CCNA – Access List Questions
Here you will find answers to CCNA Access list questions
Note: If you are not sure about how to use Access list, please read my Access list tutorial
Question 1
Your boss is learning a CCNA training course, refer to the exhibit. The access list has been configured on the S0/0 interface of router RTB in the outbound direction. Which two packets, if routed to the interface, will be denied? (Choose two)
access-list 101 deny tcp 192.168.15.32 0.0.0.15 any eq telnet
access-list 101 permit ip any any
A. source ip address: 192.168.15.5; destination port: 21
B. source ip address: 192.168.15.37 destination port: 21
C. source ip address: 192.168.15.41 destination port: 21
D. source ip address: 192.168.15.36 destination port: 23
E. source ip address: 192.168.15.46; destination port: 23
F. source ip address: 192.168.15.49 destination port: 23
Answer: D E
Explanation
First we notice that Telnet uses TCP port 23, so only D, E and F can satisfy this requirement.
The purpose of this access list is to deny Telnet from the network 192.168.15.32 0.0.0.15, which is 192.168.15.32 255.255.255.240 (to find the subnet mask, invert every bit of the wildcard mask: each 0 becomes 1 and each 1 becomes 0), to any destination. So we need to work out the range of this network to learn which source addresses will be denied.
Increment: 16 (256 - 240)
Network address: 192.168.15.32
Broadcast address: 192.168.15.47
-> Only 192.168.15.36 (Answer D) and 192.168.15.46 (Answer E) belong to this range, so they are the correct answers. 192.168.15.49 (Answer F) is in the next block (192.168.15.48 - 192.168.15.63) and is permitted by the second line.
Question 2
Refer to the graphic. It has been decided that PC1 should be denied access to Server. Which of the following commands are required to prevent only PC1 from accessing Server1 while allowing all other traffic to flow normally? (Choose two)
A – Router(config)# interface fa0/0
Router(config-if)# ip access-group 101 out
B – Router(config)# interface fa0/0
Router(config-if)# ip access-group 101 in
C – Router(config)# access-list 101 deny ip host 172.16.161.150 host 172.16.162.163
Router(config)# access-list 101 permit ip any any
D – Router(config)# access-list 101 deny ip 172.16.161.150 0.0.0.255 172.16.162.163 0.0.0.0
Router(config)# access-list 101 permit ip any any
Answer: B C
Question 3
Refer to the exhibit. Why would the network administrator configure RA in this manner?
A. to give students access to the Internet
B. to prevent students from accessing the command prompt of RA
C. to prevent administrators from accessing the console of RA
D. to give administrators access to the Internet
E. to prevent students from accessing the Internet
F. to prevent students from accessing the Admin network
Answer: B
Explanation
Although the access list "permits" network 10.1.1.0/24, the best answer here is "to prevent students from accessing the command prompt of RA". From the exhibit, 10.1.1.0/24 is the "Admin" network. The access list is applied to "line vty 0 4" (with the access-class command), so it permits only Telnet sessions from the Admin network to RA and drops every other attempt to open a VTY session (because of the implicit "deny all" at the end of every access list). Therefore we can deduce that it will "prevent students from accessing the command prompt of RA".
Because it is applied to the VTY lines, this access list filters only Telnet sessions to RA itself, not traffic routed through RA, so it neither permits nor prevents anyone from accessing the Internet -> A, D and E are not correct.
C is not correct because this access list allows administrators (10.1.1.0/24) to reach RA, and a VTY access list does not control the physical console port anyway.
F is not correct because this access list does not filter TCP, UDP or IP traffic passing through the router, so the students can still reach the Admin network.
(Notice that "command prompt" here implies Telnet, as Telnet is the only way to remotely access RA shown in the exhibit.)
Question 4
An access list was written with the four statements shown in the graphic. Which single access list statement will combine all four of these statements into a single statement that will have exactly the same effect?
A. access-list 10 permit 172.29.16.0 0.0.0.255
B. access-list 10 permit 172.29.16.0 0.0.1.255
C. access-list 10 permit 172.29.16.0 0.0.3.255
D. access-list 10 permit 172.29.16.0 0.0.15.255
E. access-list 10 permit 172.29.0.0 0.0.255.255
Answer: C
Explanation
The four statements above allow 4 consecutive networks (172.29.16.0/24 to 172.29.19.0/24), so we can summarize them as the single network 172.29.16.0/22.
/22 = 255.255.252.0, which is 0.0.3.255 when converted into a wildcard mask -> C is correct.
A, B and D are not correct because their wildcard masks cover the wrong number of addresses:
Answer A allows only 172.29.16.0 to 172.29.16.255 (one /24)
Answer B allows only 172.29.16.0 to 172.29.17.255 (two /24s)
Answer D allows 172.29.16.0 to 172.29.31.255 (sixteen /24s, far more than the original four)
Both the network address and the wildcard mask of answer E are wrong, as it allows the whole major network 172.29.0.0/16 to go through.
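The wildcard arithmetic used in Questions 1, 4 and 5 (and in the "last 8 addresses of 192.168.3.32/28" question raised in the comments), as an added Python example that is not part of the original page. It uses only the standard library ipaddress module; the addresses and networks are the ones from the questions above. The summarize() function goes beyond Question 4 in that it also reports when a list of networks cannot be combined into one statement with exactly the same effect.

```python
import ipaddress


def _to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def _to_str(value):
    return str(ipaddress.IPv4Address(value))


def wildcard_to_mask(wildcard):
    """Invert every bit of a Cisco wildcard mask to get the subnet mask.
    0.0.0.15 -> 255.255.255.240, 0.0.3.255 -> 255.255.252.0"""
    return _to_str(~_to_int(wildcard) & 0xFFFFFFFF)


def wildcard_to_prefix(wildcard):
    """Prefix length equivalent of a contiguous wildcard (0.0.0.15 -> 28).
    IOS accepts non-contiguous wildcards such as 0.0.255.0, but they have no
    prefix-length equivalent, so they are rejected here."""
    mask = ~_to_int(wildcard) & 0xFFFFFFFF
    prefix = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError("non-contiguous wildcard mask %s" % wildcard)
    return prefix


def matches(packet_ip, address, wildcard):
    """The bitwise test the router really performs: every bit that is 0 in the
    wildcard must be equal in the packet address and the ACL address; bits that
    are 1 in the wildcard are ignored."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(packet_ip) & care) == (_to_int(address) & care)


def acl_range(address, wildcard):
    """First and last address matched by 'address wildcard' (contiguous
    wildcard). The address bits under wildcard 1s are cleared first, which is
    why IOS stores 'permit 172.29.17.3 0.0.3.255' as 172.29.16.0 0.0.3.255."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    first = _to_int(address) & care
    last = first | _to_int(wildcard)
    return _to_str(first), _to_str(last)


def summarize(networks):
    """Question 4: one address/wildcard pair with exactly the same effect as a
    list of networks, or None when the networks are not one contiguous, aligned
    block (172.29.16.0/24 plus 172.29.19.0/24 cannot be summarised without also
    admitting 172.29.17.0/24 and 172.29.18.0/24)."""
    collapsed = list(ipaddress.collapse_addresses(
        ipaddress.ip_network(n) for n in networks))
    if len(collapsed) != 1:
        return None
    net = collapsed[0]
    return str(net.network_address), str(net.hostmask)


if __name__ == "__main__":
    # Question 1: which hosts fall under 192.168.15.32 0.0.0.15?
    print(acl_range("192.168.15.32", "0.0.0.15"))   # ('192.168.15.32', '192.168.15.47')
    for host in ("192.168.15.36", "192.168.15.46", "192.168.15.49"):
        print(host, matches(host, "192.168.15.32", "0.0.0.15"))
    # Question 4: four consecutive /24s collapse to 172.29.16.0 0.0.3.255
    print(summarize(["172.29.16.0/24", "172.29.17.0/24",
                     "172.29.18.0/24", "172.29.19.0/24"]))
    # Question 5: wildcard for 192.168.1.128/28
    print(wildcard_to_mask("0.0.0.15"), wildcard_to_prefix("0.0.0.15"))
    # Last 8 addresses of 192.168.3.32/28 (.40 to .47): 192.168.3.40 0.0.0.7
    print(acl_range("192.168.3.40", "0.0.0.7"))
```

The matches() function is the check worth remembering: the router does not compare ranges, it compares only the bits that are 0 in the wildcard, which is why a wildcard like 0.0.0.7 on 192.168.3.40 picks out exactly the upper half of the /28 and why 0.0.0.15 on 192.168.3.40 is silently normalised back to 192.168.3.32.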
Question 5
A network administrator wants to add a line to an access list that will block only Telnet access by the hosts on subnet 192.168.1.128/28 to the server at 192.168.1.5. What command should be issued to accomplish this task?
A – access-list 101 deny tcp 192.168.1.128 0.0.0.15 192.168.1.5 0.0.0.0 eq 23
access-list 101 permit ip any any
B – access-list 101 deny tcp 192.168.1.128 0.0.0.240 192.168.1.5 0.0.0.0 eq 23
access-list 101 permit ip any any
C – access-list 1 deny tcp 192.168.1.128 0.0.0.255 192.168.1.5 0.0.0.0 eq 21
access-list 1 permit ip any any
D – access-list 1 deny tcp 192.168.1.128 0.0.0.15 host 192.168.1.5 eq 23
access-list 1 permit ip any any
Answer: A
Explanation:
First, the question asks to block only Telnet access, so the port we have to use is 23 -> C is not correct (it uses port 21, which is FTP).
Next we need to block traffic from hosts on the subnet 192.168.1.128/28, which is 192.168.1.128 0.0.0.15 when converted to a wildcard mask (just invert every bit of the subnet mask 255.255.255.240: 0 becomes 1 and 1 becomes 0) -> B is incorrect, because 0.0.0.240 is the last octet of the subnet mask itself, not its inverse.
In this case we have to use an extended access list because we need to specify the protocol (TCP) and the destination port (23) -> D is incorrect because access list number 1 is in the standard range (1-99), and a standard access list can match only the source address; the router will reject the protocol and port keywords on it.
Question 6
As a network administrator, you have been instructed to prevent all traffic originating on the LAN from entering the R2 router. Which of the following commands would implement the access list on the interface of the R2 router?
A – access-list 101 in
B – access-list 101 out
C – ip access-group 101 in
D – ip access-group 101 out
Answer: C
Explanation
Traffic originating on the LAN enters R2 through its LAN-facing interface, so the access list must be applied inbound on that interface with "ip access-group 101 in". "access-list 101 in" and "access-list 101 out" (A and B) are not valid commands: access-list statements only define the list in global configuration mode, and ip access-group is the interface command that binds the list to a direction.
Question 7
The following access list was applied outbound on the E0 interface connected to the 192.169.1.8/29 LAN:
access-list 135 deny tcp 192.169.1.8 0.0.0.7 eq 20 any
access-list 135 deny tcp 192.169.1.8 0.0.0.7 eq 21 any
How will the above access lists affect traffic?
A – FTP traffic from 192.169.1.22 will be denied
B – No traffic, except for FTP traffic will be allowed to exit E0
C – FTP traffic from 192.169.1.9 to any host will be denied
D – All traffic exiting E0 will be denied
E – All FTP traffic to network 192.169.1.9/29 will be denied
Answer: D
Explanation:
There is always an implicit "deny all" at the end of every access list, so an access list that does not contain any "permit" statement blocks all the traffic it is applied to. (If "access-list 135 permit ip any any" were added as a third line, only the traffic matched by the two deny lines would be dropped and everything else leaving E0 would pass.)
Note: This access list is applied in the outbound direction, so only packets exiting E0 are checked. Packets entering E0 are not checked by it and are all allowed to pass through.
Question 8
The access control list shown in the graphic has been applied to the Ethernet interface of router R1 using the ip access-group 101 in command. Which of the following Telnet sessions will be blocked by this ACL? (Choose two)
A – from host PC1 to host 5.1.1.10
B – from host PC1 to host 5.1.3.10
C – from host PC2 to host 5.1.2.10
D – from host PC2 to host 5.1.3.8
Answer: B D
Explanation
Below is the simple syntax of an extended access list:
access-list access-list-number {deny | permit} {ip | tcp | udp | icmp} source source-wildcard [eq source-port] destination destination-wildcard [eq destination-port]
Notice that this access list is applied to the Ethernet interface of R1 in the inbound direction, so it filters the packets originating from the E1 network (hosts PC1 and PC2) against these parameters:
Source network: 5.1.1.8 0.0.0.3, which means 5.1.1.8/30 (subnet mask 255.255.255.252; just invert all the wildcard bits to get the equivalent subnet mask) -> packets from 5.1.1.8 to 5.1.1.11 are matched.
Destination network: 5.1.3.0 0.0.0.255, which means 5.1.3.0/24 -> packets to 5.1.3.0/24 are matched.
Destination port: eq telnet (TCP port 23).
Therefore Telnet packets originating from 5.1.1.8 - 5.1.1.11 and destined for any host 5.1.3.x will be denied. Sessions to 5.1.1.10 (A) and 5.1.2.10 (C) do not match the destination network, so this line does not block them.
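The top-down, first-match evaluation behind Questions 1, 7 and 8, including the implicit deny and the difference between an "eq" placed after the source and one placed after the destination, as an added Python example that is not part of the original page. The parser covers only the numbered extended ACL syntax used on this page (any, host, address/wildcard, eq port). Assumptions: PC1 and PC2 of Question 8 are given the hypothetical addresses 5.1.1.9 and 5.1.1.10 (inside 5.1.1.8/30, since the exhibit is not reproduced here); the server address 202.106.16.100 is taken from a commenter's Packet Tracer test further down; the client ports 1025 and 40000 are constructed ephemeral ports.

```python
import ipaddress

# Well-known names accepted after "eq" on this page; numeric ports also work.
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "telnet": 23, "www": 80}

# Question 7 as printed (no permit line), and with the permit a commenter added.
ACL_Q7 = [
    "access-list 135 deny tcp 192.169.1.8 0.0.0.7 eq 20 any",
    "access-list 135 deny tcp 192.169.1.8 0.0.0.7 eq 21 any",
]
ACL_Q7_WITH_PERMIT = ACL_Q7 + ["access-list 135 permit ip any any"]

# Question 8, reconstructed from the explanation above.
ACL_Q8 = [
    "access-list 101 deny tcp 5.1.1.8 0.0.0.3 5.1.3.0 0.0.0.255 eq telnet",
    "access-list 101 permit ip any any",
]


def _ip_match(packet_ip, address, wildcard):
    """Compare only the bits that are 0 in the wildcard (what the router does)."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(packet_ip)) & care) == \
           (int(ipaddress.IPv4Address(address)) & care)


def _parse_addr(tok, i):
    """Consume 'any' | 'host A' | 'A WILDCARD' at tok[i]; return (addr, wildcard, next)."""
    if tok[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tok[i] == "host":
        return tok[i + 1], "0.0.0.0", i + 2
    return tok[i], tok[i + 1], i + 2


def _parse_port(tok, i):
    """Consume an optional 'eq PORT' at tok[i]; return (port or None, next)."""
    if i < len(tok) and tok[i] == "eq":
        p = tok[i + 1]
        return (int(p) if p.isdigit() else PORT_NAMES[p]), i + 2
    return None, i


def parse_ace(line):
    """Parse: access-list N {permit|deny} {ip|tcp|udp|icmp} SRC [eq P] DST [eq P].
    An 'eq' right after the source is a SOURCE port match; only an 'eq' after
    the destination matches the destination port."""
    tok = line.split()
    if len(tok) < 6 or tok[0] != "access-list":
        raise ValueError("not an extended ACE: %s" % line)
    src, src_wc, i = _parse_addr(tok, 4)
    sport, i = _parse_port(tok, i)
    dst, dst_wc, i = _parse_addr(tok, i)
    dport, i = _parse_port(tok, i)
    return {"action": tok[2], "proto": tok[3], "src": (src, src_wc), "sport": sport,
            "dst": (dst, dst_wc), "dport": dport, "text": line}


def evaluate(acl, proto, src_ip, dst_ip, sport=None, dport=None):
    """Top-down, first-match evaluation; a packet matching no line hits the
    implicit deny. Returns (action, line that matched)."""
    for ace in map(parse_ace, acl):
        if ace["proto"] != "ip" and ace["proto"] != proto:
            continue
        if not (_ip_match(src_ip, *ace["src"]) and _ip_match(dst_ip, *ace["dst"])):
            continue
        if ace["sport"] is not None and ace["sport"] != sport:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"], ace["text"]
    return "deny", "implicit deny at end of list"


if __name__ == "__main__":
    # Question 7: with no permit statement, even an HTTP request is dropped.
    print(evaluate(ACL_Q7, "tcp", "192.169.1.9", "202.106.16.100", 1025, 80))
    # An FTP client uses an ephemeral source port, so 'eq 21' after the source
    # does not match its control connection; only a packet sourced from port 21 does.
    print(evaluate(ACL_Q7_WITH_PERMIT, "tcp", "192.169.1.9", "202.106.16.100", 1025, 21))
    print(evaluate(ACL_Q7_WITH_PERMIT, "tcp", "192.169.1.9", "202.106.16.100", 21, 1025))
    # Question 8: PC1 (assumed 5.1.1.9) to 5.1.3.10 via Telnet is blocked, to 5.1.1.10 it is not.
    print(evaluate(ACL_Q8, "tcp", "5.1.1.9", "5.1.3.10", 40000, 23))
    print(evaluate(ACL_Q8, "tcp", "5.1.1.9", "5.1.1.10", 40000, 23))
```

Running the Question 7 cases shows why the position of "eq" matters on the exam: the two printed lines match packets whose source port is 20 or 21, and the only thing that stops the client's own FTP connection in the list as printed is the implicit deny at the end.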
Question 9
The following configuration line was added to router R1
Access-list 101 permit ip 10.25.30.0 0.0.0.255 any
What is the effect of this access list configuration?
A – permit all packets matching the first three octets of the source address to all destinations
B – permit all packet matching the last octet of the destination address and accept all source addresses
C – permit all packet matching the host bits in the source address to all destinations
D – permit all packet from the third subnet of the network address to all destinations
Answer: A
I am having my CCNA exam on Thursday. Any help, send it to amatkebbeh11@yahoo.com
@Raja
for Question 9.
10.25.30.0 0.0.0.255 is the same as 10.25.30.0 255.255.255.0 or 10.25.30.0/24.
permit ip 10.25.30.0 0.0.0.255 permits the source address 10.25.30.0/24 to any destination.
The correct answer is A – permit all packets matching the first three octets of the source address to all destinations. Does it mean you must match the first three octets, /24?
I just took the CCNA. The ACL sim had 2 routers, 2 servers, 3 switches. How do I simplify?
Make a drawing? Rename everything with a simple name?
Please send me the latest dumps. Email id: murugan21_cs@yahoo.com. I am planning to take the exam this month, September. Hope that helps! Many thanks.
Q.
What combination of IP address and wildcard mask should be used to specify only the last 8 address in the subnet 192.168.3.32/28?
a. 192.168.3.32 0.0.0.7
b. 192.168.3.32 0.0.0.15
c. 192.168.3.40 0.0.0.7
d. 192.168.3.40 0.0.0.15
Answer is option C.
I am leaning towards option D. Anyone care to elaborate on this? Thanks.
Thanks 9tut. I have cleared the CCNA exam today. 3 simulators came in the exam:
VTP
ACL sim 2
EIGRP.
Q. I am preparing for the CCNA exam next Tuesday; I need advice on what to be aware of when answering drag and drop questions. I noticed during my practice that answers dragged into the boxes have to be in a specific order even if they are in the correct categories. Need advice please.
EXAMPLE:
ANSWERS from ACME
Crossover cable
PC to router Fa0/0
switch1 port Fa0/1 to switch2 port Fa0/1
Straight-through
router to hub
PC to switch Fa0/1
Rollover
PC serial port to switch console port
My answers, which were marked wrong, as follows:
Crossover cable
PC to router Fa0/0
switch1 port Fa0/1 to switch2 port Fa0/1
Straight-through
PC to switch Fa0/1
router to hub
Rollover
PC serial port to switch console port
What combination of IP address and wildcard mask should be used to specify only the last 8 address in the subnet 192.168.3.32/28?
a. 192.168.3.32 0.0.0.7
b. 192.168.3.32 0.0.0.15
c. 192.168.3.40 0.0.0.7
d. 192.168.3.40 0.0.0.15
Answer is option C.
I am leaning towards option D. Anyone care to elaborate or shed some light on this? Thanks.
@Osman
With reference to question number 1,
in the diagram /29 is given, but look at the ACL statements: the wildcard mask is 0.0.0.15,
so according to the calculation the mask will be 255.255.255.240 (255 - 15).
Hi guys, I just passed my CCNA, got 950. I want to say a big thanks to 9tut.com, you guys are doing a great job. I got 9 WAN questions, 4 NAT questions, 1 drag and drop, and I was given a really difficult access-list question. At first I was panicking when I started, but I managed to gain confidence almost immediately. I got a VTP sim and also an EIGRP sim. Most of all I thank GOD for giving me success in the exam, praise the name of the Lord.
Hello Koffy,
If you haven't got a solution, here follows my explanation of why it should be C....
There are 2 choices here....
Choice 1 is: the last 8 addresses are 40, 41, 42, 43, 44, 45, 46, 47 (including the broadcast address).
Choice 2 is: the last 8 addresses are 39, 40, 41, 42, 43, 44, 45, 46 (without the broadcast address).
If we use choice 1 then C fits perfectly, since in all of those addresses the 4th bit will be set to one; but if we take choice 2 then C is not right. But D isn't correct since it would take more than eight addresses.
What do you say about that? Since I didn't read the original question, I am not sure.
Can anybody send me the latest updated dumps? I have 2 to 3 types and don't know which was updated. Thanks.
Email: qasiimi_noori@yahoo.com
Please, dear, I need dumps for CCNA,
yongtillblisz@yahoo.com
Please send me the latest dumps for CCNA... thanks @ melmaj_may2183@yahoo.com
@koffy @bruno
For /28 the range would be 192.168.3.32 to 192.168.3.47, which has an increment of 16; in this case the wildcard should be 0.0.0.15. Could you please explain how the wildcard becomes 0.0.0.7, since the answer given is C?
@xallax
Regarding Q6.
ip access-group 101 in
Suppose you are instructed to write out a policy and apply it.
Router(config)#access-list 101 deny ip 192.168.45.0 0.0.0.255 192.168.46.0 0.0.0.0
Router(config)#access-list 101 deny ip 172.17.0.0 0.0.255.255 192.168.46.0 0.0.0.0
Router(config)# int se0/0 (assuming the serial interface is 0/0)
Router(config-if)#ip access-group 101 in
Router(config-if)#end
Router#copy run start
Would this policy be appropriate? Please correct me. Thanks
@koffy
Router(config)#access-list 101 deny ip 192.168.45.0 0.0.0.255 192.168.46.0 0.0.0.0
Never! You are denying traffic to the network ID…
Router(config)#access-list 101 deny ip 172.17.0.0 0.0.255.255 192.168.46.0 0.0.0.0
Once again, you are denying traffic to 192.168.46.0 0.0.0.0.
I see no "permit any any" at the end of your access list; this will result in a complete incoming traffic denial.
Very good!
Q6.
I meant: suppose you are instructed to write out a policy and apply it.
@xallax
Thanks buddy.
Meaning the third line should be......
Router(config)#access-list 101 permit ip any any
The "implicit deny all" at the end of every ACL would take priority without the third line, permit any any......... Is the policy otherwise well written out? Thanks again.
@koffy
Router(config)#access-list 101 deny ip 192.168.45.0 0.0.0.255 192.168.46.0 0.0.0.255
Router(config)#access-list 101 deny ip 172.17.0.0 0.0.255.255 192.168.46.0 0.0.0.255
Look at the destination wildcards that I've used.
You want to deny access to that full network, so you specify it.
You must master the wildcard concept.
Q8.
@xallax
A. From host PC1 to host 5.1.1.10..... Doesn't apply - not a TCP connection
B. From host PC1 to host 5.1.3.10..... Would be filtered - a TCP connection (Telnet session)
C. From host PC2 to host 5.1.2.10..... Doesn't apply - not a TCP connection
D. From host PC2 to host 5.1.3.8..... Would be filtered - a TCP connection (Telnet session)
Are these basically the reasons options B & D are the correct answers, with respect to the explanations given above? Please advise. Thanks.
@ xallax
Thanks very much. I will be working on wildcard concept.
@koffy
About Q8:
the answer is in the wildcard masks yet again.
It blocks anything from the logical subnet 5.1.1.8/30 to the logical subnet 5.1.3.0/24.
I want to emphasize the words "logical subnet" because those are not actual subnets; they are just how the router sees them after reading the arguments of the access list.
So...
deny tcp 5.1.1.8 _ 0.0.0.3 ___ 5.1.3.0 _ 0.0.0.255 eq telnet
is equal to saying
do not allow any TCP traffic
from 5.1.1.8/30
to 5.1.3.0/24
if the destination port is equal to the Telnet port (23)
@xallax
Q5.
A. access-list 101 deny tcp 192.168.1.128 0.0.0.15 192.168.1.5 0.0.0.0 eq 23
access-list 101 permit ip any any
192.168.1.128/28 is a block of 16 (255.255.255.240) (wildcard 0.0.0.15)
128+16=144, hosts denied. Or 16 hosts denied.
Unused address space=96, therefore 144+96=240..../28
240+15=255...... a whole block of /24 address space.
I'm just trying to figure out the math behind the whole ACL concept. Please correct me if I am wrong. Thanks.
I took the exam and got 801. Failed by one question... forgot to do the command copy run start for the access list... how cruel life can be. I even realised it midway, but our great Cisco rule of "can't go back" made sure I missed it by 24 marks. All the sims, access list, EIGRP and VTP, were totally ambush questions, totally changing the questions even though the diagram was the same. I am feeling very low. Good luck to everyone else...
@koffy
A. access-list 101 deny tcp 192.168.1.128 _ 0.0.0.15 __ 192.168.1.5 _ 0.0.0.0 eq 23
192.168.1.128 _ 0.0.0.15
from .128 to .(128+15=143)
192.168.1.5 _ 0.0.0.0
from .5 to .(5+0=5)
wildcards are simple :)
If in Q7 we add "access-list 135 permit ip any any", why is C correct? (as the explanation stated)
"If we use the command "access-list 135 permit ip any any" at the end of this access list then the answer should be C – FTP traffic from 192.169.1.9 to any host will be denied.
How to grasp inbound and outbound?"
If I understand the question correctly, draw a picture like this: "router"—e0 (outbound)—192.169.1.8/29
So option "C: FTP traffic from host 192.169.1.9 to any host" would be considered INbound from the router's standpoint, but the access list is applied outbound, so it should not affect 192.169.1.9 FTPing to any host. (Assume a telnet to any host on the left side of the router; then it would be inbound traffic.)
Do I miss something here?
The question rewrite like this :
The following access list below was applied outbound on the E0 interface connected to the 192.169.1.8/29 LAN:
access-list 135 deny tcp 192.169.1.8 0.0.0.7 eq 20 any
access-list 135 deny tcp 192.169.1.8 0.0.0.7 eq 21 any
access-list 135 permit ip any any
How will the above access lists affect traffic?
A – FTP traffic from 192.169.1.22 will be denied
B – No traffic, except for FTP traffic will be allowed to exit E0
C – FTP traffic from 192.169.1.9 to any host will be denied
D – All traffic exiting E0 will be denied
E – All FTP traffic to network 192.169.1.9/29 will be denied
Q7: I just built it in Packet Tracer like this and tested it:
server–switch–router–switch—pc
server (202.106.16.100/24)—switch–{(202.106.16.1/24) f0/1 Router (f0/0 with 192.169.1.10)}–switch—PC (192.169.1.9)
Apply access-list 135 OUTbound on f0/0 (i.e. on the PC side on the right).
Try to FTP to the server on the left side.
Result:
1) Without access-list 135 permit ip any any, I cannot FTP to the server on the left side.
2) With access-list 135 permit ip any any, I can still FTP from the PC on the right to the server on the left.
Does this prove the outbound and inbound theory?
Do I miss anything?
Anyone please help... if I don't save my configs in the test on my sims, do I lose all my points? Can anyone tell me?
@paul Yes... that's how I failed... I got 0% in access list for not saving the config... this is cruel...
I need some help to shed a light on ACLs for ICMP and FTP.
1. How do we configure it if we want to deny/allow FTP? What port do we use?
2. How do we configure it if we want to deny/allow PING? What port do we use?
All answers are welcome!
@bruno
"eq ftp" or "eq 23" for FTP
"eq icmp" for ping
Hi, I am going for the CCNA exam next Friday, already done my best for prep; it's time to look at dumps to get an idea. Can anybody please send me the latest dumps? Thanks in advance. Good luck to all.
Email: waqasonline3@yahoo.com. Forgetting to write my e-mail address in the previous comment is as cruel as not saving the running config...... thank god this is not the exam.... haha...
Could anyone have an idea about any website for CCNA security?
Up arrow key question
I wonder if anybody knows whether the "up arrow key" is allowed or not in the sim. I failed the test with 801 on my first attempt today. I got this ACL sim. There were 2 tasks: 1) allow host B to access the financial server via www; 2) allow others to access the web server.
Due to time pressure, I used the "up arrow key" to repeat the second statement and change permit to deny for other traffic. I also think "permit ip any any" would take care of "access to the web server"; I do not need an additional separate statement for access to the web server.
The report shows they only awarded 25% for that area. I can't think of a good reason why the score is so low. The only thing I can think of is that they may not take the statement I modified with the "up arrow key", instead of typing the whole statement. Does anybody know about this issue?
I also came across many new questions. Some questions' language makes them confusing, like one IPv6 question with the wording "one to many group, any to many group". I sense they talk about anycast, and send to the closest location, but the language is horrible and confusing.
I lost 250 bucks. :( I see many folks ask for dumps here; may I ask for them too? I sure would study and practice, but I just don't want to waste another $250. Appreciate that. Send to
287north@gmail.com
ACL question: Refer to the exhibit. What will happen to HTTP traffic coming from the Internet that is destined for 172.16.12.10 if the traffic is processed by this ACL?
172.16.0.0 is a private address, so the traffic can't come from that address. Am I wrong? Besides, while line 30 rejects the HTTP traffic from the 172.16.0.0 network, the implicit deny will reject it from all sources. Line 40 allows all traffic, including HTTP traffic, from 172.16.0.0 only, but the HTTP traffic was already refused by line 30. Then finally the cruel implicit deny will refuse everything. Correct me if I am wrong...
@xallax ,
Thanks for the response. The reason I am asking specifically about FTP and ICMP is that FTP has 2 ports and ICMP has both ECHO-REQUEST and ECHO-REPLY. And when I searched for some information on the web, the ACLs I found contained different solutions, containing either both ports for FTP or one of them. For ICMP they sometimes contained both, sometimes only one direction. So I am a little bit confused about what is accepted on exam day. Thanks for all replies!!
@bruno
You shouldn't worry about that. If you're asked to deny/permit ping then just use ICMP.
@ All,
Question 2,
Why "ip access-group 101 in"?
Why is it not "ip access-group 101 out"?
Thanx tut..
Passed my CCNA today, the sims were really helpful.... I got 945.
Hi 9tut, please help me with this question.
While troubleshooting ACL issues, which command will help to verify which interfaces are affected?
show interface
show ip interface
sh ip access-Lists
Q5: I think both A & D are correct.
Just passed my CCNA, got 920/1000. SIMs were VTP, ACL2 and EIGRP.
Thanks to 9tut.... I have cleared my CCNA today with 960/1000... the unsolved question from my side was on VPN...
... for ACL go for the modification question in 9tut..... all the best for your exam........
Now it's time for CCNP.........
I'm going to take my test for the CCNA 640-802 at the end of this month; I need anything that will get me ready by then.
@xallax:
You wrote: "eq ftp" or "eq 23" for FTP
"eq 23" is for Telnet, not for FTP.
@sm:
show ip interface
@dims
Yes, my bad.
It should've been eq 20 and eq 21.