Network Security 1.0 Modules 8 – 10: ACLs and Firewalls Group Exam Answers
May 20, 2021 | Last Updated: July 10, 2021 | Network Security 1.0
Source: https://itexamanswers.net/network-security-1-0-modules-8-10-acls-and-firewalls-group-exam-answers.html (printed 25/08/2021)
1. When creating an ACL, which keyword should be used to document and interpret the purpose of the ACL statement on a Cisco device?

remark
description
established
eq
Explanation: In order to document the purpose of an ACL and identify its function more easily, the remark keyword is used when building the ACL. The established keyword matches TCP return traffic (segments with the ACK or RST bit set) for sessions that were initiated from the protected side of the interface. The eq operator is used to specify a port number for denying or permitting traffic. The description keyword is used when configuring and documenting interfaces.

2. Which two pieces of information are required when creating a standard access control list? (Choose two.)

access list number between 1 and 99
source address and wildcard mask
destination address and wildcard mask
subnet mask and wildcard mask
access list number between 100 and 199

Explanation: Standard ACLs can be numbered 1 to 99 and 1300 to 1999. Standard IP ACLs filter only on the source IP address.

3. What two steps provide the quickest way to completely remove an ACL from a router? (Choose two.)

Removal of the ACEs is the only step required.
Modify the number of the ACL so that it doesn’t match the ACL associated with the interface.
Copy the ACL into a text editor, add no before each ACE, then copy the ACL back into the router.
Remove the inbound/outbound reference to the ACL from the interface.
Use the no access-list command to remove the entire ACL.
Use the no keyword and the sequence number of every ACE within the named ACL to be removed.

Explanation: To completely remove an ACL from a router requires two steps: removing the actual ACL with the no access-list command and removing the association of the ACL from the appropriate interface. On a live device do the interface step (no ip access-group) first: an interface that still references a list which no longer exists has no filter applied at all, so deleting the list before unbinding it briefly leaves the interface unfiltered.

4. Which two types of addresses should be denied inbound on a router interface that attaches to the Internet? (Choose two.)

private IP addresses
any IP address that starts with the number 127
any IP address that starts with the number 1
NAT translated IP addresses
public IP addresses

Explanation: The following addresses should not be permitted inbound from the Internet in order to mitigate IP spoofing and DoS attacks:

All zero address
Broadcast addresses
Local host addresses that start with 127
Reserved private addresses
IP multicast addresses

5. In the creation of an IPv6 ACL, what is the purpose of the implicit final command entries, permit icmp any any nd-na and permit icmp any any nd-ns?

to allow forwarding of ICMPv6 packets
to allow automatic address configuration
to allow IPv6 to MAC address resolution
to allow forwarding of IPv6 multicast packets

Explanation: IPv6 address to MAC address resolution is performed through the exchange of ICMPv6 neighbor discovery packets, consisting of neighbor solicitation and neighbor advertisement messages. Unless these packets are permitted on a router interface, the interface will not be able to perform MAC address resolution. The two implicit permits sit just ahead of the implicit deny ipv6 any any. If an explicit deny ipv6 any any is added at the end of a list (for example, to log denied traffic), the implicit entries are never reached, and the two neighbor discovery permits must then be written explicitly before it or address resolution on that interface breaks.

6. What two statements describe characteristics of IPv6 access control lists? (Choose two.)

They permit ICMPv6 router advertisements by default.
They can be named or numbered.
They include two implicit permit statements by default.
They are applied to an interface with the ip access-group command.
They use prefix lengths to indicate how much of an address to match.

Explanation: IPv6 access lists have distinct characteristics that are different from IPv4 access lists:

They use prefix lengths instead of wildcard masks to match network bits.
They permit two ICMPv6 message types by default: neighbor solicitations and neighbor advertisements.
They are only created as named access lists.
They use the command ipv6 traffic-filter when applied to an interface.

7. Refer to the exhibit. A network administrator created an IPv6 ACL to block the Telnet traffic from the 2001:DB8:CAFE:10::/64 network to the 2001:DB8:CAFE:30::/64 network. What is a command the administrator could use to allow only a single host 2001:DB8:CAFE:10::A/64 to telnet to the 2001:DB8:CAFE:30::/64 network?

permit tcp 2001:DB8:CAFE:10::A/64 2001:DB8:CAFE:30::/64 eq 23
permit tcp 2001:DB8:CAFE:10::A/64 eq 23 2001:DB8:CAFE:30::/64
permit tcp host 2001:DB8:CAFE:10::A eq 23 2001:DB8:CAFE:30::/64
permit tcp host 2001:DB8:CAFE:10::A 2001:DB8:CAFE:30::/64 eq 23 sequence 5

Explanation: When an IPv6 ACE is created and is to be processed before an existing ACE, the command entered must use the sequence argument with a number lower than the existing ACE. This allows an entry to be placed before an existing entry, as the default sequence numbers are commonly assigned in increments of 10. Thus, using a sequence number of 5 on an ACE will place it in front of a prior existing entry with a sequence number of 10.

8. When implementing components into an enterprise network, what is the purpose of a firewall?

A firewall is a system that inspects network traffic and makes forwarding decisions based solely on Layer 2 Ethernet MAC addresses.
A firewall is a system that is designed to secure, monitor, and manage mobile devices, including corporate-owned devices and employee-owned devices.
A firewall is a system that stores vast quantities of sensitive and business-critical information.
A firewall is a system that enforces an access control policy between internal corporate networks and external networks.

Explanation: A firewall is a system that enforces an access control policy and prevents the exposure of sensitive hosts, resources, and applications to untrusted users.

9. What are two possible limitations of using a firewall in a network? (Choose two.)

It provides accessibility of applications and sensitive resources to external untrusted users.
It increases security management complexity by requiring off-loading network access control to the device.
A misconfigured firewall can create a single point of failure.
Network performance can slow down.
It cannot sanitize protocol flows.

Explanation: Firewalls have some limitations:

– A misconfigured firewall can have serious consequences for the network, such as becoming a single point of failure.
– The data from many applications cannot be passed over firewalls securely.
– Users might proactively search for ways around the firewall to receive blocked material, which exposes the network to potential attack.
– Network performance can slow down.
– Unauthorized traffic can be tunneled or hidden as legitimate traffic through the firewall.

10. Which type of firewall makes use of a proxy server to connect to remote servers on behalf of clients?

stateful firewall
stateless firewall
packet filtering firewall
application gateway firewall

Explanation: An application gateway firewall, also called a proxy firewall, filters information at Layers 3, 4, 5, and 7 of the OSI model. It uses a proxy server to connect to remote servers on behalf of clients. Remote servers will see only a connection from the proxy server, not from the individual clients.

11. How does a firewall handle traffic when it is originating from the public network and traveling to the private network?

Traffic that is originating from the public network is not inspected when traveling to the private network.
Traffic that is originating from the public network is usually blocked when traveling to the private network.
Traffic that is originating from the public network is usually permitted with little or no restrictions when traveling to the private network.
Traffic that is originating from the public network is selectively permitted when traveling to the private network.

Explanation: When traffic originates from the public network it will usually be blocked when traveling to the private network. Traffic that originates from the private network is permitted and inspected on its way to the public network, and the return traffic belonging to those sessions is selectively allowed back in.

12. Which two statements describe the two configuration models for Cisco IOS firewalls? (Choose two.)

ZPF must be enabled in the router configuration before enabling an IOS Classic Firewall.
The IOS Classic Firewall and ZPF cannot be combined on a single interface.
IOS Classic Firewalls and ZPF models can be enabled on a router concurrently.
Both IOS Classic Firewall and ZPF models require ACLs to define traffic filtering policies.
IOS Classic Firewalls must be enabled in the router configuration before enabling ZPF.

Explanation: There are two configuration models for Cisco IOS Firewalls, IOS Classic Firewalls and zone-based policy firewalls (ZPF). Both configuration models can be enabled concurrently on a router but they cannot be combined on a single interface. One benefit of using ZPF is that ZPF is not dependent on ACLs.

13. Designing a ZPF requires several steps. Which step involves dictating the number of devices between most-secure and least-secure zones and determining redundant devices?

determine the zones
design the physical infrastructure
establish policies between zones
identify subsets within zones and merge traffic requirements

Explanation: Designing ZPFs involves several steps:

Step 1. Determine the zones – The administrator focuses on the separation of the network into zones. Zones establish the security borders of a network.

Step 2. Establish policies between zones – For each pair of “source-destination” zones, define the sessions that clients in the source zones can request from servers in destination zones.

Step 3. Design the physical infrastructure – After the zones have been identified, and the traffic requirements between them documented, the administrator must design the physical infrastructure. This includes dictating the number of devices between most-secure and least-secure zones and determining redundant devices.

Step 4. Identify subsets within zones and merge traffic requirements – For each firewall device in the design, the administrator must identify zone subsets that are connected to its interfaces and merge the traffic requirements for those zones.

14. When a Cisco IOS zone-based policy firewall is being configured, which three actions can be applied to a traffic class? (Choose three.)

pass
shape
reroute
queue
inspect
drop

Explanation: The inspect action (the CCP action of the same name) is similar to the classic firewall ip inspect command in that it inspects traffic going through the firewall and allows return traffic that is part of the same flow to pass back through the firewall. The drop action is similar to the deny parameter in an ACL: it drops whatever traffic fits the defined policy. The pass action is similar to a permit ACL statement: traffic is allowed through because it met the criteria of the defined policy, but no session state is created, so return traffic has to be permitted by its own rule in the opposite direction.

15. When using Cisco IOS zone-based policy firewall, where is the inspection policy applied?

to a global service policy
to a zone
to an interface
to a zone pair

Explanation: After configuring the firewall policy, apply the policy to traffic that would flow between a pair of zones. Use the zone-pair security command in global configuration mode.

16. What is the first step in configuring a Cisco IOS zone-based policy firewall via the CLI?

Define traffic classes.
Assign router interfaces to zones.
Define firewall policies.
Assign policy maps to zone pairs.
Create zones.

Explanation: The steps for configuring a Cisco IOS zone-based policy firewall are as follows:
1. Create zones.
2. Define traffic classes.
3. Define firewall policies.
4. Apply policy maps to zone pairs.
5. Assign router interfaces to zones.

Interfaces are assigned to zones last on purpose: as soon as an interface becomes a zone member, traffic between it and interfaces in other zones is dropped until a zone-pair policy permits it, so building the policy first avoids a self-inflicted outage on a production router.

17. What is one benefit of using a stateful firewall instead of a proxy server?

ability to perform user authentication
better performance
ability to perform packet filtering
prevention of Layer 7 attacks

Explanation: A stateful firewall performs better than a proxy server. A stateful firewall cannot authenticate users or prevent Layer 7 attacks. Both a stateful firewall and a proxy server can filter packets.

18. Which statement describes a typical security policy for a DMZ firewall configuration?

Traffic that originates from the DMZ interface is selectively permitted to the outside interface.
Return traffic from the inside that is associated with traffic originating from the outside is permitted to traverse from the inside interface to the outside interface.
Return traffic from the outside that is associated with traffic originating from the inside is permitted to traverse from the outside interface to the DMZ interface.
Traffic that originates from the inside interface is generally blocked entirely or very selectively permitted to the outside interface.
Traffic that originates from the outside interface is permitted to traverse the firewall to the inside interface with few or no restrictions.

Explanation: With a three interface firewall design that has internal, external, and DMZ connections, typical configurations include the following:

Traffic originating from the DMZ destined for the internal network is normally blocked.
Traffic originating from the DMZ destined for external networks is typically permitted based on what services are being used in the DMZ.
Traffic originating from the internal network destined for the DMZ is normally inspected and allowed to return.
Traffic originating from external networks (the public network) is typically allowed into the DMZ only for specific services.

19. What is one limitation of a stateful firewall?

weak user authentication
cannot filter unnecessary traffic
not as effective with UDP- or ICMP-based traffic
poor log information

Explanation: Limitations of stateful firewalls include the following:

Stateful firewalls cannot prevent application layer attacks.
Protocols such as UDP and ICMP are not stateful and do not generate the information needed for a state table.
An entire range of ports must sometimes be opened in order to support specific applications that open multiple ports.
Stateful firewalls lack user authentication.

20. Which statement describes Cisco IOS Zone-Based Policy Firewall operation?

The pass action works in only one direction.
Router management interfaces must be manually assigned to the self zone.
A router interface can belong to multiple zones.
Service policies are applied in interface configuration mode.

Explanation: The pass action allows traffic only in one direction. Interfaces automatically become members of the self zone. Interfaces are assigned to zones in interface configuration mode, but most configuration takes place in global configuration mode and associated submodes. Interfaces can belong to only one zone at any time.

21. What is the result in the self zone if a router is the source or destination of traffic?

No traffic is permitted.
All traffic is permitted.
Only traffic that originates in the router is permitted.
Only traffic that is destined for the router is permitted.

Explanation: All traffic is permitted in the self zone if the traffic originates from, or is destined for, the router.

22. What are two characteristics of ACLs? (Choose two.)

Extended ACLs can filter on destination TCP and UDP ports.
Standard ACLs can filter on source TCP and UDP ports.
Extended ACLs can filter on source and destination IP addresses.
Standard ACLs can filter on source and destination IP addresses.
Standard ACLs can filter on source and destination TCP and UDP ports.

Explanation: Standard ACLs can only filter on source addresses. That is why they are normally placed closest to the destination. Extended ACLs can filter on source and destination IP addresses, port numbers, and specific message types within a particular protocol such as echo request within the ICMP protocol.

23. Which three statements describe ACL processing of packets? (Choose three.)

An implicit deny any rejects any packet that does not match any ACE.
A packet can either be rejected or forwarded as directed by the ACE that is matched.
A packet that has been denied by one ACE can be permitted by a subsequent ACE.
A packet that does not match the conditions of any ACE will be forwarded by default.
Each statement is checked only until a match is detected or until the end of the ACE list.
Each packet is compared to the conditions of every ACE in the ACL before a forwarding decision is made.

Explanation: When a packet comes into a router that has an ACL configured on the interface, the router compares the packet against each ACE in order to determine whether the defined criteria have been met. If met, the router takes the action defined in that ACE (allows the packet through or discards it) and stops processing the list, so a packet denied by one ACE is never reconsidered by a later one. If the criteria have not been met, the router proceeds to the next ACE. An implicit deny any statement is at the end of every ACL, standard or extended, so a packet that matches no ACE is discarded rather than forwarded.

24. A network administrator configures an ACL with the command R1(config)# access-list 1 permit 172.16.0.0 0.0.15.255. Which two IP addresses will match this ACL statement? (Choose two.)

172.16.0.255
172.16.15.36
172.16.16.12
172.16.31.24
172.16.65.21

Explanation: The wildcard mask indicates that any IP address within the range of 172.16.0.0 to 172.16.15.255 matches.

25. What single access list statement matches all of the following networks?

192.168.16.0
192.168.17.0
192.168.18.0
192.168.19.0

access-list 10 permit 192.168.16.0 0.0.3.255
access-list 10 permit 192.168.16.0 0.0.0.255
access-list 10 permit 192.168.16.0 0.0.15.255
access-list 10 permit 192.168.0.0 0.0.15.255

Explanation: The ACL statement access-list 10 permit 192.168.16.0 0.0.3.255 will match all four network prefixes. All four prefixes have the same 22 high order bits. These 22 high order bits are matched by the network prefix and wildcard mask of 192.168.16.0 0.0.3.255.

26. Which two characteristics are shared by both standard and extended ACLs? (Choose two.)

Both kinds of ACLs can filter based on protocol type.
Both can permit or deny specific services by port number.
Both include an implicit deny as a final statement.
Both filter packets for a specific destination host IP address.
Both can be created by using either a descriptive name or number.

Explanation: Standard ACLs filter traffic based solely on a specified source IP address. Extended ACLs can filter by source or destination, protocol, or port. Both standard and extended ACLs contain an implicit deny as a final statement. Standard and extended ACLs can be identified by either names or numbers.

27. Refer to the exhibit. What is the result of adding the established argument to the end of the ACE?

Any traffic is allowed to reach the 192.168.254.0 255.255.254.0 network.
Any IP traffic is allowed to reach the 192.168.254.0 255.255.254.0 network as long as it is in response to an originated request.
192.168.254.0 /23 traffic is allowed to reach any network.
Any TCP traffic is allowed to reach the 192.168.254.0 255.255.254.0 network if it is in response to an originated request.

Explanation: The established argument allows TCP return traffic from established connections to be sent out an interface toward a network. It applies only to TCP, and it matches segments that have the ACK or RST control bit set, which is what replies to a connection initiated from the protected side look like. The check is stateless: the router does not verify that a matching session exists, so a crafted ACK-only segment also passes this ACE. That is why the keyword is no substitute for stateful inspection or a ZPF inspect policy where those are available.

28. Which two keywords can be used in an access control list to replace a wildcard mask or address and wildcard mask pair? (Choose two.)

most
host
all
any
some
gt

Explanation: The host keyword is used when matching a specific device IP address in an ACL. For example, the deny host 192.168.5.5 command is the same as the deny 192.168.5.5 0.0.0.0 command. The any keyword matches every address. For example, the permit any command is the same as the permit 0.0.0.0 255.255.255.255 command.
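The wildcard-mask arithmetic in questions 24 and 25, the first-match and implicit-deny processing in question 23, and the established, host and any keywords in questions 27 and 28 can all be checked with a small evaluator. The following Python is an added example written for this page; it is not Cisco code and not taken from itexamanswers.net. The ACEs and packets in it are constructed, and its Packet/Ace model is a deliberate simplification (IPv4 only, eq as the only port operator, no logging, sequence numbers or remarks).

```python
"""Toy evaluator for Cisco-style IPv4 ACLs (added example, not Cisco code).

Models the rules described on this page: wildcard masks (0 bit = must match,
1 bit = ignored), the host/any shorthands, 'eq PORT', the TCP 'established'
keyword, first-match processing and the implicit 'deny any' at the end.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PROTOCOLS = {"ip", "tcp", "udp", "icmp"}
# Well-known port names accepted after 'eq' (a small subset of what IOS knows).
PORT_NAMES = {"telnet": 23, "www": 80, "snmp": 161, "snmptrap": 162, "domain": 53}
ANY = ("0.0.0.0", "255.255.255.255")   # what the 'any' keyword expands to


def ip_to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True when every address bit under a 0 wildcard bit equals the base."""
    care_bits = 0xFFFFFFFF ^ ip_to_int(wildcard)
    return (ip_to_int(addr) ^ ip_to_int(base)) & care_bits == 0


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()   # TCP control bits, e.g. {"SYN"} or {"ACK"}


@dataclass
class Ace:
    action: str                   # 'permit' or 'deny'
    proto: str                    # 'ip' matches every protocol
    src: Tuple[str, str]          # (base address, wildcard mask)
    dst: Tuple[str, str]
    sport: Optional[int] = None
    dport: Optional[int] = None
    established: bool = False

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if not (wildcard_match(pkt.src, *self.src) and wildcard_match(pkt.dst, *self.dst)):
            return False
        if self.sport is not None and pkt.sport != self.sport:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        # 'established' is stateless: it only checks for ACK or RST in the segment.
        if self.established and not (pkt.flags & {"ACK", "RST"}):
            return False
        return True


def _addr_spec(tokens: List[str]) -> Tuple[Tuple[str, str], List[str]]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' from the token list."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def _port_spec(tokens: List[str]) -> Tuple[Optional[int], List[str]]:
    """Consume an optional 'eq PORT' qualifier (number or known name)."""
    if tokens and tokens[0] == "eq":
        port = int(tokens[1]) if tokens[1].isdigit() else PORT_NAMES[tokens[1]]
        return port, tokens[2:]
    return None, tokens


def parse_ace(line: str) -> Ace:
    """Parse a standard ('permit 10.0.0.0 0.255.255.255') or extended
    ('deny tcp any host 172.16.1.5 eq telnet') ACE; 'access-list N' is skipped."""
    t = line.split()
    if t[0] == "access-list":
        t = t[2:]
    action, t = t[0], t[1:]
    if t[0] in PROTOCOLS:                      # extended: protocol, src, dst, ports
        proto, t = t[0], t[1:]
        src, t = _addr_spec(t)
        sport, t = _port_spec(t)
        dst, t = _addr_spec(t)
        dport, t = _port_spec(t)
        return Ace(action, proto, src, dst, sport, dport, "established" in t)
    src, _ = _addr_spec(t)                     # standard: source address only
    return Ace(action, "ip", src, ANY)


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """Walk the ACEs top-down; the first match decides, otherwise implicit deny."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action
    return "deny"


if __name__ == "__main__":
    # Constructed check of question 24's ACL against its five candidate addresses.
    acl_1 = [parse_ace("access-list 1 permit 172.16.0.0 0.0.15.255")]
    for host in ("172.16.0.255", "172.16.15.36", "172.16.16.12", "172.16.31.24", "172.16.65.21"):
        print(host, evaluate(acl_1, Packet(src=host, dst="10.0.0.1")))
```

Feeding the ACE from question 27 a SYN and an ACK-only segment to the same destination shows the established behaviour directly: the SYN is dropped by the implicit deny while the ACK matches, whether or not a real session exists.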

29. If the provided ACEs are in the same ACL, which ACE should be listed first in the ACL according to best practice?

permit ip any any
permit udp 172.16.0.0 0.0.255.255 host 172.16.1.5 eq snmptrap
permit tcp 172.16.0.0 0.0.3.255 any established
permit udp any any range 10000 20000
deny udp any host 172.16.1.5 eq snmptrap
deny tcp any any eq telnet

Explanation: A best practice for configuring an extended ACL is to ensure that the most specific ACE is placed higher in the ACL. Consider the two permit UDP statements. If both of these were in an ACL, the SNMP ACE is more specific than the UDP statement that permits a range of 10,001 UDP port numbers. The SNMP ACE would be entered before the other UDP ACE. The ACEs from most specific to least specific are as follows:

permit udp 172.16.0.0 0.0.255.255 host 172.16.1.5 eq snmptrap
deny udp any host 172.16.1.5 eq snmptrap
permit tcp 172.16.0.0 0.0.3.255 any established
deny tcp any any eq telnet
permit udp any any range 10000 20000
permit ip any any

30. To facilitate the troubleshooting process, which inbound ICMP message should be permitted on an outside interface?

echo request
echo reply
time-stamp request
time-stamp reply
router advertisement

Explanation: By allowing the ICMP echo reply message inbound to the organization, internal users are allowed to ping external addresses (and the reply message allowed to return). Inbound echo requests, by contrast, are normally denied so that outside hosts cannot ping-sweep the internal network.

31. A security specialist designs an ACL to deny access to a web server from all sales staff. The sales staff are assigned addressing from the IPv6 subnet 2001:db8:48:2c::/64. The web server is assigned the address 2001:db8:48:1c::50/64. Configuring the WebFilter ACL on the LAN interface for the sales staff will require which three commands? (Choose three.)

permit tcp any host 2001:db8:48:1c::50 eq 80
deny tcp host 2001:db8:48:1c::50 any eq 80
deny tcp any host 2001:db8:48:1c::50 eq 80
permit ipv6 any any
deny ipv6 any any
ip access-group WebFilter in
ipv6 traffic-filter WebFilter in

Explanation: The ACL requires an ACE denying HTTP (TCP port 80) access from all users on the sales LAN to the web server at 2001:db8:48:1c::50. Because the list is applied inbound on the sales interface, the source is the sales staff and the destination is the server, so the ACE is deny tcp any host 2001:db8:48:1c::50 eq 80. The IPv6 ACL also has an implicit deny, so a permit ipv6 any any statement is required to allow all other traffic. With IPv6, the ipv6 traffic-filter command is used to bind the ACL to the interface.

32. What are two characteristics of a stateful firewall? (Choose two.)

uses static packet filtering techniques
uses connection information maintained in a state table
analyzes traffic at Layers 3, 4 and 5 of the OSI model
uses complex ACLs which can be difficult to configure
prevents Layer 7 attacks

Explanation: Stateful firewalls are the most versatile and the most common firewall technologies in use. Stateful firewalls provide stateful packet filtering by using connection information maintained in a state table. Stateful filtering is a firewall architecture that is classified at the network layer. It also analyzes traffic at OSI Layers 4 and 5. Stateful firewalls cannot prevent application layer attacks because they do not examine the actual contents of an HTTP connection.

33. What are two differences between stateful and stateless firewalls? (Choose two.)

A stateless firewall is able to filter sessions that use dynamic port negotiations while a stateful firewall cannot.
A stateless firewall will examine each packet individually while a stateful firewall observes the state of a connection.
A stateless firewall will provide more logging information than a stateful firewall.
A stateful firewall will prevent spoofing by determining whether packets belong to an existing connection while a stateless firewall follows pre-configured rule sets.
A stateless firewall provides more stringent control over security than a stateful firewall.

Explanation: There are many differences between a stateless and stateful firewall.

Stateless firewalls:

are susceptible to IP spoofing
do not reliably filter fragmented packets
use complex ACLs, which can be difficult to implement and maintain
cannot dynamically filter certain services
examine each packet individually rather than in the context of the state of a connection

Stateful firewalls:

are often used as a primary means of defense by filtering unwanted, unnecessary, or undesirable traffic
strengthen packet filtering by providing more stringent control over security
improve performance over packet filters or proxy servers
defend against spoofing and DoS attacks by determining whether packets belong to an existing connection or are from an unauthorized source
provide more log information than a packet filtering firewall

34. When implementing a ZPF, what is the default security setting when forwarding traffic between two interfaces in the same zone?

Traffic between interfaces in the same zone is selectively forwarded based on Layer 3 information.
Traffic between interfaces in the same zone is not subject to any policy and passes freely.
Traffic between interfaces in the same zone is blocked.
Traffic between interfaces in the same zone is selectively forwarded based on the default policy restrictions.

Explanation: A zone-based policy firewall uses the concept of zones to specify where firewall rules and policies should be applied. By default, the traffic between interfaces that exist in the same zone is not subject to any policy and passes freely.

35. Which two rules about interfaces are valid when implementing a Zone-Based Policy Firewall? (Choose two.)

If neither interface is a zone member, then the action is to pass traffic.
If one interface is a zone member, but the other is not, all traffic will be passed.
If both interfaces belong to the same zone-pair and a policy exists, all traffic will be passed.
If both interfaces are members of the same zone, all traffic will be passed.
If one interface is a zone member and a zone-pair exists, all traffic will be passed.

Explanation: The rules for traffic transiting through the router are as follows:

If neither interface is a zone member, then the resulting action is to pass the traffic.
If both interfaces are members of the same zone, then the resulting action is to pass the traffic.
If one interface is a zone member, but the other is not, then the resulting action is to drop the traffic regardless of whether a zone-pair exists.
If both interfaces belong to the same zone-pair and a policy exists, then the resulting action is inspect, pass, or drop as defined by the policy.
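The four transit rules above, together with the self-zone default from question 21 and the one-way nature of pass from question 20, are easy to get wrong in a design review. The following Python is an added example for this page, not Cisco code: the zone names, interface names and zone-pair actions in example_design() are constructed, and the model makes two assumptions that are Cisco IOS defaults but are not spelled out in the rules above: inter-zone traffic with no zone-pair is dropped, and a zone-pair's policy map is reduced to a single action (the real class-default behaviour is not modelled).

```python
"""Zone-Based Policy Firewall forwarding rules (added example, not Cisco code).

Encodes the transit rules listed on this page plus two IOS defaults assumed
here: traffic to or from the router (self zone) is permitted unless a
zone-pair involving self says otherwise, and inter-zone traffic with no
zone-pair is dropped. One action per zone-pair stands in for the policy map.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

SELF = "self"   # system-defined zone for traffic sourced by or destined to the router


@dataclass
class Zpf:
    members: Dict[str, str] = field(default_factory=dict)                # interface -> zone
    zone_pairs: Dict[Tuple[str, str], str] = field(default_factory=dict)  # (src, dst) -> action

    def zone_of(self, interface: str) -> Optional[str]:
        return self.members.get(interface)

    def transit_action(self, in_if: str, out_if: str) -> str:
        """Action for traffic entering in_if and leaving out_if."""
        src, dst = self.zone_of(in_if), self.zone_of(out_if)
        if src is None and dst is None:
            return "pass"       # neither interface is a zone member
        if src == dst:
            return "pass"       # same zone: not subject to any policy
        if src is None or dst is None:
            return "drop"       # one member, one non-member: dropped even if a zone-pair exists
        return self.zone_pairs.get((src, dst), "drop")   # zone-pair policy, else default drop

    def return_allowed(self, in_if: str, out_if: str) -> bool:
        """Can replies to an in_if -> out_if flow come back? Only 'inspect' keeps
        session state; 'pass' is one-way and needs an explicit reverse pass rule."""
        if self.transit_action(in_if, out_if) == "inspect":
            return True
        return self.transit_action(out_if, in_if) == "pass"

    def router_traffic_action(self, interface: str, direction: str) -> str:
        """Traffic destined to ('to_router') or sourced from ('from_router') the
        router itself. Every interface is implicitly in the self zone for this
        purpose; nothing is assigned to self manually."""
        zone = self.zone_of(interface)
        if zone is None:
            return "pass"
        pair = (zone, SELF) if direction == "to_router" else (SELF, zone)
        return self.zone_pairs.get(pair, "pass")


def example_design() -> Zpf:
    """Constructed three-zone design: inside/dmz/outside plus one unzoned port."""
    return Zpf(
        members={"Gi0/0": "inside", "Gi0/5": "inside", "Gi0/1": "dmz", "Gi0/2": "outside"},
        zone_pairs={
            ("inside", "outside"): "inspect",   # users out to the Internet, replies tracked
            ("inside", "dmz"): "inspect",
            ("outside", "dmz"): "inspect",      # published DMZ services
            ("dmz", "outside"): "pass",         # one-way: DMZ-initiated flows get no replies back
        },
    )


if __name__ == "__main__":
    z = example_design()
    for pair in (("Gi0/0", "Gi0/2"), ("Gi0/2", "Gi0/0"), ("Gi0/3", "Gi0/0"),
                 ("Gi0/3", "Gi0/4"), ("Gi0/0", "Gi0/5")):
        print(pair, z.transit_action(*pair), "replies:", z.return_allowed(*pair))
```

Running the design through transit_action() before configuring it catches the two classic mistakes: an unzoned interface that silently drops everything to its zoned neighbours, and a pass rule that is expected to behave like inspect.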
