Sunday, January 29, 2012

EIGRP SIM (New)

LAB: EIGRP
Question#
After adding the RTR_2 router, no routing updates are being exchanged between RTR_1 and the new location. All other interconnectivity and internet access for the existing locations of the company are working properly.

The task is to identify the fault(s) and correct the router configuration to provide full connectivity between the routers.

Access to the router CLI can be gained by clicking on the appropriate host.
All passwords on all routers are cisco.
IP addresses are listed in the chart below.




RTR_A#show run
!
!
interface FastEthernet0/0
ip address 192.168.60.97 255.255.255.240
!
interface FastEthernet0/1
ip address 192.168.60.113 255.255.255.240
!
interface Serial0/0
ip address 192.168.36.14 255.255.255.252
clockrate 64000
!

router eigrp 212
network 192.168.36.0
network 192.168.60.0
no auto-summary
!

RTR_A#show ip route
192.168.36.0/30 is subnetted, 1 subnets
C 192.168.36.12 is directly connected, Serial 0/0
192.168.60.0/24 is variably subnetted, 5 subnets, 2 masks
C 192.168.60.96/28 is directly connected, FastEthernet0/0
C 192.168.60.112/28 is directly connected, FastEthernet0/1
D 192.168.60.128/28 [ 90/21026560 ] via 192.168.36.13, 00:00:57, Serial 0/0
D 192.168.60.144/28 [ 90/21026560 ] via 192.168.36.13, 00:00:57, Serial 0/0
D 192.168.60.24/30 [ 90/21026560 ] via 192.168.36.13, 00:00:57, Serial 0/0
D* 198.0.18.0 [ 90/21026560 ] via 192.168.36.13, 00:00:57, Serial 0/0

********************************************************************************

RTR_2#show run
!
!
interface FastEthernet0/0
ip address 192.168.77.34 255.255.255.252
!
interface FastEthernet0/1
ip address 192.168.60.65 255.255.255.240
!
interface FastEthernet1/0
ip address 192.168.60.81 255.255.255.240
!
!

router eigrp 22
network 192.168.77.0
network 192.168.60.0
no auto-summary
!

RTR_2#show ip route
192.168.60.0/28 is variably subnetted, 2 subnets
C 192.168.60.80 is directly connected, FastEthernet1/0
C 192.168.60.64 is directly connected, FastEthernet0/1
192.168.77.0/30 is subnetted, 1 subnets
C 192.168.77.32 is directly connected, FastEthernet0/0

**********************************************************

RTR_B#show run
!
interface FastEthernet0/0
ip address 192.168.60.129 255.255.255.240
!
interface FastEthernet0/1
ip address 192.168.60.145 255.255.255.240
!
interface Serial0/1
ip address 192.168.60.26 255.255.255.252

!

router eigrp 212
network 192.168.60.0
!

RTR_B#show ip route
192.168.60.0/24 is variably subnetted, 5 subnets, 2 masks
C 192.168.60.24/30 is directly connected, Serial0/1
C 192.168.60.128/28 is directly connected, FastEthernet0/0
C 192.168.60.144/28 is directly connected, FastEthernet0/1
D 192.168.60.96/28 [ 90/21026560 ] via 192.168.60.25, 00:00:57, Serial 0/1
D 192.168.60.112/28 [ 90/21026560 ] via 192.168.60.25, 00:00:57, Serial 0/1
192.168.36.0/30 is subnetted, 1 subnets
D 192.168.36.12 [ 90/21026560 ] via 192.168.60.25, 00:00:57, Serial 0/1
D* 198.0.18.0 [ 90/21026560 ] via 192.168.60.25, 00:00:57, Serial 0/1

**************************************************************************


RTR_1#show run
!
!
interface FastEthernet0/0
ip address 192.168.77.33 255.255.255.252
!
interface Serial1/0
ip address 198.0.18.6 255.255.255.0
!
!
interface Serial0/0
ip address 192.168.36.13 255.255.255.252
clockrate 64000
!
interface Serial0/1
ip address 192.168.60.25 255.255.255.252
clockrate 64000
!
!

router eigrp 212
network 192.168.36.0
network 192.168.60.0
network 192.168.85.0
network 198.0.18.0
no auto-summary

ip classless
ip default-network 198.0.18.0
ip route 0.0.0.0 0.0.0.0 198.0.18.5
ip http server

RTR_1#show ip route
192.168.36.0/30 is subnetted, 1 subnets
C 192.168.36.12 is directly connected, Serial 0/0
192.168.60.0/24 is variably subnetted, 5 subnets, 2 masks
C 192.168.60.24/30 is directly connected, Serial0/1

D 192.168.60.128/28 [ 90/21026560 ] via 192.168.60.26, 00:00:57, Serial 0/1
D 192.168.60.144/28 [ 90/21026560 ] via 192.168.60.26, 00:00:57, Serial 0/1 
D 192.168.60.96/28 [ 90/21026560 ] via 192.168.36.14, 00:00:57, Serial 0/0
192.168.77.0/30 is subnetted, 1 subnets
C 192.168.77.32 is directly connected, FastEthernet0/0
C 192.0.18.0/24 is directly connected, Serial 1/0
*S 0.0.0.0 via 198.0.18.5


Explanation:

Step1:
Identify the faults in the configuration on RTR_1 and RTR_2. The SIM specifies that all other interconnectivity and internet access for the existing locations of the company are working properly.

The routing protocol used in the SIM is EIGRP with AS 212, as shown in the exhibit.
Faults identified:

  1. Wrong AS (EIGRP 22) configured on RTR_2 (the new router)
  2. RTR_1 does not advertise the new network between RTR_1 and RTR_2 into EIGRP.
We need to correct both configuration mistakes to restore full connectivity.
Step 2: Correcting the EIGRP AS to 212
Wrong AS (EIGRP 22) configured on RTR_2 (the new router)
All routers that want to exchange routes within EIGRP need to be in the same autonomous system.

Step 2.1:
First we need to remove the current wrong EIGRP AS 22 from Router RTR_2
Click on Host-F to get CLI of RTR_2

RTR_2>enable
Password: cisco (provided by the SIM question)
RTR_2#conf t
RTR_2(config)#
Step 2.2:
Removing the wrong EIGRP routing process with AS 22
RTR_2(config)#no router eigrp 22
The above statement removes all of the EIGRP configuration for AS 22.

Step 2.3:
Adding the correct EIGRP configuration
Start the EIGRP routing process with AS 212
RTR_2(config)#router eigrp 212
Step 2.4:
Advertise the directly connected networks into EIGRP on RTR_2

Fa 0/0 - 192.168.77.34
Fa 1/0 - 192.168.60.81
Fa 0/1 - 192.168.60.65

RTR_2(config-router)#network 192.168.60.0
RTR_2(config-router)#network 192.168.77.0
RTR_2(config-router)#no auto-summary
RTR_2(config-router)#end

Step 2.5:

Important: save the changes made to router RTR_2
RTR_2#copy run start

Step 3:



RTR_1 does not advertise the new network between RTR_1 and RTR_2 into EIGRP.
Click on Host-G to get the CLI of RTR_1
The network 192.168.77.0 is used between RTR_1 Fa0/0 and RTR_2 Fa0/0
This network needs to be advertised into the EIGRP routing process at RTR_1
RTR_1>enable
Password: cisco (provided by the SIM question)
RTR_1#conf t
RTR_1(config)#
Step 3.1:
Enter the EIGRP routing process for AS 212
RTR_1(config)#router eigrp 212

Step 3.2:
The network 192.168.77.0 is used between RTR_1 Fa0/0 and RTR_2 Fa0/0. Advertise this network into EIGRP
RTR_1(config-router)#network 192.168.77.0
RTR_1(config-router)#end

Step 3.3:
Important: save the changes made to router RTR_1
RTR_1#copy run start

Verification:

From RTR_2 CLI
ping RTR_1 Serial 1/0 IP address 198.0.18.6
RTR_2#ping 198.0.18.6
!!!!!
A successful ping shows the new RTR_2 will have full connectivity with other routers.
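
The two faults can also be found mechanically from the configurations. The Python sketch below is an added example, not part of the original lab: it parses the show run excerpts quoted above and flags every interface on a shared link that does not run EIGRP in the expected AS. The function names and the finding labels ("wrong-as", "not-advertised") are assumptions made for this illustration.

```python
import ipaddress
import re

# Trimmed from the page's "show run" output for the two routers on the new link.
RTR_1 = """
interface FastEthernet0/0
 ip address 192.168.77.33 255.255.255.252
interface Serial0/0
 ip address 192.168.36.13 255.255.255.252
interface Serial0/1
 ip address 192.168.60.25 255.255.255.252
router eigrp 212
 network 192.168.36.0
 network 192.168.60.0
 network 192.168.85.0
 network 198.0.18.0
"""
RTR_2 = """
interface FastEthernet0/0
 ip address 192.168.77.34 255.255.255.252
interface FastEthernet0/1
 ip address 192.168.60.65 255.255.255.240
interface FastEthernet1/0
 ip address 192.168.60.81 255.255.255.240
router eigrp 22
 network 192.168.77.0
 network 192.168.60.0
"""

def classful(addr):
    """A network statement without a wildcard enables the whole classful network."""
    first = int(addr.split(".")[0])
    prefix = 8 if first < 128 else 16 if first < 192 else 24
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

def parse(config):
    """Return ({interface: IPv4Interface}, {eigrp_as: [IPv4Network, ...]})."""
    interfaces, eigrp, ifname, asn = {}, {}, None, None
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"interface (\S+)", line):
            ifname, asn = m.group(1), None
        elif m := re.match(r"router eigrp (\d+)", line):
            ifname, asn = None, int(m.group(1))
            eigrp.setdefault(asn, [])
        elif ifname and (m := re.match(r"ip address (\S+) (\S+)", line)):
            interfaces[ifname] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
        elif asn is not None and (m := re.match(r"network (\S+)$", line)):
            eigrp[asn].append(classful(m.group(1)))
    return interfaces, eigrp

def audit_link(routers, expected_as):
    """For every subnet shared by two routers, report each side that does not
    run EIGRP in expected_as on that interface."""
    parsed = {name: parse(cfg) for name, cfg in routers.items()}
    findings = []
    for name, (interfaces, eigrp) in parsed.items():
        for ifname, ip in interfaces.items():
            shared = any(ip.network == other_ip.network
                         for other, (other_ifs, _) in parsed.items() if other != name
                         for other_ip in other_ifs.values())
            if not shared:
                continue
            active = sorted(a for a, nets in eigrp.items() if any(ip.ip in n for n in nets))
            if expected_as not in active:
                kind = "wrong-as" if active else "not-advertised"
                findings.append((name, ifname, kind, active))
    return findings

if __name__ == "__main__":
    for finding in audit_link({"RTR_1": RTR_1, "RTR_2": RTR_2}, expected_as=212):
        print(finding)
```

Re-running the audit after applying Step 2 and Step 3 to the two configurations returns no findings.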

RIP V2 SIM (New)

LAB: RIP V2
Question#
Central Florida Widgets recently installed a new router in their office (NEW_RTR). Complete the network installation by performing the initial router configurations and configuring RIP V2 routing using the router Command Line Interface (CLI) on the NEW_RTR.

Configure the router per the following requirements:
1) Name of the router is NEW_RTR
2) Enable-secret password is cisco
3) The password to access user EXEC mode using the console is class
4) The password to allow telnet access to the router is class
5) IPV4 addresses must be configured as follows:
5.1) Ethernet network 209.165.202.128 /27 – Router has the last assignable host address in subnet.
5.2) Serial Network is 192.0.2.16 /28 - Router has the last assignable host address in subnet.
6) Interfaces should be enabled.
7) Router protocol is RIPv2



Explanation:
Step 1:
Click on the console host; you will get a pop-up screen with the CLI of the router.
Router>
Configure the new router as per the requirements provided in the lab question
Requirement 1:
Name of the router is NEW_RTR
Step2:
To change the hostname of the router to NEW_RTR follow the below steps
Router>
Router>enable
Router# configure terminal
Router (config)# hostname NEW_RTR
NEW_RTR(config)#


Requirement 2:
Enable-secret password is cisco
Step3:
To set the enable secret password to cisco use the following command
NEW_RTR(config)#enable secret cisco

Requirement 3:
The password to access user EXEC mode using the console is class
Step 4:

We need to configure line console 0 with the password class.
Also remember to type the login command after setting the password on line con 0, which allows the router to accept logins via the console.
NEW_RTR(config)# line con 0
NEW_RTR(config-line)#password class
NEW_RTR(config-line)#login
NEW_RTR(config-line)# exit
NEW_RTR(config)#


Requirement 4:
The password to allow telnet access to the router is class
Step 5:
To allow telnet access we need to configure the vty lines 0 4 with the password class.
Also remember to type the login command after setting the password on line vty 0 4, which allows the router to accept logins via telnet.
NEW_RTR(config)# line vty 0 4
NEW_RTR(config-line)#password class
NEW_RTR(config-line)#login
NEW_RTR(config-line)# exit
NEW_RTR(config)#


Requirement 5:
5.1) Ethernet network 209.165.202.128 /27 – Router has the last assignable host
address in subnet.
5.2) Serial Network is 192.0.2.16 /28 - Router has the last assignable host
address in subnet.

Step 6:
Ethernet network 209.165.202.128 /27 – Router has the last assignable host address in subnet.

Ethernet Interface on router NEW_RTR is Fast Ethernet 0/0 as per the exhibit
First we need to identify the subnet mask
Network: 209.165.202.128 /27
Subnet mask: /27: 27 bits = 8 + 8 + 8 + 3
=8(bits).8(bits).8(bits) .11100000 (3bits)
=255.255.255.11100000
=11100000 = 128+64+32+0+0+0+0+0
= 224
Subnet mask: 255.255.255.224

The subnets for the above subnet mask, with their valid first and last assignable host addresses, are:
Subnet network | Valid host address range | Broadcast address
209.165.202.0 | 209.165.202.1 - 209.165.202.30 | 209.165.202.31
209.165.202.32 | 209.165.202.33 - 209.165.202.62 | 209.165.202.63
209.165.202.64 | 209.165.202.65 - 209.165.202.94 | 209.165.202.95
209.165.202.96 | 209.165.202.97 - 209.165.202.126 | 209.165.202.127
209.165.202.128 | 209.165.202.129 - 209.165.202.158 | 209.165.202.159
209.165.202.160 | 209.165.202.161 - 209.165.202.190 | 209.165.202.191
209.165.202.192 | 209.165.202.193 - 209.165.202.222 | 209.165.202.223
209.165.202.224 | 209.165.202.225 - 209.165.202.254 | 209.165.202.255
Use the above table for network 209.165.202.128 /27 to identify
First assignable host address: 209.165.202.129
Last assignable host address: 209.165.202.158
This is the IP address (209.165.202.158) that we need to configure on Fast Ethernet 0/0 of the router, using the subnet mask 255.255.255.224

NEW_RTR(config)#interface fa 0/0
NEW_RTR(config-if)#ip address 209.165.202.158 255.255.255.224

Requirement 6: 

To enable interfaces
Use no shutdown command to enable interfaces
NEW_RTR(config-if)#no shutdown
NEW_RTR(config-if)#exit

Step 7:
Serial Network is 192.0.2.16 /28 - Router has the last assignable host address in subnet.
Serial Interface on NEW_RTR is Serial 0/0/0 as per the exhibit
First we need to identify the subnet mask
Network: 192.0.2.16 /28
Subnet mask: /28: 28bits = 8bits+8bits+8bits+4bits
=8(bits).8(bits).8(bits) .11110000 (4bits)
=255.255.255.11110000
=11110000 = 128+64+32+16+0+0+0+0
= 240
Subnet mask: 255.255.255.240
The subnets for the above subnet mask, with their valid first and last assignable host addresses, are:
Subnet network | Valid host address range | Broadcast address
192.0.2.0 | 192.0.2.1 - 192.0.2.14 | 192.0.2.15
192.0.2.16 | 192.0.2.17 - 192.0.2.30 | 192.0.2.31
192.0.2.32 | 192.0.2.33 - 192.0.2.46 | 192.0.2.47
and so on ….

Use the above table for network 192.0.2.16 /28 to identify
First assignable host address: 192.0.2.17
Last assignable host address: 192.0.2.30

We need to configure the last assignable host address (192.0.2.30) on serial 0/0/0 using the subnet mask 255.255.255.240

NEW_RTR(config)#interface serial 0/0/0
NEW_RTR(config-if)#ip address 192.0.2.30 255.255.255.240


Requirement 6:
To enable interfaces
Use no shutdown command to enable interfaces
NEW_RTR(config-if)#no shutdown
NEW_RTR(config-if)#exit


Requirement 7:
Router protocol is RIPv2
Step 8:
We need to enable RIPv2 on the router and advertise its directly connected networks
NEW_RTR(config)#router rip
To enable the RIP v2 routing protocol on the router, use the command version 2
NEW_RTR(config-router)#version 2
Optional: no auto-summary (since the LAB networks are not discontiguous)
RIP v2 is classless and advertises routes including subnet masks, but it summarizes routes by default.
So the first thing to do when configuring RIP v2 is to turn off auto-summarization with the router command no auto-summary if you must perform routing between discontiguous subnets.

NEW_RTR(config-router)#no auto-summary
Advertise the serial 0/0/0 and Fast Ethernet 0/0 networks into RIP v2 using the network command

NEW_RTR(config-router)#network 192.0.2.16
NEW_RTR(config-router)#network 209.165.202.128
NEW_RTR(config-router)#end

Step 9:
Important: do not forget to save your running-config to startup-config
NEW_RTR# copy run start
Any questions are welcomed on above LAB...

Hotspot 2: Topology Question

640-802 CCNA Hotspot Topology Exhibit





Question 1: 
Note: host 172.30.4.4 is wrongly given in the question; the correct host must be 172.30.0.4



Answers: 702

Explanation:
The destination layer 2 address is a DLCI for the frame-relay network. The destination host address of the packet is 172.30.0.4, and the corresponding DLCI is 702.
This can be confirmed by looking at the show frame-relay map output, which shows the frame-relay map statements from each layer 3 address to its corresponding layer 2 address: IP 172.30.0.4 is mapped to DLCI 702.

Question 2:


Answers: frame-relay map ip 172.30.0.3 196 broadcast
Explanation:
The show frame-relay map command output above provides the dynamic mapping for S-AMER (.3; as per the topology the complete address is 172.30.0.3) to DLCI 196.
To create a static frame-relay map on the Dubai router to S-AMER we use the following command
Syntax: frame-relay map protocol protocol-address dlci [broadcast]
frame-relay map ip 172.30.0.3 196 broadcast
Question 3:
Answers: The serial connection to the MidEast branch office
Explanation:
From the partial running config provided for the Dubai router, we can identify which encapsulation type is configured on each interface
Interface serial 1/0: encapsulation frame-relay
Interface serial 1/2 and serial 1/3: both have encapsulation ppp
Interface serial 1/1: has no encapsulation configured, which means the default encapsulation (HDLC) has not been changed on this interface.
Serial 1/1 is the connection from the Dubai router to the MidEast branch office, and it uses the default encapsulation.
Question 4:
Answers: No password is required.
Explanation: The serial connection between the MidEast and Dubai routers uses the default WAN encapsulation of HDLC. Since HDLC requires no password to be set for connection establishment, "no password is required" is the correct answer.

Implement, verify, and troubleshoot NAT and ACLs

CCNA (640-802) exam topic Implement, verify, and troubleshoot NAT and ACLs in a medium-size Enterprise branch office network .

Question 1:
What are two reasons that a network administrator would use access lists? (Choose two.)
A:to control vty access into a router
B:to control broadcast traffic through a router
C:to filter traffic as it passes through a router
D:to filter traffic that originates from the router
E:to replace passwords as a line of defense against security incursions

Answers: A, C


Question 2:
Refer to the exhibit. The access list has been configured on the S0/0 interface of router RTB in the outbound direction. Which two packets, if routed to the interface, will be denied? (Choose two.)
access-list 101 deny tcp 192.168.15.32 0.0.0.15 any eq telnet
access-list 101 permit ip any any


A:source ip address: 192.168.15.5; destination port: 21
B:source ip address: 192.168.15.37; destination port: 21
C:source ip address: 192.168.15.41; destination port: 21
D:source ip address: 192.168.15.36; destination port: 23
E:source ip address: 192.168.15.46; destination port: 23
F:source ip address: 192.168.15.49; destination port: 23

Answers: D, E

Explanation:
access-list 101 deny tcp 192.168.15.32 0.0.0.15 any eq telnet
access-list 101 permit ip any any
The above two access-list statements are configured on the RTB router and applied in the outbound direction on the S0/0 interface.

The first ACL statement denies all telnet (port 23) connections from the source address range 192.168.15.32 - 192.168.15.47 to any destination host.

We need to find the two packets that will be denied when routed out of the S0/0 interface.
source ip address: 192.168.15.36; destination port: 23 matches the ACL statement, so this packet is denied.

source ip address: 192.168.15.46; destination port: 23 also matches the ACL statement, so this packet is denied.
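
The same result can be checked by evaluating all six options against the access list. The Python sketch below is an added example, not part of the original question: it applies wildcard matching, first-match-wins ordering and the implicit deny to options A-F. The page gives only source address and destination port, so TCP as the protocol and the destination address 203.0.113.10 are assumptions, as are the function names.

```python
import ipaddress

PORT_NAMES = {"ftp": 21, "telnet": 23, "smtp": 25, "www": 80}

# The access list from the question, as given on the page.
ACL_101 = [
    "access-list 101 deny tcp 192.168.15.32 0.0.0.15 any eq telnet",
    "access-list 101 permit ip any any",
]

# Options A-F from the question: (source address, destination port).
PACKETS = {
    "A": ("192.168.15.5", 21), "B": ("192.168.15.37", 21),
    "C": ("192.168.15.41", 21), "D": ("192.168.15.36", 23),
    "E": ("192.168.15.46", 23), "F": ("192.168.15.49", 23),
}

def wildcard_match(addr, base, wildcard):
    """True when addr equals base in every bit where the wildcard bit is 0."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0

def parse_ace(line):
    """Parse 'access-list N <action> <proto> <src> <dst> [eq <port>]'."""
    tokens = line.split()[2:]                 # drop "access-list <number>"
    action, proto, rest = tokens[0], tokens[1], tokens[2:]

    def take_address():
        first = rest.pop(0)
        if first == "any":
            return ("0.0.0.0", "255.255.255.255")
        if first == "host":
            return (rest.pop(0), "0.0.0.0")
        return (first, rest.pop(0))           # address followed by wildcard

    src, dst = take_address(), take_address()
    dport = None
    if rest[:1] == ["eq"]:
        dport = int(rest[1]) if rest[1].isdigit() else PORT_NAMES[rest[1]]
    return action, proto, src, dst, dport

def evaluate(acl, proto, src, dst, dport):
    """Return the action of the first matching entry; no match is the implicit deny."""
    for line in acl:
        action, ace_proto, ace_src, ace_dst, ace_port = parse_ace(line)
        if ace_proto not in ("ip", proto):
            continue
        if not wildcard_match(src, *ace_src) or not wildcard_match(dst, *ace_dst):
            continue
        if ace_port is not None and ace_port != dport:
            continue
        return action
    return "deny"

def denied_options(acl, dst="203.0.113.10"):
    """Labels of the question's packets that the given ACL denies."""
    return sorted(label for label, (src, port) in PACKETS.items()
                  if evaluate(acl, "tcp", src, dst, port) == "deny")

if __name__ == "__main__":
    print(denied_options(ACL_101))                   # options denied as configured
    print(denied_options(list(reversed(ACL_101))))   # permit first shadows the deny
```

With the two statements in reverse order, permit ip any any matches first and none of the six packets is denied, which is why statement order matters when reviewing an access list.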

Question 3:
Refer to the exhibit. Why would the network administrator configure RA in this manner?


A: to give students access to the Internet
B: to prevent students from accessing the command prompt of RA
C: to prevent administrators from accessing the console of RA
D: to give administrators access to the Internet
E: to prevent students from accessing the Internet
F: to prevent students from accessing the Admin network

Answers: B

Explanation:
The above configuration entered on RA by the administrator allows only Admin hosts (10.1.1.0) to access the RA command prompt using telnet. Because there is an implicit deny any statement at the end of access-list 2, everyone else (students) is prevented from accessing the command prompt of RA using telnet.

Question 4:
What is the function of the Cisco IOS command ip nat inside source static 10.1.1.5 172.35.16.5?
A: It creates a global address pool for all outside NAT transactions.
B: It establishes a dynamic address pool for an inside static address.
C: It creates dynamic source translations for all inside local PAT transactions.
D: It creates a one-to-one mapping between an inside local address and an inside global address.
E: It maps one inside source address to a range of outside global addresses.

Answers: D

Explanation:
This command creates a static NAT translation entry from the inside local address (10.1.1.5) to the inside global address (172.35.16.5).

Question 5:
What is the effect of the following access list condition?

access-list 101 permit ip 10.25.30.0 0.0.0.255 any

A: permit all packets matching the first three octets of the source address to all destinations
B: permit all packets matching the last octet of the destination address and accept all source addresses
C: permit all packets from the third subnet of the network address to all destinations
D: permit all packets matching the host bits in the source address to all destinations
E: permit all packets to destinations matching the first three octets in the destination address

Answers: A

Explanation:
The wildcard mask is 0.0.0.255; a 0 bit in a wildcard mask means that bit must match exactly.

So for the above access list, the wildcard mask specifies that the first three octets of the source address must match.

The destination address for the ACL is any, so it permits all packets that match the first three octets of the source address to all destinations

Question 6:
What does the "Inside Global" address represent in the configuration of NAT?

A: the summarized address for all of the internal subnetted addresses
B: the MAC address of the router used by inside hosts to connect to the Internet
C: a globally unique, private IP address assigned to a host on the inside network
D: a registered address that represents an inside host to an outside network

Answers: D

Explanation:
Inside global address— A legitimate IP address assigned by the NIC or service provider that represents one or more inside local IP addresses to the outside world.

Question 7:
What three pieces of information can be used in an extended access list to filter traffic? (Choose three.)

A:protocol
B:VLAN number
C:TCP or UDP port numbers
D:source switch port number
E:source IP address and destination IP address
F:source MAC address and destination MAC address

Answers: A, C, E

Question 8:
An access list was written with the four statements shown in the graphic. Which single access list statement will combine all four of these statements into a single statement that will have exactly the same effect?

A: access-list 10 permit 172.29.16.0 0.0.0.255
B: access-list 10 permit 172.29.16.0 0.0.1.255
C: access-list 10 permit 172.29.16.0 0.0.3.255
D: access-list 10 permit 172.29.16.0 0.0.15.255
E: access-list 10 permit 172.29.0.0 0.0.255.255

Answers: C

Explanation:
To combine all four ACL statements into one statement with the same effect, we need a new network that matches the networks of all four statements, and a new wildcard mask for that network.

New network for the ACL statement: an AND operation needs to be performed on all four statements.
AND operation: (AND: The output is true only when both inputs A and B are true.)

A - B = Output
0 - 0 = 0 ; 0 - 1 = 0 ; 1 - 0 = 0 ; 1 - 1 = 1
Following above AND operations procedure
172.29.16.0 = 10101100.00011101.00010000.00000000
172.29.17.0 = 10101100.00011101.00010001.00000000
172.29.18.0 = 10101100.00011101.00010010.00000000
172.29.19.0 = 10101100.00011101.00010011.00000000
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
172.29.16.0 = 10101100.00011101.00010000.00000000
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

new network after AND operation is 172.29.16.0

Now, to find the wildcard mask that matches all four networks, we need to perform XOR operations; every bit position in which the networks differ becomes a 1 in the wildcard mask.

XOR operation: (XOR: The output is true when either input A or B is true, but not if both A and B are true.)

A - B = Output
0 - 0 = 0 ; 0 - 1 = 1 ; 1 - 0 = 1 ; 1 - 1 = 0

Following the above XOR procedure
172.29.16.x = 10101100.00011101.00010000.x
172.29.17.x = 10101100.00011101.00010001.x
172.29.18.x = 10101100.00011101.00010010.x
172.29.19.x = 10101100.00011101.00010011.x
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
0.0.3.x = 00000000.00000000.00000011.x
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

Since we are only concerned with the first three octets, the last octet can be 255, so the new wildcard mask is 0.0.3.255

The complete single ACL statement, with the new network and wildcard mask that matches all four networks, is
access-list 10 permit 172.29.16.0 0.0.3.255
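
The AND/XOR procedure above, generalized as an added Python example that is not part of the original answer: it derives the combined network and wildcard and also checks that the combined statement matches exactly the same addresses as the originals, since a wildcard that is too wide silently permits extra networks. The 0.0.0.255 wildcard on each original statement is an assumption (the graphic is not reproduced on this page), and the function names are illustrative.

```python
from functools import reduce
from ipaddress import IPv4Address
from operator import and_, or_

MASK32 = 0xFFFFFFFF

# The four networks from the explanation; the per-statement wildcard is assumed.
STATEMENTS = [(f"172.29.{n}.0", "0.0.0.255") for n in (16, 17, 18, 19)]

# Answer options A-E from the question: (network, wildcard).
OPTIONS = {
    "A": ("172.29.16.0", "0.0.0.255"),
    "B": ("172.29.16.0", "0.0.1.255"),
    "C": ("172.29.16.0", "0.0.3.255"),
    "D": ("172.29.16.0", "0.0.15.255"),
    "E": ("172.29.0.0", "0.0.255.255"),
}

def to_int(dotted):
    return int(IPv4Address(dotted))

def combine(statements):
    """Return (network, wildcard, exact) for statements sharing one wildcard.
    exact is False when the combined statement matches more than the originals."""
    bases = [to_int(base) for base, _ in statements]
    wildcards = {to_int(wild) for _, wild in statements}
    if len(wildcards) != 1:
        raise ValueError("this sketch expects one common wildcard")
    old_wild = wildcards.pop()
    # XOR step: any bit in which the networks differ becomes a wildcard bit.
    differing = reduce(or_, (base ^ bases[0] for base in bases))
    wildcard = differing | old_wild
    # AND step: bits common to every network form the new network address.
    network = reduce(and_, bases) & ~wildcard & MASK32
    # The combined statement always covers the originals; it is exact only
    # when both match the same number of addresses.
    covered = 2 ** bin(wildcard).count("1")
    distinct = len({base & ~old_wild & MASK32 for base in bases})
    wanted = distinct * 2 ** bin(old_wild).count("1")
    return str(IPv4Address(network)), str(IPv4Address(wildcard)), covered == wanted

def equivalent_options(statements, options):
    """Labels of the options with exactly the same effect as the statements."""
    network, wildcard, exact = combine(statements)
    if not exact:
        return []
    want = (to_int(network), to_int(wildcard))
    return sorted(label for label, (net, wild) in options.items()
                  if (to_int(net) & ~to_int(wild) & MASK32, to_int(wild)) == want)

if __name__ == "__main__":
    print(combine(STATEMENTS))
    print(equivalent_options(STATEMENTS, OPTIONS))
    print(combine(STATEMENTS[:3]))   # only .16-.18: same wildcard, but not exact
```

If only three of the four networks were listed, the same wildcard would result, but the exact flag would be False because 172.29.19.0 would also be permitted.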

Question 9:
An inbound access list has been configured on a serial interface to deny packet entry for TCP and UDP ports 21, 23 and 25. What types of packets will be permitted by this ACL? (Choose three.)

A:FTP
B:Telnet
C:SMTP
D:DNS
E:HTTP
F:POP3

Answers: D, E, F

Explanation:
Ports 21, 23 and 25 are denied by ACL.
21 = FTP ; 23= Telnet ; 25= SMTP
The remaining ports are permitted, so DNS, HTTP and POP3 ports are permitted by the ACL.

Question 10:
Refer to the exhibit. The FMJ manufacturing company is concerned about unauthorized access to the Payroll Server. The Accounting1, CEO, Mgr1, and Mgr2 workstations should be the only computers with access to the Payroll Server. What two technologies should be implemented to help prevent unauthorized access to the server? (Choose two.)



A:access lists
B:encrypted router passwords
C:STP
D:VLANs
E:VTP
F:wireless LANs

Answers: A, D

Explanation:
Access lists are created to permit only the Accounting1, CEO, Mgr1, and Mgr2 workstations to reach the Payroll server.
A VLAN can be created, forming a separate broadcast domain whose only members are the Accounting1, CEO, Mgr1, and Mgr2 workstations and the Payroll server.

Question 11:
A network administrator would like to implement NAT in the network shown in the graphic to allow inside hosts to use a private addressing scheme. Where should NAT be configured?



A: Corporate router
B: Engineering router
C: Sales router
D: all routers
E: all routers and switches

Answers: A

Question 12:
An access list has been designed to prevent HTTP traffic from the Accounting Department from reaching the HR server attached to the Holyoke router. Which of the following access lists will accomplish this task when grouped with the e0 interface on the Chicopee router?




A: permit ip any any
deny tcp 172.16.16.0 0.0.0.255 172.17.17.252 0.0.0.0 eq 80
B: permit ip any any
deny tcp 172.17.17.252 0.0.0.0 172.16.16.0 0.0.0.255 eq 80
C: deny tcp 172.17.17.252 0.0.0.0 172.16.16.0 0.0.0.255 eq 80
permit ip any any
D: deny tcp 172.16.16.0 0.0.0.255 172.17.17.252 0.0.0.0 eq 80
permit ip any any

Answers: D

Explanation:
We need to create an ACL which denies the Accounting department network access to HTTP on the HR server.

Source address is the Accounting department network: 172.16.16.0 mask 255.255.255.0
Destination address is the HR server: 172.17.17.252
Port number for HTTP traffic on the destination address: 80

First create the deny statement
access-list 100 deny tcp 172.16.16.0 0.0.0.255 172.17.17.252 0.0.0.0 eq 80

Since there is an implicit deny any any statement at the end of the ACL, we need to permit the remaining traffic.
access-list 100 permit ip any any