Refer to the exhibit. Which command set must be added to permit and log all traffic that comes from 172.20.10.1 in interface GigabitEthernet0/1 without impacting the functionality of the access list? A. B. C. D.
A
Two things to keep in mind: 1) the requirement of "WITHOUT impacting the functionality of the access list", and 2) the wildcard mask of ACE #20 does not overlap with 172.20.10.1/32, therefore not affecting it.
Another thing to note is that without the sequence keyword, the new ACE is added at the end of the list.
A. tested again:
cisco_R3#show access-lists 123
Extended IP access list 123
5 permit ip host 1.1.1.1 any log
15 permit ip host 4.4.4.0 any log
cisco_R3#s runn | i 123
access-list 123 permit ip host 1.1.1.1 any log
access-list 123 permit ip host 4.4.4.0 any log
cisco_R3#
cisco_R3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
cisco_R3(config)#access-list 123 permit ip host 172.20.10.1 any log <<<<<<<<<<<<<<<<<
cisco_R3(config)#^Z
cisco_R3#
cisco_R3#s runn | i 123
access-list 123 permit ip host 1.1.1.1 any log
access-list 123 permit ip host 4.4.4.0 any log
access-list 123 permit ip host 172.20.10.1 any log <<<<<<<<<<<<<<
cisco_R3#show access-lists 123
Extended IP access list 123
5 permit ip host 1.1.1.1 any log
15 permit ip host 4.4.4.0 any log
25 permit ip host 172.20.10.1 any log <<<<<<<<<<<<<<<<<<<<
cisco_R3#
A is the closest, but it's not correct as the syntax is wrong:
Router(config)#ip access-list 100 ?
% Unrecognized command
Router(config)#ip access-list extended 100 ?
<cr> <cr>
Router(config-ext-nacl)#5 permit ip host x.x.x.
Option B uses the wrong syntax; the sequence number is specified only after you enter the ACL configuration using an IP prefix (e.g., "ip access-list extended 100") (Incorrect answer).
Option C will permit the entire subnet (172.16.10.1 - 172.16.10.255) through the ACL, but we need to allow only host "172.16.10.1" (Incorrect answer).
Option D will delete the entire list and add the entry "permit ip 172.16.0.0 0.0.15.255 any log" to the extended ACL 100, thus modifying the ACL content (Incorrect answer).
Correct Answer is 'A'
It is A because none of the existing ACEs match host 172.20.10.1. Even though this ACE would be the third in the list, none of the others can match the host.
B syntax is wrong (at least on the IOS I tried)
C matches a whole subnet instead of a host
D breaks the functionality of the ACL
Correct answer: A
A is the correct answer. Having worked with Cisco for a while, I can just snipe the correct syntax. I don't know what else to say. Good luck, folks. A is the correct answer.
People saying "B", do you have access to any network gear at all? Or are you all book jockeys? JFC. No wonder half the network admin population sucks at their job; they have all these certs yet never touch a CLI.
LAB THIS STUFF BEFORE YOU COMMENT
Answer is A
The correct answer is C.
Answer A cannot be correct, as an entry added without a sequence number is placed at the end, so it's processed last. If it's processed last, then the same traffic will be matched earlier by the 172.16.0.0 0.0.15.255 statement, and as a result the log will never be generated!! And the question specifically asks for the log!
Answer C is correct, as it correctly positions the new entry before the 172.16.0.0 0.0.15.255 statement, thus enabling logging, while not altering the rest of the ACL, as 172.20.10.0 0.0.0.255 would be matched by the later statement and permitted.
Not quite. The idea of a sequence number is to put the interesting traffic where you want it to be in the ACL. For example, if you have already permitted all traffic for a subnet and now want to deny a single host from that subnet, then you will use a sequence number to place it above the earlier permit statement, because an ACL is processed from top to bottom. If you put the deny statement without a sequence number, it will append the ACE at the bottom of the list, and it won't be effective for the purpose that you want to achieve.
Therefore A is the correct answer because 172.20.10.1 is not overlapping with 172.16.0.0, and the list will be appended below.
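As a check on the ordering argument above (an added example, not code from any poster and not IOS code): a small Python model of Cisco wildcard matching, first-match evaluation, and the sequence number IOS assigns when an ACE is added with or without one. It assumes the ACL 100 shown in the posted `show access-list 100` output is the exhibit; the 172.16.0.0 0.15.255.255 case is a constructed counterfactual, not part of the question, showing when the appended entry would be shadowed and a sequence number would actually be needed.

```python
"""Model of the IOS extended-ACL behaviour argued over in the thread:
wildcard-mask matching, first-match top-to-bottom evaluation, and the
sequence number IOS assigns with and without an explicit 'seq'.
Constructed example; IOS itself is the authority, this only mirrors it."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def _ip(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


@dataclass(frozen=True)
class Ace:
    seq: int
    action: str        # "permit" or "deny"
    src: str           # source address as typed, e.g. "172.16.0.0"
    wildcard: str      # Cisco wildcard: 0 bits must match, 1 bits are don't-care
    log: bool = False

    def matches(self, ip: str) -> bool:
        care = ~_ip(self.wildcard) & 0xFFFFFFFF
        return (_ip(self.src) & care) == (_ip(ip) & care)

    def __str__(self) -> str:
        src = f"host {self.src}" if self.wildcard == "0.0.0.0" else f"{self.src} {self.wildcard}"
        return f"{self.seq} {self.action} ip {src} any" + (" log" if self.log else "")


class Acl:
    def __init__(self) -> None:
        self.aces: List[Ace] = []

    def add(self, action: str, src: str, wildcard: str = "0.0.0.0",
            log: bool = False, seq: Optional[int] = None) -> int:
        """No sequence number: append as last_seq + 10 (10 on an empty list),
        which is what 'access-list 100 permit ...' did in the posted outputs.
        Explicit sequence number: the ACE is sorted into that position."""
        if seq is None:
            seq = self.aces[-1].seq + 10 if self.aces else 10
        if any(a.seq == seq for a in self.aces):
            raise ValueError(f"sequence number {seq} already in use")
        self.aces.append(Ace(seq, action, src, wildcard, log))
        self.aces.sort(key=lambda a: a.seq)
        return seq

    def evaluate(self, ip: str) -> Tuple[str, Optional[int], bool]:
        """First matching ACE wins; implicit 'deny ip any any' at the end."""
        for ace in self.aces:
            if ace.matches(ip):
                return ace.action, ace.seq, ace.log
        return "deny", None, False


def wildcard_range(src: str, wildcard: str) -> Tuple[str, str]:
    """Lowest and highest address a contiguous wildcard covers."""
    lo = _ip(src) & ~_ip(wildcard) & 0xFFFFFFFF
    hi = lo | _ip(wildcard)
    return str(ipaddress.IPv4Address(lo)), str(ipaddress.IPv4Address(hi))


def exhibit_acl() -> Acl:
    """ACL 100 as reconstructed from the 'show access-list 100' output posted
    in the thread (assumption: that output is the exhibit)."""
    acl = Acl()
    acl.add("permit", "192.168.0.0", "0.0.255.255")   # seq 10
    acl.add("permit", "172.16.0.0", "0.0.15.255")     # seq 20
    return acl


def first_match_after_append(existing_wildcard: str) -> Tuple[str, Optional[int], bool]:
    """Append the host ACE with no sequence number behind an existing
    'permit ip 172.16.0.0 <existing_wildcard> any' and see which ACE fires."""
    acl = Acl()
    acl.add("permit", "172.16.0.0", existing_wildcard)
    acl.add("permit", "172.20.10.1", log=True)   # no seq -> goes last
    return acl.evaluate("172.20.10.1")


def first_match_with_seq(existing_wildcard: str, seq: int) -> Tuple[str, Optional[int], bool]:
    """Same, but place the host ACE with an explicit sequence number."""
    acl = Acl()
    acl.add("permit", "172.16.0.0", existing_wildcard)
    acl.add("permit", "172.20.10.1", log=True, seq=seq)
    return acl.evaluate("172.20.10.1")


if __name__ == "__main__":
    acl = exhibit_acl()
    print("ACE 20 covers %s - %s" % wildcard_range("172.16.0.0", "0.0.15.255"))
    acl.add("permit", "172.20.10.1", log=True)       # option A, appended as seq 30
    for ace in acl.aces:
        print(ace)
    print("172.20.10.1 ->", acl.evaluate("172.20.10.1"))
    # Constructed counterfactual: had ACE 20 been 172.16.0.0 0.15.255.255
    # (172.16.0.0 - 172.31.255.255), the appended host ACE would be shadowed
    # and never log; only then is a sequence number ahead of it required.
    print("shadowed:", first_match_after_append("0.15.255.255"))
    print("with seq 5:", first_match_with_seq("0.15.255.255", 5))
```

The `wildcard_range` call is the quick check worth doing before touching a production ACL: 0.0.15.255 reaches only 172.16.15.255, so 172.20.10.1 cannot be matched by ACE 20 and the appended entry with `log` is the first match for it. The counterfactual shows the shadowing that the "C" camp is worried about, which only occurs when an earlier ACE actually covers the host.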
Chuckzero#sh ip access-lists
Extended IP access list 100
10 permit ip 192.168.0.0 0.0.255.255 any
20 permit ip 172.16.0.0 0.0.15.255 any
30 deny ip host 172.20.10.1 any
Chuckzero#
Answer A is correct. As Clauster writes, "the question wants you to just permit the Interface, not the entire network". That is why A is better than C.
A is correct
172.16.0.0 0.0.15.255 includes 172.16.0.0 - 172.16.15.255
Router(config)#do show access-list 100
Extended IP access list 100
10 permit ip 192.168.0.0 0.0.255.255 any
20 permit ip 172.16.0.0 0.0.15.255 any
Router(config)#access-list 100 permit ip host 172.20.10.1 any log
Router(config)#do show access-list 100
Extended IP access list 100
10 permit ip 192.168.0.0 0.0.255.255 any
20 permit ip 172.16.0.0 0.0.15.255 any
30 permit ip host 172.20.10.1 any log
Router(config)#
A. The extended ACL does not have a seq keyword:
Router(config)#access-list ?
<1-99> IP standard access list
<100-199> IP extended access list
<1100-1199> Extended 48-bit MAC address access list
<1300-1999> IP standard access list (expanded range)
<200-299> Protocol type-code access list
<2000-2699> IP extended access list (expanded range)
<2700-2799> MPLS access list
<300-399> DECnet access list
<700-799> 48-bit MAC address access list
compiled Enable IP access-list compilation
dynamic-extended Extend the dynamic ACL absolute timer
rate-limit Simple rate-limit specific access list
Router(config)#access-list
The extended NAMED ACL has seq:
Router(config)#ip access-list extended MY_NAME ?
<cr>
Router(config)#ip access-list extended MY_NAME
Router(config-ext-nacl)#?
Ext Access List configuration commands:
<1-2147483647> Sequence Number
default Set a command to its defaults
deny Specify packets to reject
dynamic Specify a DYNAMIC list of PERMITs or DENYs
evaluate Evaluate an access list
exit Exit from access-list configuration mode
no Negate a command or set its defaults
permit Specify packets to forward
remark Access list entry comment
Router(config-ext-nacl)#
Router(config-ext-nacl)#3 permit udp any host 8.8.8.8 eq 53 log
Router(config-ext-nacl)#do s access-l
Extended IP access list 100
10 permit ip 192.168.0.0 0.0.255.255 any
20 permit ip 172.16.0.0 0.0.15.255 any
30 permit ip host 172.20.10.1 any log
Extended IP access list MY_NAME
3 permit udp any host 8.8.8.8 eq domain log
10 deny ip any any log
Router(config-ext-nacl)#
Router#show running-config | se
Router#show running-config | section acc
ip access-group 100 in
ip access-list extended MY_NAME
permit udp any host 8.8.8.8 eq domain log
deny ip any any log
access-list 100 permit ip 192.168.0.0 0.0.255.255 any
access-list 100 permit ip 172.16.0.0 0.0.15.255 any
access-list 100 permit ip host 172.20.10.1 any log
Router#conf
Configuring from terminal, memory, or network [terminal]?
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#acc
Router(config)#access-list 100 ?
deny Specify packets to reject
dynamic Specify a DYNAMIC list of PERMITs or DENYs
permit Specify packets to forward
remark Access list entry comment
Router(config)#access-list 100
Technically, "C" can also be right ...
Router(config)#ip access-list extended MY_NAME
Router(config-ext-nacl)#5 permit tcp any host 8.8.8.8 eq 53 log
Router(config-ext-nacl)#do s access-l
Extended IP access list 100
10 permit ip 192.168.0.0 0.0.255.255 any
20 permit ip 172.16.0.0 0.0.15.255 any
30 permit ip host 172.20.10.1 any log
Extended IP access list MY_NAME
3 permit udp any host 8.8.8.8 eq domain log
5 permit tcp any host 8.8.8.8 eq domain log
10 deny ip any any log
Router(config-ext-nacl)#
In the end, my reply is A.
Router(config)#ip access-list extended 100
Router(config-ext-nacl)#
Router(config-ext-nacl)#5 permit ip host 1.1.1.1 any log
Router(config-ext-nacl)#
Router(config-ext-nacl)#do s access-l
Extended IP access list 100
5 permit ip host 1.1.1.1 any log
10 permit ip 192.168.0.0 0.0.255.255 any
20 permit ip 172.16.0.0 0.0.15.255 any
30 permit ip host 172.20.10.1 any log
100 deny ip any any log
Extended IP access list MY_NAME
3 permit udp any host 8.8.8.8 eq domain log
5 permit tcp any host 8.8.8.8 eq domain log
10 deny ip any any log
Router(config-ext-nacl)#