access-group [in|out] is used to tie an access-list to an interface.
access-class [in|out] is used to tie an access-list to vty lines.
So, in case you want to prevent incoming network traffic on port 80 through Ethernet 0/0, you use:
int E0/0
ip access-group 123 in
In case you want to allow only your PC to access the VTY via telnet/SSH, use:
line vty 0 4
access-class 1 in
A and B both are correct, BUT if you choose the g0/0 interface then PC1 will still be able to SSH using RTR-1's loopback interfaces, so you should implement that ACL on the VTY lines to prevent SSH connections through any interface.
Both A and B are correct, as they both block SSH.
Option B applies the ACL to the VTY lines using line vty 0 15, which controls SSH access to the router via VTY but does not block SSH from the interface where PC-1 is connected. Also, it does not address the inbound traffic from PC-1 on GigabitEthernet0/0.
Option A is more specific to the question: deny traffic at the interface level. "RTR-1 denies SSH access from PC-1 to any RTR-1 interface"
interface is the keyword.
I will go with option A.
Answer: A
You can apply a standard ACL directly on VTY lines. But you can't apply an extended ACL on VTY lines. If you want to use extended ACLs to secure VTY lines, you have to use an ACL for each interface that a user can use to access the VTY lines.
https://www.computernetworkingnotes.com/ccna-study-guide/how-to-secure-vty-access-to-the-router.html#:~:text=You%20can%20apply%20a%20standard,to%20access%20the%20VTY%20lines.
Good eye, but apparently this isn't true as of IOS 12.4 (All the way back 15 years ago!), so extended ACLs are actually accepted.
https://blog.ipspace.net/2006/12/vty-access-class-accepts-extended-and.html
Answer A.
Both A and B have the same result. Tested in PT.
My answer is based on the fact that an extended ACL should be applied closest to the source.
If the ACL is applied to the vty, the packets will cross G0/0 to reach the virtual terminal.
Usually VTYs are secured with a standard ACL, lines with an extended ACL.
The practical result of A and B is the same.
I think it is more about best practice. Regards,
Read: https://www.computernetworkingnotes.com/ccna-study-guide/how-to-secure-vty-access-to-the-router.html
Perhaps the router would be vulnerable with an ACL on the interface, as another host could access the VTY lines from other interfaces (if it has one), without ACLs. I believe it would be better to place the ACLs directly on the VTY lines, to ensure security.
The part that trips you up: "denies SSH access from PC-1 to any RTR-1 interface". Option A indicates a single interface, which goes against the statement "to any RTR-1 interface". Therefore you should aim for line vty 0 15, and thus you should rule out A.
Hello! B and D are not the same. B is eq 22 which means SSH while D is eq 23 means TELNET. Port 22 is for SSH while port 23 is for TELNET. SSH data transmission is encrypted while TELNET data transmission is in plain where anyone can read it.
A is correct because the question is asking for 1 host, not a whole network. We are denying traffic to the router. We don't need any complex config. It's simply answer A.
A will block SSH traffic for anything on any other interface of the router as well I believe.
It specifically asks to block SSH to the RTR-1 interface, AKA the VTY lines.
Close. A will block PC1 from being able to SSH into anything on the other side of the router. Our goal is to ensure PC1 can't SSH into RTR-1, not to stop it from SSHing into any devices beyond.
If the ACL is applied to the G0/0 interface it completely denies SSH traffic to the network as a whole. In this case, you just want to deny SSH traffic to the router's VTY ports. Therefore, answer A is not correct. I know, poorly worded question. Some of these questions do not prove that you know the content; they just prove that you are able to pick out "key" words in a timely manner.
Only from the host to any. ACL structure = access-list "number" deny/permit host "source ip" (source port) "destination ip" "destination port"
In this case the source address is PC1 and the destination is any, so the SSH connection will be blocked from PC1 to the whole network.
Correct. All SSH traffic stops at gi0/0 with A, even SSH packets that are headed elsewhere on any other interface of the router.
So, if another router was connected to another interface on RTR-1, and you wanted to SSH to that router, traffic would not flow past gi0/0 for anything, on any network, from that specific host.
for interface, add ip access-group <access list number> in/out
for vty, access-class <access list number> in/out
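The thread's disagreement is really about scope: an inbound ACL applied with ip access-group on G0/0 is evaluated for every packet entering that interface (router-destined or transit), while an access-class under line vty is evaluated only for sessions to the router's own VTY service, on whichever interface they arrive. The following Python model is an added example written for this page, not Cisco code or anything from the thread; it uses a constructed topology (PC-1 behind G0/0, PC-2 and a server behind G0/1, a loopback on RTR-1, documentation-range addresses), one extended ACL ("deny tcp host PC-1 any eq 22" then "permit ip any any"), and evaluates the same five flows under both placements so the difference the posts above argue about is visible in the output. The ACL-matching logic is a simplification (exact-host matches only, no wildcards or established/log options).

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed topology for this example (not from the thread). Addresses are
# from documentation ranges; the interface names follow the question.
RTR_G00 = "192.0.2.1"       # RTR-1 GigabitEthernet0/0, PC-1's side
RTR_G01 = "198.51.100.1"    # RTR-1 GigabitEthernet0/1, server/PC-2 side
RTR_LO0 = "203.0.113.1"     # RTR-1 Loopback0
ROUTER_ADDRESSES = {RTR_G00, RTR_G01, RTR_LO0}
PC1 = "192.0.2.10"
PC2 = "198.51.100.10"
SERVER = "198.51.100.20"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str           # "tcp", "udp" or "icmp"
    dport: Optional[int]
    ingress: str         # interface the packet arrives on


@dataclass(frozen=True)
class Ace:
    """One access-list entry; None means 'any' for src/dst/dport."""
    action: str          # "permit" or "deny"
    proto: str           # "ip" matches every protocol
    src: Optional[str]
    dst: Optional[str]
    dport: Optional[int]

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.src is not None and self.src != p.src:
            return False
        if self.dst is not None and self.dst != p.dst:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return True


def acl_permits(acl: List[Ace], p: Packet) -> bool:
    """First matching entry wins; an ACL ends with an implicit deny."""
    for ace in acl:
        if ace.matches(p):
            return ace.action == "permit"
    return False


# Extended ACL used by both placements: block SSH from PC-1 to anything,
# let everything else through (the explicit permit avoids the implicit deny).
ACL_100 = [
    Ace("deny", "tcp", PC1, None, 22),
    Ace("permit", "ip", None, None, None),
]


def option_a(p: Packet) -> bool:
    """'ip access-group 100 in' on G0/0: checked for every packet entering
    G0/0, whether it is addressed to the router or just transiting it."""
    if p.ingress == "G0/0" and not acl_permits(ACL_100, p):
        return False
    return True


def option_b(p: Packet) -> bool:
    """'access-class 100 in' under 'line vty 0 15': checked only when the
    packet is an SSH/Telnet session to one of the router's own addresses,
    regardless of the interface it arrives on."""
    to_vty = p.dst in ROUTER_ADDRESSES and p.proto == "tcp" and p.dport in (22, 23)
    if to_vty and not acl_permits(ACL_100, p):
        return False
    return True


# Constructed sample flows: True in the result means the flow is allowed.
FLOWS = {
    "pc1_ssh_g00":     Packet(PC1, RTR_G00, "tcp", 22, "G0/0"),
    "pc1_ssh_lo0":     Packet(PC1, RTR_LO0, "tcp", 22, "G0/0"),
    "pc1_ssh_server":  Packet(PC1, SERVER,  "tcp", 22, "G0/0"),
    "pc1_http_server": Packet(PC1, SERVER,  "tcp", 80, "G0/0"),
    "pc2_ssh_g01":     Packet(PC2, RTR_G01, "tcp", 22, "G0/1"),
}


def compare() -> dict:
    """Evaluate every sample flow under both ACL placements."""
    return {name: {"A": option_a(p), "B": option_b(p)} for name, p in FLOWS.items()}


if __name__ == "__main__":
    for name, r in compare().items():
        a = "permit" if r["A"] else "deny"
        b = "permit" if r["B"] else "deny"
        print(f"{name:16} option A: {a:7} option B: {b}")
```

Running it shows the two placements agree on SSH from PC-1 to any RTR-1 address (both deny, loopback included, because PC-1's packets always enter through G0/0), but only the interface ACL also stops PC-1's SSH to the server beyond the router, and neither touches PC-2 on G0/1; if the requirement is "PC-1 cannot reach RTR-1's VTY" and nothing more, the access-class placement is the one whose effect matches the requirement exactly.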
Community vote distribution: A (35%), C (25%), B (20%), Other