Exam 300-101 topic 1 question 408 discussion

Actual exam question from Cisco's 300-101
Question #: 408
Topic #: 1

Which access list is used to filter upper layer protocol?

  • A. Extended ACL
  • B. Standard ACL
  • C. Reflexive ACL
  • D. Time-based ACL
  • E. Dynamic ACL
Suggested Answer: A
Explanation:
Remember the three Ps: per protocol, per direction, and per interface.
  • One ACL per protocol: to control traffic flow on an interface, an ACL must be defined for each protocol enabled on the interface (for example IP, IPX, AppleTalk).
  • One ACL per direction: ACLs control traffic in one direction at a time on an interface. You must create two separate ACLs to control traffic in both inbound and outbound connections.
  • One ACL per interface: ACLs control traffic for an interface such as Fast Ethernet.

Dynamic ACLs -
Dynamic or lock-and-key ACLs are available for Internet Protocol traffic only. Dynamic ACLs start with the application of an extended ACL to block traffic through the router.
Common reasons to use Dynamic ACLs are:
  • When you want a specific remote user or group of remote users to access a host within your network.
  • Connecting to the outside of your network (Internet). Lock-and-key authenticates the user and then permits limited access through your firewall router.
  • You want a subset of hosts on a local network to access a host on a remote network that is protected by a firewall.
Lock-and-key requires users to authenticate through an AAA, TACACS server or other security server before it allows access.

Reflexive ACLs -
Reflexive ACLs allow IP packets to be filtered based on upper-layer session information. They are generally used to allow outbound traffic and to limit inbound traffic by using sessions that originate inside the router. When a router sees a new outbound connection, it adds an entry to a temporary ACL to allow replies back into the network. Reflexive ACLs can be defined only with an extended named IP ACL. They cannot be defined with numbered or standard named ACLs or with other protocols.
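
The mechanism described above, as an added Cisco IOS configuration example that is not part of the original explanation. The ACL names, the interface and the timeout values are assumptions chosen for illustration.

```cisco
! Constructed example: names, interface and timeouts are assumptions.
! Outbound list: an extended named ACL matching upper-layer protocols.
! "reflect" adds a temporary mirrored entry for each new outbound session.
ip access-list extended OUTBOUND
 permit tcp any any reflect SESSIONS timeout 300
 permit udp any any reflect SESSIONS timeout 60
 permit icmp any any reflect SESSIONS
!
! Inbound list: "evaluate" nests the temporary entries here. Replies to
! sessions opened from inside match them; anything else falls through
! to the explicit deny and is logged.
ip access-list extended INBOUND
 evaluate SESSIONS
 deny ip any any log
!
interface GigabitEthernet0/1
 description Outside interface (assumed)
 ip access-group OUTBOUND out
 ip access-group INBOUND in
```

While sessions are active, `show access-lists` lists the temporary entries under the reflexive list name.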

Time-Based ACLs -
Time-Based ACLs are like extended ACLs in function, but they allow access control based on time. To use time-based ACLs, you create a time range that defines specific times of the day and days of the week. You identify the time range with a name and then refer to it by a function. The time range relies on the router system clock. This feature works with NTP (Network Time Protocol) synchronization, but the router clock can also be used.
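
A time range defined by name and then referenced from an extended ACL entry, as an added Cisco IOS configuration example that is not part of the original explanation. The names, addresses, NTP server and interface are assumptions.

```cisco
! Constructed example: names, addresses and NTP server are assumptions.
! The time range is checked against the router system clock, so the
! clock is synchronized with NTP here.
ntp server 192.0.2.10
!
time-range BUSINESS-HOURS
 periodic weekdays 8:00 to 17:00
!
! The permit entry is active only while BUSINESS-HOURS is in effect;
! outside that window the traffic reaches the deny entry.
ip access-list extended LAN-IN
 permit tcp 10.0.0.0 0.0.0.255 any eq 443 time-range BUSINESS-HOURS
 deny ip any any log
!
interface GigabitEthernet0/0
 description Inside LAN (assumed)
 ip access-group LAN-IN in
```

`show time-range` reports whether the range is currently active, which is the first thing to check when a time-based entry does not match as expected.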

Numbered ACL -
You can assign a number based on whether your ACL is standard or extended:
  • 1 to 99 and 1300 to 1999 are Standard IP ACL
  • 100 to 199 and 2000 to 2699 are Extended IP ACL
  • You cannot add or delete entries within the ACL (you have to totally delete the ACL in order to edit it)

Named ACL -
You can assign names to the ACL instead of numbers.
  • Names can contain alphanumeric characters
  • Recommended to type the name in all CAPITAL LETTERS
  • Names cannot contain spaces or punctuation and must begin with an alphabetic character
  • You can add or delete entries within the ACL
  • You can specify whether the ACL is standard or extended

Comments

CraigB83
4 years, 1 month ago
I think C is the best answer. Reflexive Access Lists: Reflexive access lists provide filtering on upper-layer IP protocol sessions. They contain temporary entries that are automatically created when a new IP session begins. They are nested within extended, named IP access lists that are applied to an interface. Reflexive access lists are typically configured on border routers, which pass traffic between an internal and external network. These are often firewall routers. Reflexive access lists do not end with an implicit deny statement because they are nested within an access list and the subsequent statements need to be examined. cisco.com/en/US/docs/ios-xml/ios/sec_data_acl/configuration/15-1s/sec-access-list-ov.html
upvoted 1 times
...
Bastex
5 years, 2 months ago
A is correct. We are asked about just filtering upper layer protocol, not "based on upper-layer SESSION information".
upvoted 4 times
...
routeweaver
5 years, 6 months ago
I agree with james
upvoted 1 times
...
james
5 years, 6 months ago
Answer should be Reflexive ACL - it even says it in the explanation.
upvoted 1 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other