CCNA – Access List Questions
Here you will find answers to CCNA Access list questions
Note: If you are not sure how to use access lists, please read my Access list tutorial
Question 1
Your boss is learning a CCNA training course, refer to the exhibit. The access list has been configured on the S0/0 interface of router RTB in the outbound direction. Which two packets, if routed to the interface, will be denied? (Choose two)
access-list 101 deny tcp 192.168.15.32 0.0.0.15 any eq telnet
access-list 101 permit ip any any
A. source ip address: 192.168.15.5; destination port: 21
B. source ip address: 192.168.15.37; destination port: 21
C. source ip address: 192.168.15.41; destination port: 21
D. source ip address: 192.168.15.36; destination port: 23
E. source ip address: 192.168.15.46; destination port: 23
F. source ip address: 192.168.15.49; destination port: 23
Answer: D E
Explanation
First, notice that telnet uses port 23, so only D, E & F can satisfy this requirement.
The purpose of this access list is to deny hosts on network 192.168.15.32 255.255.255.240 from telnetting to any device (to find the subnet mask, just convert every “0” bit of the wildcard mask to “1” and every “1” bit to “0”). So we need to figure out the range of this network to learn which IP addresses will be denied.
Increment: 16
Network address: 192.168.15.32
Broadcast address: 192.168.15.47
-> Only 192.168.15.36 (Answer D) & 192.168.15.46 (Answer E) belong to this range, so they are the correct answers.
Question 2
Refer to the graphic. It has been decided that PC1 should be denied access to Server. Which of the following commands are required to prevent only PC1 from accessing Server1 while allowing all other traffic to flow normally? (Choose two)
A – Router(config)# interface fa0/0
Router(config-if)# ip access-group 101 out
B – Router(config)# interface fa0/0
Router(config-if)# ip access-group 101 in
C – Router(config)# access-list 101 deny ip host 172.16.161.150 host 172.16.162.163
Router(config)# access-list 101 permit ip any any
D – Router(config)# access-list 101 deny ip 172.16.161.150 0.0.0.255 172.16.162.163 0.0.0.0
Router(config)# access-list 101 permit ip any any
Answer: B C
Question 3
Refer to the exhibit. Why would the network administrator configure RA in this manner?
A. to give students access to the Internet
B. to prevent students from accessing the command prompt of RA
C. to prevent administrators from accessing the console of RA
D. to give administrators access to the Internet
E. to prevent students from accessing the Internet
F. to prevent students from accessing the Admin network
Answer: B
Explanation
Although the access list is used to “permit” network 10.1.1.0/24, the best answer here is “to prevent students from accessing the command prompt of RA”. From the exhibit, we know that 10.1.1.0/24 is the “Admin” network. This access list is applied to “line vty 0 4”, so it will permit only Telnet traffic from “Admin” to RA while dropping all other traffic (because of the implicit “deny all” at the end of the access list). Therefore we can deduce that it will “prevent students from accessing the command prompt of RA”.
This access list only filters Telnet traffic (because it is applied to the vty lines), so it will not prevent or allow anyone to access the Internet -> A, D, E are not correct.
C is not correct as this access list allows administrators to access the console of RA.
F is not correct as this access list does not process TCP, UDP or IP traffic, so the students can still access the Admin network.
(Notice that the “command prompt” here implies telnet as telnet is the only way to remotely access RA)
Question 4
An access list was written with the four statements shown in the graphic. Which single access list statement will combine all four of these statements into a single statement that will have exactly the same effect?
A. access-list 10 permit 172.29.16.0 0.0.0.255
B. access-list 10 permit 172.29.16.0 0.0.1.255
C. access-list 10 permit 172.29.16.0 0.0.3.255
D. access-list 10 permit 172.29.16.0 0.0.15.255
E. access-list 10 permit 172.29.0.0 0.0.255.255
Answer: C
Explanation
The four statements above allow 4 networks (from 172.29.16.0/24 to 172.29.19.0/24) to go through, so we can summarize them as network 172.29.16.0/22.
/22 = 255.255.252.0, so it equals 0.0.3.255 when converted into a wildcard mask -> C is correct.
A, B, D are not correct as their wildcard masks are incorrect. For example:
Answer A allows from 172.29.16.0 to 172.29.16.255
Answer B allows from 172.29.16.0 to 172.29.17.255
Answer D allows from 172.29.16.0 to 172.29.31.255
Both the network address and the wildcard mask of answer E are incorrect, as it allows the whole major network 172.29.0.0/16 to go through.
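An added example (not from the original page) that checks the Question 4 answers by enumerating every address each "base wildcard" pair matches, a method that also works for non-contiguous wildcard masks. The four original statements are taken from the explanation because the graphic is not reproduced here; all function names are illustrative.

```python
import ipaddress

def ip(a):
    return int(ipaddress.IPv4Address(a))

def wildcard(prefix):
    # Wildcard mask = bitwise inverse of the subnet mask.
    return str(ipaddress.ip_network(prefix).hostmask)

def matched(base, wc):
    # Set of all addresses an ACL "base wildcard" pair matches. Enumerates
    # every combination of the ignored (1) bits, so it also handles
    # non-contiguous wildcard masks.
    wc = ip(wc)
    fixed = ip(base) & ~wc & 0xFFFFFFFF
    out, sub = set(), wc
    while True:
        out.add(fixed | sub)
        if sub == 0:
            return out
        sub = (sub - 1) & wc

# Assumption: the four statements are in a graphic missing from the page; the
# explanation says they permit 172.29.16.0/24 through 172.29.19.0/24.
ORIGINAL = [("172.29.%d.0" % n, "0.0.0.255") for n in range(16, 20)]

ANSWERS = {"A": ("172.29.16.0", "0.0.0.255"),
           "B": ("172.29.16.0", "0.0.1.255"),
           "C": ("172.29.16.0", "0.0.3.255"),
           "D": ("172.29.16.0", "0.0.15.255"),
           "E": ("172.29.0.0", "0.0.255.255")}

def compare():
    # For each answer: (addresses wrongly added, addresses wrongly dropped).
    want = set().union(*(matched(b, w) for b, w in ORIGINAL))
    result = {}
    for key, (b, w) in ANSWERS.items():
        got = matched(b, w)
        result[key] = (len(got - want), len(want - got))
    return result

if __name__ == "__main__":
    print(wildcard("172.29.16.0/22"))
    for key, (extra, missing) in compare().items():
        print(key, "extra:", extra, "missing:", missing)
```

An answer with a non-zero "extra" count permits addresses the original statements did not, which is the over-permissive case to catch when consolidating ACL lines.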
Question 5
A network administrator wants to add a line to an access list that will block only Telnet access by the hosts on subnet 192.168.1.128/28 to the server at 192.168.1.5. What command should be issued to accomplish this task?
A – access-list 101 deny tcp 192.168.1.128 0.0.0.15 192.168.1.5 0.0.0.0 eq 23
access-list 101 permit ip any any
B – access-list 101 deny tcp 192.168.1.128 0.0.0.240 192.168.1.5 0.0.0.0 eq 23
access-list 101 permit ip any any
C – access-list 1 deny tcp 192.168.1.128 0.0.0.255 192.168.1.5 0.0.0.0 eq 21
access-list 1 permit ip any any
D – access-list 1 deny tcp 192.168.1.128 0.0.0.15 host 192.168.1.5 eq 23
access-list 1 permit ip any any
Answer: A
Explanation:
First the question asks to block only Telnet access so the port we have to use is 23 -> C is not correct.
Next we need to block traffic from hosts on the subnet 192.168.1.128/28, which is 192.168.1.128 0.0.0.15 if we convert to a wildcard mask (just invert all bits of the subnet mask, from 0 to 1 and from 1 to 0, to get the equivalent wildcard mask of that subnet mask) -> so B is incorrect.
In this case, we have to use an extended access list because we need to specify which type of traffic (TCP) and which port (23) we want to block -> so D is incorrect because it uses a standard access list.
Question 6
As a network administrator, you have been instructed to prevent all traffic originating on the LAN from entering the R2 router. Which of the following commands would implement the access list on the interface of the R2 router?
A – access-list 101 in
B – access-list 101 out
C – ip access-group 101 in
D – ip access-group 101 out
Answer: C
Question 7
The following access list below was applied outbound on the E0 interface connected to the 192.169.1.8/29 LAN:
access-list 135 deny tcp 192.169.1.8 0.0.0.7 eq 20 any
access-list 135 deny tcp 192.169.1.8 0.0.0.7 eq 21 any
How will the above access lists affect traffic?
A – FTP traffic from 192.169.1.22 will be denied
B – No traffic, except for FTP traffic will be allowed to exit E0
C – FTP traffic from 192.169.1.9 to any host will be denied
D – All traffic exiting E0 will be denied
E – All FTP traffic to network 192.169.1.9/29 will be denied
Answer: D
Explanation:
There is always an implicit “deny all” command at the end of every access list, so if an access list doesn’t have any “permit” command, it will block all the traffic.
Note: This access list is applied in the outbound direction, so only packets exiting E0 will be checked. Packets entering E0 will not be checked and they are all allowed to pass through.
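The first-match evaluation behind Question 1 and the implicit deny behind Question 7, as an added example that is not part of the original page. The parser covers only the ACL forms quoted on this page; the function names, the address 10.0.0.1 and the source port 40000 are assumptions made for illustration.

```python
import ipaddress

PORTS = {"telnet": 23}  # named ports used on this page

def wc_match(addr, base, wildcard):
    # A differing bit matters only where the wildcard bit is 0.
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0

def parse_ace(line):
    t = line.split()[2:]                   # drop "access-list <number>"
    ace = {"action": t[0], "proto": t[1], "sport": None, "dport": None}
    i = 2
    for side, port in (("src", "sport"), ("dst", "dport")):
        if t[i] == "any":
            ace[side], i = ("0.0.0.0", "255.255.255.255"), i + 1
        elif t[i] == "host":
            ace[side], i = (t[i + 1], "0.0.0.0"), i + 2
        else:
            ace[side], i = (t[i], t[i + 1]), i + 2
        if i < len(t) and t[i] == "eq":
            ace[port], i = PORTS.get(t[i + 1]) or int(t[i + 1]), i + 2
    return ace

def evaluate(acl, proto, src, sport, dst, dport):
    for line in acl:                       # top-down, first match wins
        a = parse_ace(line)
        if (a["proto"] in ("ip", proto) and wc_match(src, *a["src"])
                and wc_match(dst, *a["dst"])
                and a["sport"] in (None, sport) and a["dport"] in (None, dport)):
            return a["action"]
    return "deny"                          # implicit deny ends every ACL

ACL_101 = ["access-list 101 deny tcp 192.168.15.32 0.0.0.15 any eq telnet",
           "access-list 101 permit ip any any"]
ACL_135 = ["access-list 135 deny tcp 192.169.1.8 0.0.0.7 eq 20 any",
           "access-list 135 deny tcp 192.169.1.8 0.0.0.7 eq 21 any"]

def question1():  # destination 10.0.0.1 and source port 40000 are constructed
    opts = {"A": ("192.168.15.5", 21), "B": ("192.168.15.37", 21),
            "C": ("192.168.15.41", 21), "D": ("192.168.15.36", 23),
            "E": ("192.168.15.46", 23), "F": ("192.168.15.49", 23)}
    return {k: evaluate(ACL_101, "tcp", s, 40000, "10.0.0.1", p)
            for k, (s, p) in opts.items()}

if __name__ == "__main__":
    print(question1())
    # Constructed HTTP packet leaving E0: nothing matches, so implicit deny.
    print(evaluate(ACL_135, "tcp", "10.0.0.1", 40000, "192.169.1.9", 80))
```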
Question 8
The access control list shown in the graphic has been applied to the Ethernet interface of router R1 using the ip access-group 101 in command. Which of the following Telnet sessions will be blocked by this ACL? (Choose two)
A – from host PC1 to host 5.1.1.10
B – from host PC1 to host 5.1.3.10
C – from host PC2 to host 5.1.2.10
D – from host PC2 to host 5.1.3.8
Answer: B D
Explanation
Below is the simple syntax of an extended access list:
access-list access-list-number {deny | permit} {ip|tcp|udp|icmp} source [source-mask] dest [dest-mask] [eq dest-port]
Notice that this access list is applied to the Ethernet interface of R1 in the “in” direction, so in this case it will filter all the packets originating from the E1 network (hosts PC1 and PC2) with these parameters:
Source network: 5.1.1.8 0.0.0.3, which means 5.1.1.8 with subnet mask 255.255.255.252 (just invert all the wildcard bits to get the equivalent subnet mask) -> Packets from 5.1.1.8 to 5.1.1.11 will be filtered.
Destination network: 5.1.3.0 0.0.0.255, which means 5.1.3.0/24 -> Packets to 5.1.3.0/24 will be filtered.
Therefore packets originating from 5.1.1.8 to 5.1.1.11 and destined for a host 5.1.3.x (via Telnet) will be denied.
Question 9
The following configuration line was added to router R1
Access-list 101 permit ip 10.25.30.0 0.0.0.255 any
What is the effect of this access list configuration?
A – permit all packets matching the first three octets of the source address to all destinations
B – permit all packets matching the last octet of the destination address and accept all source addresses
C – permit all packets matching the host bits in the source address to all destinations
D – permit all packets from the third subnet of the network address to all destinations
Answer: A
Hi all, I am taking CCNA 640-802 exam first time on 30/05/2012. Could anyone please send me latest dumps which are valid for UK? My e-mail address is puneet_gill84@yahoo.co.uk. Many thanks.
Hi there,
Thanks a lot 9tut, passed today with 894
This was my retake but was offered free of cost by Cisco & Pearson
as last time I reported an error and filed an online case.
It’s an organisation that listens and I would urge ppl to pursue such cases if they are pretty sure something went wrong in the examination.
I would recommend the Jericho 600+ dumps as they were DITTO in the exam.
The ACL Lab questions differ a lot and what I think there is a reason to get a 0 in that lab is that maybe people use more than 3 statements or don’t save it, that might have been the issue with my paper last time but it’s all over now.
Regards,
wasif
ok i now get it.tnx
Wasif pls can you tell me how you reported your case, I have a similar case, though I’ve paid for another exam, I still need to make a report pls I’ll apprc8 it my box: bola_unad@yahoo.co.uk
It’s so easy to pick the wrong answer on some of these tricky questions. For example, it’s easy to overlook that an access list statement is perfectly configured, except–it has the wrong access list type–standard vs extended. And it’s easy to forget about the implicit deny at the end of an access list. These practice tests are toughening me up to get ready to take the CCNA exams. Thanks so much for putting the 9tut site up!
thanks a lot 9tut.
Hi can somebody send me latest dumps please, examcollection.com has 30th april 2012 as the latest, but can i get more latest than this??, my email id basavarajpardi@gmail.com
can someone tell me the link for the 30th april 2012 dumps?
I PASSED CCNA EXAM TODAY THANKS TO ALL MIGHTY ALLAH
960/1000
Hi, Im Priya from Kerala(India).Im taking ccna exam on 30th June.Really im fed up.Can any one plz send me latest dumps to my email priya.ccna@yahoo.in Love you all .God Bless ..Thanks
priya
Can any one plz send me latest dumps to my email afafbatti@gmail.com .God Bless ..Thanks
on question no 1 the increment should be 8 because it is 29 bits for network so we will have five bits on 1 from 128 to 8 all turn on to 1 and bit number 4, 2, and 1 will be zero the smallest number is the increment which is 8 and even the subnet mask should be 255.255.255.248 so the answer should be D only because that’s the only ip reside in that network thanks
hi im sathish dudz ,,,,,, im planing take my ccna exam in 10 days… anyone help me to score good … send me latest dumps frnds….
my mail id sathish.so2006@gmail.com
help me
Can anyone help me with question N5.
I can’t see any differences btw answer A and D
For me both answers are correct
you cannot give extended access list no 1 it has to start from no 101 that’s why A is the right answer
Oh, yes sorry I didn’t see that. Thanks Muhammad
Question No.1, plz review it as it state /29 subnet mask, which mean 255.255.255.248 subnet mask, but in explanation wrong interpretation of 29 is done.
Q7
In this question, “Outbound” is false. I think it must be “Inbound”.
Am I right?
Thanks
@muhammed bhatti
.47 is the broadcast address for .40/29, so it exists in the network. But since broadcasts are not forwarded by the router (again, no vlans mentioned), the packets will never reach the S0 interface. Correct me if I misunderstood something.
@9tut
Q7
Why is that “Outbound” in this question,while all traffics come to Router?
@Morteza:
+The traffic entering router is called inbound traffic.
+ The traffic leaving router is called outbound traffic.
–(Inbound)–>Router–(Outbound)–>
@9tut
Thank you for your answer.
I know. That’s right, but in the question there is a source address in an extended Access-list that is in destination subnet. If it were outbound in question, that’s meaning, a rule with a source address to same network. It is impossible.
If it were inbound in the question, that’s OK. A rule with a source address incoming to router and going to “any”. I think, it should be thus.
Please guide me if I made a mistake.
Thank you for your fantastic website.
Hola! I am to take the ICND2 portion Thursday. I have flunked three times, last two times I made a 805 and needed 825 :( Can someone send me latest dumps so I can pass this time?! Thx! fishinnnc@yahoo.com
Hi, Im Flamur).Im taking CCNA exam on 25th June.Can any one plz send me latest dumps to my email: flamur.dinaj@hotmail.com ,
Hope somebody of you will help me :)
Hi
My name is seringe preparing to sit CCNA exams on 22nd of this month can some one help me with latest dump please. my e-mail : sas66_2007@yahoo.com.
Thanz in advance.
In the question 1 both subnetworks have been taken into account: 192.168.15.32/29 and 192.168.15.40/29. They are summarized together and give 192.168.15.32/28 and then the subnet mask will be 255.255.255.240 and then the wildcard is 0.0.0.15 and the increment is 16. So next subnet will be 192.168.15.48
hosts are from 192.168.15.33 —46
Hope it was clear .
Dear All,
Kindly explain again how to summarize networks! i forgot my curriculum password that’s why i can’t access it. Help pleaseee! VLSM or not VLSM, please! please! im taking ccna next month and currently reviewing, im stuck with the summarization. i need to have a solid foundation please.
thanks, pls email me at danzaaznad@gmail.com. appreciate also if you can send latest dumps. regards.
For question #1, you can just add the starting address (192.168.15.32) to the wildcard mask to get the entire range of allowed addresses:
192.168.15.32
+ 0 . 0 . 0 .15
——————
192.168.15.47
Hi alls
Please can you send me the last dump my exam will be July 14th my mail is dpapus@hotmail.com.
Thanks.
I passed my ccna exam today Praise be to God! Thank you Jesus! and thanks to 9TUT for the tutorials and explanations, great site and thanks to xallax for your explanations to questions and thanks to http://www.examcollection.com for the dumps. Pls guys lets donate and help to keep this site up!
48 ques for exams including 3 simulation, I had EIGRP, Acesslist2 and VTP . Make sure you practice the simulation, use packet tracer or gns3. Best wishes to all!
PLEASE GUIDE ME ABOUT LABS HOW THEY LOOK LIKE??
CCNA LAB SIM IF I PRACTICE I WILL BE GOOD OR NOT?
great site
@ENG
BROTHER JUST DOWNLOAD PACKET TRACER 5
AND PRACTICE THERE
hi my name is Jay….im writing my ccna exam soon so any help will be appreciated ey.
touch base on jacobthepa@gmail.com
Hi, i’m Linda..i’m preparing for my ccna exam. pls can anyone send me the latest dumps pls. My email address is saintify2007@yahoo.com. Thanks
Can someone pls send me the latest dumps link to my email ID : abuthahir85@gmail.com
I am planning to attend CCNA exam on July 1st week…
Can someone explain about question 6?
pls explain question 2…
@9tut
Q1. /29 = 248 ….
so it will be 255.255.255.248 SM
and 0.0.0.7 WM
Please explain thanks.
can anyone send me the CCNA latest dumps to pmbinshad@gmail.com
Thanks in advance……….
@Abu.
Hi! Well, it’s easy one. Look, it’s asking us about the right command, A&B are dropped permanently, because there’re no such commands. And the task is about installing AL on R2 (because traffic enters it from R1), so it’d be ip access-group 101 in.
@WarFreak:
Where did you find /29? All you have to do is to find the range “192.168.15.32 0.0.0.15”.
0.0.0.15 WM = 255.255.255.240 SM. So 192.168.15.33-192.168.15.46 (without broadcast and subnet addresses). That’s it. From the answers only D&E are valid, considering protocol number 23.
For Qn1, can anyone explain why “find out the subnet mask just convert all bit “0” to “1” and all bit “1” to “0” of the wildcard mask”? Is that a valid statement regarding ACL’s wildcard and SM?