CCNA Access List Sim

Want to become a CCNA trainer in Bangalore, India with a good salary; contact sumukhashruthi@gmail.com

Hey quick question. For this Sim do we need to make and configuration changes or is it just to answer the questions.

can anybody explain what this command does please..

deny icmp any any echo-reply

@panget in case of ICMP which is ping and its have a few options, see below

Router(config)#access-list 100 permit icmp any any ?
type-num
echo Echo (ping)
echo-reply Echo reply
host-unreachable Host unreachable
net-unreachable Net unreachable
port-unreachable Port unreachable
protocol-unreachable Protocol unreachable
ttl-exceeded TTL exceeded
unreachable All unreachables

echo is a packet going from source to a destination, echo-reply is packet going back from destination to the source (where ping command was issued)

so command “deny icmp any any echo-reply” applied inwards to the fa0/0 of the router will allow to ping the router from the switch as echo-reply is only blocked as if it was going into the router from the switch, that would be situation if you tried to ping the switch from the router and echo-reply packet then on its way back to the router would be blocked

I hope I made some sense here

Guys,

Just a question relevant to ACL2. Sorry for posting it here..

Since we learn that all the permit statement should be first What if we apply the acl in the following order?

access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
access-list 100 permit ip any any
access-list 100 deny tcp any host 172.22.242.23 eq 80

All other traffic is permitted. Would appreciate your answers either here or on the ACL2 page….

We_rock:
If you introduce that ACL, all traffic will be permited.
When the ACL finds a match, it denyes or permits.
In this case, the first sentence is a permission, and the pakets that don’t match that rule, will match the next one, wich permits all traffic. So no denyes will affect in this case.
i hope that help.
sorry for my english.
greetings.

@we rock
remember that acl works form top to the botton

with this statement this acl will never process the last line as per line two you already permitted all traffic, including www traffic specified in the 3rd line

access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
access-list 100 permit ip any any
access-list 100 deny tcp any host 172.22.242.23 eq 80

I hope that helped

CCNA EIGRP LAB Question

https://www.youtube.com/watch?v=-NmNOedFchA

CCNA VTP SIM Question BY Mr.Mast

http://www.youtube.com/watch?v=1oGnkqr5-iE

Thank.

CCNA VTP SIM Question
http://www.youtube.com/watch?v=1oGnkqr5-iE

Q3
in my opinion, q3 would be answer B.
If i got the IP 10.10.10.0/16, my network address is 10.10.0.0/16, so 10.10.10.0 is a valid IP addres for host.
Then, with that IP i can telnet and ping to the router, because de ACL permits it.
Then, routing updates are send by broadcast, or multicast address, and that kind of address are not allwed to pass through S0/0/1.
So answer B wolud be right.

I try this Cisco Packet Tracer , Ping and Telnet work

oups didnt work sorry

What does that U.U.U mean in the question after the ping command?

@Rose

refer to this: http://packetlife.net/blog/2008/may/27/dissecting-unreachable-ping-response/

solution q3 ACL :

1. wildcard mask of access-list 115 is 255.255.255.0. – permit all networks xxx.xxx.xxx….
2. Interface s0/0/1 ip and mask 10.45.45.1 255.255.255.0 so network is xxx.xxx.xxx……

You cannot get lower mask for host because it will be in diffirent network – A is correct
example:
router 10.45.45.1 255.255.255.0 – network 10.45.45
host 10.45.45.2 255.255.0.0 – network 10.45.

is there’s another labs for acl and what acl 2

Understanding wildcard masks is little confusing! If we have subnet mask 255.255.255.0 , the relevant wildcard mask is 0.0.0.255 !!

I may be nuts, but doesn’t ACL 115 block permit only hosts with addresses 0.0.0.1-254? Since all those addresses are illegal, the deny all at the bottom of the list will crush all connections.

Hi,
Can someone help me with these please,
I was practicing the questions in Sim and entered correct command for Q1 when I tested the switch it pings but Telnet doesn’t work, what could have gone wrong?
With Questions 2&3 do we enter the commands in Sim (if yes how and what commands) or we just select the correct answer in the exam… thanks for helping

Q1
Both B & E Works whic is the right one

could you please answer this questions for me Please!!
1) In the sims after I put copy running-config startup – config do you hit enter or space bar to save it. please answer clearly.
2)I hear lot of comments about the tab key. Is this to auto complete the commands in labs?
If I use is it ok or will the take points off?
3) What is the ? for in lab sims and when is it necessary to use it
please answer

Regarding q3 – telnet is not an ip packet so if we want to allow telnet shouldn’t it be permin tcp any any eq telnet?

think that answer B is not correct

Regarding Q1.

B is wrong!

Remember ACL only filter traffic passing through the router! not originating from the router.

If you choose B there will be no “IN” filtering of any kind and because the responses to telnet and ping will originate from the router they will not be filtered on out by ACL 106 out such that both TELNET and PING will work. This is not requested by the question!

Regarding Q3.

The question is complex and it involves a lot of variables.

If we only consider the configuration given, we assume that the config does not contain the “no ip routing” configuration such that the “ip default-gateway 10.1.1.2″ has no effect. This is an important thing!

Applying the ACL 115 in would allow as 9tut said only hosts with x.x.x.0 as an Ip address.
1.That mean that definitely no routing protocol traffic could be accepted because there’s no multicast in this format x.x.x.0.
That means the router could only communicate with directly connected networks!
(because we also don’t have a default route anywhere)

2. There could be a host behind the 10.45.45.0/24 network with IP in x.x.x.0
format but because the router is limited to only directly connected networks it cannot reply even if such a host would reach it.

