
CCNA – Access List Questions

May 1st, 2011

Here you will find answers to CCNA Access list questions

Note: If you are not sure about how to use Access list, please read my Access list tutorial

Question 1

Your boss is taking a CCNA training course. Refer to the exhibit. The access list has been configured on the S0/0 interface of router RTB in the outbound direction. Which two packets, if routed to the interface, will be denied? (Choose two)

(Exhibit image: accesslist1)

access-list 101 deny tcp 192.168.15.32 0.0.0.15 any eq telnet
access-list 101 permit ip any any

A. source ip address: 192.168.15.5; destination port: 21
B. source ip address: 192.168.15.37; destination port: 21
C. source ip address: 192.168.15.41; destination port: 21
D. source ip address: 192.168.15.36; destination port: 23
E. source ip address: 192.168.15.46; destination port: 23
F. source ip address: 192.168.15.49; destination port: 23


Answer: D E

Explanation

First we notice that Telnet uses port 23, so only D, E & F can satisfy this requirement.

The purpose of this access-list is to deny traffic from network 192.168.15.32 255.255.255.240 (to find the subnet mask, just convert every “0” bit of the wildcard mask to “1” and every “1” bit to “0”) from telnetting to any device. So we need to work out the range of this network to learn which IP addresses will be denied.

Increment: 16
Network address: 192.168.15.32
Broadcast address: 192.168.15.47

-> Only 192.168.15.36 (Answer D) & 192.168.15.46 (Answer E) belong to this range, so they are the correct answers.

Question 2

Refer to the graphic. It has been decided that PC1 should be denied access to Server. Which of the following commands are required to prevent only PC1 from accessing Server1 while allowing all other traffic to flow normally? (Choose two)

(Exhibit image: accesslist2)

A – Router(config)# interface fa0/0
Router(config-if)# ip access-group 101 out
B – Router(config)# interface fa0/0
Router(config-if)# ip access-group 101 in
C – Router(config)# access-list 101 deny ip host 172.16.161.150 host 172.16.162.163
Router(config)# access-list 101 permit ip any any
D – Router(config)# access-list 101 deny ip 172.16.161.150 0.0.0.255 172.16.162.163 0.0.0.0
Router(config)# access-list 101 permit ip any any


Answer: B C


Question 3

Refer to the exhibit. Why would the network administrator configure RA in this manner?

(Exhibit image: accesslist3)

A. to give students access to the Internet
B. to prevent students from accessing the command prompt of RA
C. to prevent administrators from accessing the console of RA
D. to give administrators access to the Internet
E. to prevent students from accessing the Internet
F. to prevent students from accessing the Admin network


Answer: B

Explanation

Although the access-list is used to “permit” network 10.1.1.0/24, the best answer here is “to prevent students from accessing the command prompt of RA”. From the picture above, we know that 10.1.1.0/24 is the “Admin” network. This access list is applied to “line vty 0 4”, so it will permit only Telnet traffic from “Admin” to RA and drop all other traffic (because of the implicit “deny all” at the end of the access list). Therefore we can deduce that it will “prevent students from accessing the command prompt of RA”.

This access list only filters Telnet traffic (because it is applied to vty line) so it will not prevent or allow anyone to access the Internet -> A, D, E are not correct.

C is not correct as this access list allows administrators to access the console of RA.

F is not correct as this access list does not process TCP, UDP or IP traffic passing through RA, so the students can still access the Admin network.

(Notice that the “command prompt” here implies telnet as telnet is the only way to remotely access RA)

Question 4

An access list was written with the four statements shown in the graphic. Which single access list statement will combine all four of these statements into a single statement that will have exactly the same effect?

(Exhibit image: accesslist4)

A. access-list 10 permit 172.29.16.0 0.0.0.255
B. access-list 10 permit 172.29.16.0 0.0.1.255
C. access-list 10 permit 172.29.16.0 0.0.3.255
D. access-list 10 permit 172.29.16.0 0.0.15.255
E. access-list 10 permit 172.29.0.0 0.0.255.255


Answer: C

Explanation

The four statements above allow 4 networks (from 172.29.16.0/24 to 172.29.19.0/24) to go through, so we can summarize them as network 172.29.16.0/22.

/22 = 255.255.252.0 so it equals 0.0.3.255 when converting into wildcard mask -> C is correct.

A, B, D are not correct as their wildcard masks are wrong. For example:
Answer A allows from 172.29.16.0 to 172.29.16.255
Answer B allows from 172.29.16.0 to 172.29.17.255
Answer D allows from 172.29.16.0 to 172.29.31.255

Both the network address and wildcard mask of answer E are wrong, as it allows the whole major network 172.29.0.0/16 to go through.
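Added example (this script is not part of the original page): the wildcard-mask arithmetic behind the explanations of Question 1 (wildcard 0.0.0.15 to subnet mask 255.255.255.240 and the range 192.168.15.32 to .47) and Question 4 (summarizing four /24 networks into 172.29.16.0 0.0.3.255), written in Python with only the standard library. The function names and the summarize() helper are my own; summarize() also reports when a single summary is not exact, a case the question does not cover.

```python
import ipaddress


def _bits(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def _addr(bits: int) -> str:
    return str(ipaddress.IPv4Address(bits & 0xFFFFFFFF))


def wildcard_to_netmask(wildcard: str) -> str:
    # Invert every bit: wildcard 0.0.0.15 becomes subnet mask 255.255.255.240
    return _addr(~_bits(wildcard))


def netmask_to_wildcard(netmask: str) -> str:
    # Same inversion in the other direction: 255.255.252.0 becomes 0.0.3.255
    return _addr(~_bits(netmask))


def prefix_to_wildcard(prefix: int) -> str:
    # /28 -> 255.255.255.240 -> 0.0.0.15 (the Question 5 conversion)
    netmask = ipaddress.IPv4Network(f"0.0.0.0/{prefix}").netmask
    return netmask_to_wildcard(str(netmask))


def acl_range(network: str, wildcard: str) -> tuple:
    """First and last address an 'address wildcard' pair matches, assuming a
    contiguous wildcard (the only kind these CCNA questions use)."""
    net = ipaddress.IPv4Network(f"{network}/{wildcard_to_netmask(wildcard)}", strict=False)
    return str(net.network_address), str(net.broadcast_address)


def matches(address: str, network: str, wildcard: str) -> bool:
    """The router's actual test: every bit where the wildcard is 0 must agree."""
    return (_bits(address) ^ _bits(network)) & (~_bits(wildcard) & 0xFFFFFFFF) == 0


def summarize(cidrs: list) -> tuple:
    """Smallest single 'address wildcard' pair covering every given network
    (the Question 4 exercise). Inputs are assumed not to overlap; the third
    element reports whether the summary is exact or also admits extra addresses."""
    nets = [ipaddress.IPv4Network(c) for c in cidrs]
    first = min(n.network_address for n in nets)
    last = max(n.broadcast_address for n in nets)
    for prefix in range(32, -1, -1):          # widen until the block holds both ends
        block = ipaddress.IPv4Network(f"{first}/{prefix}", strict=False)
        if last in block:
            break
    exact = block.num_addresses == sum(n.num_addresses for n in nets)
    return str(block.network_address), netmask_to_wildcard(str(block.netmask)), exact


if __name__ == "__main__":
    print(acl_range("192.168.15.32", "0.0.0.15"))       # Question 1 range
    print(summarize(["172.29.16.0/24", "172.29.17.0/24",
                     "172.29.18.0/24", "172.29.19.0/24"]))  # Question 4 summary
```

Running matches() against each of the six Question 1 candidates reproduces the answer key (only .36 and .46 match), and summarize() with only three of the four /24 networks shows why a single /22 statement would then permit more than the original list did.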

Question 5

A network administrator wants to add a line to an access list that will block only Telnet access by the hosts on subnet 192.168.1.128/28 to the server at 192.168.1.5. What command should be issued to accomplish this task?

A – access-list 101 deny tcp 192.168.1.128 0.0.0.15 192.168.1.5 0.0.0.0 eq 23
access-list 101 permit ip any any
B – access-list 101 deny tcp 192.168.1.128 0.0.0.240 192.168.1.5 0.0.0.0 eq 23
access-list 101 permit ip any any
C – access-list 1 deny tcp 192.168.1.128 0.0.0.255 192.168.1.5 0.0.0.0 eq 21
access-list 1 permit ip any any
D – access-list 1 deny tcp 192.168.1.128 0.0.0.15 host 192.168.1.5 eq 23
access-list 1 permit ip any any


Answer: A

Explanation:

First the question asks to block only Telnet access so the port we have to use is 23 -> C is not correct.

Next we need to block traffic from hosts on the subnet 192.168.1.128/28, which is 192.168.1.128 0.0.0.15 if we convert to a wildcard mask (just invert all bits of the subnet mask, from 0 to 1 and from 1 to 0, to get the equivalent wildcard mask) -> so B is incorrect.

In this case, we have to use extended access list because we need to specify which type of traffic (TCP) and which port (23) we want to block -> so D is incorrect because it uses standard access list.

Question 6

As a network administrator, you have been instructed to prevent all traffic originating on the LAN from entering the R2 router. Which of the following commands would implement the access list on the interface of the R2 router?

(Exhibit image: accesslist_blocktraffic)


A – access-list 101 in
B – access-list 101 out
C – ip access-group 101 in
D – ip access-group 101 out


Answer: C

Question 7

The following access list was applied outbound on the E0 interface connected to the 192.169.1.8/29 LAN:

access-list 135 deny tcp 192.169.1.8 0.0.0.7 eq 20 any
access-list 135 deny tcp 192.169.1.8 0.0.0.7 eq 21 any

How will the above access lists affect traffic?

A – FTP traffic from 192.169.1.22 will be denied
B – No traffic, except for FTP traffic will be allowed to exit E0
C – FTP traffic from 192.169.1.9 to any host will be denied
D – All traffic exiting E0 will be denied
E – All FTP traffic to network 192.169.1.9/29 will be denied


Answer: D

Explanation:

There is always an implicit “deny all” command at the end of every access list, so if an access list doesn’t have any “permit” command, it will block all the traffic.

Note: This access list is applied on outbound direction so only packets exiting E0 will be checked. Packets entering E0 will not be checked and they all are allowed to pass through.

Question 8

The access control list shown in the graphic has been applied to the Ethernet interface of router R1 using the ip access-group 101 in command. Which of the following Telnet sessions will be blocked by this ACL? (Choose two)

(Exhibit image: accesslist)

A – from host PC1 to host 5.1.1.10
B – from host PC1 to host 5.1.3.10
C – from host PC2 to host 5.1.2.10
D – from host PC2 to host 5.1.3.8


Answer: B D

Explanation

Below is the simple syntax of an extended access list:

access-list access-list-number {deny | permit} {ip|tcp|udp|icmp} source [source-mask] dest [dest-mask] [eq dest-port]

Notice that this access list is applied to the Ethernet interface of R1 in the “in” direction, so in this case it will filter all the packets originating from the E1 network (hosts PC1 and PC2) with these parameters:

Source network: 5.1.1.8 0.0.0.3, which means 5.1.1.8/30 (subnet mask 255.255.255.252; just invert all the wildcard bits to get the equivalent subnet mask) -> Packets from 5.1.1.8 to 5.1.1.11 will be filtered.

Destination network: 5.1.3.0 0.0.0.255, which means 5.1.3.0/24 -> Packets to 5.1.3.0/24 will be filtered.

Therefore packets originating from 5.1.1.8 to 5.1.1.11 and destined to a host 5.1.3.x (via Telnet) will be denied.
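Added example, not from the original page: a small Python model of how an IOS router evaluates a numbered access list (first match wins, implicit deny at the end) and of the in/out binding discussed in the note under Question 7. It parses the ACL lines quoted on this page for Questions 1, 5 and 7; the Question 8 list is reconstructed from the explanation above because the exhibit is not shown, and the host addresses 5.1.1.9, 5.1.1.12, 192.168.1.130 and 10.0.0.1 are constructed sample values. The function names, the Packet and Entry classes and the forward() router model are assumptions of this example, not IOS features.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# A few well-known port names that IOS accepts in place of numbers.
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "telnet": 23, "www": 80}
PROTOCOLS = {"ip", "tcp", "udp", "icmp"}


@dataclass
class Packet:               # constructed packet summary, enough for ACL matching
    src: str
    dst: str
    proto: str = "ip"
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass
class Entry:                # one parsed access-list line; None port = any port
    action: str
    proto: str
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    sport: Optional[int] = None
    dport: Optional[int] = None


def wildcard_match(address: str, network: str, wildcard: str) -> bool:
    """Bits where the wildcard is 0 must equal the configured address."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (address, network, wildcard))
    return (a ^ n) & (~w & 0xFFFFFFFF) == 0


def _take_addr(tok: list, extended: bool) -> tuple:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'. In a standard ACL
    the wildcard is optional and defaults to 0.0.0.0 (a single host)."""
    t = tok.pop(0)
    if t == "any":
        return "0.0.0.0", "255.255.255.255"
    if t == "host":
        return tok.pop(0), "0.0.0.0"
    if extended or (tok and tok[0][0].isdigit()):
        return t, tok.pop(0)
    return t, "0.0.0.0"


def _take_port(tok: list) -> Optional[int]:
    """Consume an optional 'eq PORT' qualifier."""
    if tok[:1] == ["eq"]:
        tok.pop(0)
        p = tok.pop(0)
        return PORT_NAMES[p] if p in PORT_NAMES else int(p)
    return None


def parse_acl(lines) -> list:
    """Parse numbered standard and extended access-list lines into Entry objects."""
    entries = []
    for line in lines:
        tok = line.lower().split()
        if len(tok) < 4 or tok[0] != "access-list":
            continue                       # blank line or non-ACL text
        action = tok[2]
        if tok[3] in PROTOCOLS:            # extended: proto src [eq p] dst [eq p]
            proto, rest = tok[3], tok[4:]
            src, src_wc = _take_addr(rest, True)
            sport = _take_port(rest)
            dst, dst_wc = _take_addr(rest, True)
            dport = _take_port(rest)
        else:                              # standard: source address only
            proto, rest = "ip", tok[3:]
            src, src_wc = _take_addr(rest, False)
            dst, dst_wc, sport, dport = "0.0.0.0", "255.255.255.255", None, None
        entries.append(Entry(action, proto, src, src_wc, dst, dst_wc, sport, dport))
    return entries


def evaluate(entries: list, pkt: Packet) -> tuple:
    """First matching entry wins; no match at all means the implicit deny."""
    for i, e in enumerate(entries):
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if not wildcard_match(pkt.src, e.src, e.src_wc):
            continue
        if not wildcard_match(pkt.dst, e.dst, e.dst_wc):
            continue
        if e.sport is not None and e.sport != pkt.sport:
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action, i
    return "deny", None


def forward(pkt: Packet, in_iface: str, out_iface: str, bindings: dict) -> str:
    """Inbound ACL of the arrival interface first, then the outbound ACL of the exit
    interface; bindings maps (interface, 'in'|'out') to a parsed ACL. An interface
    with nothing bound passes everything."""
    for key in ((in_iface, "in"), (out_iface, "out")):
        if key in bindings and evaluate(bindings[key], pkt)[0] == "deny":
            return f"dropped by {key[0]} {key[1]}"
    return "forwarded"


# ACLs quoted on the page (Question 1, Question 5 answer A, Question 7) and one
# reconstructed from the Question 8 explanation (the exhibit itself is not shown).
Q1_ACL = parse_acl(["access-list 101 deny tcp 192.168.15.32 0.0.0.15 any eq telnet",
                    "access-list 101 permit ip any any"])
Q5_ACL = parse_acl(["access-list 101 deny tcp 192.168.1.128 0.0.0.15 192.168.1.5 0.0.0.0 eq 23",
                    "access-list 101 permit ip any any"])
Q7_ACL = parse_acl(["access-list 135 deny tcp 192.169.1.8 0.0.0.7 eq 20 any",
                    "access-list 135 deny tcp 192.169.1.8 0.0.0.7 eq 21 any"])
Q8_ACL = parse_acl(["access-list 101 deny tcp 5.1.1.8 0.0.0.3 5.1.3.0 0.0.0.255 eq 23",
                    "access-list 101 permit ip any any"])

if __name__ == "__main__":
    print(evaluate(Q1_ACL, Packet("192.168.15.36", "10.0.0.1", "tcp", 40000, 23)))
    print(evaluate(Q7_ACL, Packet("192.169.1.9", "10.0.0.1", "tcp", 40000, 80)))
```

The Question 7 list is the instructive one: a packet that matches neither deny line still comes back as ("deny", None), the implicit deny, because the list has no permit entry. The forward() model also shows the direction point from the note under Question 7: with the list bound ("e0", "out"), a packet arriving on e0 and leaving by another interface is never checked by it, while a packet leaving through e0 is.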

Question 9

The following configuration line was added to router R1

Access-list 101 permit ip 10.25.30.0 0.0.0.255 any

What is the effect of this access list configuration?
A – permit all packets matching the first three octets of the source address to all destinations
B – permit all packet matching the last octet of the destination address and accept all source addresses
C – permit all packet matching the host bits in the source address to all destinations
D – permit all packet from the third subnet of the network address to all destinations


Answer: A

Comments
  1. maja
    January 15th, 2012

    can someone pls help me with Q7
    I understand that the answer is D because of deny all command but I don’t understand explanation in case permit ip any any command is applied
    ACL is applied outbound meaning it’s filtering traffic going out of E0.
    Since hosts with addresses 192.169.1.8/29 are on the other side (they are coming IN the interface E0) there won't be any matching and all traffic will be permitted.
    I think explanation would be correct if access list was applied inbound OR if ACL is:

    access-list 135 deny tcp any 192.169.1.8 0.0.0.7 eq 20
    access-list 135 deny tcp any 192.169.1.8 0.0.0.7 eq 21

    Please correct me if I’m wrong

  2. DimS
    January 16th, 2012

    @maja: I think in this case IP address router interface E0 should be in the subnet 192.169.1.8/29 too. So any ftp-connection from router to ftp-server in subnet 192.169.1.8/29 will be blocked.

  3. Ahmed
    January 17th, 2012

    HI
    Q1:
    access-list 101 deny tcp 192.168.15.32 0.0.0.15 any eq telnet
    access-list 101 permit ip any any
    at the diagram the net is 192.168.15.32/29
    CIDR is /29 =248 =1111 1000 that leads to WCM =0000 0111= 7 NOT 15
    Please correct me if I’m wrong
    thank u 9tut

  4. maja
    January 17th, 2012

    @DimS: IP address of interface E0 is in the subnet 192.168.1.8/29, there's no doubt, but interface E0 is not the one that's initiating the ftp-connection, meaning the source IP address is not E0's IP address or any address from the subnet 192.168.1.8/29. That's why there won't be any matching (bear in mind that the ACL is applied outbound on int E0).

  5. MarshDiann31
    January 17th, 2012

    We’re not lawbreakers! Plagiarized issue is a crime. I always try to avoid plagiarized stuff. Thus, plagiarism detection aids very much.

  6. maja
    January 18th, 2012

    @Ahmed: on RTB you have two networks: 192.168.15.32/29 and 192.168.15.40/29 so with command “access-list 101 deny tcp 192.168.15.32 0.0.0.15 any eq telnet” you include both networks

  7. canvarlp2p
    January 19th, 2012

    @xallax
    thanks man for sharing so many ideas with us here, i appreciate that. am sitting for my exam next week so please if you have latest dumps please help me, i need to pass this exam for sure. thanks in advance and may God bless you in your studies

  8. canvarlp2p
    January 19th, 2012

    my email address is canvarlp2p@yo.co.zw

  9. Baldwin23Shawna
    January 19th, 2012

    After flipping through this theme I determine a lot on how to draw up articles. As a graduate, I have never break up one prevalent paper and always use dissertation writing. What a shame! But now I have cool in writing. Thank you.

  10. Mike
    January 20th, 2012

    This is very self-explanatory. Thanks is my way of showing appreciation.

  11. Anonymous
    January 23rd, 2012

    hi guys just wanted to ask how many questions come from access list? and can i just pass my ccna exam with the help of dumps?

  12. maja
    January 24th, 2012

    can someone pls help me with Q7
    I understand that the answer is D because of deny all command but I don’t understand explanation in case permit ip any any command is applied
    ACL is applied outbound meaning it’s filtering traffic going out of E0.
    Since hosts with addresses 192.169.1.8/29 are on the other side (they are coming IN the interface E0) there won't be any matching and all traffic will be permitted.
    I think explanation would be correct if access list was applied inbound OR if ACL is:
    access-list 135 deny tcp any 192.169.1.8 0.0.0.7 eq 20
    access-list 135 deny tcp any 192.169.1.8 0.0.0.7 eq 21
    Please correct me if I’m wrong

  13. Koffy
    January 24th, 2012

    @maja

    Q7.
    The above statement is incomplete without the third line, regardless of which interface the access-list is applied on, IN or OUT.

    A single-entry ACL with only one deny entry has the effect of denying all traffic. You must have at least one permit statement in an ACL or all traffic is blocked. “Implicit deny all”.

    Option D seems like the most suitable solution. Thanks.

  14. maja
    January 24th, 2012

    @Koffy
    I understand that answer is D, that’s clear but I think that statement below isn’t right:

    “If we use the command “access-list 135 permit ip any any” at the end of this access list then the answer should be C – FTP traffic from 192.169.1.9 to any host will be denied.”

    As I wrote above there won't be any matching and all traffic will be permitted because of the permit ip any any command

    Thanks for comment

  15. Uzair
    January 26th, 2012

    today my exam of ccna

  16. Sunny
    January 27th, 2012

    Hey can we permit only certain host from a network to access the other network

  17. Koffy
    January 27th, 2012

    @Sunny

    That is entirely up to you bro……….But, surely, is possible.

  18. Sunny
    January 29th, 2012

    @ Koffy say I have to permit only 5 random IPs of the 10 pcs from a network using standard acl. please give me the cmd, consider the network has IP from 192.168.0.1-10.

  19. CP
    January 29th, 2012

    Hi 9tut
    Can you please help me with this:
    You need to place Fa0 interface in xRouter; that will deny access to all host within the range
    192.168.160.0 to 192.168.191.0 Hosts in the 192.168.1.195.0
    the answer is:
    access-list 1 deny 192.168.160.0 0.0.31.255

    How you work it out to that answer? Is that mean 192.168.160.0 mask 255.255.224.0?

    Thank you

  20. CP
    January 29th, 2012

    Hi 9tut
    Can you please help me with this:
    which IP address and wildcard mask would you use in your ACL to block all the hosts in the subnet 192.168.16.43/28

    the answer is 192.168.16.32 0.0.0.15

    Why do they have 192.168.16.32??
    I know that 28=255.255.255.240 wildcard=0.0.0.15

  21. xallax
    January 29th, 2012

    @cp
    first questions
    block the classful networks of 192.168.160.0 to 192.168.191.0

    that means block everything from 192.168.160.0 to 192.168.191.255
    if you were to put all those IPs in one huge subnetwork on a classless subnetwork which subnetwork would that be?
    192.168.160.0 255.255.224.0

    now get the wildcard out of the subnet mask
    255.255.255.255 –
    255.255.224.000
    ———————-
    000.000.031.255

    so, the answer is 192.168.160.0 0.0.31.255

    this is my short and fast answer.
    notice that this is also a convenient scenario…

    second question
    you are given the IP "192.168.16.43/28". you have to block that entire subnet

    192.168.16.43 255.255.255.240 is part of which subnet?
    the increment is 256 minus the last incomplete octet, 240.
    256 – 240 = 16

    the subnets are
    192.168.16.0 ~ 192.168.16.15
    192.168.16.16 ~ .31
    192.168.16.32 ~ .47
    and so on

    we’re interested in the .32 ~ .47 network.
    if you were to block the entire subnetwork of 192.168.16.32 ~ .47 what entry would you use?
    access-list 123 deny ip 192.168.16.32 0.0.0.15 DESTINATION

  22. CP
    January 30th, 2012

    Hi xallax
    Thank you so much now I get it !!! All the best
    I got you e-mail too . Thank you

  23. jj
    January 31st, 2012

    Hi all.
    Please correct me if I’m wrong.

    @Q7, do you think those two lines of access-lists will have a match? What I mean is, will there be any packets coming out of E0 that have a source IP of 192.169.1.8/29 (192.169.1.9 – 192.169.1.14)?

    thanks All!

  24. ss
    January 31st, 2012

    @jj

    forget everything on the question….and just check the acl statements..

    first is deny, second is deny…and this ACL has been applied, so if you apply this ACL to a router..

    Any packet hitting the ACL will be denied because of the implicit deny all….at the end of every ACL

    each and every ACL should have a permit statement.. q.7 is not permitting anything.

  25. Nitin Malhotra
    February 1st, 2012

    can some body send me some dumps on my email address so that i can pass my ccna exams.

    nitinstu@yahoo.co.in

  26. Adeyemi
    February 2nd, 2012

    can anyone please send me some dumps on my email address so as for me to pass my ccna exams will will take place on feb27 2012.

    yemo2006@yahoo.com

  27. Rico
    February 2nd, 2012

    Hi 9tut… Hi Guys! Can you please help me… I will take exam this Feb. Please send me latest dump so that I will have an idea for the exam.. rico.blake@ymail.com

    Thanks Guys!

  28. Vikas Arora
    February 2nd, 2012

    According to me question number 1 answer is wrong. According to me Incremental value is 8 (256-248 = 8 ) ; In this question we are using another 5 bits for network part so answer should be d only. Please reply because i am 100% sure.

  29. JF
    February 3rd, 2012

    could anyone pls help me with the latest ccna dumps.
    exams.net1985@gmail.com

  30. Kevin7
    February 3rd, 2012

    This website is very educational. we learn a lot whether we pass the exam or not

  31. Zakir
    February 6th, 2012

    I have exam next monday in KOENIG can someone send me the updated dumps.
    my E-mail is: zakir_hamdard@yahoo.com

  32. David Okeri Simbe
    February 7th, 2012

    Quiz 1 is tricky, please explain if conversant with it.
    Thanks.

  33. Koffy
    February 8th, 2012

    @9tut

    Please, take a second look at Q1.

    192.168.15.32/29 is 255.255.255.248. Wildcard 0.0.0.7. You have it as 255.255.255.240. Wildcard 0.0.0.15

    Could this be an oversight. If it is, it changes everything. Thanks.

  34. 9tut
    February 8th, 2012

    @Koffy: There is nothing wrong with Q1. The question wants to test your subnetting skill by giving a bigger network (192.168.15.32 0.0.0.15) than the network 192.168.15.32/29 so some hosts on the right-side LAN can't telnet.

  35. Ann
    February 10th, 2012

    Pls somebody should help me with latest ccna dumps.ann_sweet8@yahoo.com

  36. Rico
    February 21st, 2012

    In Question 2
    Why that the answer is B(ip access-group 101 “in”) instead of A(ip access-group 101 “out”)

    Also in Question 6
    Why “in” instead of “out”?

    I’m still confused about “in” and “out” of ACL…Kindly assist. Thanks!

  37. Jazz
    February 21st, 2012

    Hi guys

    Please email me the latest dump of CCNA. I want to take CCNA exam ASAP.

    Cheers
    Jazz
    Email: jazzyb60@hotmail.com

  38. JJ
    February 22nd, 2012

    This is really helpful to me, thanks guys from 9tut.com

  39. gideon mawenya
    February 22nd, 2012

    excuse me,can you recheck question4,for my view it would be D;access-list 10 permit 172.29.16.0 0.0.15.255 because the subnet mask was 255.255.240.0 its inverse is 0.0.15.255

  40. Koffy
    February 22nd, 2012

    @gideon mawenya

    Option C is the right answer.

    The idea is, which single access list statement will combine all four of these statements into a single statement that will have exactly the same effect?

    access-list 10 permit 172.29.16.0 0.0.3.255 will do the trick………….Combines 16, 17, 18 and 19/24…..into 172.29.16.0/22……… third octet wildcard mask .3=0, 1, 2, 3………./22=255.255.252.0 inverse 0.0.3.255

  41. satendar singh naugonkhal pauri garhwal
    February 24th, 2012

    hi friends.
    really very helpful and educational site 9tut for your ccna exam

    . thanks 9tut

  42. narjis
    February 25th, 2012

    can you please explain in bound and out bound

    because every time i have mistake in this section

    please very important

  43. Mrigendra
    February 28th, 2012

    @narjis
    Regarding in bound and out bound always follow the thumb rule.
    Consider yourself as a router and now consider one of your hands as the incoming port and the other hand as the outgoing port, according to the direction of the traffic (on which you want to implement the ACL) being passed through your router.

    This is very important to identify the traffic in which you want to implement ACL.
    (ALWAYS KEEP IN MIND THAT A ROUTER NEVER IMPLEMENTS THE ACL ON TRAFFIC THAT IS ORIGINATED BY THE ROUTER ITSELF; APART FROM THIS, ALL THE TRAFFIC PASSING “THROUGH” THE ROUTER WILL COME INTO THE PICTURE OF ACL IMPLEMENTATION)

    Now if you want to implement inbound, then first of all check the direction of traffic in which you want to implement ACL. If traffic is entering from your incoming hand then implement “INBOUND ACL” here, because you want those traffic to get checked by your ACL whenever they enter in to your router through that port.

    Now if you want to implement out bound, do the same thing as previous one. check at which outgoing port the traffic is being passed through your router. now that outgoing port is your outgoing hand, and implement “OUTBOUND ACL” here. because you want these outgoing traffic to be get checked whenever they pass through your router on that particular port.

    Now do practice for some of the example like this….and after ample of example you have done, you will be master in this…..
    good luck…

  44. Mrigendra
    February 28th, 2012

    @ all
    Those who wish to sit for CCNA and need the most recent dump, then please go through the site “www.examcollections.com”
    You’ll get ample of dump out there…..but you need the registered software to run the full version, otherwise you won’t be able to access all the questions of the dump…
    For any further help mail me “mrigendra21@gmail.com”

  45. Mrigendra
    February 28th, 2012

    my mistake it’s “www.examcollection.com”
    :)

  46. ahmed
    March 4th, 2012

    @mrigendra
    you can download full version
    http://www.mediafire.com/?86n7q181bl73jfz

  47. Anonymous
    March 4th, 2012

    can someone help me with question 8? i can’t absorb it well pls

  48. xallax
    March 5th, 2012

    @anonymous
    deny tcp 5.1.1.8 0.0.0.3 _ 5.1.3.0 0.0.0.255

    deny any TCP (telnet included) traffic from these IPs:
    5.1.1.8 ~ 5.1.1.11
    towards these IPs:
    5.1.3.0 ~ 5.1.3.255

    only B and D satisfy this criterion

  49. Thiru
    March 5th, 2012

    @anonymous

    Source :
    5.1.1.8 255.255.255.252
    So its till 5.1.1.11
    Any Ip from this network will be blocked for telnet service.

    Destination.
    5.1.3.0 255.255.255.0

    Wanna crack it easy?..then check only destination ip from the multiple choices..
    so its B and D.
