CCNA Access List Sim
Question
An administrator is trying to ping and telnet from Switch to Router with the results shown below:
Switch>
Switch> ping 10.4.4.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.4.4.3,timeout is 2 seconds:
.U.U.U
Success rate is 0 percent (0/5)
Switch>
Switch> telnet 10.4.4.3
Trying 10.4.4.3 …
% Destination unreachable; gateway or host down
Switch>
Click the console connected to Router and issue the appropriate commands to answer the questions.
Answer and Explanation
Note: If you are not sure about Access-list, please read my Access-list tutorial. You can also download this sim to practice (open with Packet Tracer) here: http://www.9tut.com/download/9tut.com_CCNA_Access_List_Sim.pkt
For this sim we only need the show running-config command to answer all the questions below:
Router>enable
Router#show running-config
Question 1:
Which will fix the issue and allow ONLY ping to work while keeping telnet disabled?
A – Correctly assign an IP address to interface fa0/1
B – Change the ip access-group command on fa0/0 from “in” to “out”
C – Remove access-group 106 in from interface fa0/0 and add access-group 115 in.
D – Remove access-group 102 out from interface s0/0/0 and add access-group 114 in
E – Remove access-group 106 in from interface fa0/0 and add access-group 104 in
Answer: E
Explanation:
Let’s have a look at the access list 104:
The question does not ask about FTP traffic, so we can ignore the first two lines. The 3rd line denies all telnet traffic and the 4th line permits ICMP traffic (ping). Remember that access list 104 is applied inbound, so the 5th line, “access-list 104 deny icmp any any echo-reply”, does not affect our ping: the switch’s echo requests arrive inbound and match the 4th line, while the router’s echo replies leave in the outbound direction and are never evaluated by an inbound access list.
Question 2:
What would be the effect of issuing the command ip access-group 114 in to the fa0/0 interface?
A – Attempts to telnet to the router would fail
B – It would allow all traffic from the 10.4.4.0 network
C – IP traffic would be passed through the interface but TCP and UDP traffic would not
D – Routing protocol updates for the 10.4.4.0 network would not be accepted from the fa0/0 interface
Answer: B
Explanation:
From the output of access-list 114 (access-list 114 permit ip 10.4.4.0 0.0.0.255 any) we can easily see that this access list allows all traffic (ip) from the 10.4.4.0/24 network.
Question 3:
What would be the effect of issuing the command access-group 115 in on the s0/0/1 interface?
A – No host could connect to Router through s0/0/1
B – Telnet and ping would work but routing updates would fail.
C – FTP, FTP-DATA, echo, and www would work but telnet would fail
D – Only traffic from the 10.4.4.0 network would pass through the interface
Answer: A
Explanation:
First let’s see what was configured on interface S0/0/1:
Recall that an interface accepts only one access list per direction, so issuing “ip access-group 115 in” on s0/0/1 replaces the inbound access list that was there (access-list 102). Access list 115 has no line that singles out telnet, so telnet is no longer blocked by a telnet-specific entry; that eliminates answer C.
B is not correct because if telnet and ping can get through, routing updates can too.
D is not correct because access-list 115 does not mention the 10.4.4.0 network. So the most reasonable answer is A.
But here a question arises…
The wildcard mask in access-list 115, 255.255.255.0, means that only hosts with IP addresses of the form x.x.x.0 will be accepted. We all know that x.x.x.0 is usually a network address, so answer A, “no host could connect to Router through s0/0/1”, seems right…
But what happens if we don’t use a subnet mask of 255.255.255.0? For example, with an address of 10.45.45.0 255.255.0.0 a host with that IP address can exist, and we could connect to the router from that host. Now answer A seems incorrect!
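As an added worked example (not part of the sim or of 9tut’s material), the following Python evaluates Cisco-style extended access lists the way the router does: a wildcard bit of 0 must match, a bit of 1 is don’t-care, entries are tested top-down, the first match decides, and an implicit deny ends every list. Access lists 114 and 115 are the lines quoted on this page; access list 104 is reconstructed from the explanation above, and its two FTP lines and the exact form of the ICMP permit are assumptions. The switch address 10.4.4.2 and the sample hosts are constructed for the example.

```python
"""Cisco-style extended ACL evaluator (added example, not from the sim).

Wildcard rule: a 0 bit in the wildcard means the packet address must match
the base address in that bit; a 1 bit means "don't care".
Evaluation rule: entries are tested top-down, the first match decides, and
every list ends with an implicit "deny ip any any".
"""
import ipaddress

# Well-known port names accepted after "eq" (subset).
PORTS = {"ftp-data": 20, "ftp": 21, "telnet": 23, "www": 80}

# Access lists 114 and 115 exactly as quoted on the page.
ACL_114 = ["access-list 114 permit ip 10.4.4.0 0.0.0.255 any"]
ACL_115 = ["access-list 115 permit ip 0.0.0.0 255.255.255.0 any"]

# Access list 104: only lines 3-5 are described in the explanation.  The two
# ftp lines and the exact form of the icmp permit are ASSUMED here.
ACL_104 = [
    "access-list 104 permit tcp any any eq ftp",       # assumed
    "access-list 104 permit tcp any any eq ftp-data",  # assumed
    "access-list 104 deny tcp any any eq telnet",
    "access-list 104 permit icmp any any echo",        # assumed form
    "access-list 104 deny icmp any any echo-reply",
]


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True if addr matches base under a Cisco wildcard mask."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF  # 1 = must match
    return (a & care) == (b & care)


def _parse_addr(tokens, i):
    """Consume 'any' | 'host A' | 'A WILDCARD' starting at tokens[i]."""
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2


def parse_ace(line: str) -> dict:
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT | ICMP-TYPE]'."""
    t = line.split()
    src, i = _parse_addr(t, 4)
    dst, i = _parse_addr(t, i)
    return {"action": t[2], "proto": t[3], "src": src, "dst": dst, "qual": t[i:]}


def ace_matches(ace: dict, pkt: dict) -> bool:
    """Does one entry match a packet dict (proto, src, dst, dport/icmp_type)?"""
    if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
        return False
    if not wildcard_match(pkt["src"], *ace["src"]):
        return False
    if not wildcard_match(pkt["dst"], *ace["dst"]):
        return False
    q = ace["qual"]
    if not q:
        return True
    if q[0] == "eq":                      # tcp/udp destination port
        port = PORTS[q[1]] if q[1] in PORTS else int(q[1])
        return pkt.get("dport") == port
    return pkt.get("icmp_type") == q[0]   # icmp keyword such as echo


def evaluate(acl: list, pkt: dict) -> str:
    """Return 'permit' or 'deny'; the first matching entry wins."""
    for ace in map(parse_ace, acl):
        if ace_matches(ace, pkt):
            return ace["action"]
    return "deny"                         # implicit deny at the end


def matching_hosts(network: str, base: str, wildcard: str) -> list:
    """Usable host addresses of `network` that a wildcard pair matches."""
    net = ipaddress.IPv4Network(network)
    return [str(h) for h in net.hosts()
            if wildcard_match(str(h), base, wildcard)]


if __name__ == "__main__":
    # Constructed traffic: switch 10.4.4.2 -> router fa0/0 10.4.4.3 (inbound).
    echo = {"proto": "icmp", "src": "10.4.4.2", "dst": "10.4.4.3", "icmp_type": "echo"}
    telnet = {"proto": "tcp", "src": "10.4.4.2", "dst": "10.4.4.3", "dport": 23}
    print("ACL 104 in, ping:  ", evaluate(ACL_104, echo))    # permit
    print("ACL 104 in, telnet:", evaluate(ACL_104, telnet))  # deny
    # Q3: which usable hosts on the s0/0/1 link could pass ACL 115?
    print(matching_hosts("10.45.45.0/24", "0.0.0.0", "255.255.255.0"))       # []
    print(len(matching_hosts("10.45.0.0/16", "0.0.0.0", "255.255.255.0")))  # 255
```

Running it shows the three points argued on this page: ACL 104 inbound lets the echo request through and drops telnet, ACL 115 matches no usable host on a /24 link, and the very same line matches 255 valid hosts on a /16, which is exactly the objection raised against answer A.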
Please comment if you have any idea for this sim!
Q3:
You people are saying that class B addresses will be allowed, but I think at the end there will be a “deny all” by default, so it will not allow other addresses.
Let me know.
In Question 3 it will permit whichever IP address has 1 in the last octet, thus X.X.X.1.
Extended IP access list 115
permit ip 0.0.0.0 255.255.255.0 any
The Se0/0/1 Internet address is 10.45.45.1/24
Allowed IPs will be x.x.x.0 (this is a valid IP for a host in some subnets), but there are no hosts with x.x.x.0 IPs on the 10.45.45.0/24 network, so A is correct.
I don’t understand.
The network 10.45.45.0/24 has hosts with x.x.x.0
10.45.45 => network part
.0 => host part
What’s up, lukin!
I just passed my CCNA exam. Please, does anyone know where I can get a CCNP dump or what to use to help me prepare for the CCNP exam? Thanks.
Hi guys! I’m going to take my exam a few hours from now; any pointers on what to look out for that might come up in the exam? Thanks.
I’m having my exam on 26th Sept; give me your suggestions or tips for the exam.
Thank you.
I have my exam on the 27th of Sept. Please, to 9tut and those who have already passed the exam: any advice, please?
I am going to write the CCNA 640-802 exam tomorrow morning at 11:30 am, so please can anyone help me pass this exam by giving your valuable suggestions?
Hello, please give me some suggestions for writing the CCNA exam.
Did anyone write the CCNA exam recently? Then please tell me what frequent questions are asked in the exam.
What are the simulations that are going to come up frequently, surely every time? Give me 5 examples.
OK.
access-list 115 permit ip 0.0.0.0 255.255.255.0 any
Awkward statement.
It may bring somebody to the idea that there “would be” such an IP address as 0.0.0.0 0.0.0.255, which is obviously stupid since subnet masks start filling bits with zeroes from right to left.
The explanation must be another one, and it really is.
There is no link between a subnet mask and a wildcard, from a Cisco ACL point of view.
In an ACL, “0” (zeroes) are “don’t care” or “don’t match” and “1” (ones) are “care” or “match”.
So, rereading the wildcard means that the ACL is matching any IP address ending with a zero (x.y.z.0) as a source IP address.
In this world today where every operator is using VLSM/CIDR and is subnetting any larger subnet down to /24 or even smaller, the chances for a SOURCE IP address to end in “0” are almost nonexistent, since in a /24 or smaller subnet, an IP address ending in “0” is a subnet address and therefore it cannot be the source for any legitimate traffic.
So, ACL 115 should be read: “Deny access for all source IP addresses that do not end in zero”, which is virtually all IP addresses.
FYI, you could have a wildcard mask usage in an ACL like:
access-list 115 permit ip 192.168.110.0 255.255.255.246 any
would translate to:
“accept only the following ip addresses:
192.168.110.1
192.168.110.8
192.168.110.9
”
I was curious and wrote this ACL into a 6513 Catalyst and applied it to an interface. It worked like a charm!
Good luck ACL-ing!
Having written the earlier comment, I wish to look again at a statement:
“D is not correct because access-list 115 does not mention about 10.4.4.0 network. So the most reasonable answer is A.”
Well… ACL 115 speaks about the traffic originating from any IP address ending in 0, so in fact it also talks about the traffic from 10.4.4.0
BUT
ACL 115 would allow traffic from ONLY the 10.4.4.0 IP address, not from the whole network.
Since 10.4.4.0 has a subnet mask of 255.255.255.0, the network address is 10.4.4.0 and it cannot source traffic. The rest of the hosts in the 10.4.4.0/24 subnet will be denied traffic (because of the implicit deny all at the end of the ACL), so in fact the whole 10.4.4.0 subnet will be denied traffic.
All this leads to the right answer being “A”.
@Sanos … Close, very Close! You pointed out very well the “don’t care” and “match exactly”, which got me thinking. The very strange ACL statement of:
access-list 115 permit ip 0.0.0.0 255.255.255.0 any
really means, as you say, in Binary:
access-list 115 permit ip 00000000.00000000.00000000.00000000 11111111.11111111.11111111.00000000 any
So, we have a Wildcard Mask of “match exactly” in the first three octets, and “don’t care” in the last octet. This spells out a source IP network whose first three octets MUST be zeros, and a fourth octet which may range from 0 to 255, or a range of network addresses from 0.0.0.0, 0.0.0.1, 0.0.0.2, and so on, through 0.0.0.255.
While this is an allowable range for IPv4 Class A addresses, we have none of those in our Internetwork. So, I believe the best answer to be A.
Guys, check my comment in the EIGRP comments. I hope it is very helpful for those who want to take the exam today. Take care and good luck.
Wonder how often the above ACL appears on the exam???
Can anyone confirm!!!!
Oh, and would there be only those 3 Qs????
I failed the 640-802 exam today with an 801 score. The retake date I have is 02-Oct-13.
Does anyone know if there would be a different curriculum to study if I take the exam nearest the rd??? Can I take the exam while still studying what I have been studying (ICND1 and ICND2 books)?
Guys, w.c.m. 0.0.0.0:
0 in the w.c.m. means a fixed number,
255 in the w.c.m. means a variable number.
When we use ACL 115,
any host with a class A or B IP address works well because a.b.c.x
w.c.m. 255.255.255.0:
octets a, b and c: no problem with changes in the numbers in the first 3 octets, but x should be fixed at 0,
so class A and B IPs work well,
but here we use class C in that network,
so the last octet, number 4, is fixed with the 255.255.255.0 w.c.m.,
so it is impossible for any class C IP to work with that ACL 115,
so Q3 answer A.
I hope everyone understands my idea.
I might be wrong, but to me the ACL 115 means “I really don’t care what the first three octets are, I just care that the last octet is zero; and if so, I’ll permit any such ip packet”. In classful addressing, this would mean all network addresses for Class A, B, and C. In CIDR, this would mean the subnet addresses for subnets. Since the ACL is an inbound one, then it should allow routing protocol updates into the router. This makes option D tricky, but the wordings “from” the network invalidates this as a possible answer. Option A looks likely based on this explanation, but I wouldn’t go 100% for it.
But hey, this might be one of the beta unscored questions, so I’ll just leave a comment in the question and go for the nearest answer.
Has anyone taken this exam and come across this question?
For question 3, that means the only IPs that will be able to communicate with s0/0/1 are in the form 0.0.0.x, which is invalid; Cisco routers take the access list but the access list rejects all possible traffic… response A is correct.
Hi, friends. Wrote my CCNA exam 2 hours ago. Passed with a score of 970/1000. Thank you Jesus.
Congrats to you all for making it on the CCNA old syllabus. Please could anyone direct me to a site similar to 9tut for CCNP exams? Thanks and my appreciation.
Hi bros, on 30 Oct is my CCNA 200-120 exam; please give me suggestions on how to prepare for the exam and which dumps to use for the 200-120 exam.
Thanks.
Someone who finished this exam recently, please verify that the new questions in the link below are valid.
http://www.examcollection.com/cisco/Cisco.Actualtests.200-120.v2013-10-01.by.examtut.278q.vce.file.html
Hi friends…
I am Gopikrishnan, hope you are all fine. I am scared about the CCNA exam and I don’t know what is
the current version of valid dumps… mail me the link or dumps please: gopimanees@gmail.com.
I tried applying ACL 115 inbound on the interface in the Packet Tracer sim, then connected another router on s0/0/1 with another /24 IP.
So we have s0/0/1 on router C at 10.45.45.1/24,
the other link at 10.45.45.2/24.
Then I put another router and used another /24 address on the second link, the classic 192.168.1.0/24 network.
At the end, on the 3rd router I used on fa0/0 a class B address which uses the last 0 as a valid IP address.
I used 10.45.45.0/16 on fa0/0 and 10.45.45.1/16 on a single PC attached via switch.
SO here is the trick:
IF we ping the 10.45.45.1 interface s0/0/1 of router C from the host 10.45.45.1/16, we succeed;
if we try to do a telnet connection, we can’t.
So the only way to permit a ping is to use a /16 class on any host; if we use any other IP address that doesn’t have .0 in the last octet, we fail the ping.
SO in a practical way we can ping from a host that has .0 in the last octet, but we cannot telnet to the router because it is not in the same subnet; if you remember, to telnet to someone we need to be on the same subnet, or we have to telnet hop by hop; if we try to telnet directly from another subnet we can’t.
So we can ping, we can connect if we come from the x.x.x.0 address, but we can’t telnet, because the last link, from s0/0/1 of router C to s0/0/1 of the newly added router, is not from the x.x.x.0 network, so ACL 115 refuses us the connection.
SO THE RIGHT ANSWER MAYBE IS:
C – FTP, FTP-DATA, echo, and www would work but telnet would fail
but only from an x.x.x.0 client with a /16.
Is 0.0.0.0 255.255.255.0 valid while creating an ACL? 0.0.0.0 don’t-care bits on the network portion! And wildcard bits 255.255.255.0? What is it? I think it should be different from this, like 0.0.0.0 or 0.0.0.255. I don’t really get this concept; can anyone please explain clearly? I am going to take the test the following week.
I won with 958….this question is involved….
Dear all, I am unable to open these dumps in my Visual Cert Exam Suite version 3.1.2. Please guide me on where to open them. If anyone has Visual Cert version 3.3, please share it with me. My exam is on 27th November 2013.
http://www.examcollection.com/cisco/Cisco.Actualtests.200-120.v2013-10-01.by.examtut.278q.vce.file.html
So I can only expect 3 multiple-choice questions in this sim?
Why is it possible to issue another access list (“ip access-group 114 in” on the fa0/0 interface) in question 2 but not in question 3?
“Recall that each interface only accepts one access-list, so when using the command “ip access-group 115 in” on the s0/0/1 interface it will overwrite the initial access-list 102.” ????????
I passed the new CCNA (200-120) today with score 972. EIGRP, Access list sim 1 and 2.
Many thanks 9tut.
RouterC#sh ip route :
Gateway of last resort is not set
10.0.0.0/24 is subnetted, 2 subnets
C 10.4.4.0 is directly connected, FastEthernet0/0
C 10.145.145.0 is directly connected, Loopback2
172.16.0.0/24 is subnetted, 1 subnets
C 172.16.4.0 is directly connected, Loopback1
- From here we can see that the given subnet is a class C type “/24”. The “255.255.255.0” wildcard would prevent any type C, so “D” is not correct. But if there is a class A or B subnet in the given, then “A” would not be true.
:)
Hey there..
I am interested in knowing which of these simulations are on the new exam, and which ones are discarded from the 640-802 exam?
The Questions here are correct
Today passed CCNA. LAB: ACL2, ACL, EIGRP
ACL 2 :
Permit D to Web Server
Deny All to Web Server
Permit all to public server
Thanks and good Luck
Just passed CCNA just now (93%).
-Sims:ALC,ACL1, EIGRP.
-Only got two drag and drop Q’s.
ACL2-Permit D to Web Server
-Deny All to Web Server
-Permit all to public server
Good luck, CCNA’ans.
just passed CCNA (100%) , thank you very much 9tut
-sims ALC , ACL1 , EIGRP
ACL is wonderful in CCNA study.
I think the answer “no host could connect to s0/0/1” is correct because in this case we have to look at the subnet mask configured on the interface as well. I too thought that an IP address of 10.5.5.0/8, for example, would work on the interface, plus it is of the form x.x.x.0, but if you consider the configured mask of 255.255.255.0 then no host can connect. :-)
Whether the above ACL is ACL1 in the CCNA sim, please clear up the doubt.