CCNA – Access List Questions
Here you will find answers to CCNA Access list questions
Note: If you are not sure about how to use Access list, please read my Access list tutorial
Question 1
Your boss is learning a CCNA training course, refer to the exhibit. The access list has been configured on the S0/0 interface of router RTB in the outbound direction. Which two packets, if routed to the interface, will be denied? (Choose two)
access-list 101 deny tcp 192.168.15.32 0.0.0.15 any eq telnet
access-list 101 permit ip any any
A. source ip address: 192.168.15.5; destination port: 21
B. source ip address: 192.168.15.37 destination port: 21
C. source ip address: 192.168.15.41 destination port: 21
D. source ip address: 192.168.15.36 destination port: 23
E. source ip address: 192.168.15.46; destination port: 23
F. source ip address: 192.168.15.49 destination port: 23
Answer: D E
Explanation
First we notice that telnet uses port 23, so only D, E & F can satisfy this requirement.
The purpose of this access-list is to deny traffic from network 192.168.15.32 255.255.255.240 (to find out the subnet mask, just convert every bit “0” of the wildcard mask to “1” and every bit “1” to “0”) from telnetting to any device. So we need to figure out the range of this network to learn which IP addresses will be denied.
Increment: 16
Network address: 192.168.15.32
Broadcast address: 192.168.15.47
-> Only 192.168.15.36 (Answer D) & 192.168.15.46 (Answer E) belong to this range, so they are the correct answers.
Question 2
Refer to the graphic. It has been decided that PC1 should be denied access to Server. Which of the following commands are required to prevent only PC1 from accessing Server1 while allowing all other traffic to flow normally? (Choose two)
A – Router(config)# interface fa0/0
Router(config-if)# ip access-group 101 out
B – Router(config)# interface fa0/0
Router(config-if)# ip access-group 101 in
C – Router(config)# access-list 101 deny ip host 172.16.161.150 host 172.16.162.163
Router(config)# access-list 101 permit ip any any
D – Router(config)# access-list 101 deny ip 172.16.161.150 0.0.0.255 172.16.162.163 0.0.0.0
Router(config)# access-list 101 permit ip any any
Answer: B C
Question 3
Refer to the exhibit. Why would the network administrator configure RA in this manner?
A. to give students access to the Internet
B. to prevent students from accessing the command prompt of RA
C. to prevent administrators from accessing the console of RA
D. to give administrators access to the Internet
E. to prevent students from accessing the Internet
F. to prevent students from accessing the Admin network
Answer: B
Explanation
Although the access-list is used to “permit” network 10.1.1.0/24, the best answer here is “to prevent students from accessing the command prompt of RA”. From the picture above, we know that 10.1.1.0/24 is the “Admin” network. This access list is applied to “line vty 0 4”, so it permits only Telnet traffic from “Admin” to RA and drops all other Telnet traffic (because of the implicit “deny all” at the end of the access list). Therefore we can deduce that it will “prevent students from accessing the command prompt of RA”.
This access list only filters Telnet traffic (because it is applied to the vty lines), so it will neither prevent nor allow anyone to access the Internet -> A, D, E are not correct.
C is not correct, as this access list allows administrators to access the console of RA.
F is not correct, as this access list does not process transit TCP, UDP or IP traffic, so the students can still access the Admin network.
(Notice that the “command prompt” here implies telnet as telnet is the only way to remotely access RA)
Question 4
An access list was written with the four statements shown in the graphic. Which single access list statement will combine all four of these statements into a single statement that will have exactly the same effect?
A. access-list 10 permit 172.29.16.0 0.0.0.255
B. access-list 10 permit 172.29.16.0 0.0.1.255
C. access-list 10 permit 172.29.16.0 0.0.3.255
D. access-list 10 permit 172.29.16.0 0.0.15.255
E. access-list 10 permit 172.29.0.0 0.0.255.255
Answer: C
Explanation
The four statements above allow 4 networks (from 172.29.16.0/24 to 172.29.19.0/24) through, so we can summarize them as network 172.29.16.0/22.
/22 = 255.255.252.0, which equals 0.0.3.255 when converted into a wildcard mask -> C is correct.
A, B, D are not correct, as their wildcard masks are wrong. For example:
Answer A allows from 172.29.16.0 to 172.29.16.255
Answer B allows from 172.29.16.0 to 172.29.17.255
Answer D allows from 172.29.16.0 to 172.29.31.255
Both the network address and the wildcard mask of answer E are wrong, as it allows the whole major network 172.29.0.0/16 through.
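The conversions used in Questions 1, 4 and 5 (subnet mask to wildcard mask, the address range a “network wildcard” pair covers, and collapsing several networks into one statement) as an added Python example. This is not 9tut's code; the networks and answer choices are the ones quoted in Question 4, and the /22 summary is computed with the standard-library ipaddress module rather than by hand.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Added example (not 9tut's code): wildcard-mask arithmetic for Questions 1, 4 and 5.


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def _str(n: int) -> str:
    return str(ipaddress.IPv4Address(n))


def mask_from_prefix(prefix: int) -> str:
    """/28 -> 255.255.255.240"""
    return _str((0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF)


def wildcard_from_mask(mask: str) -> str:
    """Invert every bit: 255.255.255.240 -> 0.0.0.15, 255.255.252.0 -> 0.0.3.255"""
    return _str(~_ip(mask) & 0xFFFFFFFF)


def mask_from_wildcard(wildcard: str) -> str:
    """The reverse conversion from the Question 1 explanation (same bit flip)."""
    return wildcard_from_mask(wildcard)


def wildcard_range(network: str, wildcard: str) -> Tuple[str, str]:
    """Lowest and highest address matched by 'network wildcard'.
    A wildcard bit of 1 means "don't care", so the high end has every wildcard
    bit set; the increment is wildcard + 1 (16 for 0.0.0.15)."""
    net, wc = _ip(network), _ip(wildcard)
    base = net & ~wc & 0xFFFFFFFF          # clear any host bits typed into the network field
    return _str(base), _str(base | wc)


def summarize(networks: List[str]) -> Optional[Tuple[str, str]]:
    """Collapse CIDR networks into one block if they form one; return it as a
    'network wildcard' pair, or None when no single statement is exact."""
    blocks = list(ipaddress.collapse_addresses(
        ipaddress.ip_network(n) for n in networks))
    if len(blocks) != 1:
        return None
    b = blocks[0]
    return str(b.network_address), wildcard_from_mask(str(b.netmask))


def exact_options(networks: List[str],
                  options: Dict[str, Tuple[str, str]]) -> List[str]:
    """Letters whose 'network wildcard' covers exactly the range of the given
    networks (the Question 4 test: same effect, no more and no less)."""
    nets = [ipaddress.ip_network(n) for n in networks]
    target = (str(min(n.network_address for n in nets)),
              str(max(n.broadcast_address for n in nets)))
    return [letter for letter, (net, wc) in options.items()
            if wildcard_range(net, wc) == target]


# Question 4: the four /24 networks and the five answer choices from the page.
Q4_NETWORKS = ["172.29.16.0/24", "172.29.17.0/24", "172.29.18.0/24", "172.29.19.0/24"]
Q4_OPTIONS = {
    "A": ("172.29.16.0", "0.0.0.255"),
    "B": ("172.29.16.0", "0.0.1.255"),
    "C": ("172.29.16.0", "0.0.3.255"),
    "D": ("172.29.16.0", "0.0.15.255"),
    "E": ("172.29.0.0", "0.0.255.255"),
}

if __name__ == "__main__":
    print("Q1 range:", wildcard_range("192.168.15.32", "0.0.0.15"))   # .32 to .47
    print("Q5 wildcard:", wildcard_from_mask(mask_from_prefix(28)))    # 0.0.0.15
    print("Q4 summary:", summarize(Q4_NETWORKS))                       # 172.29.16.0 0.0.3.255
    for letter, (net, wc) in Q4_OPTIONS.items():
        print(letter, *wildcard_range(net, wc))
    print("Q4 exact:", exact_options(Q4_NETWORKS, Q4_OPTIONS))         # ['C']
```

Running the script prints the range each answer choice really covers, which makes the “wrong wildcard mask” argument for A, B, D and E concrete; summarize() returns None for networks such as 172.29.17.0/24 plus 172.29.18.0/24, where no single aligned statement can be exact.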
Question 5
A network administrator wants to add a line to an access list that will block only Telnet access by the hosts on subnet 192.168.1.128/28 to the server at 192.168.1.5. What command should be issued to accomplish this task?
A – access-list 101 deny tcp 192.168.1.128 0.0.0.15 192.168.1.5 0.0.0.0 eq 23
access-list 101 permit ip any any
B – access-list 101 deny tcp 192.168.1.128 0.0.0.240 192.168.1.5 0.0.0.0 eq 23
access-list 101 permit ip any any
C – access-list 1 deny tcp 192.168.1.128 0.0.0.255 192.168.1.5 0.0.0.0 eq 21
access-list 1 permit ip any any
D – access-list 1 deny tcp 192.168.1.128 0.0.0.15 host 192.168.1.5 eq 23
access-list 1 permit ip any any
Answer: A
Explanation:
First, the question asks to block only Telnet access, so the port we have to use is 23 -> C is not correct.
Next we need to block traffic from hosts on the subnet 192.168.1.128/28, which is 192.168.1.128 0.0.0.15 when converted to a wildcard mask (just invert all bits of the subnet mask, from 0 to 1 and from 1 to 0, to get the equivalent wildcard mask) -> so B is incorrect.
In this case we have to use an extended access list, because we need to specify which type of traffic (TCP) and which port (23) we want to block -> so D is incorrect because it uses a standard access list.
Question 6
As a network administrator, you have been instructed to prevent all traffic originating on the LAN from entering the R2 router. Which of the following commands would implement the access list on the interface of the R2 router?
A – access-list 101 in
B – access-list 101 out
C – ip access-group 101 in
D – ip access-group 101 out
Answer: C
Question 7
The following access list was applied outbound on the E0 interface connected to the 192.169.1.8/29 LAN:
access-list 135 deny tcp 192.169.1.8 0.0.0.7 eq 20 any
access-list 135 deny tcp 192.169.1.8 0.0.0.7 eq 21 any
How will the above access list affect traffic?
A – FTP traffic from 192.169.1.22 will be denied
B – No traffic, except for FTP traffic will be allowed to exit E0
C – FTP traffic from 192.169.1.9 to any host will be denied
D – All traffic exiting E0 will be denied
E – All FTP traffic to network 192.169.1.9/29 will be denied
Answer: D
Explanation:
There is always an implicit “deny all” at the end of every access list, so if an access list doesn't have any “permit” statement, it blocks all traffic.
Note: This access list is applied in the outbound direction, so only packets exiting E0 are checked. Packets entering E0 are not checked and are all allowed to pass through.
Question 8
The access control list shown in the graphic has been applied to the Ethernet interface of router R1 using the ip access-group 101 in command. Which of the following Telnet sessions will be blocked by this ACL? (Choose two)
A – from host PC1 to host 5.1.1.10
B – from host PC1 to host 5.1.3.10
C – from host PC2 to host 5.1.2.10
D – from host PC2 to host 5.1.3.8
Answer: B D
Explanation
Below is the simple syntax of an extended access list:
access-list access-list-number {deny | permit} {ip|tcp|udp|icmp} source [source-mask] dest [dest-mask] [eq dest-port]
Notice that this access list is applied to the Ethernet interface of R1 in the “in” direction, so in this case it filters all packets originating from the E1 network (hosts PC1 and PC2) with these parameters:
Source network: 5.1.1.8 0.0.0.3, which means 5.1.1.8/30 (subnet mask 255.255.255.252; just invert all the wildcard bits to get the equivalent subnet mask) -> Packets from 5.1.1.8 to 5.1.1.11 will be filtered.
Destination network: 5.1.3.0 0.0.0.255, which means 5.1.3.0/24 -> Packets to 5.1.3.0/24 will be filtered.
Therefore packets originating from 5.1.1.8 to 5.1.1.11 and destined to a host 5.1.3.x (via Telnet) will be denied.
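A small evaluator for extended ACL lines, as an added example that serves Question 1, Question 7 (the implicit deny with no permit line) and Question 8 above. It is not 9tut's code. The ACL lines for Questions 1 and 7 are the ones printed on the page; for Question 8 the deny line is built from the parameters in the explanation, and the trailing permit ip any any plus the host addresses PC1 = 5.1.1.9 and PC2 = 5.1.1.10 (inside 5.1.1.8/30) are assumptions, since the page only shows them in a graphic. Destination addresses such as 10.0.0.1 are constructed where a question gives only a port.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Added example (not 9tut's code): evaluate extended IOS-style ACL lines top-down,
# first match wins, implicit deny at the end.

PORT_NAMES = {"telnet": 23, "ftp": 21, "ftp-data": 20, "www": 80}
AddrSpec = Tuple[int, int]   # (address, wildcard) as 32-bit ints; wildcard bit 1 = don't care


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def parse_addr(t: List[str], i: int) -> Tuple[AddrSpec, int]:
    """'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' at t[i]; returns (spec, next index)."""
    if t[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if t[i] == "host":
        return (_ip(t[i + 1]), 0), i + 2
    return (_ip(t[i]), _ip(t[i + 1])), i + 2


def parse_port(t: List[str], i: int) -> Tuple[Optional[int], int]:
    """Optional 'eq <port>' at t[i]; port may be a number or a name from PORT_NAMES."""
    if i < len(t) and t[i] == "eq":
        p = t[i + 1]
        return (PORT_NAMES[p] if p in PORT_NAMES else int(p)), i + 2
    return None, i


@dataclass
class Entry:
    action: str            # "permit" or "deny"
    proto: str             # "ip", "tcp", "udp", "icmp"
    src: AddrSpec
    sport: Optional[int]   # 'eq' directly after the source = source port (Question 7)
    dst: AddrSpec
    dport: Optional[int]   # 'eq' after the destination = destination port (Question 1)


def parse_entry(line: str) -> Entry:
    t = line.split()
    if t[0] == "access-list":
        t = t[2:]                        # drop 'access-list <number>'
    src, i = parse_addr(t, 2)
    sport, i = parse_port(t, i)
    dst, i = parse_addr(t, i)
    dport, i = parse_port(t, i)
    return Entry(t[0], t[1], src, sport, dst, dport)


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    sport: int = 40000     # constructed ephemeral source port unless the question fixes it
    dport: int = 0


def addr_matches(spec: AddrSpec, addr: str) -> bool:
    """Compare only the bits the wildcard leaves as 0 (the "care" bits)."""
    net, wc = spec
    care = ~wc & 0xFFFFFFFF
    return (_ip(addr) & care) == (net & care)


def acl_action(entries: List[Entry], pkt: Packet) -> str:
    """Top-down, first match wins; no match at all means the implicit deny all."""
    for e in entries:
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if not (addr_matches(e.src, pkt.src) and addr_matches(e.dst, pkt.dst)):
            continue
        if e.sport is not None and e.sport != pkt.sport:
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action
    return "deny"


def denied(acl_lines: List[str], packets: Dict[str, Packet]) -> List[str]:
    entries = [parse_entry(l) for l in acl_lines]
    return sorted(n for n, p in packets.items() if acl_action(entries, p) == "deny")


# Question 1: ACL from the page; destination 10.0.0.1 is constructed.
Q1_ACL = ["access-list 101 deny tcp 192.168.15.32 0.0.0.15 any eq telnet",
          "access-list 101 permit ip any any"]
Q1_PACKETS = {"A": Packet("192.168.15.5", "10.0.0.1", dport=21),
              "B": Packet("192.168.15.37", "10.0.0.1", dport=21),
              "C": Packet("192.168.15.41", "10.0.0.1", dport=21),
              "D": Packet("192.168.15.36", "10.0.0.1", dport=23),
              "E": Packet("192.168.15.46", "10.0.0.1", dport=23),
              "F": Packet("192.168.15.49", "10.0.0.1", dport=23)}

# Question 7: two deny lines and no permit, so even non-FTP traffic hits the implicit deny.
Q7_ACL = ["access-list 135 deny tcp 192.169.1.8 0.0.0.7 eq 20 any",
          "access-list 135 deny tcp 192.169.1.8 0.0.0.7 eq 21 any"]
Q7_PACKETS = {"ftp-control": Packet("192.169.1.9", "10.0.0.1", sport=21, dport=50000),
              "web": Packet("192.169.1.9", "10.0.0.1", dport=80)}

# Question 8: deny line from the explanation's parameters. Assumed: a trailing
# 'permit ip any any', PC1 = 5.1.1.9 and PC2 = 5.1.1.10 (addresses not on the page).
Q8_ACL = ["access-list 101 deny tcp 5.1.1.8 0.0.0.3 5.1.3.0 0.0.0.255 eq telnet",
          "access-list 101 permit ip any any"]
Q8_PACKETS = {"A": Packet("5.1.1.9", "5.1.1.10", dport=23),
              "B": Packet("5.1.1.9", "5.1.3.10", dport=23),
              "C": Packet("5.1.1.10", "5.1.2.10", dport=23),
              "D": Packet("5.1.1.10", "5.1.3.8", dport=23)}

if __name__ == "__main__":
    print("Q1 denied:", denied(Q1_ACL, Q1_PACKETS))   # ['D', 'E']
    print("Q7 denied:", denied(Q7_ACL, Q7_PACKETS))   # ['ftp-control', 'web']
    print("Q8 denied:", denied(Q8_ACL, Q8_PACKETS))   # ['B', 'D']
```

The evaluator only models what the questions exercise: protocol, source and destination with wildcard or host, and a single eq port on either side. It does not model direction, so when reading the results remember that the ACL is only consulted for packets crossing the interface in the direction it was applied (Question 6 and the note under Question 7).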
Question 9
The following configuration line was added to router R1
Access-list 101 permit ip 10.25.30.0 0.0.0.255 any
What is the effect of this access list configuration?
A – permit all packets matching the first three octets of the source address to all destinations
B – permit all packets matching the last octet of the destination address and accept all source addresses
C – permit all packets matching the host bits in the source address to all destinations
D – permit all packets from the third subnet of the network address to all destinations
Answer: A
@ rico re: Quest 2 “confused bout ip access-group in or ip access-group out“
When using a standard ACL, you want to keep it as close to the destination as possible, thus the “OUTs” (a standard ACL filters only based on source IP, without flexibility of protocols, so keeping it at the source may just imply a shutdown of the router interface). With extended ACLs, you should keep it as close to the source as possible (you don't want the packet to travel through your network munching delicious bandwidth only to be denied by an outbound ACL close to the destination), thus you are going to be getting more “INs” here.
Amends!!! Please, for the standard ACL I meant a deny condition.
question 1 is totally wrong …..
Q8.
This confused me a little bit :)
Don’t get me wrong.
deny tcp 5.1.1.8 0.0.0.3 5.1.3.0 0.0.0.255 eq telnet
OK, I got the destination part CLEAR. It's subnet 5.1.3.0/24 (IPs from 5.1.3.1 to 5.1.3.254)
By this, answers A, C can not be correct, OK.
But the first part 5.1.1.8 0.0.0.3 means that this ACL should block any Telnet from network:
5.1.1.8/32 (ip 5.1.1.9 and 5.1.1.10)
Should IP 5.1.1.8 be the network address and 5.1.8.11 the broadcast?
From my point of view only answer D is correct.
???
@Vinayak:
Thanks for Dumps
Appreciate
In Q1 the diagram shows the switch with the address 192.168.15.32/29
but the access-list statement is access-list 101 deny tcp 192.168.15.32 0.0.0.15 any eq telnet
/29 means 248, then the wildcard bits should be 0.0.0.7
explain please
Q.8
GmcD March 13th, 2012, I think he is right
I also chose the variant – only D.
please explain q1
@icy
telnet port = 23, so options A, B, C are not correct
the subnet in use has this range of address space = 192.168.15.32 – 192.168.15.47 => source IP addresses
Option F is out of the way. So you are left with D and E
I hope this could be of help
@Odoms thanks for the explanation
I know that
but in the diagram the CIDR value is /29, which means the subnet mask is 255.255.255.248
which means the wildcard bits are 0.0.0.7
and see the access-list: they give a wildcard of 0.0.0.15
with 0.0.0.7 the options D, E are correct
because 1> 192.168.15.32/29
network add: 192.168.15.32
broadcast add: 192.168.15.40 …… so D is correct
2> 192.168.15.40/29
net add: 192.168.15.40
broad add: 192.168.15.48 …………… So E is correct
This is the best site for tutorials; if I had known about this site I would have passed on my first sitting. Thanks 9tut. Anyone with the latest dump or info please e-mail mhitsa_monya@yahoo.com
please if someone can share latest dump, merio888@gmail.com
hope to pass next week
Your boss is learning a CCNA training course, refer to the exhibit. The access list has been configured on the S0/0 interface of router RTB in the outbound direction. Which two packets, if routed to the interface, will be denied? (Choose two)
access-list 101 deny tcp 192.168.15.32 0.0.0.15 any eq telnet
access-list 101 permit ip any any
A. source ip address: 192.168.15.5; destination port: 21
B. source ip address: 192.168.15.37 destination port: 21
C. source ip address: 192.168.15.41 destination port: 21
D. source ip address: 192.168.15.36 destination port: 23
E. source ip address: 192.168.15.46; destination port: 23
F. source ip address: 192.168.15.49 destination port: 23
Answer: D E
Explanation
First we notice that telnet uses port 23 so only D, E & F can satisfy this requirement.
The purpose of this access-list is to deny traffic from network 192.168.15.32 255.255.255.240 (to find out the subnet mask just convert all bit “0″ to “1″ and all bit “1″ to “0″ of the wildcard mask) to telnet to any device. So we need to figure out the range of this network to learn which ip address will be denied.
Increment: 16
Network address: 192.168.15.32
Broadcast address: 192.168.15.47
THE ANSWER IN THIS QUESTION IS RIGHT!!! BUT LOOK AT THE CIDR VALUE: IT'S /29, THEN THE SUBNET MASK SHOULD BE (248) NOT 240.. BLOCK SIZE / MAGIC NO. IS 8 NOT 16.. AND THE WILDCARD MASK WOULD BE 255-248=7 0.0.0.7
I HOPE I'M RIGHT!!
could anyone pls help me with the latest ccna dumps. (speaktomithilesh@gmail.com)
@9tut: If I read only 9tut, all the questions and its three specific simulations (EIGRP, ACCESS LIST, VTP VLAN), then can I pass the exam???
In addition, I want to attend the exam on 10th April 2012
Please give me a suggestion
@David, CCNA exams are not a joke! You need to use all avenues at your disposal. The answer is yes, you can pass with the help of this web site 9tut.com, but you must still understand the concepts from a wider perspective, like reading CCNA text books, for example CCNA STUDY GUIDE by Lammle Todd, EXAM PREP by Cioara, and other online materials which include this web site. I came to understand the materials after having read so much and many different text books; in addition the YouTube videos are of great help. But you must try to go through many of them to really get to know the good ones. This is my last advice to you David: do not attempt the CCNA exam before you really get to understand the concepts! And give yourself a target when to do your exam. For me, I will be doing mine in the first week of April. I took my time from Dec. to March and I think I have done enough to attempt the exam. Be ready to be confident by the time of your exam, so that you do not panic, and I think passing can be easy. Good luck David and similar people like David.
Thanks johny…..
@JOHNY: HAVE YOU ANY IDEA ABOUT “Cisco.Acme.640-802.v2011-07-09.by.Collisio.486q.vce”?
@David also use GNS3 to practice, it will help you so much.
@David I did not use Cisco.Acme in my readings, but according to all students of CCNA I read on 9tut, it seems they use it and it works for them. You can try it if it’s not too late for you before your exams.
I would like to thank the owners of this web site, 9tut.com, for the great opportunity they gave me and others. This web site is the only one that made me feel proud and comfortable, with the will and drive to better prepare myself for the CCNA exam. The explanations of the answers they choose for all questions and the way they organized the questions, sims and notices are so great for any reader. I am sure I will pass it by next week.
Thanks 9tut :)
any one has the latest dump? send please to my email ansam_sammour@hotmail.com
Thanks in advance!
@Johny.. thanks again… can you please give me the name of the websites of GNS3. I found that this website is not free to all like 9tut…….. then it will be quite difficult for me to study from here..
The following commands were entered on a router:
Router(config)# access-list 2 deny 172.16.5.24
Router(config)# access-list 2 permit any
The ACL is correctly applied to an interface. What can be concluded about this set of commands?
@Hary.. for these two commands, Router(config)# access-list 2 deny 172.16.5.24 is missing a wildcard mask, so it can not work. Also, when creating an ACL, allow first before denying, or else it will deny everyone (implicit deny all at the bottom).
However, Router(config)# access-list 2 permit any
Remember that “any” represents 0.0.0.0 0.0.0.0
@Hary.. correction: any represents 0.0.0.0 255.255.255.255
@9tut
Just wondering whether wildcard masks are obligatory. This is because there is none in the 9tut sims.
Regards
@Ngoroko, Johny and Hary
Wildcard masks are NOT obligatory when composing a Standard Access List. No wildcard mask implies a mask of 0.0.0.0 (i.e. the exact source IP). This is the same as writing ‘host x.x.x.x’, or ‘x.x.x.x 0.0.0.0’
For Extended Access Lists, a wildcard mask has to be used, OR you can add the word ‘host’ prior to an IP to signify a specific IP address.
for Q5, is D also a correct option??
I think Question 6 needs an explanation.
So “acl block dstdomain” blocks блаблаю.com, but from the list dstdomain blocks sites only if they are typed into the address bar without www.; it is enough to prepend www. to get around the list. I have squid 2.7, maybe that is the problem?
When you are troubleshooting an ACL issue on a router, which command
a. Show interface
b. Show ip interface
c. Show ip access-list
In the dumps it is c. I think it is b ask a
In your site for Q5 say:
Question 5
Which command shows if an access list is assigned to an interface?
A. show ip interface [interface] access-lists
B. show ip access-lists interface [interface]
C. show ip interface [interface]
D. show ip access-lists [interface]
Answer: C
Can you please explain
@9tut
with regards to the Question 7 explanation.
I get the correct answer because of the implicit deny.
But the statement
“If we use the command “access-list 135 permit ip any any” at the end of this access list then the answer should be C – FTP traffic from 192.169.1.9 to any host will be denied.” I don't think this is correct. If there was a permit ip any any command, I think the answer should be “E – All FTP traffic to network 192.169.1.9/29 will be denied”, not C, because the ACL is applied outbound on the interface connected to the 192.169.1.8/29 LAN.
@intrach:
When saying “If we use the command “access-list 135 permit ip any any” at the end of this access list then the answer should be C – FTP traffic from 192.169.1.9 to any host will be denied”, I mean:
access-list 135 deny tcp 192.169.1.8 0.0.0.7 eq 20 any
access-list 135 deny tcp 192.169.1.8 0.0.0.7 eq 21 any
access-list 135 permit ip any any
-> The first two commands block FTP traffic from 192.169.1.9 to any host, while the last command allows all other traffic.
can we apply an access-list to sub-interfaces???
hello. can somebody help me with this question http://s1163.photobucket.com/albums/q558/asabata12/?action=view&current=12.jpg
my answer is letter A because the 172.16.1.0/24 network is entering router A, so it should be ip access-group 10 in, but the answer was letter D access-group 10 out
Hi all of you !!!
I have had a very strange question on my exam about CCNA-ACL which I've never seen on
9TUT.com or anywhere else before: C Class 192.168.46.0 —— 192.168.49.0, what will be the subnet mask: 255.255.255.0 : 255.255.0.0 : 0.0.255.255 : 0.0.0.255? I answered 0.0.0.255 and still I failed. Anyone up there who had this question or knows what the right answer is, please do advise. Kind Regards, Ali
HI BMW
the question asks, as you say: what will be the subnet mask?
so: 0.0.255.255 and 0.0.0.255 are not true because they are wildcard masks, not subnet masks..
255.255.255.0 is not correct because the third octet of the range (46-47-48-49) is not constant
so the answer is 255.255.0.0 (maybe you ask: class C has the first three octets of the default subnet mask as 255; that is true, but here we have supernetting)
supernetting is the reverse of subnetting (taking bits from the network bits and assigning them to hosts)
Dear all,
you may also want to check below site for some useful resources. Good luck to all of us!
careercert.info
is it enough to study ACLs from this website? because I find the questions here easy, but in the dumps there are so many questions and they are too complicated!! please reply
Please, I need more explanation on how 0.0.0.15 was reached in Q1. Thank you all
@NEL Many thanks. Has anyone come across this question on the exam?
I have failed just because of an ACL question that was tricky or BUGGED; if anyone remembers it please do bring it here! C Class ACL asking for the correct SM.
@killerbee
since the access-list in question is a standard access-list, it should be applied as close to the ‘destination’ as possible, as mentioned in the tutorial by 9tut.
if we apply the given access-list on f0/0 of Ra inbound, then the LAN hosts will not be able to access the 172.15.5.0/24 network either, which would be wrong.
Hope that helps!
Cheers!
@Killerbee
for network 172.16.1.0 to get to network 172.16.4.0, it comes INTO router B through s0/1 and OUT fa0/0, and for network 172.16.4.0 to get to 172.16.1.0 it comes INTO router B through fa0/0 and OUT s0/1.
hope this helps
hi, could you send me the latest dumps. I'm taking my CCNA by June. Thank you. bobiksnavarro@yahoo.com more power to you guys.
Q 3.
the port number of the router is not mentioned in the graphic where the ACL is applied. suppose the ACL is applied at the port which connects admin to the router while students are connected to the router through a different port; I think this ACL will affect only the PCs at the admin side (only allows telnet, nothing else)
students can access everything in the network except the admin LAN, because the ACL will deny the packets which are coming back from admin to students (or to anywhere), as the ACL is applied inside the router.
I think the answer may be A or F
kindly guide me if I am wrong
thanks
can anyone throw more light on Q9? I don't think I get it
@bola,
The statement “Access-list 101 permit ip 10.25.30.0 0.0.0.255 any” means permit IP traffic coming from subnet 10.25.30.0/24 (all IP addresses 10.25.30.1 to 10.25.30.254) to any other IP address, so answer A is the only one that matches the above.
“A – permit all packets matching the first three octets of the source address to all destinations” – means permit ip traffic coming from subnet 10.25.30.0/24 (all ip addresses 10.25.30.1 to 10.25.30.254) to any other ip address