nerdexam
GIAC

GSNA · Question #213

GSNA Question #213: Real Exam Question with Answer & Explanation

The correct answer is C. RouterA(config)#access-list 110 deny ip host 10.10.45.2 any

Question

You are tasked with creating an ACL to apply to Fa0/0 based on the following requirements: The ACL must be protocol specific. All traffic from host 10.10.45.2 and subnet 10.10.1.32/27 must be denied access through the router. Telnet and SSH must be denied for ALL hosts except the management host with the IP address of 10.10.0.100. This management host must not only have Telnet and SSH access, but access to any port in the TCP and UDP suite to any destination. HTTP, HTTPS, and DNS requests must be allowed for all hosts on subnets 10.10.2.0/24 and 10.10.3.0/24 to any destination. All remaining traffic must be denied. Cisco IOS applies an implied deny all at the end of an ACL. However, you must provide this configuration manually so that engineers can see hit counts on the deny all traffic when running the show ip access-lists command. Which of the following sets of commands will you choose to complete the configuration on Router A?

Options

  • A. RouterA(config)#access-list 110 deny ip host 10.10.45.2 any
  • B. RouterA(config)#access-list 110 deny ip host 10.10.45.2 any
  • C. RouterA(config)#access-list 110 deny ip host 10.10.45.2 any
  • D. RouterA(config)#access-list 99 deny ip host 10.10.45.2 any

Explanation

This ACL is an extended ACL. It meets the traffic requirements and is applied to Fa0/0 in the in direction, which matches traffic entering the interface. In addition, this ACL meets the needs of subnets 10.10.2.0/24 and 10.10.3.0/24 by using the network and wildcard mask 10.10.2.0 0.0.1.255 in the lines that permit HTTP, HTTPS, and DNS. The wildcard mask 0.0.1.255 matches the address range 10.10.2.0 through 10.10.3.255, which covers both required subnets in a single line. This works only because the two subnets are adjacent in their network numbers.

Note: If the network numbers were not adjacent, for example 10.10.2.0/24 and 10.10.20.0/24, the wildcard mask 0.0.1.255 would be incorrect; a wildcard mask of 0.0.0.255 would be required, with a separate set of lines for each subnet. The ACL would then be configured with the following commands (only the relevant commands are displayed):

RouterA(config)#access-list 110 permit tcp 10.10.2.0 0.0.0.255 any eq 80
RouterA(config)#access-list 110 permit tcp 10.10.2.0 0.0.0.255 any eq 443
RouterA(config)#access-list 110 permit udp 10.10.2.0 0.0.0.255 any eq 53
RouterA(config)#access-list 110 permit tcp 10.10.20.0 0.0.0.255 any eq 80
RouterA(config)#access-list 110 permit tcp 10.10.20.0 0.0.0.255 any eq 443
RouterA(config)#access-list 110 permit udp 10.10.20.0 0.0.0.255 any eq 53
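As an added illustration (not part of the original question or its explanation), the following Python reproduces the wildcard-mask reasoning above: it computes the address range a `network wildcard` pair matches, checks whether a whole subnet is covered, and evaluates a small first-match ACL to show why the explicit final deny line is the one that gets a hit counter. The function names and the constructed ACL entries are my own, modelled on the lines in the explanation.

```python
import ipaddress

MASK32 = 0xFFFFFFFF

def _to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 0 bit in the wildcard means that bit of
    addr must equal base; a 1 bit is a don't-care. 'host X' is X 0.0.0.0."""
    care = ~_to_int(wildcard) & MASK32
    return (_to_int(addr) & care) == (_to_int(base) & care)

def wildcard_range(base, wildcard):
    """Lowest and highest address a base/wildcard pair can match."""
    care = ~_to_int(wildcard) & MASK32
    low = _to_int(base) & care
    high = low | _to_int(wildcard)
    return str(ipaddress.IPv4Address(low)), str(ipaddress.IPv4Address(high))

def subnet_covered(cidr, base, wildcard):
    """True only if every address of the subnet matches base/wildcard."""
    net = ipaddress.IPv4Network(cidr)
    return all(wildcard_match(str(a), base, wildcard) for a in net)

def first_match(acl, src, proto, dport):
    """First-match evaluation of entries (action, proto, src_base, src_wc,
    dport_or_None), destination 'any'. Returns (action, index); index is
    None when the implicit deny at the end was hit, which is why the question
    wants an explicit deny line: only a real entry shows hit counts in
    'show ip access-lists'."""
    for idx, (action, eproto, base, wc, eport) in enumerate(acl):
        if eproto not in ("ip", proto):
            continue
        if not wildcard_match(src, base, wc):
            continue
        if eport is not None and eport != dport:
            continue
        return action, idx
    return "deny", None

# Constructed entries mirroring the explanation's HTTP/HTTPS/DNS lines
ACL_110 = [
    ("deny", "ip", "10.10.45.2", "0.0.0.0", None),
    ("permit", "tcp", "10.10.2.0", "0.0.1.255", 80),
    ("permit", "tcp", "10.10.2.0", "0.0.1.255", 443),
    ("permit", "udp", "10.10.2.0", "0.0.1.255", 53),
    ("deny", "ip", "0.0.0.0", "255.255.255.255", None),
]
```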
