CCNA Module 6

12th Grade

15 Qs

Assessment

Quiz

Computers

12th Grade

Hard

Created by

Alicia Pierce


1.

MULTIPLE CHOICE QUESTION

30 sec • 1 pt

An engineer configures new ACL 105 and enables it. The first ACE in the ACL is intended to prevent connections to web servers in subnet 10.55.55.0/24 that do not use HTTPS. The configuration succeeds, with users that could formerly connect to those servers being denied by the ACL. The engineer then issues the show access-list command. Which answers display an output line with all the information you would expect to see in this command’s output per the scenario in this question?

deny tcp any 10.55.55.0 0.0.0.255 eq www (18 matches)

10 deny tcp any 10.55.55.0 0.0.0.255 eq www (18 matches)

deny tcp any 10.55.55.0 0.0.0.255 eq www

10 deny tcp any 10.55.55.0 0.0.0.255 eq www

10 deny tcp any 10.55.55.0 0.0.0.255 eq www (0 matches)

Answer explanation

First, look to the left side of the answers. Some list line numbers, and some do not. On IOS and IOS XE, the show access-list command lists the line number of each ACE in an ACL, even for ACLs defined by numbered access-list global commands. By default, IOS assigns line numbers starting at 10 in increments of 10, so the first line of the ACL (the one represented by the answers) uses line number 10. These facts rule out two answers as incorrect.

If the ACL has been enabled on an interface, and packets have matched the ACE, the show access-list command lists a count of the number of matches for that ACE. The question states that an engineer enabled the ACL. Given that users could connect to the servers before enabling the ACL, but now they cannot, it appears that the ACL matches (and denies) those packets. As a result, the command should list a line-ending statistic about the number of packets that matched the ACE. Only one of the answers that begins with line number 10 also lists a non-zero value for that statistic, making it the correct answer.

Reference: Extended IP ACL Example 1: Packets to Web Servers, page 1290

2.

MULTIPLE CHOICE QUESTION

30 sec • 1 pt

Which extended ACL port number parameter indicates a direct match for a specific application/application number?

=

==

equal

eq

Answer explanation

There are five port number operators, each performing a different type of match: eq (equal), ne (not equal), lt (less than), gt (greater than), and range.


3.

MULTIPLE SELECT QUESTION

45 sec • 1 pt

The output below shows an excerpt from the show ip interface command on a router running IOS XE. What configuration commands under interface G0/0/1 create the values shown in the final lines of the show command output?

R1# show ip interface
GigabitEthernet0/0/1 is up, line protocol is up
Internet address is 10.1.12.1/24 ...
Outgoing Common access list is one
Outgoing access list is two
Inbound Common access list is three
Inbound access list is four


ip access-group common one two out

ip access-group common two one out

ip access-group common three four in

ip access-group two out

ip access-group four in

Answer explanation

The show ip interface command output from IOS XE lists four lines about enabled interface ACLs. If the configuration uses the ip access-group common … out command, it defines two ACLs in the same direction: a common ACL and a regular ACL. The show ip interface command output lists those two ACLs on separate consecutive lines. Alternately, suppose the configuration uses the ip access-group … out interface subcommand, which omits the common keyword. In that case, it defines a normal ACL for that direction and informs the router not to use a common ACL.

If no ip access-group command exists under the interface for a given direction, both output lines for that direction end with “not set.”

In this question, the output lists ACL names on all four lines, revealing that the configuration commands for both directions use the common keyword. Focusing on the two lines that begin “Outgoing,” the output does not state “not set” but lists the words “one” and “two,” which must be ACL names. You can therefore infer that the configuration includes the ip access-group common one two out command, referring to the ACLs named one and two.

Similarly, the two output lines beginning “Inbound” list two names rather than the text “not set,” so you can infer the use of the ip access-group common … in interface subcommand. As shown, the configuration must include the ip access-group common three four in command.

Reference: Using a Second (Common) Interface ACL, page 1314

4.

MULTIPLE CHOICE QUESTION

30 sec • 1 pt

A junior-level engineer has been given the task of configuring an ACL on a router; she was told that the port that should be blocked is UDP 69. Which access-list command keyword could be used in place of this port number when configured?

ftp

tftp

smtp

ftp-data

Answer explanation

A number of common application port numbers can be configured using an access-list command keyword in place of the numeric port. UDP port 69 is used by the Trivial File Transfer Protocol, so the access-list command can reference it with the keyword tftp.

Reference: Matching TCP and UDP Port Numbers, page 1286

5.

MULTIPLE SELECT QUESTION

45 sec • 1 pt

An engineer configures an ACL on a router running IOS (not IOS XE), but forgets to save the configuration. At that point, which of the following commands display the IPv4 ACL along with line numbers? (Choose two answers.)

show running-config

show startup-config

show access-lists

show ip access-lists

Answer explanation

When using IOS, the show ip access-lists and show access-lists commands both display the configuration of IPv4 access lists, including ACL line numbers. However, with IOS, neither the show running-config nor show startup-config commands list the ACL line numbers. Note that in this case, because the engineer did not save the configuration, the startup-config file would not contain the ACL configuration at all.

Reference: Named IP Access Lists, page 1277

6.

MULTIPLE CHOICE QUESTION

30 sec • 1 pt

ACL 105 (shown below) has been configured but not enabled on an interface. Users continue to generate traffic that would match the first ACE in the ACL if it were enabled on the router's G0/0/1 interface in the outbound direction. The answers list text you might expect to see in the output of the show access-list command on this router for the first ACE in the ACL. Which answer displays the correct detail and formatting expected in this case?

access-list 105 deny tcp any 10.55.55.0 0.0.0.255 eq www
access-list 105 deny tcp any 10.55.55.0 0.0.0.255 eq 443
access-list 105 permit ip any any


deny tcp any 10.55.55.0 0.0.0.255 eq www (18 matches)

10 deny tcp any 10.55.55.0 0.0.0.255 eq www (18 matches)

deny tcp any 10.55.55.0 0.0.0.255 eq www

10 deny tcp any 10.55.55.0 0.0.0.255 eq www

10 deny tcp any 10.55.55.0 0.0.0.255 eq www (0 matches)

Answer explanation

First, look to the left side of the answers. Some list line numbers and some do not. On IOS and IOS XE, the show access-list command lists the line number of each ACE in an ACL, even for ACLs defined by numbered access-list global commands. The configuration shown in the question uses the numbered ACL access-list global command. By default, IOS assigns line numbers starting at 10 in increments of 10, so the first line of the ACL (the one represented by the answers) uses line number 10. These facts rule out two answers as incorrect.

Next, look at the right side of the answers, some of which list match counts and some of which do not. The show access-list command on IOS and IOS XE lists statistics for matches of each line of the ACL once you enable it on an interface. Because the ACL is not enabled, the ACL has not matched any packets, and the command would not list any statistics. That fact rules out two remaining answers, leaving one correct answer. That correct answer lists line number 10 with no match counter statistics at the end of the line.

Reference: Extended IP ACL Example 1: Packets to Web Servers, page 1290

7.

MULTIPLE CHOICE QUESTION

30 sec • 1 pt

[Figure: topology with the web servers on the left of router R1 and the clients on the right]

The text below reveals the first lines of an ACL enabled for outbound packets on router R1's G0/0/1 interface. Clients on the right side of the figure connect to the web servers on the left. All web servers use default well-known ports. When a client connects using HTTP 1.1 with TLS, which ACE matches the packets?

R1# show access-list Hannah
10 permit udp 172.16.10.0 0.0.0.255 eq 443 any
12 permit tcp 172.16.10.0 0.0.0.255 eq 443 any
20 permit tcp 172.16.10.0 0.0.0.255 eq 80 any
22 permit udp 172.16.10.0 0.0.0.255 eq 80 any

ACE 10

ACE 12

ACE 20

ACE 22

Answer explanation

The web servers reside on the left side of the figure in subnet 172.16.10.0/24. Calculate the wildcard mask based on the DDN mask to match addresses in that subnet. First, /24 converts to DDN mask 255.255.255.0. Subtract that value from 255.255.255.255 to find the wildcard mask:

255.255.255.255 - 255.255.255.0 = 0.0.0.255

All the ACEs use the correct subnet ID and wildcard mask for this question. They also all use the any keyword as the destination address. Given the location as an outbound ACL on R1's G0/0/1 interface, the ACL attempts to match the correct packets: those sourced by the web servers in subnet 172.16.10.0/24 and destined for any other address.

As for matching web traffic, you need to be aware of HTTP versions, the transport protocol used by each, and the default well-known ports. They include:

  • HTTP 1.0, 1.1, and 2.0, which use TCP and default well-known server TCP port 80 when not using Secure HTTP

  • HTTP 1.0, 1.1, and 2.0, which use TCP and default well-known server TCP port 443 when also using TLS and Secure HTTP

  • HTTP 3.0, which uses UDP, TLS, and QUIC, and default well-known UDP port 443

In this case, the question asks about HTTP 1.1 with TLS. The ACE must match TCP (the correct transport protocol) and well-known TCP port 443 to match those packets. Note that all the ACEs place the well-known port in the source port location in the command because the ACL matches packets sent by the server. As a result:

  • ACE 10 does not match due to the udp keyword.

  • ACE 12 matches: it specifies TCP, the correct source and destination address values, and source port 443.

The router will not attempt to match later ACEs because IOS ACLs use first-match logic.
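The matching rules behind questions 2, 6 and 7 (wildcard-mask arithmetic, the eq/ne/lt/gt/range port operators, and first-match evaluation), as an added Python model that is not part of the quiz and is not Cisco IOS code. ACL Hannah is the one printed in question 7; the client address, the ephemeral port and the PORT_NAMES table are assumptions made for the example.

```python
import ipaddress
PORT_NAMES = {"www": 80, "tftp": 69, "ftp": 21, "ftp-data": 20, "smtp": 25}  # assumed subset of IOS names

def wildcard_from_prefix(n):  # /24 -> DDN 255.255.255.0; 255.255.255.255 minus the mask = 0.0.0.255
    return str(ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Network(f"0.0.0.0/{n}").netmask)))

def _take_addr(tok):  # consume 'any', 'host A' or 'A WILDCARD' -> (base, wildcard)
    t = tok.pop(0)
    if t == "any":
        return "0.0.0.0", "255.255.255.255"
    return (tok.pop(0), "0.0.0.0") if t == "host" else (t, tok.pop(0))

def _take_port(tok):  # consume an optional port operator; 'range' takes two arguments
    if not tok or tok[0] not in ("eq", "ne", "lt", "gt", "range"):
        return None
    op = tok.pop(0)
    return op, [PORT_NAMES.get(p) or int(p) for p in
                [tok.pop(0) for _ in range(2 if op == "range" else 1)]]

def parse_ace(line):  # one 'show access-list' line; a trailing '(N matches)' is ignored
    tok = line.split()
    seq, action, proto = int(tok.pop(0)), tok.pop(0), tok.pop(0)
    src, sport = _take_addr(tok), _take_port(tok)
    dst, dport = _take_addr(tok), _take_port(tok)
    return dict(seq=seq, action=action, proto=proto, src=src, sport=sport, dst=dst, dport=dport)

def addr_matches(addr, base_wc):  # wildcard bit 1 = don't care; bits under a 0 must equal the base
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, *base_wc))
    return (a | w) == (b | w)

def port_matches(spec, port):
    if spec is None:  # no operator on this side of the ACE: any port matches
        return True
    op, a = spec
    return {"eq": port == a[0], "ne": port != a[0], "lt": port < a[0],
            "gt": port > a[0], "range": a[0] <= port <= a[-1]}[op]

def evaluate(acl, pkt):  # first-match logic; no match falls through to the implicit deny
    for ace in acl:
        if (ace["proto"] in ("ip", pkt["proto"])
                and addr_matches(pkt["src"], ace["src"]) and port_matches(ace["sport"], pkt["sport"])
                and addr_matches(pkt["dst"], ace["dst"]) and port_matches(ace["dport"], pkt["dport"])):
            return ace["seq"], ace["action"]
    return None, "deny"

# ACL Hannah as printed in question 7; the client address and ephemeral port are constructed.
HANNAH = [parse_ace(l) for l in (
    "10 permit udp 172.16.10.0 0.0.0.255 eq 443 any", "12 permit tcp 172.16.10.0 0.0.0.255 eq 443 any",
    "20 permit tcp 172.16.10.0 0.0.0.255 eq 80 any", "22 permit udp 172.16.10.0 0.0.0.255 eq 80 any")]
HTTPS_REPLY = dict(proto="tcp", src="172.16.10.5", sport=443, dst="192.168.1.10", dport=51000)
```

evaluate(HANNAH, HTTPS_REPLY) returns (12, "permit"), the answer to question 7; changing the packet to UDP source port 443 (HTTP/3) lands on ACE 10 instead, and a TCP source port the ACL never names falls to the implicit deny.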