Final OBS.
— A. is the correct answer! there’s no host in x.x.x.0 format belonging to networks directly connected
— B. is false. telnet and ping will not work not because they are blocked but because the router doesn’t know where to reply and indeed routing updates are blocked because there’s no protocol to communicate on x.x.x.0 format.

(for testing I added a default route and pings+ telnets from remote hosts in format x.x.x.0 work just fine, but routing updates don’t.)

PS. wasted more hours on this question, visited and revisited, tested on GNS3 and packet tracer and this seems to be the answer.

Will take the exam in 2 days! Good luck everybody!

@Alex: Great explanation of Q3!!!

Some further observations/explanation:

a) Telnet won’t work anyway configured like this:
line vty 0 4
login
!
!
end

There is no password set, but login command has been issued requiring one!!!
But even, if there was one, again it would failed because there is no directly connected host having the x.x.x.0 format.

b) Ping won’t work as there is no directly connected host with the x.x.x.0 format.

I wish I could explain that more clearly, but this is my current level of understanding things right now!!! :-)

On exam are you able to click on the router to configure it or you need to do it from PC? If from than what command will do the trick?

And do you need to apply the commands or just pick the right answer since there is no example of how to do it…

Q3
Why B is not correct?

B – Telnet and ping would work but routing updates would fail.

Routing updates would fail, because when it comes to for example OSPF, it uses multicast address of 224.0.0.5 for updates, so applying a wildcard mask of 255.255.255.0 means that I don’t care about the first three octets, but I care about the fourth octet which should be 0, so since there’s no line following permit ip any any as the last line the invisible “implicit deny all” would stop routing updates. Please advise,

Q3.

The explanation should be:
Answer D seems correct, but the wildcard mask indicates that the last octet must be 0.
Subnet mask for s0/0/0 is 255.255.255.0, so the last octet must be 1-254.

No host connected through s0/0/1 will pass this ACL –> answer A is correct!

Everyone is so smart here but can’t answer simple question that have been asked like 6 times here with no answer still…
_______________________________________________________________________________
On exam are you able to click on the router to configure it or you need to do it from the PC? If from the PC than what command will do the trick?

And do you need to apply the ACL commands or just to pick the right answer since there is no example of how to do it…

@Elias: In the exam you do not click on the router you want to configure directly, you have to click on the PC attached to that router via a dashed line (console line).

And it depends on each sim you need to apply the commands or not. Sims like EIGRP and ACL2 you have to type configuration commands but VTP sim you are only allowed to use “show …” commands to find out the correct answers.

@9tut: Thanks for clarifying my questions!

Hi,

Do we in the exam type configuration for NAT 1 & 2 and ACL1..?

@9tut I am scared now. I was using packet tracer and clicking on the Router that needs to be configured. Example for the EIGRP lab. I click on R3 and on R1 and used the CLI to input commands. So for the EIGRP example, are you saying we click on PC-G to configure R1 and click on PC-C to configure R3? I tried that but where do I type in my commands. There is no CLI. Please clarify. Thank you.

@CiscoER

yes that is correct. but you click on the terminal to configure the router for eigrp.
click on the pc -> desktop -> click on terminal and you go from there.

For this sim are we supposed to enter commands or just select the correct one – can someone drop a line plz

http://www.orbitco-ccna-pastquestions.com/CCNA-Access-List-Exam-Question-and-Answers.php

for some explanation open the link above :)

@gorgie

For this question we only need to use the show (running-config) command to answer all the questions below; no configuration just try to find the correct answer.

@Chompiras

In Access-lists we deal with wild card masks so in case of 255.255.255.0 the last octet should remain 0 as 255 says “I don’t care what comes after” and 0 means “match”.

But I still have confusion about answer A. Please someone explain in plain english why is answer A. Thank you.

hello everybody..
Is it enough to do ACL,EIGRP,ACL2 and VTP sims .. ? or i have to do every sim on this website ?

Do you need configurations for this sim? Or multiple choice questions?

Hi

In Access-lists we deal with wild card masks so in case of 255.255.255.0 the last octet should remain 0 as 255 says “I don’t care what comes after” and 0 means “match”.

Answer A is correct in two ways.

i) Wildcard mask is 255.255.255.0 means Subnet is 0.0.0.255. ACL 115 says that it will allow all ip packets from the subnet 0.0.0.255. No ip address belongs to this subnet bze this is an Invalid subnet.

ii) Also the serial interface se0/0/1 is admin down. So obviously we could not connect any host to that nterface.

I heard that syllabus is changed now. But i don’t know the latest dumps. Please help me…

@Raj —

I don’t think the “syllabus” change that you are speaking of happens until after Sept 30th.

passed with a score of 986 today, study eigrp, access lists, vtp and dumbs from examcollection and tut. this is enough to pass this exam even if you don’t have any book. having said that this exam is a piece of cake if you are serious with your preparation.

passed with a score of 986 today, study eigrp, extended access lists, vtp and dumbs from examcollection and tut. this is enough to pass this exam even if you don’t have any book. having said that this exam is a piece of cake if you are serious with your preparation. good luck to all of you guys.

regarding Q3.
Notice that not the whole configuration is shown there. There can be static routes configured. In this case connection from hosts like 3.2.1.0/16 will be possible.

Can I say something easier?

The answer D can not possible simply because the wilcard mask in access-list 115 is wrong, it´s written “255.255.255.0″ and this is a normal mask, shoul be “0.0.0.255″

Is right my meaning??

I don´t understand why the network address is 0.0.0.0 and the wilcard is 255.255.255.0

Can someone explain me please?