Chapter 9
Managing Traffic with Access Lists
11. B, C. You can see the access lists with the show ip access-list command or the show access-list # command.
12. D. Extended IP access lists use the range from 100 to 199.
13. B. Remember to first look for the access-list numbers. Since all of the access lists are using 101, they are all set for IP extended access lists. The second thing to look for is the protocol. Only one list is using TCP, which is needed to access the FTP protocol.
14. B. Standard IPX uses the range 800–899, and extended IPX lists use the range 900–999.
15. C. To apply an access list, the proper command is: ip access-group 101 in.
16. B. The command show ip interface will show you whether an access list is set on an interface and in which direction it is filtering.
17. D. The access-list 110 permit ip any any command is used to specify and permit all traffic. The 0.0.0.0 255.255.255.255 command is the same as the any command.
18. C. This is a standard IP access list that only filters on source IP addresses. The number range for IP access lists is 1–99. The command to place an IP access list on an interface is ip access-group. Since the question specified incoming traffic, only the third option works.
19. C. To place an access list on an interface, use the ip access-group command.
20. D. When trying to find the best answer to an access-list question, always check the access-list number and then the protocol. When filtering to an upper-layer protocol, you must use an extended list, numbers 100–199. Also, when you filter to an upper-layer protocol, you must use either tcp or udp in the protocol field. If it says ip in the protocol field, you cannot filter to an upper-layer protocol.
21. D. If you add an access list to an interface and you do not have at least one permit statement, then you will effectively shut down the interface because of the implicit deny any at the end of every list.
Copyright ©2002 SYBEX, Inc., Alameda, CA
www.sybex.com