ACL Question

fieldmonkey (Posts: 254)
This question was on the Boson ICND2 practice exam. I do not understand how from the output one can come to the conclusion that the answer also includes answer (D).

If anyone could help clarify this I would greatly appreciate it. Additionally, the exam doesn't even provide an explanation for the question.
############################################
The exhibit shows the output from two commands on router R1. Which of the following statements are true about the operation of ACL stop-packets on interface S0/0/1?

Exhibit 1
R1#show ip access-list
Extended IP access list stop-packets
10 permit tcp host 10.1.1.2 eq www any (12 matches)
20 deny udp host 10.1.1.1 10.1.2.0 0.0.0.255 ( 0 matches)
30 deny ip 10.1.3.0 0.0.0.255 10.1.2.0 0.0.0.255 (345 matches)
40 permit tcp 10.1.4.0 .0.0.1.255 10.1.5.0 0.0.0.255 eq www any (3 matches)
70 permit ip any any (0 matches)
R1# show ip interface s0/0/1
Serial0/0/1 is up, line protocol is up
Internet address is 10.1.1.2.1/24
Broadcast address is 255.255.255.255
Address determined by setup command
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Multicast reserved groups joined: 224.0.0.9
Outgoing access list is not set
Inbound access list is stop-packets


A. The ACL discards packets that try to enter S0/0/1 with source address 10.1.1.1, destination address 10.1.2.1, going to any UDP port.
B. The ACL discards packets that try to enter S0/0/1 with source address 10.1.1.2, destination address 10.1.2.1, going to any TCP port 80.
C. The ACL discards packets that try to exit S0/0/1 with source address 10.1.1.1, destination address 10.1.2.1, going to any UDP port.
D. No packets have matched the implicit deny all considered to be at the end of every IP ACL.
E. The ACL discards packets that try to exit S0/0/1 with source address 10.1.4.1, destination address 10.1.5.1, going to TCP port 80.

####################################################
WIP:
Husband & Fatherhood Caitlin Grace born 8-26-2010

Future Certs:
Q1-2011 - INCD2, Microsoft or Linux (decisions, decisions...)

Comments

  • murali9231 (Posts: 1)
    Hi,

    I am confused by show ip int s0/0/1. Can you tell me what the exact IP is, so that I can explain the issue to you? I have a clue, but I need to trace it.
  • kalebksp (Posts: 1,033)
    Sequence 70 matches everything so no packet would ever reach the implicit deny.
  • notgoing2fail (Posts: 1,138)
    Just like kale said, the last ACL before the implicit deny is this:

    70 permit ip any any (0 matches)

    And it is IP ANY ANY. So anything else matches. In fact, you'll never get to the implicit deny because of this last ACL. Because it has 0 matches, most traffic further up was either permitted at some point or denied....
  • fieldmonkey (Posts: 254)
    Wow!

    I really didn't view the question with that regard. I mean I fully understand the "implicit deny all", but I would have thought "something" would have indicated this in the output other than just ACL 70.

    Back to the grind ...

    I would assume since it states "0 matches" that there have not been any packets that have successfully passed through using this ACL 70 statement?

    Would that be correct?
  • notgoing2fail (Posts: 1,138)
    I would assume since it states "0 matches" that there have not been any packets that have successfully passed through using this ACL 70 statement?

    Would that be correct?

    Kind of but I would be careful with that statement.

    It means that all packets that had a destination had already met an ACL earlier up. You don't want to assume that no packets were successful with the 70 ACL because they never had a chance to get there in the first place.

    If you go with the phrase that no packets have successfully passed, it means that at some point they tried to, and that's not the case here...

    It's kind of a gray area, and you can take it different ways whatever your point of view is.

    Which is why I'm not a good test taker because I can argue myself out of the right answer. LOL!!!!
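To make the two points in this thread concrete (kalebksp's: sequence 70 catches everything, so the implicit deny can never record a match; and notgoing2fail's: a 0 on line 70 does not mean nothing was permitted, only that nothing reached that line), here is an added Python model of first-match ACL evaluation with per-line hit counters. It is example code written for this page, not the thread's, Boson's or IOS's own code. It rebuilds the stop-packets list from the exhibit as structured data, with two assumptions: the `eq www` on line 10 follows the source address and is therefore a source-port match, and line 40, which is malformed in the exhibit, is treated as a destination-port match. The packets in `SAMPLE` and in `counters_when_70_unused` are constructed for the demonstration; the interface is modelled with the list inbound and nothing outbound, as `show ip interface s0/0/1` reports.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def ip_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def addr_matches(spec: str, addr: str) -> bool:
    """IOS address specs: 'any', 'host A', or 'A WILDCARD'.
    In a wildcard mask a 1 bit means 'do not care'."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return ip_int(spec[5:]) == ip_int(addr)
    net, wild = spec.split()
    care = 0xFFFFFFFF ^ ip_int(wild)  # bits that must be equal
    return (ip_int(addr) & care) == (ip_int(net) & care)


@dataclass
class Ace:
    seq: int
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every IP protocol
    src: str
    dst: str
    sport: Optional[int] = None  # None = any source port
    dport: Optional[int] = None  # None = any destination port
    matches: int = 0             # the "(N matches)" counter


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    return (ace.proto in ("ip", pkt.proto)
            and addr_matches(ace.src, pkt.src)
            and addr_matches(ace.dst, pkt.dst)
            and ace.sport in (None, pkt.sport)
            and ace.dport in (None, pkt.dport))


class Acl:
    """Evaluation stops at the first matching line. A packet matching no
    line hits the implicit deny, which IOS never shows in the list."""

    def __init__(self, name: str, aces: List[Ace]):
        self.name, self.aces, self.implicit_deny_matches = name, aces, 0

    def evaluate(self, pkt: Packet) -> Tuple[str, Optional[int]]:
        for ace in self.aces:
            if ace_matches(ace, pkt):
                ace.matches += 1
                return ace.action, ace.seq
        self.implicit_deny_matches += 1
        return "deny", None

    def show(self) -> str:
        lines = [f"Extended IP access list {self.name}"]
        for a in self.aces:
            lines.append(f"{a.seq} {a.action} {a.proto} {a.src} {a.dst} ({a.matches} matches)")
        lines.append(f"(implicit deny ip any any: {self.implicit_deny_matches} matches)")
        return "\n".join(lines)


def stop_packets() -> Acl:
    """The exhibit's list, counters reset. Line 40's port is an assumption."""
    return Acl("stop-packets", [
        Ace(10, "permit", "tcp", "host 10.1.1.2", "any", sport=80),
        Ace(20, "deny", "udp", "host 10.1.1.1", "10.1.2.0 0.0.0.255"),
        Ace(30, "deny", "ip", "10.1.3.0 0.0.0.255", "10.1.2.0 0.0.0.255"),
        Ace(40, "permit", "tcp", "10.1.4.0 0.0.1.255", "10.1.5.0 0.0.0.255", dport=80),
        Ace(70, "permit", "ip", "any", "any"),
    ])


def interface_filter(acl_in: Optional[Acl], acl_out: Optional[Acl],
                     pkt: Packet, direction: str) -> Tuple[str, Optional[int]]:
    """S0/0/1 has stop-packets inbound and no outbound list, so a packet
    leaving the interface is never tested against it."""
    acl = acl_in if direction == "in" else acl_out
    return ("permit", None) if acl is None else acl.evaluate(pkt)


# Constructed traffic: the flows named in the answer options plus a stray
# flow that no line above 70 describes.
SAMPLE = [
    ("in",  Packet("udp", "10.1.1.1", "10.1.2.1", sport=40000, dport=53)),
    ("in",  Packet("tcp", "10.1.1.2", "10.1.2.1", sport=40000, dport=80)),
    ("out", Packet("udp", "10.1.1.1", "10.1.2.1", sport=40000, dport=53)),
    ("out", Packet("tcp", "10.1.4.1", "10.1.5.1", sport=40000, dport=80)),
    ("in",  Packet("tcp", "192.0.2.1", "198.51.100.1", sport=40000, dport=443)),
]


def run_sample() -> Tuple[List[Tuple[str, Optional[int]]], Acl]:
    acl = stop_packets()
    return [interface_filter(acl, None, pkt, d) for d, pkt in SAMPLE], acl


def counters_when_70_unused() -> dict:
    """Constructed traffic fully described by lines 10-40: line 70 stays at
    0 although packets were permitted, and the implicit deny stays at 0
    because 70 would have caught anything else."""
    acl = stop_packets()
    for pkt in (Packet("tcp", "10.1.1.2", "10.9.9.9", sport=80, dport=5000),
                Packet("ip", "10.1.3.7", "10.1.2.200"),
                Packet("tcp", "10.1.4.200", "10.1.5.5", sport=5000, dport=80)):
        acl.evaluate(pkt)
    counts = {a.seq: a.matches for a in acl.aces}
    counts["implicit"] = acl.implicit_deny_matches
    return counts


if __name__ == "__main__":
    results, acl = run_sample()
    for (d, pkt), res in zip(SAMPLE, results):
        print(d, pkt.proto, pkt.src, "->", pkt.dst, res)
    print(acl.show())
    print(counters_when_70_unused())
```

Running it shows the inbound UDP packet from 10.1.1.1 to 10.1.2.1 stopping at line 20, the two "exit" packets never being evaluated at all, and every other inbound packet being absorbed by line 70, so the implicit-deny counter cannot move. The second function reproduces the "0 matches on 70" situation notgoing2fail describes: lines 10, 30 and 40 each take a hit, 70 and the implicit deny both stay at 0, and permitted traffic did pass. One detail worth noticing in the model: because `eq www` on line 10 sits after the source address, a TCP packet from 10.1.1.2 whose destination port is 80 (answer option B's wording) does not match line 10 at all and is permitted by line 70 instead.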