
CCNA – Access List Questions

May 1st, 2011

Here you will find answers to CCNA Access list questions

Note: If you are not sure about how to use access lists, please read my Access list tutorial

Question 1

Your boss is taking a CCNA training course. Refer to the exhibit. The access list has been configured on the S0/0 interface of router RTB in the outbound direction. Which two packets, if routed to the interface, will be denied? (Choose two)

(Exhibit image: accesslist1)

access-list 101 deny tcp 192.168.15.32 0.0.0.15 any eq telnet
access-list 101 permit ip any any

A. source ip address: 192.168.15.5; destination port: 21
B. source ip address: 192.168.15.37; destination port: 21
C. source ip address: 192.168.15.41; destination port: 21
D. source ip address: 192.168.15.36; destination port: 23
E. source ip address: 192.168.15.46; destination port: 23
F. source ip address: 192.168.15.49; destination port: 23


Answer: D E

Explanation

First we notice that Telnet uses port 23, so only D, E & F can satisfy this requirement.

The purpose of this access list is to deny traffic from network 192.168.15.32 255.255.255.240 (to find the subnet mask, just convert every “0” bit of the wildcard mask to “1” and every “1” bit to “0”) from telnetting to any device. So we need to figure out the range of this network to learn which IP addresses will be denied.

Increment: 16
Network address: 192.168.15.32
Broadcast address: 192.168.15.47

-> Only 192.168.15.36 (Answer D) & 192.168.15.46 (Answer E) belong to this range so they are the correct answer.

Question 2

Refer to the graphic. It has been decided that PC1 should be denied access to Server. Which of the following commands are required to prevent only PC1 from accessing Server1 while allowing all other traffic to flow normally? (Choose two)

(Exhibit image: accesslist2)

A – Router(config)# interface fa0/0
Router(config-if)# ip access-group 101 out
B – Router(config)# interface fa0/0
Router(config-if)# ip access-group 101 in
C – Router(config)# access-list 101 deny ip host 172.16.161.150 host 172.16.162.163
Router(config)# access-list 101 permit ip any any
D – Router(config)# access-list 101 deny ip 172.16.161.150 0.0.0.255 172.16.162.163 0.0.0.0
Router(config)# access-list 101 permit ip any any


Answer: B C


Question 3

Refer to the exhibit. Why would the network administrator configure RA in this manner?

(Exhibit image: accesslist3)

A. to give students access to the Internet
B. to prevent students from accessing the command prompt of RA
C. to prevent administrators from accessing the console of RA
D. to give administrators access to the Internet
E. to prevent students from accessing the Internet
F. to prevent students from accessing the Admin network


Answer: B

Explanation

Although the access list is used to “permit” network 10.1.1.0/24, the best answer here is “to prevent students from accessing the command prompt of RA”. From the picture above, we know that 10.1.1.0/24 is the “Admin” network. This access list is applied to “line vty 0 4”, so it will permit only Telnet traffic from “Admin” to RA while dropping all other Telnet traffic (because of the implicit “deny all” at the end of the access list). Therefore we can deduce that it will “prevent students from accessing the command prompt of RA”.

This access list only filters Telnet traffic (because it is applied to the vty lines), so it will neither prevent nor allow anyone to access the Internet -> A, D, E are not correct.

C is not correct as this access list allows administrators to access the console of RA.

F is not correct because this access list, being applied to the vty lines, does not process TCP, UDP or IP traffic passing through the router, so the students can still access the Admin network.

(Notice that the “command prompt” here implies telnet as telnet is the only way to remotely access RA)

Question 4

An access list was written with the four statements shown in the graphic. Which single access list statement will combine all four of these statements into a single statement that will have exactly the same effect?

(Exhibit image: accesslist4)

A. access-list 10 permit 172.29.16.0 0.0.0.255
B. access-list 10 permit 172.29.16.0 0.0.1.255
C. access-list 10 permit 172.29.16.0 0.0.3.255
D. access-list 10 permit 172.29.16.0 0.0.15.255
E. access-list 10 permit 172.29.0.0 0.0.255.255


Answer: C

Explanation

The four statements above allow 4 networks (from 172.29.16.0/24 to 172.29.19.0/24) to go through, so we can summarize them as network 172.29.16.0/22.

/22 = 255.255.252.0, which equals 0.0.3.255 when converted into a wildcard mask -> C is correct.

A, B, D are not correct as their wildcard masks are wrong. For example:
Answer A allows from 172.29.16.0 to 172.29.16.255
Answer B allows from 172.29.16.0 to 172.29.17.255
Answer D allows from 172.29.16.0 to 172.29.31.255

Both the network address and the wildcard mask of answer E are wrong, as it allows the whole major network 172.29.0.0/16 to go through.

Question 5

A network administrator wants to add a line to an access list that will block only Telnet access by the hosts on subnet 192.168.1.128/28 to the server at 192.168.1.5. What command should be issued to accomplish this task?

A – access-list 101 deny tcp 192.168.1.128 0.0.0.15 192.168.1.5 0.0.0.0 eq 23
access-list 101 permit ip any any
B – access-list 101 deny tcp 192.168.1.128 0.0.0.240 192.168.1.5 0.0.0.0 eq 23
access-list 101 permit ip any any
C – access-list 1 deny tcp 192.168.1.128 0.0.0.255 192.168.1.5 0.0.0.0 eq 21
access-list 1 permit ip any any
D – access-list 1 deny tcp 192.168.1.128 0.0.0.15 host 192.168.1.5 eq 23
access-list 1 permit ip any any


Answer: A

Explanation:

First, the question asks to block only Telnet access, so the port we have to use is 23 -> C is not correct.

Next we need to block traffic from hosts on the subnet 192.168.1.128/28, which is 192.168.1.128 0.0.0.15 when converted to a wildcard mask (just invert all bits of the subnet mask, from 0 to 1 and from 1 to 0, to get the equivalent wildcard mask of that subnet mask) -> so B is incorrect.

In this case we have to use an extended access list, because we need to specify which type of traffic (TCP) and which port (23) we want to block -> so D is incorrect because it uses a standard access list.
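The two conversions that Question 4 and Question 5 rely on, summarizing a run of contiguous networks into a single network/wildcard statement and turning a prefix length or subnet mask into its wildcard mask, are shown below in Python as an added example (this is not code from the page or from 9tut). It uses only the standard `ipaddress` module; the option letters and network lists are the ones from the questions above, and `covered_range` computes the address span each candidate statement actually matches, which is how the wrong options in Question 4 are identified.

```python
"""Wildcard-mask helpers for Cisco access lists (added example, standard library only)."""
import ipaddress
from typing import List, Optional, Tuple

ALL_ONES = 0xFFFFFFFF


def invert(dotted: str) -> str:
    """Subnet mask <-> wildcard mask: flip every bit (255.255.255.240 <-> 0.0.0.15)."""
    return str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(dotted)) ^ ALL_ONES))


def prefix_to_wildcard(prefix_len: int) -> str:
    """/28 -> 0.0.0.15; the hostmask of a network is exactly its wildcard mask."""
    return str(ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").hostmask)


def summarize(networks: List[str]) -> Optional[str]:
    """Return 'network wildcard' matching exactly the given networks, or None
    when they cannot be expressed as one contiguous, aligned block."""
    merged = list(ipaddress.collapse_addresses(ipaddress.IPv4Network(n) for n in networks))
    if len(merged) != 1:
        return None
    net = merged[0]
    return f"{net.network_address} {net.hostmask}"


def covered_range(statement: str) -> Tuple[str, str]:
    """First and last address matched by an 'address wildcard' pair, e.g.
    '172.29.16.0 0.0.3.255' -> ('172.29.16.0', '172.29.19.255')."""
    addr, wild = statement.split()
    a, w = int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(wild))
    first = a & ~w & ALL_ONES   # clear the don't-care bits
    last = first | w            # set all of them
    return str(ipaddress.IPv4Address(first)), str(ipaddress.IPv4Address(last))


# The four /24 networks from Question 4.
Q4_NETWORKS = ["172.29.16.0/24", "172.29.17.0/24", "172.29.18.0/24", "172.29.19.0/24"]
# The five candidate statements from Question 4, keyed by option letter.
Q4_OPTIONS = {
    "A": "172.29.16.0 0.0.0.255", "B": "172.29.16.0 0.0.1.255", "C": "172.29.16.0 0.0.3.255",
    "D": "172.29.16.0 0.0.15.255", "E": "172.29.0.0 0.0.255.255",
}


def q4_correct_option() -> str:
    """The option whose covered range equals the summary of the four networks."""
    target = covered_range(summarize(Q4_NETWORKS))
    return next(k for k, s in Q4_OPTIONS.items() if covered_range(s) == target)


if __name__ == "__main__":
    print(summarize(Q4_NETWORKS))                              # 172.29.16.0 0.0.3.255
    for letter, stmt in Q4_OPTIONS.items():
        print(letter, covered_range(stmt))
    print(prefix_to_wildcard(28), invert("255.255.255.240"))   # 0.0.0.15 0.0.0.15
```

`summarize` deliberately returns `None` when the networks do not merge into one block (for example only 172.29.16.0/24 through 172.29.18.0/24), because a single wildcard statement that still matched exactly those networks does not exist; in that case two statements are needed.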

Question 6

As a network administrator, you have been instructed to prevent all traffic originating on the LAN from entering the R2 router. Which of the following commands would implement the access list on the interface of the R2 router?

(Exhibit image: accesslist_blocktraffic)


A – access-list 101 in
B – access-list 101 out
C – ip access-group 101 in
D – ip access-group 101 out


Answer: C

Question 7

The following access list was applied outbound on the E0 interface connected to the 192.169.1.8/29 LAN:

access-list 135 deny tcp 192.169.1.8 0.0.0.7 eq 20 any
access-list 135 deny tcp 192.169.1.8 0.0.0.7 eq 21 any

How will the above access list affect traffic?

A – FTP traffic from 192.169.1.22 will be denied
B – No traffic, except for FTP traffic will be allowed to exit E0
C – FTP traffic from 192.169.1.9 to any host will be denied
D – All traffic exiting E0 will be denied
E – All FTP traffic to network 192.169.1.9/29 will be denied


Answer: D

Explanation:

There is always an implicit “deny all” command at the end of every access list, so if an access list doesn’t have any “permit” command, it will block all the traffic.

Note: This access list is applied on outbound direction so only packets exiting E0 will be checked. Packets entering E0 will not be checked and they all are allowed to pass through.

Question 8

The access control list shown in the graphic has been applied to the Ethernet interface of router R1 using the ip access-group 101 in command. Which of the following Telnet sessions will be blocked by this ACL? (Choose two)

(Exhibit image: accesslist)

A – from host PC1 to host 5.1.1.10
B – from host PC1 to host 5.1.3.10
C – from host PC2 to host 5.1.2.10
D – from host PC2 to host 5.1.3.8


Answer: B D

Explanation

Below is the simple syntax of an extended access list:

access-list access-list-number {deny | permit} {ip|tcp|udp|icmp} source [source-mask] dest [dest-mask] [eq dest-port]

Notice that this access list is applied to the Ethernet interface of R1 in the “in” direction, so in this case it will filter all the packets originating from the E1 network (hosts PC1 and PC2) with these parameters:

Source network: 5.1.1.8 0.0.0.3, which means 5.1.1.8/30, i.e. subnet mask 255.255.255.252 (just invert all the wildcard bits to get the equivalent subnet mask) -> Packets from 5.1.1.8 to 5.1.1.11 will be filtered.

Destination network: 5.1.3.0 0.0.0.255, which means 5.1.3.0/24 -> Packets to 5.1.3.0/24 will be filtered.

Therefore packets originating from 5.1.1.8 to 5.1.1.11 and destined to any host 5.1.3.x (via Telnet) will be denied.
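The extended access list syntax given in this explanation, together with the first-match and implicit-deny rules used in Questions 1, 2 and 7, can be checked mechanically. The Python below is an added example (not code from the page or from 9tut): it parses the `any`, `host A`, `A wildcard` and `eq port` forms that appear on this page, evaluates a packet against a list by returning the action of the first matching entry (or the implicit deny), and runs the lists from Question 1, Question 2 (options C and D) and Question 7. The destination address used for the sample packets is constructed, since the questions do not give one.

```python
"""Evaluate Cisco-style numbered extended access lists against sample packets.

Added example; the syntax handled is the subset shown on this page:
  access-list N {deny|permit} {ip|tcp|udp|icmp} SRC [eq P] DST [eq P]
where SRC/DST is 'any', 'host A' or 'A WILDCARD'.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_NAMES = {"telnet": 23, "ftp": 21, "ftp-data": 20}  # names accepted after "eq"
ALL_ONES = 0xFFFFFFFF


@dataclass
class Entry:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches every protocol
    src: Tuple[int, int]        # (address, wildcard) as 32-bit integers
    dst: Tuple[int, int]
    src_port: Optional[int]
    dst_port: Optional[int]


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def _addr(t: List[str], i: int):
    """Parse 'any' | 'host A' | 'A W' at t[i]; return ((addr, wildcard), next index)."""
    if t[i] == "any":
        return (0, ALL_ONES), i + 1
    if t[i] == "host":
        return (_ip(t[i + 1]), 0), i + 2
    return (_ip(t[i]), _ip(t[i + 1])), i + 2


def _port(t: List[str], i: int):
    """Parse an optional 'eq P' at t[i]; return (port or None, next index)."""
    if i < len(t) and t[i] == "eq":
        p = t[i + 1]
        return (PORT_NAMES[p] if p in PORT_NAMES else int(p)), i + 2
    return None, i


def parse_acl(lines: List[str]) -> List[Entry]:
    entries = []
    for line in lines:
        t = line.lower().split()
        if t[0] != "access-list":
            raise ValueError(f"not an access-list statement: {line}")
        src, i = _addr(t, 4)
        src_port, i = _port(t, i)
        dst, i = _addr(t, i)
        dst_port, i = _port(t, i)
        entries.append(Entry(t[2], t[3], src, dst, src_port, dst_port))
    return entries


def _matches(spec: Tuple[int, int], address: str) -> bool:
    """A wildcard bit of 1 means 'don't care'; only the 0 bits are compared."""
    base, wild = spec
    care = ~wild & ALL_ONES
    return (_ip(address) & care) == (base & care)


def evaluate(acl: List[Entry], proto: str, src: str, dst: str,
             src_port: Optional[int] = None, dst_port: Optional[int] = None) -> str:
    """Return the action of the first matching entry, or the implicit 'deny'."""
    for e in acl:
        if e.proto != "ip" and e.proto != proto:
            continue
        if not (_matches(e.src, src) and _matches(e.dst, dst)):
            continue
        if e.src_port is not None and e.src_port != src_port:
            continue
        if e.dst_port is not None and e.dst_port != dst_port:
            continue
        return e.action
    return "deny"  # every IOS access list ends with an implicit "deny all"


# Question 1: the two-line list from the exhibit.
ACL_Q1 = parse_acl([
    "access-list 101 deny tcp 192.168.15.32 0.0.0.15 any eq telnet",
    "access-list 101 permit ip any any",
])
# Question 7: two deny lines and no permit, so every packet hits the implicit deny.
ACL_Q7 = parse_acl([
    "access-list 135 deny tcp 192.169.1.8 0.0.0.7 eq 20 any",
    "access-list 135 deny tcp 192.169.1.8 0.0.0.7 eq 21 any",
])
# Question 2, options C and D, to show that the wildcard in D matches far more than PC1.
ACL_Q2_C = parse_acl([
    "access-list 101 deny ip host 172.16.161.150 host 172.16.162.163",
    "access-list 101 permit ip any any",
])
ACL_Q2_D = parse_acl([
    "access-list 101 deny ip 172.16.161.150 0.0.0.255 172.16.162.163 0.0.0.0",
    "access-list 101 permit ip any any",
])

DEST = "203.0.113.10"  # constructed destination for the Question 1 / 7 packets
Q1_OPTIONS = {  # (source address, destination port) for options A-F of Question 1
    "A": ("192.168.15.5", 21), "B": ("192.168.15.37", 21), "C": ("192.168.15.41", 21),
    "D": ("192.168.15.36", 23), "E": ("192.168.15.46", 23), "F": ("192.168.15.49", 23),
}


def q1_denied() -> List[str]:
    """Letters of the Question 1 packets that the list denies."""
    return sorted(k for k, (src, port) in Q1_OPTIONS.items()
                  if evaluate(ACL_Q1, "tcp", src, DEST, dst_port=port) == "deny")


if __name__ == "__main__":
    print("Q1 denied:", q1_denied())                                          # ['D', 'E']
    print("Q7 ICMP from .9:", evaluate(ACL_Q7, "icmp", "192.169.1.9", DEST))  # deny
    print("Q2-D, a different host:", evaluate(ACL_Q2_D, "tcp", "172.16.161.151",
                                              "172.16.162.163", dst_port=80))  # deny
```

Note that the evaluator only models what the list matches; it does not model the interface and direction it is applied to, which is the point of Question 7: a list applied outbound on E0 never sees packets entering E0.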

Question 9

The following configuration line was added to router R1

Access-list 101 permit ip 10.25.30.0 0.0.0.255 any

What is the effect of this access list configuration?
A – permit all packets matching the first three octets of the source address to all destinations
B – permit all packets matching the last octet of the destination address and accept all source addresses
C – permit all packets matching the host bits in the source address to all destinations
D – permit all packets from the third subnet of the network address to all destinations


Answer: A

Comments
  1. LIGHT
    September 1st, 2012
  2. yoy
    September 1st, 2012

    @LIGHT
    The explanation is wrong, the answer right. C class has 254 usable addresses, you need 7 subnets, but you can subnet the net only with 1, 2, 4, 8 and so on subnets. In this case you can have 8 subnets, so what you do is divide 256/8 and you’ve got 32. Now, as Cisco says we can’t use 2 addresses (one for subnetwork, one for broadcast), you end up with 30.

  3. LIGHT
    September 1st, 2012

    @yoy thanks!!!! i appreciate your comment

  4. zaki
    September 5th, 2012

    superb site

    please send me the interview dumps.

    zakilovedon@rediffmail.com

  5. Ashol
    September 10th, 2012

    Pls can somebody send me the latest dump, i have exam this month,
    my email is asholet98@hotmail.com
    Thanks

  6. Anonymous
    September 10th, 2012

    Can someone send me the latest dump. My exam is in 2 weeks time.
    My email : sharan_25@hotmail.com

    Thanks in advance.

  8. enrique
    September 13th, 2012

    Hey 9tut, Q1 of the Quiz for Premium Members is missing the access list statements

  9. name
    September 13th, 2012

    Where is it possible to buy the,

  10. Anonymous
    September 16th, 2012

    Thanks for sharing all the review for this page. I would just like to point out a simple “typo” error in question 1 concerning subnet # 192.168.15.32/29. with subnet mask of 255.255.255.240 with an increment of 16

    Instead ….a /29 should have a mask of 255.255.255.248 with an increment of 8.

    I hope the actual question does not reflect the typo error.

  11. Anonymous
    September 16th, 2012

    In connection with the above statement about the typo … I would think it’s best to look at and pay attention to the actual ACL statement, instead of the actual diagram.

    I’m in the process of taking my exams soon and I hope this is not one the world famous Cisco exam tricks to confuse us …LOL

    Take note that the ACL statement says …. access-list 101 deny tcp 192.168.15.32 0.0.0.15 any eq telnet

    Calculating….. 255-15 = 240 which is our subnet mask of 255.255.255.240

  12. Anonymous
    September 16th, 2012

    Yeah, 192.168.15.40/29 is not even a subnet but is an actual host address of the 192.168.15.32/29 network

    Better watch out since Cisco will be out there to trick you!

    Number of Usable Addresses: 14
    Network Address: 192.168.15.32
    Broadcast Address: 192.168.15.47
    First Host Address: 192.168.15.33
    <<<<<our 192.168.15.40 is between these range
    Last Host Address: 192.168.15.46

  13. Anonymous
    September 16th, 2012

    *Points to consider for question number 4 *

    Four statements allow 4 networks (from 172.29.16.0/24 to 172.29.19.0/24) to go through, so we can summarize them as network 172.29.16.0/22.

    To summarize it; think 22 = 4 (networks) then subtract from the original subnet mask the exponent of 2 which in this case is also 2

    That is /24-2= /22 (which would equal the subnet mask of 255.255.252.0)

    Then 255-252= 3 will produce the wildcard mask of 0.0.3.255

  14. imran
    September 17th, 2012

    “question 7″
    D is correct answer. But in the explanation “If we use the command “access-list 135 permit ip any any” at the end of this access list then the answer should be C – FTP traffic from 192.169.1.9 to any host will be denied.”
    I think answer C will be correct if this ACL is applied inbound on E0 interface. Because E0 interface will check the traffic of LAN only if it is applied inbound. But in question it says that it is applied outbound. Please correct me and explain me if i am wrong.

  15. Prasad
    September 17th, 2012

    in q8) i don’t get this point. can someone please explain it to me. how did you get the wildcard mask for 5.1.1.8/24 as 0.0.0.3, since it’s in 24 bit format how the hell is that .252 came.

  17. ropam
    September 17th, 2012

    Just cleared my exam with a perfect performance (1000/1000)…..GRATITUDES: First and foremost to the almighty God for everything he has been since i started preparing for this exam abt a year ago! the Todd Lammle (6th edition), this book gave me the foundation i needed and i consider myself one of the fastest subnetting geeks thanks to Todd’s chapter on subnetting…then seriously, who wud forget this guy (9tut) thanks alot man, i finished my exam 40 minutes before time thanks to the speed you gave me in simulations…examcollection, thanks alot guys i didnt see any qn that i hadnt met in the dumps before, then the CBT nuggets videos….they cleared (enhanced) all of the concepts i have learned from all of the materials i have already mentioned! thank you all so much…..i will DONATE when i get my credit card! keep the good work going 9tut

    ABOUT MY EXAM:
    I had total of 50 questions….
    Had three simulations….ACL2, same as here at 9tut but modified as the third table of modifications above and i was dealing with host B plus different IP addresses, EIGRP almost the same as here, had to change the AS in router Home 2 from something 21 to 221 and add the appropriate networks also i had to delete and add some networks from router Home 1 (central router) and finally the VTP…same as here just different question to follow the same procedures in resolving
    NB: i didnt see anything that i had not come across before

    for any other enquiries find me at ropamson@gmail.com …..best of luck for everybody working on CCNA

  18. not_anonymous
    September 21st, 2012

    hey anonymous:
    regarding question 1, there are TWO subnets attached to the router RTB on two separate interfaces, 192.168.15.32/29 and 192.168.15.40/29. You cannot have two interfaces on a router within the same subnet. The access list is designed to deny BOTH subnets telnet access out of the s0/0 interface. There is no typo.

  19. abdalla
    September 21st, 2012

    I think the correct answer is D because the summary of these network 172.29.16.0 and subnet mask 255.255.240.0

  20. cracker
    October 1st, 2012

    9tut, in question 8 there is some confusion because there is router 1 lan mask is /24 but in access-list statement wildcard mask is incremented 4 /252.

  21. Cold
    October 10th, 2012

    @not_anonymous
    Question 1
    /29 = Increment iS 8
    .32 & .40 iS Two Subnets … i Guess That Solved iT.

  22. Cold
    October 10th, 2012

    @Cracker
    Access-List Gives u Option To Prevent Only The Addresses u Want…u Dont Have 2 Block The Whole Network From Telneting IN CASE u Have Only 1 Network & No Subnets.

  23. Ahmed
    October 12th, 2012

    Hello everyone,

    Friends i m doing preparation from this labs. Is this correct or not

    Thanks and Regards
    Ahmed*

  24. Sypho123
    October 15th, 2012

    I don’t get the answer to question 9..

  25. Ben
    October 16th, 2012

    Hi Sypho

    The answer is A because 10.25.30.0 0.0.0.255 = 10.25.30.0/24

    The effect of applying this is allowing any address in the 10.25.30.0/24 subnet to pass through the interface, and the invisible explicit deny all would block all the rest of the packets.

    “A – permit all packets matching the first three octets of the source address to all destinations”

    If an example IP, say 10.25.30.5 were to be checked, the first three octets match “10.25.30″ and we don’t care about the last octet “5″ – so this would be fine.

    I almost got tripped up by looking at C as the answer, but this says HOST bits not NETWORK bits. If it said NETWORK bits it would be correct also.

    B is wrong because the wildcard mask doesn’t match the answer given.

    D is just outright wrong.

    Cheers,

  26. Anonymous
    October 24th, 2012

    any on have vce ?

  27. ANITA
    October 25th, 2012

    I’ll give CCNA exam in first week of November..
    please contact me who recently passed CCNA exam or planning to give CCNA exam…
    please tell me which dump is good and sims…

    er.anita.annu@gmail.com

  28. Anonymous
    October 25th, 2012

    Guys did anyone get the book ‘How to master CCNA’ by Rene Molenaar?? Really good books i heard.. If anyone has purchased the book can u please send me?? I will exchange one of the ebooks i purchased by the same author in return.. trust me, the book is excellent.. my email id: inou.632@gmail.com

  29. CR7Cubano
    October 27th, 2012

    Hey guys, I’m confused with Q #7…Isn’t there an implicit permit ? Making answer “C” the correct answer regardless ? Please advise, thank u all !!!

  30. AirMaxVI
    October 28th, 2012

    Guys if you need the latest vce 3.0.1(patched) you can get it from here:

    http://depositfiles.com/files/iiec8ti96

    Good luck with your exam!

  31. Sypho
    November 1st, 2012

    Hi 9tut
    please re-look at the answer for Q 8. I think there is a mistake there.

  32. Anonymous
    November 2nd, 2012

    very nice thank you for that little brain teaser just to add i noticed a slight oversight on the 1st question regarding the mask 248 and 240 it should be 248 not 240

  33. Jamshed
    November 11th, 2012

    Concerning about a VLAN ACL issue. please..

    As we keep one sub-interface ( Like Fa0/0. 10) for one VLAN in a switch, Hence my question will I be able to apply ACL roles in sub-interfaces when trying to apply role among VLANs and can I apply role on the main interface ( Like Fa0/0) ??

  34. PH;)
    November 11th, 2012

    @imran -> Yes you’re correct.. if the access list is applied inbound on the E0 interface then the correct answer is “C”. It doesn’t make sense applying the that kind of access list outbound on the E0 interface hehe..

  35. Jamshed
    November 13th, 2012

    Please help on the last issue..

  36. emmanuel Mchome
    November 13th, 2012

    any one with latest dump am going to do on Dec,plz send to mchomethegreat@gmail.com

  37. tshons
    November 14th, 2012

    can anyone send me the latest dumps on tshons@gmx.com

  38. Amir
    November 14th, 2012

    I passed exam icnd2 today I feel the questions were sooooo easy
    No acl sim
    No nat sim
    No eigrp sim
    No OSPF sim
    No ipv6 choose ip add (I feel it hard)
    There was ques vlsm about 3 question it in tut

  39. Amir
    November 14th, 2012

    I had a new question?
    U have a sw all it’s ports are assigned to vlan2 what will happen if again assign the ports of this sw to another VLAN ?(one choice)
    1-more bandwidth will be needed
    2-increase the broadcasts domains
    3-increase the efficient of physical ports
    There was fourth choice but I don’t remember what it was
    Absolutely I don’t know the answer can anyone help

  40. Anonymous
    November 14th, 2012

    Hi Amir
    Congratulation for passing the ICND 2. I am taking the same exam tomorrow.
    I think the answer to this new Switch question is 2- Increase the broadcast domain b/c by creating and assigning some ports another vlan, then we are creating 2 broadcast domains and we will need a layer 3 device to route b/w the vlans. If the question says we are assigning all the ports to another vlan, then in this case, we end up having all the ports assigned to two different vlans which does not make much sense. I think in this case, we will need more bandwidth as we will be trunking b/w the vlans and won’t need a layer 3 device since all the ports will have the same configuration.
    This is what i think. I could be wrong
    thanks for the post

  41. Moloy
    November 20th, 2012

    What is the difference between wild card mask and subnet mask?

  42. pls s s s latest ccna dump send my mail arulhai5@gmail.com,next week i will exam
    November 22nd, 2012
  43. chethan karkera
    November 23rd, 2012

    Hi friends…I cleared my ccna exam today …scored 960/1000..thanks 9tut,prepking,pass4sure….

  44. haR
    November 24th, 2012
  45. Jama Yassin
    November 25th, 2012

    in Q2

    the question says only PC1 isn’t allowed to accessing Server1.. but when you configure
    the access-list it will not allow the server to ping the PC1.. why?

    we only need the PC1 not to access Server, but the Server have to access(ping) PC1

  46. Anonymous
    November 26th, 2012

    Jama, ping is being blocked because the reply packet is dropped. The first packet reaches PC1, when he responds, it’s blocked by the ACL. Remember you’re blocking IP, which includes ICMP, TCP, UDP, and I think OSPF? (although ICMP, TCP, UDP is what you need to know for CCNA).

  47. Jama Yassin
    November 28th, 2012

    Thanks Anonymous.. I understand now..

  48. kevynjr
    November 28th, 2012

    Hi

    guys can somebody pliz help me on where to download VCE, i am writing my exam on the 7th Dec 2012. Exams from Sekhar and Brah cannot open without VCE. All of the links that i am using are said to be trial versions thus they just open the first 5 questions only. email kevynjr001@gmail.com

    Thanks in advance

  49. Albert
    November 29th, 2012

    can someone please send me the latest dump?
    sc.rpion13@hotmail.com

  50. Brian Aleri
    November 30th, 2012

    Thanks so much 9tut for all these questions n answers…..I fully benefited from them and passed my exam yesterday with 960/1000…… All who are to take their exam must ensure they are fully conversant with this questions and answers in this site….. For the labs (EIGRP, VTP and Access-list), they were exactly as they are on this SIMs, very minimal changes but the concepts are exactly as they are……..SUCCESS to everyone
