CCNA640-802题库解析–访问控制列表(ACL)

上一篇 / 下一篇 2008-06-11 15:07:45

查看( 246 ) / 评论( 0 ) / 评分( 0 / 0 )

本文主要结合例题描述ACLs的作用和类型，基于网络过滤要求配置和应用ACLs。
What are two reasons that anetworkadministrator would use access lists? (Choose two.)
A:to control vty access into a router
B:to control broadcast traffic through a router
C:to filter traffic as it passes through a router
D:to filter traffic that originates from the router
E:to replace passwords as a line of defense against security incursions
Correct Answers:A, C
在路由器上设置访问控制列表的目的是：控制用户的访问和过滤通过路由器的流量.
What is the effect of the following access list condition?
access-list101 permit ip 10.25.30.0 0.0.0.255 any
A: permit all packets matching the first three octets of the source address to all destinations
B: permit all packets matching the last octet of the destination address and accept all source addresses
C: permit all packets from the third subnet of the network address to all destinations
D: permit all packets matching the host bits in the source address to all destinations
E: permit all packets to destinations matching the first three octets in the destination address
Correct Answers:A
这是一个扩展的访问控制列表，他可以基于源和目的进行匹配，10.25.30.0 0.0.0.255匹配的是源地址凡是在这个范围的都被匹配了，而目的用的是any，表示任何。意思是从10.25.30.0/24的地址范围内的任何IP都可以访问任何的网段。
What three pieces of information can be used in an extended access list to filter traffic? (Choose three.)
A:protocol
B:VLAN number
C:TCP or UDP port numbers
D:sourceswitchport number
E:source IP address and destination IP address
F:source MAC address and destination MAC address
Correct Answers:A, C, E
1.标准访问控制列表,针对源地址对流量进行过滤
2.扩展访问控制列表,针对源或者目标地址、协议、TCP或者UDP端口号对流量进行过滤
Refer to the exhibit. The FMJ manufacturing company is concerned about unauthorized access to the Payroll Server. The Accounting1, CEO, Mgr1, and Mgr2 workstations should be the only computers with access to the Payroll Server. What two technologies should be implemented to help prevent unauthorized access to the server? (Choose two.)
A:access lists
B:encrypted router passwords
C:STP
D:VLANs
E:VTP
F:wireless LANs
Correct Answers:A, D
首先根据不同的部门划分3个VLAN,office1 shipping production.由于CEO Mgr1 mgr2属于不同的VLAN,因此需要配置访问列表access lists控制其它主机对Payroll Server的访问.
An access list was written with the four statements shown in the graphic. Which single access list statement will combine all four of these statements into a single statement that will have exactly the same effect?
A: access-list 10 permit 172.29.16.0 0.0.0.255
B: access-list 10 permit 172.29.16.0 0.0.1.255
C: access-list 10 permit 172.29.16.0 0.0.3.255
D: access-list 10 permit 172.29.16.0 0.0.15.255
E: access-list 10 permit 172.29.0.0 0.0.255.255
Correct Answers:C
用一个单独的语句来匹配上面写出的四条ACL，也就一一个汇总的问题，将172.29.16.0/24，172.29.17.0/24, 172.29.18.0/24, 172.29.19.0/24进行汇总，将他们的第3个八字节以二进制展开，相同的位作为他们的汇总的条目，然后计算他们的掩码位数为多少，所以这四个条目汇总到一个条目为172.29.16.0/22,掩码用通配符来写应该是0.0.3.255。
Refer to the exhibit. The access list has been configured on the S0/0 interface of router RTB in the outbound direction. Which two packets, if routed to the interface, will be denied? (Choose two.)
access-list 101 deny tcp 192.168.15.32 0.0.0.15 any eq telnet
access-list 101 permit ip any any
A:source ip address: 192.168.15.5; destination port: 21
B:source ip address:, 192.168.15.37 destination port: 21
C:source ip address:, 192.168.15.41 destination port: 21
D:source ip address:, 192.168.15.36 destination port: 23
E:source ip address: 192.168.15.46; destination port: 23
F:source ip address:, 192.168.15.49 destination port: 23
Correct Answers:D, E
通过访问控制列表的配置信息,可以推算出被拒绝的网络范围是: 192.168.15.32 0.0.0.15
即:192.168.15.32/28—192.168.15.32~192.168.15.47只要是位于该网段内的主机对外发出的telnet请求都将被拒绝，telnet的端口号为23.
Refer to the exhibit. Why would the network administrator configure RA in this manner
A: to give students access to the Internet
B: to prevent students from accessing the command prompt of RA
C: to prevent administrators from accessing the console of RA
D: to give administrators access to the Internet
E: to prevent students from accessing the Internet
F: to prevent students from accessing the Admin network
Correct Answers:B
在这儿，将ＡＣＬ应用到ＶＴＹ线路下，而且是ＩＮ的方向，表示凡是被我的ＡＣＬ允许的才能telnet到我．在ＲＡ上配置的是permit 10.1.1.0 0.0.0.255根据隐式的deny any允许Ａdmin的网段中的用户可以telnet到他，所以Ｓtudent的网段中的用户是被拒绝的.
An access list has been designed to prevent HTTP traffic from the Accounting Department from reaching the HR server attached to the Holyoke router. Which of the following access lists will accomplish this task when grouped with the e0 interface on the Chicopee router?
A: permit ip any any
deny tcp 172.16.16.0 0.0.0.255 172.17.17.252 0.0.0.0 eq 80
B: permit ip any any
deny tcp 172.17.17.252 0.0.0.0 172.16.16.0 0.0.0.255 eq 80
C: deny tcp 172.17.17.252 0.0.0.0 172.16.16.0 0.0.0.255 eq 80
permit ip any any
D: deny tcp 172.16.16.0 0.0.0.255 172.17.17.252 0.0.0.0 eq 80
permit ip any any
Correct Answers:D
因为HTTP服务是通过TCP建立连接,所以拒绝掉accounting部门子网所有通过80接口的TCP请求,并且拒绝掉HR服务器对accounting部门的TCP连接请求.