
CCNA Access List Sim

February 10th, 2014

Question

[image: accesslist_sim]

An administrator is trying to ping and telnet from Switch to Router with the results shown below:

Switch>
Switch> ping 10.4.4.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.4.4.3, timeout is 2 seconds:
.U.U.U
Success rate is 0 percent (0/5)
Switch>
Switch> telnet 10.4.4.3
Trying 10.4.4.3 …
% Destination unreachable; gateway or host down
Switch>

Click the console connected to Router and issue the appropriate commands to answer the questions.

Answer and Explanation

Note: If you are not sure about Access-list, please read my Access-list tutorial. You can also download this sim to practice (open with Packet Tracer) here: http://www.9tut.com/download/9tut.com_CCNA_Access_List_Sim.pkt

For this question we only need the show running-config command on Router to answer all the questions below.

Router>enable
Router#show running-config

[images: accesslist_sim_showrun1, accesslist_sim_showrun2, accesslist_sim_showrun3 (show running-config output)]

Question 1:

Which will fix the issue and allow ONLY ping to work while keeping telnet disabled?

A – Correctly assign an IP address to interface fa0/1
B – Change the ip access-group command on fa0/0 from “in” to “out”
C – Remove access-group 106 in from interface fa0/0 and add access-group 115 in.
D – Remove access-group 102 out from interface s0/0/0 and add access-group 114 in
E – Remove access-group 106 in from interface fa0/0 and add access-group 104 in

Answer: E

Explanation:

Let’s have a look at the access list 104:

[image: accesslist_sim_answer1 (access-list 104)]

The question does not ask about ftp traffic, so we don’t care about the first two lines. The 3rd line denies all telnet traffic and the 4th line permits icmp echo traffic (ping). Remember that access list 104 is applied in the inbound direction, so the 5th line “access-list 104 deny icmp any any echo-reply” does not affect our icmp traffic: the echo-reply leaves the router in the outbound direction, where an inbound list is not checked.

Question 2:

What would be the effect of issuing the command ip access-group 114 in to the fa0/0 interface?

A – Attempts to telnet to the router would fail
B – It would allow all traffic from the 10.4.4.0 network
C – IP traffic would be passed through the interface but TCP and UDP traffic would not
D – Routing protocol updates for the 10.4.4.0 network would not be accepted from the fa0/0 interface

Answer: B

Explanation:

From the output of access-list 114 (“access-list 114 permit ip 10.4.4.0 0.0.0.255 any”) we can see that this access list permits all IP traffic from the 10.4.4.0/24 network, which is what answer B states.

Question 3:

What would be the effect of issuing the command access-group 115 in on the s0/0/1 interface?

A – No host could connect to Router through s0/0/1
B – Telnet and ping would work but routing updates would fail.
C – FTP, FTP-DATA, echo, and www would work but telnet would fail
D – Only traffic from the 10.4.4.0 network would pass through the interface

Answer: A

Explanation:

First let’s see what was configured on interface S0/0/1:

[image: accesslist_sim_answer3 (interface S0/0/1 configuration)]

Recall that each interface accepts only one access list per direction, so using the command “ip access-group 115 in” on the s0/0/1 interface replaces the initial access-list 102. Access-list 115 says nothing about telnet, so telnet connections would no longer be denied by it (so we can eliminate answer C).
B is not correct because if telnet and ping can work then routing updates can, too.
D is not correct because access-list 115 does not mention the 10.4.4.0 network. So the most reasonable answer is A.

But this raises a question…

The wildcard mask of access-list 115, which is 255.255.255.0, means that only hosts with IP addresses of the form x.x.x.0 will be accepted. Since x.x.x.0 is usually a network address, answer A, “no host could connect to Router through s0/0/1”, seems right…

But what happens if we don’t use a subnet mask of 255.255.255.0? For example, with an address of 10.45.45.0 255.255.0.0, a host with that IP address can exist, and we could connect to the router through that host. Now answer A seems incorrect!
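The rules the explanations above rely on (wildcard-mask matching, top-down first match, and the implicit deny at the end of every list) can be checked offline. The following Python script is an added example, not code from 9tut or from Cisco IOS: it parses the access-list lines quoted on this page (104, 114 and 115) and evaluates constructed packets against them. The switch address 10.4.4.1 and the 10.5.5.1 and 10.45.45.x sources are assumed test values, and the two ftp entries of ACL 104 are omitted because they are only visible in the screenshot.

```python
# Added worked example (not code from the 9tut page or from Cisco IOS): a tiny
# evaluator for numbered extended IP access lists.
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional

PORT_NAMES = {"ftp-data": 20, "ftp": 21, "telnet": 23, "www": 80}  # after "eq"

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                       # "ip" (unspecified), "tcp", "udp", "icmp"
    dport: Optional[int] = None      # TCP/UDP destination port
    icmp_type: Optional[str] = None  # "echo" or "echo-reply"

@dataclass(frozen=True)
class Ace:                           # one access-list line
    action: str                      # "permit" or "deny"
    proto: str                       # "ip", "tcp", "udp" or "icmp"
    src: str
    src_wc: str                      # source wildcard mask
    dst: str
    dst_wc: str                      # destination wildcard mask
    dport: Optional[int] = None
    icmp_type: Optional[str] = None

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means "don't care"."""
    a, n, w = (int(IPv4Address(x)) for x in (addr, network, wildcard))
    care = 0xFFFFFFFF ^ w            # bits that must match exactly
    return (a & care) == (n & care)

def parse_ace(line: str) -> Ace:
    """Parse a line such as 'access-list 104 deny tcp any any eq telnet'."""
    tok = line.split()
    if tok[0] == "access-list":
        tok = tok[2:]                # drop "access-list <number>"
    action, proto = tok[0], tok[1]
    def address(i):                  # handles the any / host / explicit forms
        if tok[i] == "any":
            return "0.0.0.0", "255.255.255.255", i + 1
        if tok[i] == "host":
            return tok[i + 1], "0.0.0.0", i + 2
        return tok[i], tok[i + 1], i + 2
    src, src_wc, pos = address(2)
    dst, dst_wc, pos = address(pos)
    rest, dport, icmp_type = tok[pos:], None, None
    if proto in ("tcp", "udp") and rest[:1] == ["eq"]:
        dport = PORT_NAMES.get(rest[1]) or int(rest[1])
    elif proto == "icmp" and rest:
        icmp_type = rest[0]          # "echo", "echo-reply", ...
    return Ace(action, proto, src, src_wc, dst, dst_wc, dport, icmp_type)

def parse_acl(text: str) -> List[Ace]:
    return [parse_ace(l) for l in text.splitlines() if l.strip()]

def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """Return 'permit' or 'deny' for pkt; the first matching entry decides."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if not wildcard_match(pkt.src, ace.src, ace.src_wc):
            continue
        if not wildcard_match(pkt.dst, ace.dst, ace.dst_wc):
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        if ace.icmp_type is not None and ace.icmp_type != pkt.icmp_type:
            continue
        return ace.action
    return "deny"                    # implicit deny at the end of every ACL

# Entries quoted in the explanation (the two ftp lines of ACL 104 are only in
# the screenshot and are left out; they do not affect ping or telnet).
ACL_104 = parse_acl("""
access-list 104 deny tcp any any eq telnet
access-list 104 permit icmp any any echo
access-list 104 deny icmp any any echo-reply
""")
ACL_114 = parse_acl("access-list 114 permit ip 10.4.4.0 0.0.0.255 any")
ACL_115 = parse_acl("access-list 115 permit ip 0.0.0.0 255.255.255.0 any")

# Constructed traffic: 10.4.4.1 is an assumed switch address (a commenter
# quotes it); 10.4.4.3 is the router address from the sim output.
PING = Packet("10.4.4.1", "10.4.4.3", "icmp", icmp_type="echo")
TELNET = Packet("10.4.4.1", "10.4.4.3", "tcp", dport=23)

def sim_results() -> dict:
    """Inbound decisions for the access lists discussed in Questions 1-3."""
    def ip(src):                     # plain IP packet from src to the router
        return Packet(src, "10.4.4.3", "ip")
    return {
        "104 ping": evaluate(ACL_104, PING),                         # permit
        "104 telnet": evaluate(ACL_104, TELNET),                     # deny
        "114 telnet": evaluate(ACL_114, TELNET),                     # permit
        "114 from 10.5.5.1": evaluate(ACL_114, ip("10.5.5.1")),      # deny
        "115 from 10.45.45.1": evaluate(ACL_115, ip("10.45.45.1")),  # deny
        "115 from 10.45.45.0": evaluate(ACL_115, ip("10.45.45.0")),  # permit
    }
```

sim_results() gives permit for the switch’s ping and deny for its telnet under ACL 104, permit for a 10.4.4.0/24 source under ACL 114, and, under ACL 115, deny for 10.45.45.1 but permit for 10.45.45.0, which is exactly the x.x.x.0 restriction discussed above. wildcard_match on its own is enough to try other masks: with a wildcard of 255.255.255.3, for example, only last octets 0 to 3 match.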

Please comment if you have any idea for this sim!


Comments
  1. Hatem
    March 11th, 2011

    About Q3, first of all we must agree that there is nothing called current topology and later topology. Access-lists are made for any current or coming topology; it’s access-lists for this router no matter what is connected to it.

    So if we agree with that, “A”, “C” & “D” answers are wrong. “A” fails with subnetting and non-/24 networks. “C” & “D” obviously fail.

    “B” consists of 2 parts. One of them, “but routing updates would fail.”, is right as [Vnpro(nbh)] said, and the part “Telnet and ping would work” depends on whether “would” is literally meant. If it was, then the answer is correct, so not all IPs could telnet or ping; if not, this part is wrong also.

    Seems there is no perfect answer but “B” is the most relatively correct answer.

    Waiting for your replies.

  2. Neetu
    March 11th, 2011

    I didn’t come across this question on pass4sure. Did any1 get this question on their real exam?

  3. Shahid
    March 12th, 2011

    today i have a test so guyz plz pray for me !!!

  4. Neetu
    March 12th, 2011

    I also have my test today so wish me luck guys :)

  5. Akshay
    March 13th, 2011

    Hey, Neetu – How was the exam?

  6. Sree
    March 13th, 2011

    Guyz plz Tell me the LABS u got on XAm…?? :)

  7. Anonymous
    March 14th, 2011

    About Question 3:

    The reason A is correct is because by default at the end of every access list (unless specifically specified otherwise) is an explicit deny.

  8. Ganish
    March 15th, 2011

    Please please please, can someone send me the packet tracer sim for this particular question? I have an exam on 17th of March. Thanks for helping me out. email== markdganish@yahoo.com

  9. Jim
    March 31st, 2011

    Great site, folks! Really great. And can try it all out for just $1 for 7 days too!
    http://www.howtonetwork.net/public/2663.cfm

  10. tyrone
    April 5th, 2011

    go to @tomiccell, i have sent you packet tracer v5.3 check your email

  11. Babu
    April 9th, 2011

    Dheeraj, i wrote exam on 8th april….out of 53 questions around 10-18 questions are new questions those questions r not in 17.14…simulation was same EIGRp,VTP,access list..but in access list little change…1 pc should access finance server but that pc should not access any other server..remember this ..i did mistake in this ..so be clear in config ….Its better to wait n give the exam…hope within this month questions wil be out…

  12. dheeraj
    April 10th, 2011

    @ babu: Thanks a lot man….frm whr in India did u giv the xam????

  13. tomiccell
    April 12th, 2011

    Thanks very much @tyrone

  14. reem
    April 13th, 2011

    Hello all
    Thank you all for your cooperation
    I will offer the exam tomorrow .. Please you got any change to the questions

  15. iany
    April 16th, 2011

    plz who any one send me the full configuration of ACL plz plz.

  16. drake
    April 18th, 2011

    question 3 answer a:

    acl uses a wild card mask so:

      255.255.255.255
    - 255.255.255.0    <- its mask on s0/0/1
    -----------------
      0.  0.  0.255    <- that’s the correct contiguous mask
    why does the ios get an incorrect mask?

  17. Shenoy
    April 20th, 2011

    I think for Q3 Answer (A) is correct, because this is pertaining to the Given Lab sim and the Sh run explains that all the Subnets are /24. so I think none of the Hosts will be able to access….. Please correct me if I am wrong!!!!!!!!

  18. Saran
    April 20th, 2011

    Can any one help me which dump is still valid? Post me. I think testinside v17.14 is still valid, or not?

  19. Maxxie
    April 20th, 2011

    regarding Q3
    ACL are using wild card mask so
    255.255.255.0 equals to 0.0.0.255 normal mask and this is wrong.
    so here is the questions:
    1. Why this mask was applied?

    Anyway the answer is A cause other doesn’t match

  20. Hitesh
    April 20th, 2011

    Q3#
    Ans:
    checked it by applying acl 115 on RC and nothing is working so by seeing the options A is correct

  21. Amit
    May 5th, 2011

    Hi Guys,

    I am standing near to exam, can u pls tell me which is acceptable answer for q-3

  22. renu
    May 14th, 2011

    Hi, I am planning to take the exam by the end of this month. Can anyone tell me if the dump v17.14 is still valid? Also, are the lab questions EIGRP, VTP and ACL the same as per this site?? Or should I have to look into some more lab exercises?? Did you try with a mock test first before appearing at the actual exam?

  23. ra.ar
    May 15th, 2011

    I don’t understand q1, plz anyone help me……….thnx

  24. @RENU
    May 16th, 2011

    Yes renu…that would be enough cuz the questions from 17.14 contains q from acme,Test inside and Prep.king

    so That would be enough

    by—-Avinash

  25. Mike
    May 18th, 2011

    I would like to confirm the difference between the ‘permit icmp any any echo’ and ‘deny icmp any any echo-reply’ statements in ACL 104. In the first case, it is permitting a reply to a ping originating on a local network. In the second case, it is denying the local host’s reply to a ping from outside the local network; i.e., the Internet.
    Can someone confirm this!

  26. Anonymous
    May 18th, 2011

    I’ll be taking my exam tomorrow so wish me luck guys..thanks so much 9tut 4 sharing everything!!

  27. Raj
    May 20th, 2011

    Atten Mike: I agree your statements are correct only. It’s based on how you are applying the ACL on the interfaces.

  28. tomtom
    May 20th, 2011

    In question 1, why is B not correct? Pings from the switch will come in (no acl in) and echo reply would be allowed (acl out).

  29. tomtom
    May 20th, 2011

    Ok. Regarding Q1 “why B is wrong?” I now get it. The answer from CBTNugget-fan is correct.

  30. Bala
    May 21st, 2011

    @Tomtom:-
    For Q1 B is incorrect. As the option explicitly didn’t specify which access-list needs to be applied outbound. If we assume 106 access-list to apply outbound B would become correct. However there is another best option E which is correct.

  31. Bala
    May 21st, 2011

    Has anyone recently gave ccna exam and encountered Q3 in this sim?

    I would give ccna in next few weeks and i would like to know should we choose option A ,B or D for Q3?

  32. #Fabian_
    June 3rd, 2011

    About question 3. This is a very tricky one.
    First of all I agree about that the router will only accept 1 access-group and overwrite the current one for the one we are issuing.
    Second, to me wildcard 255.255.255.0 means a 24 bits mask, and network 0.0.0.0 could be an any or maybe a network in the form “0.0.0.x”, then we know that there is no network in that form, so A would be the right question, nevertheless what if the “permit ip 0.0.0.0” means any network with a 24 bit mask, then A would be incorrect, I’m not sure, I was looking for the right network forms for access-list but didn’t find anything worth it, we know that a wildcard 0.0.0.0 means a host but how would those zeroes work when we are talking about network prefix in access-list ?? ,, any more ideas ??

  33. BlAcK_SuNdAy
    June 12th, 2011

    Here’s the explanation for Question #1.
    A – is wrong because interface fa0/1 is not configured and no device connected.
    B – it says change the command from “in” to “out” , not to remove “in”.
    **Note that we can have one inbound access list and one outbound access list per interface.
    **Inbound ACLs are checked before routing table. Outbound ACLs are checked after routing table.
    So the interface will have one “in” and one “out” for access-group 106. Knowing that, the router will filter inbound traffic as access-list 106 denying telnet and icmp echo. (icmp echo is denied because of the implicit deny at the end of the access-list 106.) Access list for outbound interface is not considered by the router because the traffic has originated from the router.
    **Access lists are only valid for traffic that is going through the router, they don’t filter traffic that is locally generated by the router.
    For above reasons, B is wrong. (if we remove the “in”and apply “out”, the answer is right)
    C – is wrong. Wildcard bits don’t match the switch’s ip address 10.4.4.1. (x.x.x.0 ≠ x.x.x.1)
    So any ip traffic from switch will be denied by default. (implicit deny at the end)
    D – is obviously wrong. interface s0/0/0 doesn’t need to be considered.
    E – access-group 104 is applied to inbound traffic coming to interface f0/0. (The old inbound access-group is overwritten and automatically removed; we can only have one “in” AND one “out” per interface.)
    icmp traffic is allowed because the packet matches “permit icmp any any echo” at the 4th line of the access-group 104. (Don’t confuse with the “deny icmp any any echo-reply” at the 5th line. This means that the router can send an echo request to the switch but the ping will not be successful because the echo-reply coming back from the switch is denied at the interface f0/0.)
    telnet from switch is denied due to the “deny tcp any any eq telnet” of the access-group 104.
    So finally we met the criteria that says “allow ONLY ping to work while keeping telnet disabled.”

    I’m sorry if anything wrong in my english. Not a native speaker :) \m/

  34. Mr Guy
    June 16th, 2011

    Does anyone know how the questions are weighted? As there is no clear answer for q3 I am wondering how many marks I will likely drop for getting this Q wrong?

  35. Joe
    June 22nd, 2011

    Has anyone seen this sim on an exam? For question 3, I tend to agree with Vnpro(nbh)’s thinking that B is the correct answer. If the only IP addresses permitted are x.x.x.0, then how can routing updates be sent? I’m taking the test in 2 days and would like to get some clarification on this.

  36. Vlad
    June 26th, 2011

    In the first question the right answer is B. Just change the direction of the ACL and that’s all. Try PT and you’ll see.

  37. Vlad
    June 26th, 2011

    Sorry, In question 1 B is incorrect. E is correct.

  38. Lucia
    July 11th, 2011

    Is it necessary to study this sim for the exam? I think the good lab is the other acl lab, or not?

  39. mkultra
    July 13th, 2011

    Question 3 = A – No host could connect to Router through s0/0/1

    if one router link resides in the network x.x.x.1-254 with a mask of 255.255.255.0 it follows that the remote link ip address should reside in the same range of x.x.x.1-254. If an access list is denying inbound traffic in the range of x.x.x.1-254 on either interface then at best you’d only get one-way ip traffic between routers. no end to end ip connection, no routing through that link either. Might as well stop chasing your tail right there.

    And if you change the interface on the other end to 10.45.45.0 255.255.0.0 like the guy suggests it could work, then you can forget the 115 ACL altogether. Because you’re not going to get ip connectivity between those two interfaces, period. With or without the 115 ACL. No pings, no telnet, no routing updates.

    Sure, if the router 10.45.45.1 /24 sends a ping to 10.45.45.0 /16, then 10.45.45.0 would get the ping but its reply will be ignored by 10.45.45.1. And it follows that 10.45.45.0 would get routing updates from 10.45.45.1, but 10.45.45.1 would never get routing updates from 10.45.45.0

    Now before the lot of you run to packet tracer to test it out let me add that PT is broken. It’s no substitute for knowledge and hands-on real hardware.

    To the anonymous guy a few posts above who thinks 0.0.0.0 can’t be used. You can have a source of ip 0.0.0.0 in an ACL without probs. What’s wrong here is the source’s wildcard mask. Not the source ip.

    With the wildcard of 255.255.255.0 in ACL 115 you’re allowing traffic from ip source 0.0.0.X only. But ip X.X.X.X is implicitly denied as the last statement and it follows that X.X.X.0-255 would be denied too.

    For example I can change the ACL 115 to “permit ip 0.0.0.0 255.255.255.3 any” and change the interfaces’ subnet masks to 255.255.255.252 in both routers. This would allow end to end ip routing between routers in the network of 10.45.45.0 /30 But the ACL applied to that interface wouldn’t let inbound traffic from x.x.x.4-254 through it. A ping with the source ip 10.45.50.(6) will not get through that interface, but traffic inbound with a source IP 10.45.50.(2) will pass through just fine.

    So yes, you can have a 0.0.0.0 as a source IP. In fact the keyword “any” used as a source ip/host in an access list is the equivalent of using 0.0.0.0 255.255.255.255 as the source host.

  40. Ahmad
    July 20th, 2011

    I would like to know that, in the real exam is it just answering the questions or configuring the lab? Like you did reply to the questions there, will it come in the real exam in the same mode, or does each question need to be configured at the exam? Please make it clear for me.

    Sincerely,
    Ahmad

  41. Milan
    July 25th, 2011

    For q3 I think that correct answer is A.

    B couldn’t be, as Vnpro said, because this ACL blocks traffic based on source address, not destination, so we can’t compare routing updates with this.
    Routing updates, as he said, go to destination 255.255.255.255, 224.0.0.5…not from source 255.255.255.255. Source is host IP address.

    D may be correct but because of that “Only” I wouldn’t choose that. :)

  42. khaleel
    July 27th, 2011

    I had my exams 2day but unfortunately I failed with a score of 696. Please can someone help me with explanations of the following details so that I will prepare for my next CCNA exams, because this is the 2nd time for me taking the exams and it seems like it is the same problem as the first one.
    1. implement, verify and troubleshoot NAT and ACLs in medium enterprise is 0%
    2. implement and verify WAN links 0%
    please help me guys i really wana take the exams next week.

    tips for sim: VTP, ACL and EIGRP similar to 9tut, thanks guy.

  43. mkultra
    July 28th, 2011

    @Milan
    Agreed. On Q3. The first time I looked at the problem I instinctively went for D, but I realized I was wrong since packets from other sources could pass through the router in the outbound direction. The other interfaces have ACLs that allow them to forward traffic to s0/0/1 (10.45.45.1). At least one routing protocol is going to form an adjacency or exchange a route table.
    So saying that “only” traffic from 10.4.4.0 could pass through the s0/0/1 int seems wrong.

  44. drol
    August 1st, 2011

    Hi, I’m here to tell the correct answer for question 3, the answer is A (absolutely correct).
    According to ACL, wild card mask given is 255.255.255.0 for any 0.0.0.0. so the source ip address should be of the form x.x.x.0 .
    The point everyone forgot is the gateway address of the router whose subnet is 255.255.255.0.

    It says that any host which connects to the router should be class C address. But in class C, all the address which ends with a 0 like (y.y.y.0) is a network address.

    Thus we have the answer no host can connect to the router. I accept that it was a very nice question to understand the importance of gateway address. Bye Bye.

  45. Prashant Chandrashekar
    August 6th, 2011

    Are these simulations enough for my ccna exam???
    I am giving my ccna exam on 16th aug, if anybody has the latest dumps please mail me at rashant_7@yahoo.com….

  46. Alberto
    August 7th, 2011

    We focused on the question C. After reading the explanation of webmaster, i think that this shows several issues that are right!, but, i think that we need pay attention on the subnet address of the Serial0/0/1 interface on the router, this IP has relation with the wildcard mask of access-list 115, only in this case, anyone host would be sent traffic to another host in different subnet, even to the router.

    I suggest that first check the IP address and mask in the interface where will configure the access-list, then see the answers access-list and determine the best answer for this specific case.

  47. Alberto
    August 7th, 2011

    Question C = Question 3 for above comment.

  48. mkultra
    August 8th, 2011

    @alberto if you mean to suggest that the answer for Q3 is C then you couldn’t possibly be wronger than that. If telnet fails, as it seems to suggest on answer C, so will ftp and everything else.
    ACL 115 doesn’t even specify any port in particular.

  49. Karthi
    August 11th, 2011

    How to verify the answer ?

  50. Deepti
    August 11th, 2011

    Hey Guys, for question 2, pass4sure dumps say option C is correct: that TCP and UDP traffic will not be allowed and IP traffic would be passed. Here I see a different answer. I guess in Todd’s book it’s mentioned that if you use ip first then you can’t specify an application layer protocol later, and access-list 115 uses ip only, so obviously you can’t specify an application layer protocol, so TCP and UDP traffic will be dropped and only IP will be passed. That’s why I think pass4sure has option C as the answer and not B as on 9tut. Need feedback..????
