Refer to the exhibit. An IT staff member comes into the office during normal office hours and cannot access devices through SSH. Which action should be taken to resolve this issue?
A. Modify the access list to use the correct IP address.
B. Configure the correct time range.
C. Modify the access list to correct the subnet mask.
D. Configure the access list in the outbound direction.
I changed my mind, I think it is A.
Because C says subnet mask. And I don't think they would use the word subnet mask instead of wildcard mask.
For A to be true, we need to know that IT guy's IP address and use that to correct the ACL.
...the main problem is the sender address 10.0.0.0. It's unlikely that our worker has such an address configured. And then we should choose honey A and C.
A - if it is assumed that the employee works from a PC from the network 10.1.1.0/24, then changing the address to 10.1.1.x/32 is reasonable.
C - let's say we set /8. It's not very elegant, but any package from 10.1.1.0/24 will pass this access list.
It seems to me that opting for a stricter rule is more correct than giving access to the entire 10/8 network.
It is C:
We don't know the IT member's IP address, but it is not for sure the 10.1.1.1 showing on the picture; that is the interface IP address, and it is a /24 subnet, meaning that the IT member would have any one of those 10.1.1.0/24 subnet IP addresses.
So by changing the subnet from 0.0.0.0 to 0.0.0.255 we can cover the entire subnet rather than guessing one IP, or permitting the interface IP, which is pointless.
Ignore it please, but still we need it to be covering the 10.1.1.0/24, not 10.0.0.0/24.
So either we make it /8 or we change it to the specific IP of the IT member.
Either way, changing it to /8 would cover more than we need, which is not secure, so I change my mind to A back.
The correct answer appears to be A. Modify the access list to use the correct IP address.
This is because the ACL's source IP is 10.0.0.0 with a wildcard mask of 0.0.0.0, which does not cover the subnet 10.1.1.x (where the IT staff might be located). Correcting the ACL to use 10.1.1.0 with an appropriate mask (like 0.0.0.255) would allow access for any host within the 10.1.1.0 subnet.
I agree that A is correct because ACLs use wildcard bits and the entry matches only the 10.0.0.0 address. Why is D not considered? If someone is trying to access remote devices, wouldn't the ACL need to be applied in the outbound direction?
I'm going with A considering that 0.0.0.0 is the equivalent to 255.255.255.255 on a normal mask. So the likelihood of making a mistake here (considering the scenario) is on the IP address.
The question is "An IT staff member ", in this case it is only 1 person, the correct answer is A.
If the question were "IT staff members" the correct answer will be C
My choice: Answer C
Enough to change the ACL like this:
access-list 101 permit tcp 10.0.0.0 0.1.255.255 172.16.1.0 0.0.0.255 eq ssh time-range Office-hour
With answer A, we get only one IP address from where SSH is allowed, while this company has an IT staff.
Okay, I will go with C. I was torn between A and C, but C seems more plausible as the answer because changing the IP address of the source portion of the ACL will only apply to one host device, when there could be a Staff with multiple devices...
I agree that there may be a discrepancy in wording of Subnet Mask and Wildcard mask, but the subnet mask can be changed from 0.0.0.0 to 0.255.255.255 to cover the correct subnet mask.
The information is missing, what should we set as the source in the ACL.
Is the device shown in the question the source or the destination of the telnet traffic? Or is telnet transiting through it?
If it is the source, and telnet should be initiated from this device (10.1.1.1 0.0.0.0) to other devices (172.16.1.0 0.0.0.255), then:
- the ACL won't work. We can't apply any ACL to the outbound traffic generated locally by the router itself.
If telnet is transiting through this device (for instance, coming from a LAN connected to E0/0), then:
- we should correct the IP address and wildcard mask, too:
access-list 101 permit tcp 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255 eq ssh time-range Office-hour
The device with IP 10.1.1.1 could also be the destination, and telnet traffic would enter on E0/0 inbound. In that case the ACL would be something like this:
access-list 101 permit tcp 172.16.1.0 0.0.0.255 host 10.1.1.1 eq ssh time-range Office-hour
The output does not show clearly how they want to use the ACL.
The question didn't say what IP the connection is from or to. It didn't say the SSH is to the router itself. It is more than likely the SSH traffic is through the router instead of destined or sourced from the router. In that case, I think C would make more sense. 10.0.0.0/0.0.0.0 is clearly wrong.
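Added example, not part of the original discussion: a short Python check of how IOS wildcard matching treats each source address/wildcard pair quoted in the comments above, and how many addresses each one permits. The staff host 10.1.1.50 is a constructed sample address, since the exhibit does not give the staff member's IP.

```python
import ipaddress


def to_int(dotted):
    """Dotted-quad string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(addr, base, wildcard):
    """IOS-style match: wildcard bits set to 1 are ignored, 0 bits must equal base."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(addr) & care) == (to_int(base) & care)


def matched_count(wildcard):
    """Addresses an entry matches: 2 ** (number of ignored bits)."""
    return 2 ** bin(to_int(wildcard)).count("1")


# Source address/wildcard pairs quoted in the discussion above.
CANDIDATES = {
    "exhibit as described": ("10.0.0.0", "0.0.0.0"),
    "wildcard widened to /8": ("10.0.0.0", "0.255.255.255"),
    "0.1.255.255 variant": ("10.0.0.0", "0.1.255.255"),
    "10.1.1.0/24": ("10.1.1.0", "0.0.0.255"),
}

STAFF_HOST = "10.1.1.50"  # constructed sample address, not from the exhibit


def evaluate(host=STAFF_HOST):
    """Return {label: (host_is_permitted, addresses_permitted)} for each candidate."""
    return {
        name: (wildcard_match(host, base, wc), matched_count(wc))
        for name, (base, wc) in CANDIDATES.items()
    }


if __name__ == "__main__":
    for name, (ok, size) in evaluate().items():
        print(f"{name:24} matches {STAFF_HOST}: {ok!s:5}  addresses permitted: {size}")
```

The address count is the least-privilege side of the A versus C argument: every entry except the first admits the sample host, but the number of other sources admitted with it ranges from 256 to over 16 million.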