CCNA4 (Chapter4)
Study online at quizlet.com/_4e5yv9
1. An administrator has configured an access list on R1 to
allow SSH administrative access from host 172.16.1.100.
Which command correctly applies the ACL?
2. Fill in the blanks. Use dotted decimal format.
The wildcard mask that is associated with 192.168.12.96/27
is _______________
3. Match each statement with the example subnet and
wildcard that it describes. (Not all options are used.)
4. A network administrator configures an ACL with the
command R1(config)# access-list 1 permit 172.16.0.0
0.0.15.255. Which two IP addresses will match this ACL
statement? (Choose two.)
R1(config-line)# access-class 1 in
Refer to curriculum topic: 4.3.2
Administrative access over SSH to the router is through the vty lines.
Therefore, the ACL must be applied to those lines in the inbound
direction. This is accomplished by entering line configuration mode and
issuing the access-class command.
0.0.0.31
Refer to curriculum topic: 4.1.1
The wildcard mask can be found by subtracting the subnet mask from
255.255.255.255.
- Hosts in a subnet with the subnet mask 255.255.252.0 - 192.168.5.0
0.0.3.255
- All IP address bits must match exactly - host 192.168.15.2
- The first valid host address in a subnet - 192.168.15.65 255.255.255.240
- Subnetwork addresses of a subnet with 14 valid host addresses -
192.168.15.144 0.0.0.15
- Addresses with a subnet mask of 255.255.255.248 - 192.168.3.64 0.0.0.7
Refer to curriculum topic: 4.2.2
Converting the wildcard mask 0.0.3.255 to binary and subtracting it from
255.255.255.255 yields a subnet mask of 255.255.252.0.
Using the host parameter in a wildcard mask requires that all bits match
the given address.
192.168.15.65 is the first valid host address in a subnetwork beginning with
the subnetwork address 192.168.15.64. The subnet mask contains 4 host
bits, yielding subnets with 16 addresses.
192.168.15.144 is a valid subnetwork address in a similar subnetwork.
Change the wildcard mask 0.0.0.15 to binary and subtract it from
255.255.255.255, and the resulting subnet mask is 255.255.255.240.
192.168.3.64 is a subnetwork address in a subnet with 8 addresses.
Convert 0.0.0.7 to binary and subtract it from 255.255.255.255, and the
resulting subnet mask is 255.255.255.248. That mask contains 3 host bits,
and yields 8 addresses.
1. 172.16.0.255
2. 172.16.15.36
Refer to curriculum topic: 4.1.1
The wildcard mask indicates that any IP address within the range of
172.16.0.0 to 172.16.15.255 matches.
5. A network administrator needs to configure a
standard ACL so that only the workstation of the
administrator with the IP address 192.168.15.23 can
access the virtual terminal of the main router.
Which two configuration commands can achieve
the task? (Choose two.)
6. Refer to the exhibit. A network administrator
configures a named ACL on the router. Why is
there no output displayed when the show
command is issued?
7. What is the only type of ACL available for IPv6?
8. What range of IP addresses is represented by the
network and wildcard mask 192.168.70.0 0.0.0.127?
9. Which IPv4 address range covers all IP addresses
that match the ACL filter specified by 172.16.2.0
with wildcard mask 0.0.1.255?
10. Which statement describes a characteristic of
standard IPv4 ACLs?
11. Which statement describes a difference between
the operation of inbound and outbound ACLs?
1. Router1(config)# access-list 10 permit host 192.168.15.23
2. Router1(config)# access-list 10 permit 192.168.15.23 0.0.0.0
Refer to curriculum topic: 4.1.2
To permit or deny one specific IP address, either the wildcard mask 0.0.0.0
(used after the IP address) or the wildcard mask keyword host (used before the
IP address) can be used.
The ACL name is case sensitive.
Refer to curriculum topic: 4.1.3
The name in a named ACL is alphanumeric, case sensitive and unique. Thus,
the router treats access_network and ACCESS_NETWORK as if they are two
separate ACLs.
named extended
Refer to curriculum topic: 4.3.1
Unlike IPv4, IPv6 has only one type of access list and that is the named
extended access list.
192.168.70.0 to 192.168.70.127
Refer to curriculum topic: 4.1.1
The number of 1s in the wildcard mask represents the number of 0s in the
subnet mask.
The range of IP addresses for this network would be 192.168.70.0 -
192.168.70.127 with 192.168.70.127 being the broadcast address.
172.16.2.0 to 172.16.3.255
Refer to curriculum topic: 9.1.3
The wildcard mask 0.0.1.255 means the first 23 bits are matched and the last 9
bits are ignored. That is, a matching IP address should be from 172.16.2.0 to
172.16.3.255 (where last 9 bits are from all 0s to all 1s and any value between).
They filter traffic based on source IP addresses only.
Refer to curriculum topic: 4.1.2
A standard IPv4 ACL can filter traffic based on source IP addresses only.
Unlike an extended ACL, it cannot filter traffic based on Layer 4 ports.
However, both standard and extended ACLs can be identified with either a
number or a name, and both are configured in global configuration mode.
Inbound ACLs are processed before the packets are routed while outbound
ACLs are processed after the routing is completed.
Refer to curriculum topic: 4.4.1
With an inbound ACL, incoming packets are processed before they are routed.
With an outbound ACL, packets are first routed to the outbound interface, then
they are processed. Thus processing inbound is more efficient from the router
perspective. The structure, filtering methods, and limitations (on an interface,
only one inbound and one outbound ACL can be configured) are the same for
both types of ACLs.
12. Which three implicit 1. deny ipv6 any any
access control entries 2. permit icmp any any nd-ns
are automatically added 3. permit icmp any any nd-na
to the end of an IPv6
ACL? (Choose three.) Refer to curriculum topic: 4.3.1
All IPv6 ACLs automatically include two implicit permit statements; permit icmp any any nd-ns and
permit icmp any any nd-na. These statements allow the router interface to perform neighbor discovery
operations. There is also an implicit deny ipv6 any any automatically included at the very end of any IPv6
ACL that blocks all IPv6 packets not otherwise permitted.
13. Which three statements 1. An implicit deny any rejects any packet that does not match any ACL statement.
describe ACL 2. A packet can either be rejected or forwarded as directed by the statement that is matched.
processing of packets? 3. Each statement is checked only until a match is detected or until the end of the ACL statement list is
(Choose three.) reached.

Refer to curriculum topic: 4.1.1

ACLs are processed in a top down manner. When an ACL is inspected, if the information in a packet
header and an ACL statement match, the remaining statements are not examined, and the packet is either
denied or permitted through as specified by the ACL. If a packet header does not match an ACL
statement, the packet is tested against the next statement in the list. This matching process continues until
the end of the list is reached. Every ACL has an implied deny at the end of the list. This implied deny
statement is applied to all packets for which conditions did not test true.
14. Which two keywords 1. host
can be used in an 2. any
access control list to
replace a wildcard mask Refer to curriculum topic: 4.1.3
or address and wildcard The two keywords that can be used when configuring ACLs are host and any. The host keyword is
mask pair? (Choose equivalent to using the 0.0.0.0 wildcard mask and the any keyword could be used instead of the
two.) 255.255.255.255 wildcard mask.