CCNA Access List Sim
Question
An administrator is trying to ping and telnet from Switch to Router with the results shown below:
Switch>
Switch> ping 10.4.4.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.4.4.3,timeout is 2 seconds:
.U.U.U
Success rate is 0 percent (0/5)
Switch>
Switch> telnet 10.4.4.3
Trying 10.4.4.3 …
% Destination unreachable; gateway or host down
Switch>
Click the console connected to Router and issue the appropriate commands to answer the questions.
Answer and Explanation
Note: If you are not sure about Access-list, please read my Access-list tutorial. You can also download this sim to practice (open with Packet Tracer) here: http://www.9tut.com/download/9tut.com_CCNA_Access_List_Sim.pkt
For this question we only need to use the show running-config command to answer all the questions below:
Router>enable
Router#show running-config
Question 1:
Which will fix the issue and allow ONLY ping to work while keeping telnet disabled?
A – Correctly assign an IP address to interface fa0/1
B – Change the ip access-group command on fa0/0 from “in” to “out”
C – Remove access-group 106 in from interface fa0/0 and add access-group 115 in.
D – Remove access-group 102 out from interface s0/0/0 and add access-group 114 in
E – Remove access-group 106 in from interface fa0/0 and add access-group 104 in
Answer: E
Explanation:
Let’s have a look at the access list 104:
The question does not ask about ftp traffic so we don’t care about the first two lines. The 3rd line denies all telnet traffic and the 4th line allows icmp traffic to be sent (ping). Remember that the access list 104 is applied in the inbound direction, so the 5th line “access-list 104 deny icmp any any echo-reply” will not affect our icmp traffic because the “echo-reply” message will be sent in the outbound direction.
Question 2:
What would be the effect of issuing the command ip access-group 114 in to the fa0/0 interface?
A – Attempts to telnet to the router would fail
B – It would allow all traffic from the 10.4.4.0 network
C – IP traffic would be passed through the interface but TCP and UDP traffic would not
D – Routing protocol updates for the 10.4.4.0 network would not be accepted from the fa0/0 interface
Answer: B
Explanation:
From the output of access-list 114, “access-list 114 permit ip 10.4.4.0 0.0.0.255 any”, we can easily understand that this access list allows all traffic (ip) from the 10.4.4.0/24 network.
Question 3:
What would be the effect of issuing the command access-group 115 in on the s0/0/1 interface?
A – No host could connect to Router through s0/0/1
B – Telnet and ping would work but routing updates would fail.
C – FTP, FTP-DATA, echo, and www would work but telnet would fail
D – Only traffic from the 10.4.4.0 network would pass through the interface
Answer: A
Explanation:
First let’s see what was configured on interface S0/0/1:
Recall that each interface only accepts one access-list, so when using the command “ip access-group 115 in” on the s0/0/1 interface it will overwrite the initial access-list 102. Therefore any telnet connection will be accepted (so we can eliminate answer C).
B is not correct because if telnet and ping can work then routing updates can, too.
D is not correct because access-list 115 does not mention the 10.4.4.0 network. So the most reasonable answer is A.
But this raises a question…
The wildcard mask of access-list 115, which is 255.255.255.0, means that only hosts with IP addresses in the form of x.x.x.0 will be accepted. But we all know that x.x.x.0 is likely to be a network address so the answer A: “no host could connect to Router through s0/0/1” seems right…
But what will happen if we don’t use a subnet mask of 255.255.255.0? For example, we can use an IP address of 10.45.45.0 255.255.0.0; a host with that IP address exists and we can connect to the router through that host. Now answer A seems incorrect!
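The wildcard-mask reasoning above can be checked mechanically. The following Python sketch is an added example, not part of the original sim or tutorial; it models only the source-address term of an entry, and the base address 0.0.0.0 used for the access-list 115 entry is an assumption, since the page gives only its wildcard mask.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard test: 1-bits in the wildcard are ignored,
    0-bits must equal the corresponding bits of the base address."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

def evaluate(acl, src):
    """First matching entry wins; no match means the implicit deny applies."""
    for action, base, wildcard in acl:
        if wildcard_match(src, base, wildcard):
            return action
    return "deny (implicit)"

def is_usable_host(addr, prefix_len):
    """True if addr is neither the network nor the broadcast address
    of the subnet it sits in for the given prefix length."""
    net = ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)
    ip = ipaddress.IPv4Address(addr)
    return ip not in (net.network_address, net.broadcast_address)

# Source term of "access-list 114 permit ip 10.4.4.0 0.0.0.255 any" (from the page).
ACL_114 = [("permit", "10.4.4.0", "0.0.0.255")]
# Entry using the 255.255.255.0 wildcard discussed for access-list 115.
# Base address 0.0.0.0 is an assumption; the page does not show the entry.
ACL_115 = [("permit", "0.0.0.0", "255.255.255.0")]

# Constructed sample sources: (address, prefix length of the host's own subnet).
SAMPLES = [("10.4.4.1", 24), ("192.168.7.0", 24), ("10.45.45.0", 16)]

def report():
    """Map each sample source to (ACL 114 result, ACL 115 result, usable host?)."""
    return {
        src: (evaluate(ACL_114, src), evaluate(ACL_115, src),
              is_usable_host(src, plen))
        for src, plen in SAMPLES
    }

if __name__ == "__main__":
    for src, (r114, r115, usable) in report().items():
        print(f"{src:<12} ACL114={r114:<16} ACL115={r115:<16} usable_host={usable}")
```

With a /16 mask, 10.45.45.0 is an ordinary host address whose last octet is 0, so it matches the 255.255.255.0 wildcard entry, while any source whose last octet is non-zero falls through to the implicit deny.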
Please comment if you have any idea for this sim!
Has anyone noticed the answer for the first question can also be B? By changing the access-list from ‘in’ to ‘out’, all telnet traffic will still be blocked and only ICMP Echo Requests will be allowed to go out (which really doesn’t matter to us as we need Echo Replies to go out and they will). Is this something no one has seen or am I just being cuckoo??
@NotASalmanFan
I don’t think so! If the ACL 106 was outbound on interface fa0/0, the telnet wouldn’t be blocked.
The command “access-list 106 deny any any eq 23” means that all traffic with destination port 23 is blocked. At this point, if you change 106 from inbound to outbound, you only block your telnet sessions to others via interface f0/0, but still allow ones from others.
Hope it helps!
In the exam, should I only type in these lines? O_O???
Router>enable
Router#show running-config
and answer the questions?
@Thomas
Is right! If the ACL 106 is applied outbound, sure, any telnet traffic leaving “out” the applied interface would be denied. HOWEVER, this does not apply to inbound traffic coming from different interfaces, as the ACL rule is that it can only be applied one per interface; therefore that ACL will only work for Fa 0/0, as Thomas said.
- Now I’m taking the exam tomorrow any modifications to this SIM ?
Hello everyone… today, 10 July, I passed my CCNA exam at last… I got 986 marks out of 1000… I prepared from watson, mathew and bilbeast… I preferred watson… it’s still valid 100%… and as far as the labs… they are the same ACL1, ACL2 and EIGRP… and please, one piece of advice: stay calm in the exam, no need to panic.. and when you do sims read them carefully… and in ACL modification the “permit ip any any” command should be applied… in the end thanks to Touseef Bhae, Zulqurnan my friend, 9tut and examcollection…
Hi friends, I wonder if CISCO always offers the exam 640-802
pls how does the exam look like? how many questions are been asked and the timing..
I have my exams on Monday 14th july
Hai ,please can anyone help me send the new dumps to vizli2118@gmail.com..
thk u ..
THERE WERE 51 QUESTIONS…. 140 MINS TIME LENGTH…. IN EXAM SIMULATOR ONCE U ANSWER A QUESTION AND CLICK NXT THEN U CAN’T GO BACK…
vizili i just snd u dump
hi Anonymous, can you please send me the dump too @ debashish9@yahoo.com
thanks in advance
Need new Dump carl.pierce10@gmail.com
need new dump dayahchan@gmail.com
please anyone with dumps pls send me as well to rangachisi@gmail.com. Thank you in advance
new dump please, tonzy517@gmail.com
Hey anyone with new dumps please? gustavolesterm@gmail.com…. It seems that watson is not the dump anymore
need dumps shahid913@hotmail.com THANKS in advance
hi, how can a run the dumps? please help me I need the software, where can I find it?
The answer to question # 3 is certainly the option “Could not connect to host through S0/0/1 Router”; it is impossible that anyone can connect as there is a bug in the wildcard: 255.255.255.0 is not a correct wildcard.
Hi there guys, I just wanna say congrats to all ya who have passed your CCNA exams. I am currently preparing to test. Please kindly assist me with some dumps. You can send to conquista1services@gmail.com Thank you
Hi,please can anyone help me send the new dumps to elshen.rehim@gmail.com
Hi guys, I will do the exam next week. I’m quite worried! Could you please send me the last dumps to drs_1900@yahoo.es THANKS IN ADVANCE!
HELP PLEASE!! i am going to take ccna exam in august..will watson,examtut,9tut,mathew dumps will be valid ? i mean to say for how many months are ccna dumps valid and they wont change the pool of questions?
if any one one needs dumps contact me on game.rose@hotmail.com
Are these the exact questions for the ACL1 during the exam?
A lot of people say that this came out in the exam but didn’t mention that these are exactly the same questions they got.
Hello, i am looking for CCNA(200-120) dumps and cracked VCE file. Please help me. My email ID is shahsaurabh_25@yahoo.co.in
hi my friends , i have scheduled my exam for next week, i have a question in this acl sim do we have to configure it or just to choose the right answer and click next and one more thing what about vtp and nat are they going to come in the exam too? please reply thanx
Hi 9tut, for Question 3 where ACL115 will be applied but having the wrong subnet mask: actually, it will be skipped, and an ACL statement that has a wrong wildcard mask will be skipped.
Hence for that question, since it will be skipped, the implicit deny statement will kick in, thus not allowing traffic. To add, ACL statements can begin with any IP BUT the wildcard should be correct and not discontiguous; if it is wrong, yes, the statement will be accepted by the device, but it won’t work :))
-based on: experience & reading
hey guys i need new dumps for ccna 200-120.i have exam on august 16th, any one send me the new dumps to akashiyer08@gmail.com.
thanks
Hi Guys,
I also think that B is a valid answer for Q1. If ACL 106 is applied outbound, only TCP and ICMP reply traffic will be allowed from Router to Switch. Please notice that the ACL does NOT have a permit ip any any at the end, so no other traffic will be allowed.
So if a telnet connection is started from the switch, it will arrive at the router, but it will fail because the router will not reach the switch source tcp port. There is one pretty obfuscated exception: if the switch uses a FTP port as the source port for its telnet connection…
Am I missing anything?
hi, could you please send me the latest ccna dumps at iftikharjadoon@hotmail.com
HI Guys,
Looks, this is the best site for practise as well.
can anyone help me with latest CCNA dumps 200-120. if you have pls sent me at aanandunadkat4@gmail.com … Let me know, if any help is required.
Thanks,
Anand
Helo Guys,
This question was on today exam
i dont undastand dis acl1 at all its the only one am having issues wit i heard we don’t configure any tin we just answer d questions
please send me latest dumps for CCNA 200-120 to a_titanic_76@yahoo.com thanks
For Question 3’s explanation, why would any Telnet connection be accepted by changing the access lists? Wouldn’t the implicit “deny all” statement prevent that?
Passed 958/1000
Thanks 9tut! Exactly same EIGRP ACL ACL2 Sims…
also went through dumps really helped a lot!!!..
Whatson, Giilibeast, Jennie and Mathew Dumps (examcollection.com)
All 51 questions were from dumps…
even if u dont study book and only go though dumps a few times then you will pass easily…
just remember the answers given in dumps…
Hey guys I need new dumps for ccna 200-120. I have scheduled my exam on august 19th, any one send me the new dumps to avalenzuela8542@gmail.com.
Thanks!!!
Question 3, why is the Telnet connection accepted by changing the access list? Wouldn’t the implicit “deny all” statement block the telnet connection?
plez guys send me ACL2 page-link ,as i didn’t find it
to my mail asmra3@gmail.com
Hi there guys, I just wanna say congrats to all ya who have passed your CCNA exams. I am currently preparing to test. Please kindly assist me with some dumps. You can send to bassel_christian@hotmail.com
THANKS IN ADVANCE !!! :)
Hi, so what’s the deal with question 3 on the confusing acl sim?? Nobody seems sure?
Also is the latest Watson and 9tut dumps up to date for 200-120?
Cheers
Hi,please can anyone help me send the new dumps to hafiz@iraudhah.com
I passed today, got 1000/1000.
I had acl, acl2 and eigrp labs. Acl was the same as it is here.
Eigrp was also the same, simple changes (ip addresses and eigrp 2). Passive interface command was on R1 and ISP link. Don’t remove it!
I got acl2 modification 3 and as a last statement I used: permit ip any any! In server lan I had only public web server and finance web server. There was no dns server.
I used the following dumps from examcollection.com: watson, matthew, examtut and gillbeast, but I think that watson’s dump is the best and quite enough to pass. All questions were from dumps!
Hi, Pls send me the latest dump for CCNA 200-120.. email id is sujae802@hotmail.com
Hi, Pls send me the latest dump for CCNA 200-120.. email id is cavaliarz@gmail.com
Question 2 is kind of tricky because one can only apply one access list per interface per direction. Since 106 is already applied to fa0/0 and contains a statement that will deny telnet – shouldn’t A be the answer?
^ nevermind – I just found out the new will overwrite the previous.
I passed today, got 931/1000
I had acl, acl2 and eigrp labs
Eigrp was also the same, simple changes (ip addresses and eigrp 2). Passive interface command was on R1 and ISP link. Don’t remove it!
I got acl2 modification 3 and as a last statement I used: permit ip any any! In server lan I had only public web server and finance web server. There was no dns server.
I used the following dumps from examcollection.com: watson, matthew, examtut and gillbeast, but I think that watson’s dump is the best and quite enough to pass. All questions were from dumps!