CCNA – Access List Questions
Here you will find answers to CCNA access list questions.
Note: If you are not sure about how to use access lists, please read my Access list tutorial first.
Question 1
Your boss is taking a CCNA training course. Refer to the exhibit. The access list has been configured on the S0/0 interface of router RTB in the outbound direction. Which two packets, if routed to the interface, will be denied? (Choose two)
access-list 101 deny tcp 192.168.15.32 0.0.0.15 any eq telnet
access-list 101 permit ip any any
A. source ip address: 192.168.15.5; destination port: 21
B. source ip address: 192.168.15.37 destination port: 21
C. source ip address: 192.168.15.41 destination port: 21
D. source ip address: 192.168.15.36 destination port: 23
E. source ip address: 192.168.15.46; destination port: 23
F. source ip address: 192.168.15.49 destination port: 23
Answer: D E
Explanation
First we notice that Telnet uses port 23, so only D, E & F can satisfy this requirement.
The purpose of this access list is to deny traffic from network 192.168.15.32 255.255.255.240 (to find the subnet mask, just convert every “0” bit to “1” and every “1” bit to “0” in the wildcard mask) from telnetting to any device. So we need to figure out the range of this network to learn which IP addresses will be denied.
Increment: 16
Network address: 192.168.15.32
Broadcast address: 192.168.15.47
-> Only 192.168.15.36 (answer D) & 192.168.15.46 (answer E) belong to this range, so they are the correct answers.
Question 2
Refer to the graphic. It has been decided that PC1 should be denied access to Server. Which of the following commands are required to prevent only PC1 from accessing Server1 while allowing all other traffic to flow normally? (Choose two)
A – Router(config)# interface fa0/0
Router(config-if)# ip access-group 101 out
B – Router(config)# interface fa0/0
Router(config-if)# ip access-group 101 in
C – Router(config)# access-list 101 deny ip host 172.16.161.150 host 172.16.162.163
Router(config)# access-list 101 permit ip any any
D – Router(config)# access-list 101 deny ip 172.16.161.150 0.0.0.255 172.16.162.163 0.0.0.0
Router(config)# access-list 101 permit ip any any
Answer: B C
Question 3
Refer to the exhibit. Why would the network administrator configure RA in this manner?
A. to give students access to the Internet
B. to prevent students from accessing the command prompt of RA
C. to prevent administrators from accessing the console of RA
D. to give administrators access to the Internet
E. to prevent students from accessing the Internet
F. to prevent students from accessing the Admin network
Answer: B
Explanation
Although the access list “permits” network 10.1.1.0/24, the best answer here is “to prevent students from accessing the command prompt of RA”. From the picture above, we know that 10.1.1.0/24 is the “Admin” network. This access list is applied to “line vty 0 4”, so it permits only Telnet traffic from “Admin” to RA while dropping all other traffic (because of the implicit “deny all” at the end of the access list). Therefore we can deduce that it will “prevent students from accessing the command prompt of RA”.
This access list only filters Telnet traffic (because it is applied to the vty lines), so it will neither prevent nor allow anyone to access the Internet -> A, D, E are not correct.
C is not correct as this access list allows administrators to access the console of RA.
F is not correct as this access list does not process TCP, UDP or IP traffic passing through the router, so the students can still access the Admin network.
(Notice that the “command prompt” here implies Telnet, as Telnet is the only way to remotely access RA)
Question 4
An access list was written with the four statements shown in the graphic. Which single access list statement will combine all four of these statements into a single statement that will have exactly the same effect?
A. access-list 10 permit 172.29.16.0 0.0.0.255
B. access-list 10 permit 172.29.16.0 0.0.1.255
C. access-list 10 permit 172.29.16.0 0.0.3.255
D. access-list 10 permit 172.29.16.0 0.0.15.255
E. access-list 10 permit 172.29.0.0 0.0.255.255
Answer: C
Explanation
The four statements above allow 4 networks (from 172.29.16.0/24 to 172.29.19.0/24) to go through, so we can summarize them as network 172.29.16.0/22.
/22 = 255.255.252.0, which equals 0.0.3.255 when converted into a wildcard mask -> C is correct.
A, B, D are not correct as their wildcard masks are wrong. For example:
Answer A allows from 172.29.16.0 to 172.29.16.255
Answer B allows from 172.29.16.0 to 172.29.17.255
Answer D allows from 172.29.16.0 to 172.29.31.255
Both the network address and the wildcard mask of answer E are wrong, as it allows the whole major network 172.29.0.0/16 to go through.
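The summarization in Question 4 (and the bit-column method a commenter describes further down) can be checked mechanically. The script below is an added example, not code from 9tut or from the page: it converts between subnet masks and wildcard masks by bit inversion, expands an ACL “network wildcard” pair into the address range it matches, and collapses a list of networks into the single statement that covers them, reporting whether the summary is exact or lets extra addresses through.

```python
import ipaddress


def wildcard_to_mask(wildcard):
    """Invert every bit of a wildcard mask to get the subnet mask (0.0.3.255 -> 255.255.252.0)."""
    return str(ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))))


def mask_to_wildcard(mask):
    """Same bit inversion in the other direction (255.255.252.0 -> 0.0.3.255)."""
    return wildcard_to_mask(mask)


def acl_range(network, wildcard):
    """First and last address matched by an ACL 'network wildcard' pair.

    Wildcard 1-bits are 'don't care', so the range runs from the address with
    those bits cleared to the address with those bits set.
    """
    net = int(ipaddress.IPv4Address(network))
    wc = int(ipaddress.IPv4Address(wildcard))
    first = net & (0xFFFFFFFF ^ wc)
    last = net | wc
    return str(ipaddress.IPv4Address(first)), str(ipaddress.IPv4Address(last))


def summarize(cidrs):
    """Collapse non-overlapping networks into one (network, wildcard, exact) triple.

    The prefix length is the number of leading bits shared by the lowest and the
    highest address (the bit-column method). 'exact' is True only when the
    summary block is the union of the inputs and nothing more.
    """
    nets = [ipaddress.ip_network(c) for c in cidrs]
    lo = min(int(n.network_address) for n in nets)
    hi = max(int(n.broadcast_address) for n in nets)
    diff = lo ^ hi            # bit positions where lo and hi differ
    prefix = 32
    while diff:               # every differing bit shortens the common prefix
        diff >>= 1
        prefix -= 1
    block = ipaddress.ip_network((lo, prefix), strict=False)
    covered = sum(n.num_addresses for n in nets)   # inputs assumed non-overlapping
    exact = covered == block.num_addresses
    return str(block.network_address), mask_to_wildcard(str(block.netmask)), exact


if __name__ == "__main__":
    q4 = ["172.29.16.0/24", "172.29.17.0/24", "172.29.18.0/24", "172.29.19.0/24"]
    print("Summary of Q4 networks:", summarize(q4))
    # Answer options from Question 4, expanded into the range each one permits.
    for letter, net, wc in (("A", "172.29.16.0", "0.0.0.255"), ("B", "172.29.16.0", "0.0.1.255"),
                            ("C", "172.29.16.0", "0.0.3.255"), ("D", "172.29.16.0", "0.0.15.255"),
                            ("E", "172.29.0.0", "0.0.255.255")):
        print(letter, "permits", "-".join(acl_range(net, wc)))
```

Run it as a script to see the Q4 options expanded; the last flag from summarize() is the practitioner's check that a “shortcut” summary has not silently widened the permitted range.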
Question 5
A network administrator wants to add a line to an access list that will block only Telnet access by the hosts on subnet 192.168.1.128/28 to the server at 192.168.1.5. What command should be issued to accomplish this task?
A – access-list 101 deny tcp 192.168.1.128 0.0.0.15 192.168.1.5 0.0.0.0 eq 23
access-list 101 permit ip any any
B – access-list 101 deny tcp 192.168.1.128 0.0.0.240 192.168.1.5 0.0.0.0 eq 23
access-list 101 permit ip any any
C – access-list 1 deny tcp 192.168.1.128 0.0.0.255 192.168.1.5 0.0.0.0 eq 21
access-list 1 permit ip any any
D – access-list 1 deny tcp 192.168.1.128 0.0.0.15 host 192.168.1.5 eq 23
access-list 1 permit ip any any
Answer: A
Explanation:
First, the question asks to block only Telnet access, so the port we have to use is 23 -> C is not correct.
Next we need to block traffic from hosts on the subnet 192.168.1.128/28, which is 192.168.1.128 0.0.0.15 when converted to a wildcard mask (just invert all bits of the subnet mask, from 0 to 1 and from 1 to 0, to get the equivalent wildcard mask) -> so B is incorrect.
In this case we have to use an extended access list because we need to specify which type of traffic (TCP) and which port (23) we want to block -> so D is incorrect because it uses a standard access list number.
Question 6
As a network administrator, you have been instructed to prevent all traffic originating on the LAN from entering the R2 router. Which of the following commands would apply the access list to the interface of the R2 router?
A – access-list 101 in
B – access-list 101 out
C – ip access-group 101 in
D – ip access-group 101 out
Answer: C
Question 7
The following access list was applied outbound on the E0 interface connected to the 192.169.1.8/29 LAN:
access-list 135 deny tcp 192.169.1.8 0.0.0.7 eq 20 any
access-list 135 deny tcp 192.169.1.8 0.0.0.7 eq 21 any
How will the above access list affect traffic?
A – FTP traffic from 192.169.1.22 will be denied
B – No traffic, except for FTP traffic will be allowed to exit E0
C – FTP traffic from 192.169.1.9 to any host will be denied
D – All traffic exiting E0 will be denied
E – All FTP traffic to network 192.169.1.9/29 will be denied
Answer: D
Explanation:
There is always an implicit “deny all” at the end of every access list, so if an access list doesn’t have any “permit” statement, it will block all the traffic.
Note: This access list is applied in the outbound direction, so only packets exiting E0 will be checked. Packets entering E0 will not be checked, and they are all allowed to pass through.
Question 8
The access control list shown in the graphic has been applied to the Ethernet interface of router R1 using the ip access-group 101 in command. Which of the following Telnet sessions will be blocked by this ACL? (Choose two)
A – from host PC1 to host 5.1.1.10
B – from host PC1 to host 5.1.3.10
C – from host PC2 to host 5.1.2.10
D – from host PC2 to host 5.1.3.8
Answer: B D
Explanation
Below is the simple syntax of an extended access list:
access-list access-list-number {deny | permit} {ip|tcp|udp|icmp} source [source-mask] dest [dest-mask] [eq dest-port]
Notice that this access list is applied to the Ethernet interface of R1 in the “in” direction, so in this case it will filter all the packets originating from the E1 network (hosts PC1 and PC2) with these parameters:
Source network: 5.1.1.8 0.0.0.3, which means 5.1.1.8 255.255.255.252 (/30) (just invert all the wildcard bits to get the equivalent subnet mask) -> packets from 5.1.1.8 to 5.1.1.11 will be filtered.
Destination network: 5.1.3.0 0.0.0.255, which means 5.1.3.0/24 -> packets to 5.1.3.0/24 will be filtered.
Therefore packets originating from 5.1.1.8 to 5.1.1.11 and destined to a host 5.1.3.x (via Telnet) will be denied.
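To make the matching rules behind Questions 1, 5, 7 and 8 concrete, here is an added example (not code from 9tut or from the page) that parses extended ACL statements in the syntax shown above, including the any, host and eq forms, and evaluates constructed packets against them in order, first match wins, with the implicit deny at the end. The packet dictionaries, the destination address 10.0.0.1 used for the Question 1 options and the port-name table are assumptions of this example.

```python
import ipaddress

# Well-known port names IOS accepts in place of numbers (a subset; assumption of this example).
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "telnet": 23, "smtp": 25, "www": 80}


def _ip(s):
    return int(ipaddress.IPv4Address(s))


def _parse_addr(tok, i):
    """Read one address field: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'."""
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return (_ip(tok[i + 1]), 0), i + 2
    return (_ip(tok[i]), _ip(tok[i + 1])), i + 2


def _parse_port(tok, i):
    """Read an optional 'eq PORT' qualifier; only 'eq' is handled in this example."""
    if i < len(tok) and tok[i] == "eq":
        name = tok[i + 1]
        return (PORT_NAMES[name] if name in PORT_NAMES else int(name)), i + 2
    return None, i


def parse_ace(line):
    """Parse one 'access-list N {permit|deny} PROTO SRC [eq P] DST [eq P]' statement."""
    tok = line.split()
    if tok[0].lower() != "access-list":
        raise ValueError("not an access-list statement: " + line)
    action, proto = tok[2].lower(), tok[3].lower()
    i = 4
    src, i = _parse_addr(tok, i)
    sport, i = _parse_port(tok, i)
    dst, i = _parse_addr(tok, i)
    dport, i = _parse_port(tok, i)
    return {"action": action, "proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport}


def _addr_match(spec, ip):
    """Wildcard 1-bits are 'don't care'; compare only the 0-bit positions."""
    net, wc = spec
    care = 0xFFFFFFFF ^ wc
    return _ip(ip) & care == net & care


def evaluate(acl, packet):
    """Return 'permit' or 'deny' for packet against the ACL. First matching entry wins."""
    for ace in acl:
        if ace["proto"] != "ip" and ace["proto"] != packet["proto"]:
            continue
        if not _addr_match(ace["src"], packet["src"]):
            continue
        if ace["sport"] is not None and ace["sport"] != packet.get("sport"):
            continue
        if not _addr_match(ace["dst"], packet["dst"]):
            continue
        if ace["dport"] is not None and ace["dport"] != packet.get("dport"):
            continue
        return ace["action"]
    return "deny"   # the implicit "deny any any" every ACL ends with


# Question 1's list, as printed on the page.
ACL_101 = [parse_ace(line) for line in (
    "access-list 101 deny tcp 192.168.15.32 0.0.0.15 any eq telnet",
    "access-list 101 permit ip any any",
)]

# Question 7's list: two deny lines and no permit at all.
ACL_135 = [parse_ace(line) for line in (
    "access-list 135 deny tcp 192.169.1.8 0.0.0.7 eq 20 any",
    "access-list 135 deny tcp 192.169.1.8 0.0.0.7 eq 21 any",
)]

# Question 1 answer options as (source, destination port); constructed packets.
Q1_OPTIONS = {
    "A": ("192.168.15.5", 21), "B": ("192.168.15.37", 21), "C": ("192.168.15.41", 21),
    "D": ("192.168.15.36", 23), "E": ("192.168.15.46", 23), "F": ("192.168.15.49", 23),
}


def denied_q1_options():
    """Letters of the Question 1 options that ACL 101 drops (destination 10.0.0.1 is a placeholder)."""
    denied = []
    for letter, (src, dport) in Q1_OPTIONS.items():
        pkt = {"proto": "tcp", "src": src, "dst": "10.0.0.1", "sport": 40000, "dport": dport}
        if evaluate(ACL_101, pkt) == "deny":
            denied.append(letter)
    return denied


if __name__ == "__main__":
    print("Q1 denied options:", denied_q1_options())
    web = {"proto": "tcp", "src": "192.169.1.9", "dst": "203.0.113.5", "sport": 40000, "dport": 80}
    print("Q7: web traffic from 192.169.1.9 ->", evaluate(ACL_135, web))
```

The Question 7 check is the instructive one: the web packet matches neither deny line, yet evaluate() still returns deny because the loop falls off the end of the list. The same evaluator applied to the Question 5 answer A shows the "block only Telnet" behaviour, with port 80 traffic from the same /28 falling through to the permit.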
Question 9
The following configuration line was added to router R1
Access-list 101 permit ip 10.25.30.0 0.0.0.255 any
What is the effect of this access list configuration?
A – permit all packets matching the first three octets of the source address to all destinations
B – permit all packets matching the last octet of the destination address and accept all source addresses
C – permit all packets matching the host bits in the source address to all destinations
D – permit all packets from the third subnet of the network address to all destinations
Answer: A
@Jim That’s right, you can find the subnet mask by converting every “0” bit to “1” and every “1” bit to “0”, or you can take 255.255.255.255 – (minus) the wildcard mask, e.g. wildcard mask 0.0.0.15, so the subnet mask is 255.255.255.255 – 0.0.0.15 -> 255.255.255.240 (/28). That’s my way, and it’s effective…
Salam & hello everybody,
I’m preparing for my CCNA exam and wish to take it in 2 weeks.
So please, can anybody send me the latest dumps?
So grateful!!!
It’s kind of weird without my email address: sifer55@gmail.com
Thanks in advance :)
May I know, for 192.168.15.32/29, why the increment is 16 and not 8?
Borrowing 5 bits leaves 3 bits, so shouldn’t the increment be 8?
@Dung Thanks. It works. For Qn1, things start to be clearer now. It’s that the WM used does not necessarily refer to the subnet range as in the diagram /29. It’s that the ACL takes a specific range other than the subnet range derived from /29.
For question #9 – aren’t choices A and C the same?… A – permit packets matching the first three octets of the source, and C – permit packets matching the host bits of the source. Since the mask is 255.255.255.0, the first three octets and the host portion of the source are the same.
Hi, I’m planning to take my CCNA exam on the 10th. Kindly send me the latest dump at malooze48@gmail.com
Thank you in advance.
Hey AJ, the first three octets are the network portion, not the host.
@muhammad bhatti
The answer is correct; he just made a shortcut in subnetting. Taking increment 16 is wise because
the first 3 octets are the same; they are just divided by /29 (which is increment 8).
Hiiiiiii…… I passed CCNA today, alhamdulillah. Thanks to God, thanks to my family, thanks 9tut. I got 920.
Guys, thanks for this great site… I am planning on taking my CCNA soon. Can someone send me the latest dumps to waiszak@gmail.com
Thank you
Hi 9tut, kindly explain question 1 because I’m getting 248 instead of 240.
@AJ
I think the wildcard mask is 0.0.0.255, so it matches the first three octets and ignores the last octet!!!
Thank you!!!!
Someone should please help me and send the latest CCNA dumps to my inbox; my email address is busayomi5@gmail.com. Thank you
Hi,
A request to all my friends who passed their CCNA: please send me some latest CCNA dumps and guidance. farhanm73@hotmail.com Thanks in advance
Guys, thanks for this great site… I am planning on taking my CCNA soon. Can someone send me the latest dumps to ptshiaba@gmail.com
I did not understand Q4, because if you summarize 172.29.16.0/24 I found the following results.
128 64 32 16 8 4 2 1
 0  0  0  1 0 0 0 0 -> 16
 0  0  0  1 0 0 0 1 -> 17
 0  0  0  1 0 0 1 0 -> 18
 0  0  0  1 0 0 1 1 -> 19
Considering we are dealing with the 3rd octet, should it be a /19 or a 224 subnet mask?
Meaning the summarized address would be 172.29.16.0/19 or 255.255.224.0, and then when subtracting 255.255.255.255 – 255.255.224.0 = 31. Then we should have 172.29.16.0 0.0.31.255. Can someone please help me understand Q4?
Todd Lammle hasn’t said anything about SSH configuration…. Is it a CCNP topic?
How do I access the router/switch via SSH after having completed all the configs?
@hadduken
Your demonstration above is perfect, but you seem to be missing one concept…. When summarizing addresses, as you have shown above for .16, .17, .18, you pick all columns that have uniform bits (i.e. they MUST all be either turned on OR turned off). You seem to have stopped counting when you met the turned-on (1) bit, i.e. the fourth bit from the left…. That doesn’t matter; so long as the fourth bit is turned on for all addresses you keep counting till you find non-uniformity in the column, which in this case is where the trend of uniformity stops, at the sixth bit, making the 3rd octet /22 or a 252 subnet mask.
@Ropam
Thanks for sharing your knowledge, now I have it clear.
Hello Guys,
Could someone please educate me on numbered ACL commands? I messed up my CCNA exam due to not being able to apply it; I wasted a lot of time doing what I thought was how to do it. And what will happen with this?
(config)#line vty 0 4
(config-line)#password 770keepscret
(config-line)#login
(config-line)#ssh
Thanks 9tut…..
This site helped me a lot.
This is a great site… I am taking my exam tomorrow… thanks 9tut and everyone for all your help! :)
Q8 answers are wrong.
Only answer C is right.
Oops, sorry people, I read this question wrong :)
Dear all,
Can anybody post the right access list for this request, please?
Host C needed to get web (HTTP) access to the Finance server
No other traffic from Host C should be allowed to the finance server
No traffic from the LAN or core should be allowed to the finance server
All hosts in the core and LAN should be able to access the Public web server (did not state protocol)
Please notice that IP address of Public Server is unknown.
Thank you.
Dear friends, please send me the latest dumps for the CCNA on my mail id shs1310@gmail.com
Layer 13
access-list 101 permit tcp host [Host C] host [Finance Server] eq 80
This line covers your first 3 sentences.
access-list 101 permit tcp [CORE/LAN network] [wildcard] host [Public Web Server] eq 80
I assumed we all know the address and mask.
Remember there is an implicit deny ip any any at the end of the ACL.
Let me know if I am wrong; I didn’t read the topology.
Hi Xallax and 9tut,
I believe there is something wrong with this question and answer.
The following access list was applied on the E0 interface connected to the 192.169.1.8/29 LAN:
Access-list 130 deny tcp 192.169.1.8 0.0.0.7 eq 20 any
Access-list 130 deny tcp 192.169.1.8 0.0.0.7 eq 21 any
A.FTP Traffic from 192.169.1.9 to any host will be denied
B.All Traffic exiting E0 will be denied
The answer is B, but I chose A. The ACL only denies hosts from .8 to .15, so the answer could not be ALL traffic.
@DNT
As 9tut very well pointed out, there is an implied “deny any any” at the end of any ACL.
In this example, ACL 130 has 2 lines that deny traffic and an implied 3rd that denies all other traffic. No traffic is permitted at all.
Great info! Now my ACL knowledge is better than before.
Great site!
Please send me the latest dumps if anyone has them. ryan-byrne@live.com
I answered all of the questions successfully and am greatly thankful to you, and if anyone wants dumps, kindly send me a mail at gautambk1990@gmail.com