the traffic is processed by this ACL?
- Traffic will be dropped per line 30 of the ACL.
- Traffic will be accepted per line 40 of the ACL.
- Traffic will be dropped, because of the implicit deny all at the end of the ACL.
- Traffic will be accepted, because the source address is not covered by the ACL.
Explanation:
The access-list syntax is as follows:
access-list access-list-number {permit | deny} protocol source {source-mask} destination {destination-mask} [eq destination-port]
Note that in line 30 the network 172.16.0.0 0.0.255.255 is the source, but in the question above the traffic comes from the Internet and goes to destination 172.16.12.10. That means no line matches, and the traffic hits the implicit deny all. This is a trick question.
10. Refer to the exhibit. Which statement describes the effect that the Router1 configuration has on devices in the 172.16.16.0 subnet when they try to connect to SVR-A using Telnet or SSH?
- Devices will not be able to use Telnet or SSH.
- Devices will be able to use SSH, but not Telnet.
- Devices will be able to use Telnet, but not SSH.
- Devices will be able to use Telnet and SSH.
Explanation.
Analysis of access-list 100:
#10 permit tcp 172.16.16.0 0.0.0.15 host 172.16.48.63 eq 22
This syntax permits TCP traffic from network 172.16.16.0/28 to access host 172.16.48.63 (SVR-A) with destination port 22 (SSH).
#20 permit tcp 172.16.16.0 0.0.0.15 eq telnet host 172.16.48.63
Look closely at this syntax: any device that initiates Telnet/SSH puts the port in the destination, not the source.
Access-list 100 is applied on Fa0/0 in, so Router1 permits incoming SSH traffic but not Telnet.
Analysis of access-list 101:
#10 permit tcp host 172.16.48.63 eq 22 172.16.16.0 0.0.0.15
Permits traffic from host 172.16.48.63 with source port SSH to reach network 172.16.16.0/28.
#20 permit tcp host 172.16.48.63 172.16.16.0 0.0.0.15 eq telnet
Permits traffic from host 172.16.48.63 to access Telnet on network 172.16.16.0/28.
Access-list 101 is applied on Fa0/1 in, so traffic with source port SSH is permitted.
In short, network 172.16.0.0 can SSH to SVR-A but cannot Telnet, and SVR-A can Telnet to 172.16.0.0 but cannot SSH. (BECAUSE THE DEVICES are on network 172.16.0.0, the answer is B.)
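An added example (not from the original post) that evaluates the two access-list 100 entries quoted above the way the explanations for questions 9 and 10 describe: top-down first match, `eq` bound to the source or the destination by its position, then the implicit deny. The client address 172.16.16.5, its source port 50000 and all function names are assumptions made for the illustration.

```python
import ipaddress

PORTS = {"ssh": 22, "telnet": 23}  # port keywords used in the quoted entries

def wildcard_match(addr, base, wildcard):
    """Wildcard-mask match: bits that are 0 in the wildcard must be equal."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def _addr(tok):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (base, wildcard)."""
    first = tok.pop(0)
    if first == "any":
        return "0.0.0.0", "255.255.255.255"
    if first == "host":
        return tok.pop(0), "0.0.0.0"
    return first, tok.pop(0)

def _port(tok):
    """Consume an optional 'eq PORT' after an address; None means any port."""
    if tok and tok[0] == "eq":
        name = tok[1]
        del tok[:2]
        return PORTS[name] if name in PORTS else int(name)
    return None

def parse(entry):
    """Parse '<action> tcp <src> [eq p] <dst> [eq p]'; position decides the port's role."""
    tok = entry.split()
    action, _proto = tok.pop(0), tok.pop(0)  # only TCP entries are modelled here
    return action, _addr(tok), _port(tok), _addr(tok), _port(tok)

def evaluate(acl, src_ip, src_port, dst_ip, dst_port):
    """First matching entry wins; no match falls through to the implicit deny."""
    for entry in acl:
        action, src, sport, dst, dport = parse(entry)
        if (wildcard_match(src_ip, *src) and wildcard_match(dst_ip, *dst)
                and sport in (None, src_port) and dport in (None, dst_port)):
            return action
    return "deny (implicit)"

# Access-list 100 entries as quoted in the explanation of question 10.
ACL_100 = [
    "permit tcp 172.16.16.0 0.0.0.15 host 172.16.48.63 eq 22",
    "permit tcp 172.16.16.0 0.0.0.15 eq telnet host 172.16.48.63",
]

if __name__ == "__main__":  # constructed client 172.16.16.5, source port 50000
    for port in (22, 23):
        print(port, evaluate(ACL_100, "172.16.16.5", 50000, "172.16.48.63", port))
```

Entry 20 only matches a packet whose source port is 23, which a Telnet client never sends, so the Telnet attempt falls through to the implicit deny.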
11. Refer to the exhibit. Which three variables (router, protocol port, and router ACL direction) apply to an extended ACL that will prevent student 01 from securely browsing the internet?
- OUT
- Router 3
- HTTPS
- IN --------- placed in the in direction to save processing on the router
- Router 1
12. Which two statements apply to dynamic access lists? (choose two)
- they offer simpler management in large internetworks.
- you can control logging messages.
- they allow packets to be filtered based on upper-layer session information.
- you can set a time-based security policy.
- they provide a level of security against spoofing.
- they are used to authenticate individual users.
Explanation:
Dynamic ACLs have several security advantages over standard and static extended ACLs:
+ Use of a challenge mechanism to authenticate individual users → uses user authentication
+ Simplified management in large internetworks → easy to manage in a large network
+ In many cases, reduction of the amount of router processing that is required for ACLs → reduces processing
+ Reduction of the opportunity for network break-ins by network hackers → reduces the chance of the network being broken into by hackers
+ Creation of dynamic user access through a firewall, without compromising other configured security restrictions → creates user access dynamically on the firewall
13. Which command shows if an access list is assigned to an interface?
- show ip interface [interface] access-lists
- show ip access-lists interface [interface]
- show ip interface [interface]
- show ip access-lists [interface]
Explanation:
From the output we can see that access list 1 is applied on the interface in the inbound direction.
14. Which item represents the standard IP ACL?
- access-list 50 deny 192.168.1.1 0.0.0.255
- access-list 110 permit ip any any
- access-list 2500 deny tcp any host 192.168.1.1 eq 22
- access-list 101 deny tcp any host 192.168.1.1
15. Which statement about access lists that are applied to an interface is true?
- you can apply only one access list on any interface
- you can configure one access list, per direction, per layer 3 protocol
- you can place as many access lists as you want on any interface
- you can configure one access list, per direction, per layer 2 protocol
16. A network engineer wants to allow a temporary entry for a remote user with a specific username and password so that the user can access the entire network over the internet. Which ACL can be used?
- Reflexive
- Extended
- Standard
- Dynamic
Explanation:
We can use a dynamic access list for username and password authentication; the configuration can be seen here
17. Which parameter does a standard access list take into consideration for traffic filtering decisions?
- Source MAC address
- Destination IP address
- Destination MAC address
- Source IP address
18. In which solution is a router ACL used?
- protecting a server from unauthorized access
- controlling path selection, based on the route metric
- reducing router CPU utilization
- filtering packets that are passing through a router