
4. ACCESS LIST SIM 3

Questions: 200-120.examcollection.premium.exam.316q, QUESTION 252~254

Reference: 후티의 스마트프한 세상이야기

I followed Hooti's explanation and added notes on the parts I did not know myself.

Q. An administrator is trying to ping and telnet from SwitchC to
RouterC with the results shown below.

SwitchC>
SwitchC> ping 10.4.4.3
Type escape sequence to abort
Sending 5, 100-byte ICMP Echos to 10.4.4.3, timeout is 2 seconds
U.U.U
success rate is 0 percent (0/5)
SwitchC>
SwitchC> telnet 10.4.4.3
Trying 10.4.4.3
% Destination unreachable; gateway or host down
SwitchC>

Click the console connected to RouterC and issue appropriate
commands to answer the question.

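First, here is what the question says.
The administrator is trying to ping and telnet from SwitchC to RouterC, with the following results.
SwitchC> .....
success rate is 0 percent
telnet 10.4.4.3
Trying 10.4.4.3..
Destination unreachable; gateway or host down
....
Select the console connected to RouterC and the commands that answer the question.
In other words, ping is currently failing, so the task is to make ping work.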


1. Which will fix the issue and allow ONLY ping to work while keeping telnet disabled?
A. Correctly assign an IP address to interface fa0/1.
B. Change the ip access-group command on fa0/0 from "in" to "out".
C. Remove access-group 106 in from interface fa0/0 and add access-group 115 in.
D. Remove access-group 102 out from interface s0/0/0 and add access-group 114 in.
E. Remove access-group 106 in from interface fa0/0 and add access-group 104 in. (O)

Which change allows only ping to work while telnet stays disabled?

1)
RouterC>enable

RouterC#show running-config

2)
Fa0/0
ip access-group 106 in
access-list 106 permit tcp any any eq ftp
access-list 106 deny tcp any any eq telnet

access-list 106 permit icmp any any echo-reply

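FTP is permitted; telnet and ping are blocked. (ACL 106 permits only ICMP echo-reply, so the echo requests sent by SwitchC match no permit entry and hit the implicit deny.)

To allow ping, an entry with any any echo has to be applied: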
access-list 104 permit icmp any any echo

Remove access-group 106 in from interface fa0/0 and add access-group 104 in.

2. What would be the effect of issuing the command ip access-group 114 in to the fa0/0 interface?
A. Attempts to telnet to the router would fail.
B. It would allow all traffic from the 10.4.4.0 network.  (O)
C. IP traffic would be passed through the interface but TCP and UDP traffic would not.
D. Routing protocol updates for the 10.4.4.0 network would not be accepted from the fa0/0 interface.

What is the result of applying the command ip access-group 114 in to fa0/0?
access-list 114 permit ip 10.4.4.0 0.0.0.255 any
permit ip <source> <destination = any>: traffic from the given source is permitted to any destination.

3. What would be the effect of issuing the command ip access-group 115 in on the s0/0/1 interface?
A. No host could connect to RouterC through s0/0/1. (O)
B. Telnet and ping would work but routing updates would fail.
C. FTP, FTP-DATA, echo, and www would work but telnet would fail.
D. Only traffic from the 10.4.4.0 network would pass through the interface.

What is the result of applying ip access-group 115 in to the s0/0/1 interface?
- ACL configuration on s0/0/1

interface Serial0/0/1
bandwidth 64
ip address 10.45.45.1 255.255.255.0
ip ospf authentication
ip ospf authentication-key san-fran
ip access-group 102 in  --- ACL 102 is already applied.
ipv6 address 2001:410:2:10::/64 eui-64
clock rate 2000000

shutdown

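An interface can have only one ACL applied per direction.
Applying 115 in therefore overlaps with the 102 in that is already configured (the new ACL replaces it).

access-list 115 permit ip 0.0.0.0 255.255.255.0 any: permits traffic to any destination, matched against source 0.0.0.0. With wildcard 255.255.255.0 the first three octets are ignored and the last octet must be 0, so only source addresses ending in .0 match; every ordinary host address falls through to the implicit deny.
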
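The three answers above all follow from the same two rules: wildcard-mask matching and first-match-wins with an implicit deny. The following Python sketch is an added example, not part of the original post; it models only the ACL entries quoted on this page (ACL 104 with just its one quoted line), and the source address 10.4.4.20 standing in for SwitchC is a constructed value.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 1 bit means 'ignore', a 0 bit means 'must equal base'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

ANY = ("0.0.0.0", "255.255.255.255")
PORTS = {"ftp": 21, "telnet": 23}

# (action, protocol, (source base, source wildcard), qualifier)
# qualifier: TCP destination port name, ICMP message type, or None.
# The destination is "any" in every entry on the page, so it is not modelled.
ACLS = {
    106: [("permit", "tcp", ANY, "ftp"),
          ("deny", "tcp", ANY, "telnet"),
          ("permit", "icmp", ANY, "echo-reply")],
    104: [("permit", "icmp", ANY, "echo")],  # only the entry quoted on the page
    114: [("permit", "ip", ("10.4.4.0", "0.0.0.255"), None)],
    115: [("permit", "ip", ("0.0.0.0", "255.255.255.0"), None)],
}

def evaluate(acl, proto, src, detail=None):
    """Return the action of the first matching entry; no match means implicit deny."""
    for action, e_proto, (base, wc), qual in ACLS[acl]:
        if e_proto not in ("ip", proto):
            continue  # "ip" entries match every protocol
        if not wildcard_match(src, base, wc):
            continue
        if qual is not None and PORTS.get(qual, qual) != detail:
            continue
        return action
    return "deny"

if __name__ == "__main__":
    src = "10.4.4.20"  # constructed address standing in for SwitchC
    for acl in (106, 104, 114, 115):
        print(acl,
              "ping:", evaluate(acl, "icmp", src, "echo"),
              "telnet:", evaluate(acl, "tcp", src, 23))
```

Running it shows ACL 106 denying both ping and telnet, 104 permitting ping only, 114 permitting everything from 10.4.4.0/24, and 115 denying any source whose last octet is not 0.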