Home > Articles > ACL Concepts

ACL Concepts

Chapter Description

In this sample chapter from Enterprise Networking, Security, and Automation Companion Guide (CCNAv7) for Cisco Networking Academy students, you will explore differences between standard and extended IPv4 ACLs.

Check Your Understanding Questions

Complete all the review questions listed here to test your understanding of the topics and concepts in this chapter. The appendix “Answers to the ‘Check Your Understanding’ Questions” lists the answers.

1. What two functions describe uses of access control lists? (Choose two.)

  1. ACLs assist a router in determining the best path to a destination.

  2. ACLs can control which areas a host can access on a network.

  3. ACLs provide a basic level of security for network access.

  4. Standard ACLs can filter traffic based on source and destination network addresses.

  5. Standard ACLs can restrict access to specific applications and ports.

2. Which three statements describe how an ACL processes packets? (Choose three.)

  1. A packet is compared with all ACEs in the ACL before a forwarding decision is made.

  2. A packet that has been denied by one ACE can be permitted by a subsequent ACE.

  3. An implicit deny at the end of an ACL rejects any packet that does not match an ACE.

  4. Each ACE is checked only until a match is detected or until the end of the ACL.

  5. If an ACE is matched, the packet is either rejected or forwarded, as directed by the ACE.

  6. If an ACE is not matched, the packet is forwarded by default.

3. Which three statements are best practices related to placement of ACLs? (Choose three.)

  1. Filter unwanted traffic before it travels onto a low-bandwidth link.

  2. For every inbound ACL placed on an interface, ensure that there is a matching outbound ACL.

  3. Place extended ACLs close to the destination IP address of the traffic.

  4. Place extended ACLs close to the source IP address of the traffic.

  5. Place standard ACLs close to the destination IP address of the traffic.

  6. Place standard ACLs close to the source IP address of the traffic.

4. Which two characteristics are shared by standard and extended ACLs? (Choose two.)

  1. Both filter packets for a specific destination host IP address.

  2. Both include an implicit deny as a final entry.

  3. Both permit or deny specific services by port number.

  4. They both filter based on protocol type.

  5. They can be created by using either descriptive names or numbers.

5. Which two statement describes a difference between the operation of inbound and outbound ACLs? (Choose two.)

  1. Inbound ACLs are processed before the packets are routed.

  2. Inbound ACLs can be used in both routers and switches.

  3. Multiple inbound ACLs can be applied to an interface.

  4. Multiple outbound ACLs can be applied to an interface.

  5. Outbound ACLs are processed after the routing is completed.

  6. Outbound ACLs can be used only on routers.

  7. Unlike outbound ACLs, inbound ACLs can be used to filter packets with multiple criteria.

6. In which configuration would an outbound ACL placement be preferred over an inbound ACL placement?

  1. When a router has more than one ACL

  2. When an interface is filtered by an outbound ACL and the network attached to the interface is the source network being filtered within the ACL

  3. When an outbound ACL is closer to the source of the traffic flow

  4. When the ACL is applied to an outbound interface to filter packets coming from multiple inbound interfaces before the packets exit the interface

7. What wildcard mask will match networks 10.16.0.0 through 10.19.0.0?

  1. 0.252.255.255

  2. 0.0.255.255

  3. 0.0.3.255

  4. 0.3.255.255

8. What type of ACL offers increased flexibility and control over network traffic?

  1. Extended

  2. Extensive

  3. Named standard

  4. Numbered standard

9. Which statement describes a characteristic of standard IPv4 ACLs?

  1. They can be configured to filter traffic based on both source IP addresses and source ports.

  2. They can be created with a number but not with a name.

  3. They filter traffic based on destination IP addresses only.

  4. They filter traffic based on source IP addresses only.

10. What wildcard mask will match network 10.10.100.64/26?

  1. 0.0.0.15

  2. 0.0.0.31

  3. 0.0.0.63

  4. 0.0.0.127

There are currently no related articles. Please check back later.