CCNA Interview Questions and Answers -11


1. What is ACL?

An Access Control List (ACL) is a packet-filtering method that filters IP packets based on source and destination address. It is a set of rules and conditions that permit or deny IP packets in order to control network traffic.

2. What are different Types of ACL?

There are two main types of access lists:
1. Standard Access List
2. Extended Access List

3. Explain Standard Access List?

A Standard Access List examines only the source IP address of an IP packet to permit or deny that packet. It cannot match any other field in the IP packet. A Standard Access List is created using the access-list numbers 1-99, or 1300-1999 in the expanded range. A Standard Access List must be applied close to the destination: because we are filtering on the source address only, placing the standard access list close to the source host or network would mean nothing is forwarded from that source.

Example:-
R1(config)# access-list 10 deny host 192.168.1.1
R1(config)# int fa0/0
R1(config-if)# ip access-group 10 in

4. Explain Extended Access List?

An Extended Access List filters network traffic based on the source IP address, the destination IP address, the protocol field at the network layer and the port number field at the transport layer. Extended Access Lists use the numbers 100-199, or 2000-2699 in the expanded range. An Extended Access List should be placed as close to the source as possible: since it filters on specific addresses (source IP, destination IP) and protocols, we do not want traffic to traverse the entire network only to be denied, wasting bandwidth.

Example:-
R1(config)# access-list 110 deny tcp any host 192.168.1.1 eq 23
R1(config)# int fa0/0
R1(config-if)# ip access-group 110 in

5. Explain Named ACL and its advantages over Number ACL?

It is just another way of creating Standard and Extended ACLs: a Named ACL is identified by a name instead of a number.
Its advantage over a Numbered ACL is that in a Named ACL we can give each statement a sequence number, which means we can insert a new statement in the middle of the ACL.

Example:-
R1(config)# ip access-list extended CCNA
R1(config-ext-nacl)# 15 permit tcp host 10.1.1.1 host 20.1.1.1 eq 23
R1(config-ext-nacl)# exit
This inserts the statement at sequence number 15.
R1(config)# int fa0/0
R1(config-if)# ip access-group CCNA in
ACL names are case-sensitive, so the name in the ip access-group command must match the name given in ip access-list exactly.

6. What is Wildcard Mask?

A wildcard mask is used with an ACL to specify an individual host, a network, or a range of networks.

Whenever a zero is present, it indicates that the octet in the address must match the corresponding reference exactly. Whenever a 255 is present, it indicates that the octet need not be evaluated.

A wildcard mask is the exact inverse of the subnet mask.

Example:- For /24
Subnet Mask – 255.255.255.0
Wildcard Mask – 0.0.0.255

7. How to permit or deny specific Host in ACL?

1. Using a wildcard mask of 0.0.0.0
Example:- 192.168.1.1 0.0.0.0
2. Using the keyword host
Example:- host 192.168.1.1
Both forms match exactly one address.

8. In which directions we can apply an Access List?

We can apply an access list in two directions:
IN – ip access-group 10 in
OUT – ip access-group 10 out

9. Difference between Inbound Access-list and Outbound Access-list?

When an access list is applied to inbound packets on an interface, those packets are first processed through the ACL and then routed; any packet that is denied is never routed. When an access list is applied to outbound packets on an interface, those packets are first routed to the outbound interface and then processed through the ACL.

10. Difference between #sh access-list command and #sh run access-list command?

#sh access-list shows the hit count (number of matches) for each entry.
#sh run access-list shows only the configured entries, without hit counts.

11. How many Access Lists can be applied to an interface on a Cisco router?

We can assign only one access list per interface, per protocol, per direction. This means that for IP access lists we can have only one inbound access list and one outbound access list per interface. Multiple access lists are permitted per interface, but they must be for different protocols.

12. How Access Lists are processed?

Access lists are processed in sequential, logical order, evaluating packets from the top down, one statement at a time. As soon as a match is made, the permit or deny option is applied, and the packet is not evaluated against any more access list statements. Because of this, the order of the statements within any access list is significant. There is an implicit “deny” at the end of each access list which means that if a packet doesn’t match the condition on any of the lines in the access list, the packet will be discarded.

13. What is at the end of each Access List?

At the end of each access list, there is an implicit deny statement denying any packet for which the match has not been found in the access list.

Key Information

– An access list applied to an interface before that access list has been created will not filter traffic.
– Access lists only filter traffic that is going through the router. They will not filter traffic that originated from the router itself.
– If we remove one line from an access list, the entire access list is removed.
– Every access list should have at least one permit statement, or it will deny all traffic.
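The following is an added example, not code from the original page: a small Python model of how IOS evaluates an access list, covering the wildcard-mask matching of Q6 and Q7, the sequence-number insertion of Q5, the hit counts of Q10 and the top-down, first-match, implicit-deny processing of Q12 and Q13. It parses the same ACE syntax the page uses (`host`, `any`, `address wildcard`, `eq port`). The class and function names are this example's own, and the 10.1.1.0/24 and 172.16.0.9 packets in `demo()` are constructed sample traffic.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")   # 'any': every bit is a don't-care


def wildcard_from_prefix(prefix_len: int) -> str:
    """The wildcard mask is the bitwise inverse of the subnet mask: /24 -> 0.0.0.255."""
    return str(ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").hostmask)


def wildcard_match(addr: str, ref: str, wildcard: str) -> bool:
    """A 0 bit in the wildcard means that bit must match; a 1 bit is ignored."""
    a, r, w = (int(ipaddress.IPv4Address(x)) for x in (addr, ref, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (r & care)


@dataclass
class Entry:
    seq: int
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches any protocol
    src: Tuple[str, str]        # (address, wildcard)
    dst: Tuple[str, str]
    dport: Optional[int]        # from 'eq <port>', if present
    hits: int = 0


def _addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' from the token list."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return (tokens.pop(0), "0.0.0.0")
    return (tok, tokens.pop(0))


class AccessList:
    def __init__(self, name: str):
        self.name = name
        self.entries = []

    def add(self, ace: str, seq: Optional[int] = None):
        """Add one access-control entry written as on the page, e.g.
        'deny host 192.168.1.1' (standard) or 'deny tcp any host 192.168.1.1 eq 23'
        (extended). Without seq the entry is appended in steps of 10; with seq it
        is inserted in sequence order, as a named ACL allows."""
        tokens = ace.split()
        action = tokens.pop(0)
        if tokens[0] in ("ip", "tcp", "udp", "icmp"):     # extended ACE
            proto = tokens.pop(0)
            src, dst = _addr(tokens), _addr(tokens)
        else:                                             # standard ACE: source only
            proto, src, dst = "ip", _addr(tokens), ANY
        dport = int(tokens[1]) if tokens[:1] == ["eq"] else None
        if seq is None:
            seq = self.entries[-1].seq + 10 if self.entries else 10
        self.entries.append(Entry(seq, action, proto, src, dst, dport))
        self.entries.sort(key=lambda e: e.seq)

    def evaluate(self, src: str, dst: str, proto: str = "ip",
                 dport: Optional[int] = None) -> str:
        """Top-down, first match wins; anything left over hits the implicit deny."""
        for e in self.entries:
            if e.proto != "ip" and e.proto != proto:
                continue
            if not (wildcard_match(src, *e.src) and wildcard_match(dst, *e.dst)):
                continue
            if e.dport is not None and e.dport != dport:
                continue
            e.hits += 1                 # what 'show access-list' reports
            return e.action
        return "deny"                   # implicit deny at the end of every ACL

    def show(self):
        """Sequence number, action and hit count per entry, like 'show access-list'."""
        return [(e.seq, e.action, e.hits) for e in self.entries]


def demo():
    """Build the page's extended ACL, insert a line at sequence 15, test packets."""
    acl = AccessList("CCNA")
    acl.add("deny tcp any host 192.168.1.1 eq 23")              # seq 10
    acl.add("permit ip 10.1.1.0 0.0.0.255 any")                 # seq 20
    acl.add("permit tcp host 10.1.1.1 host 20.1.1.1 eq 23", seq=15)
    verdicts = [
        acl.evaluate("10.1.1.7", "192.168.1.1", "tcp", 23),     # telnet: deny (seq 10)
        acl.evaluate("10.1.1.7", "192.168.1.1", "tcp", 80),     # http: permit (seq 20)
        acl.evaluate("172.16.0.9", "192.168.1.1", "tcp", 80),   # no match: implicit deny
    ]
    return verdicts, acl.show()
```

The third packet in `demo()` is the case the Key Information list warns about: nothing matched, so the implicit deny discards it even though no statement names 172.16.0.9. Reordering the entries changes the verdicts, which is why sequence numbers matter.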

14. What is NAT?

Network Address Translation (NAT) translates private addresses into public addresses before packets are routed to the public network. It allows a network device such as a router to translate addresses between the private and the public network.

15. What are the Situations where NAT is required?

– When we need to connect to the Internet and our hosts do not have globally unique IP addresses.
– When we want to hide internal IP addresses from the outside for security purposes.
– When a company merges with another company that uses the same address space.

16. What are the advantages of NAT?

– It conserves legally registered IP addresses.
– It prevents address overlapping.
– Provides security by hiding internal (private) IP addresses.
– Eliminates address renumbering as a network evolves.

17. What are different types of NAT?

There are three main types of NAT:
– Static NAT
– Dynamic NAT
– Port Address Translation (Overloading)

18. What is Static NAT?

Static NAT is a one-to-one mapping: it translates one private IP address to one public IP address.
R1(config)# ip nat inside source static 10.1.1.1 15.36.2.1
R1(config)# int fa0/0
R1(config-if)# ip nat inside (marks this interface as the inside interface)
R1(config-if)# int fa0/1
R1(config-if)# ip nat outside (marks this interface as the outside interface)
In the ip nat inside source command, "inside source" means the translation starts from the source address of packets arriving on the inside interface.

19. What is Dynamic NAT?

It maps an unregistered IP address to a registered IP address taken from a pool of registered IP addresses.
R1(config)# ip nat pool CCNA 190.1.1.5 190.1.1.254 netmask 255.255.255.0
R1(config)# ip nat inside source list 10 pool CCNA
R1(config)# int fa0/0
R1(config-if)# ip nat inside (It identifies this interface as inside interface)
R1(config)# int fa0/1
R1(config-if)# ip nat outside (It identifies this interface as outside interface)
R1(config)# access-list 10 permit 192.168.1.0 0.0.0.255 (specifies which unregistered addresses need to be translated)

20. What is Port Address Translation (Overloading)?

It maps multiple unregistered IP addresses to a single registered IP address by using different port numbers. PAT allows thousands of users to connect to the Internet using only one public address.
R1(config)# ip nat pool CCNA 190.1.1.5 190.1.1.254 netmask 255.255.255.0
R1(config)# ip nat inside source list 10 pool CCNA overload
R1(config)# int fa0/0
R1(config-if)# ip nat inside (It identifies this interface as inside interface)
R1(config)# int fa0/1
R1(config-if)# ip nat outside (It identifies this interface as outside interface)
R1(config)# access-list 10 permit 192.168.1.0 0.0.0.255 (specifies which unregistered addresses need to be translated)

21. What are Inside Local, Inside Global, Outside Local, Outside Global address?

– Inside Local address is the IP address of a host before translation.
– Inside Global address is the public IP address of a host after translation.
– Outside Local address is the address of the router interface connected to the ISP.
– Outside Global address is the address of the outside destination (the ultimate destination).
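The following is an added example, not code from the original page: a Python model of the translation table an inside-source NAT router keeps, showing the difference between the static (Q18), dynamic (Q19) and overloaded/PAT (Q20) behaviour and how a returning packet is mapped back to its inside local address (Q21). The class name, the port allocation starting at 1024 and all addresses are this example's own assumptions; 203.0.113.0/24 is the RFC 5737 documentation range used here as the "public" side.

```python
from itertools import count


class Nat:
    """Translation table of an inside-source NAT router.
    static:  inside-local -> inside-global, fixed one-to-one
    dynamic: inside-local -> next free address from the pool
    pat:     (inside-local, port) -> (one shared global address, unique port)
    """

    def __init__(self, pool, mode):
        assert mode in ("dynamic", "pat")
        self.mode = mode
        self.pool = list(pool)          # inside-global addresses still available
        self.static = {}                # inside-local -> inside-global
        self.table = {}                 # dynamic: ip -> (global, None); pat: (ip, port) -> (global, gport)
        self._ports = count(1024)       # PAT port allocator (assumed starting point)

    def add_static(self, inside_local, inside_global):
        """'ip nat inside source static A B': always translate A to B."""
        self.static[inside_local] = inside_global

    def outbound(self, src_ip, src_port):
        """Translate a packet leaving via the outside interface.
        Returns the (inside-global address, port) pair, or None when no
        global address is free (the packet would be dropped)."""
        if src_ip in self.static:                        # static wins, port untouched
            return (self.static[src_ip], src_port)
        if self.mode == "dynamic":
            if src_ip not in self.table:
                if not self.pool:
                    return None                          # pool exhausted
                self.table[src_ip] = (self.pool.pop(0), None)
            return (self.table[src_ip][0], src_port)
        # PAT: every host shares pool[0]; a unique global port keeps flows apart
        key = (src_ip, src_port)
        if key not in self.table:
            self.table[key] = (self.pool[0], next(self._ports))
        return self.table[key]

    def inbound(self, dst_ip, dst_port):
        """Reverse a translation for a returning packet.  Without a matching
        entry there is nothing to map to, so unsolicited inbound traffic is dropped."""
        for local, glob in self.static.items():
            if glob == dst_ip:
                return (local, dst_port)
        for key, (glob, gport) in self.table.items():
            if self.mode == "dynamic" and glob == dst_ip:
                return (key, dst_port)
            if self.mode == "pat" and (glob, gport) == (dst_ip, dst_port):
                return key
        return None


def demo():
    """Constructed sample traffic through a PAT router and a dynamic-pool router."""
    pat = Nat(pool=["203.0.113.1"], mode="pat")
    pat.add_static("192.168.1.100", "203.0.113.2")      # one-to-one for a server
    out = {
        "host10": pat.outbound("192.168.1.10", 40000),   # ("203.0.113.1", 1024)
        "host11": pat.outbound("192.168.1.11", 40000),   # same inside port, new global port
        "server": pat.outbound("192.168.1.100", 443),    # static: ("203.0.113.2", 443)
        "reply_to_11": pat.inbound("203.0.113.1", 1025), # back to ("192.168.1.11", 40000)
        "unsolicited": pat.inbound("203.0.113.1", 9999), # no entry: None
    }
    dyn = Nat(pool=["203.0.113.5", "203.0.113.6"], mode="dynamic")
    out["dyn"] = [dyn.outbound(f"192.168.1.{n}", 5000) for n in (10, 11, 12)]
    return out
```

The two-address dynamic pool in `demo()` runs out on the third host, which is the practical reason PAT (overload) is the common choice: one global address serves every inside host, and the port is what keeps their sessions distinct.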

22. What is DHCP?

Dynamic Host Configuration Protocol (DHCP) assigns IP addresses to hosts dynamically. It allows easier administration and works well in small as well as very large network environments. All types of hardware can be used as a DHCP server including a Cisco router.

23. What information a DHCP server can provide to a host?

A DHCP server can provide the following information:
– IP address
– Subnet mask
– Default gateway
– Domain Name Server
– WINS information

24. How DHCP Works?

DHCP works on DORA Process (DISCOVER – OFFER – REQUEST – ACKNOWLEDGEMENT).

1. When a client needs an IP configuration, it tries to locate a DHCP server by sending a broadcast called a DHCP DISCOVER. This message has a destination IP of 255.255.255.255 and a destination MAC of ff:ff:ff:ff:ff:ff.

[Source IP – 0.0.0.0, Destination IP – 255.255.255.255, Source MAC – MAC address of host, Destination MAC – FF:FF:FF:FF:FF:FF]

2. On receiving the DHCP DISCOVER, the server sends a DHCP OFFER message to the client. The DHCPOFFER is a proposed configuration that may include an IP address, DNS server address and lease time. This message is unicast: its destination MAC address is the DHCP client's MAC address and its source MAC address is that of the DHCP server.

[Source MAC – MAC address of server, Destination MAC – MAC address of host]

3. If the client finds the offer agreeable, it sends a DHCP REQUEST message requesting those particular IP parameters. This message is a broadcast.
[Source MAC – MAC address of host, Destination MAC – FF:FF:FF:FF:FF:FF]

4. On receiving the DHCP REQUEST, the server makes the configuration official by sending a unicast DHCP ACK acknowledgment.
[Source MAC – MAC address of server, Destination MAC – MAC address of host]

25. What is the reason for getting APIPA address?

With APIPA, DHCP clients can automatically self-configure an IP address and subnet mask when a DHCP server is not available. When a DHCP client boots, it first looks for a DHCP server in order to obtain an IP address and subnet mask.

A client uses the self-configured IP address until a DHCP server becomes available. The APIPA service also checks regularly for the presence of a DHCP server. If it detects a DHCP server on the network, APIPA stops and the DHCP server replaces the APIPA networking addresses with dynamically assigned addresses.

26. What is the range of APIPA address?

The IP address range is 169.254.0.1 through 169.254.255.254. The client also configures itself with a default Class B subnet mask of 255.255.0.0.

27. What is the purpose of relay agent?

A DHCP relay agent is any host that forwards DHCP requests and replies between clients and servers when the server is not on the same physical subnet as the client. On a Cisco router a DHCP relay agent is configured with the ip helper-address command.

28. What is DHCP decline message?

It is sent by the client to the server to indicate that the network address it was given is already in use (already assigned to another device).

29. What is DHCPNAK message?

If the server is unable to satisfy the DHCPREQUEST message (for example, the requested network address has already been allocated), the server should send a DHCPNAK message to the client. It is also sent if the client's notion of its network address is incorrect (the client has moved to a new subnet) or the client's lease has expired.
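The following is an added example, not code from the original page: a minimal DHCP (RFC 2131) message builder and parser in Python, used to walk through the DORA exchange of Q24, the relay-agent behaviour of Q27 and the DECLINE and NAK message types of Q28 and Q29. The wire format (236-byte BOOTP header, magic cookie, TLV options, option 53 message types) is the real one; the function names, client MAC, transaction id, lease time and the 192.168.1.0/24 addresses are constructed sample values.

```python
import struct
import ipaddress

MAGIC_COOKIE = b"\x63\x82\x53\x63"
# Option 53 (DHCP Message Type) values from RFC 2132.
MSG_TYPES = {"DISCOVER": 1, "OFFER": 2, "REQUEST": 3, "DECLINE": 4, "ACK": 5, "NAK": 6}
TYPE_NAMES = {v: k for k, v in MSG_TYPES.items()}
BOOTREQUEST, BOOTREPLY = 1, 2
HEADER = "!BBBBIHH4s4s4s4s16s64s128s"     # op,htype,hlen,hops,xid,secs,flags,ciaddr,yiaddr,siaddr,giaddr,chaddr,sname,file


def _ip(s):
    return ipaddress.IPv4Address(s).packed


def build(msg_type, xid, chaddr, yiaddr="0.0.0.0", giaddr="0.0.0.0", options=None):
    """Encode one DHCP message.  Client messages are BOOTREQUEST, server messages
    BOOTREPLY; yiaddr carries the address the server is offering/acknowledging."""
    op = BOOTREQUEST if msg_type in ("DISCOVER", "REQUEST", "DECLINE") else BOOTREPLY
    mac = bytes.fromhex(chaddr.replace(":", ""))
    header = struct.pack(HEADER, op, 1, 6, 0, xid, 0, 0,
                         _ip("0.0.0.0"), _ip(yiaddr), _ip("0.0.0.0"), _ip(giaddr),
                         mac.ljust(16, b"\x00"), b"\x00" * 64, b"\x00" * 128)
    body = bytes([53, 1, MSG_TYPES[msg_type]])
    for code, value in (options or {}).items():
        body += bytes([code, len(value)]) + value
    return header + MAGIC_COOKIE + body + b"\xff"          # 255 = end option


def parse(packet):
    """Decode the fields this walkthrough needs plus the raw option TLVs."""
    f = struct.unpack(HEADER, packet[:236])
    if packet[236:240] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, 240
    while i < len(packet) and packet[i] != 255:
        if packet[i] == 0:                                  # pad option, no length
            i += 1
            continue
        code, length = packet[i], packet[i + 1]
        opts[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": f[0], "hops": f[3], "xid": f[4],
            "yiaddr": str(ipaddress.IPv4Address(f[8])),
            "giaddr": str(ipaddress.IPv4Address(f[10])),
            "chaddr": f[11][:f[2]].hex(":"),
            "type": TYPE_NAMES[opts[53][0]], "options": opts}


def relay(packet, relay_ip):
    """What a relay agent (ip helper-address) does before unicasting a client
    broadcast to the server: fill giaddr if it is empty and bump the hop count."""
    hops = packet[3] + 1
    giaddr = packet[24:28] if packet[24:28] != b"\x00" * 4 else _ip(relay_ip)
    return packet[:3] + bytes([hops]) + packet[4:24] + giaddr + packet[28:]


def dora(client_mac="00:11:22:33:44:55", server_ip="192.168.1.1",
         offered="192.168.1.50", xid=0x3903F326):
    """Run DISCOVER-OFFER-REQUEST-ACK; return the message types seen and the
    address finally acknowledged.  All four share one transaction id."""
    discover = build("DISCOVER", xid, client_mac)
    offer = build("OFFER", xid, client_mac, yiaddr=offered,
                  options={54: _ip(server_ip), 51: struct.pack("!I", 86400)})
    # The client echoes the offered address (option 50) and server id (option 54).
    request = build("REQUEST", xid, client_mac,
                    options={50: _ip(parse(offer)["yiaddr"]), 54: _ip(server_ip)})
    ack = build("ACK", xid, client_mac, yiaddr=offered,
                options={1: _ip("255.255.255.0"), 3: _ip(server_ip), 6: _ip(server_ip)})
    kinds = [parse(p)["type"] for p in (discover, offer, request, ack)]
    return kinds, parse(ack)["yiaddr"]
```

The ACK's options 1, 3 and 6 are the subnet mask, default gateway and DNS server from Q23. A server that cannot honour the REQUEST would answer with type 6 (NAK) instead, and a client that finds the acknowledged address already in use sends type 4 (DECLINE); both are encoded by the same `build()` call.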

30. What is TCP?

Transmission Control Protocol (TCP) is a connection-oriented protocol. This means that before any data transfer can take place, certain parameters have to be negotiated in order to establish the connection.