
CCNA – Access List Questions

May 1st, 2011

Here you will find answers to CCNA Access List questions.

Note: If you are not sure how to use access lists, please read my Access List tutorial first.

Question 1

Your boss is taking a CCNA training course. Refer to the exhibit. The access list has been configured on the S0/0 interface of router RTB in the outbound direction. Which two packets, if routed to the interface, will be denied? (Choose two)

[Exhibit image: accesslist1]

access-list 101 deny tcp 192.168.15.32 0.0.0.15 any eq telnet
access-list 101 permit ip any any

A. source IP address: 192.168.15.5; destination port: 21
B. source IP address: 192.168.15.37; destination port: 21
C. source IP address: 192.168.15.41; destination port: 21
D. source IP address: 192.168.15.36; destination port: 23
E. source IP address: 192.168.15.46; destination port: 23
F. source IP address: 192.168.15.49; destination port: 23

 

Answer: D E

Explanation

First, notice that Telnet uses port 23, so only D, E and F can match the deny statement at all.

The purpose of this access list is to deny hosts on network 192.168.15.32 255.255.255.240 (to find the subnet mask, just invert the wildcard mask: every “0” bit becomes “1” and every “1” bit becomes “0”) from telnetting to any device. So we need to work out the range of this network to learn which source IP addresses will be denied.

Increment: 16
Network address: 192.168.15.32
Broadcast address: 192.168.15.47

-> Only 192.168.15.36 (Answer D) and 192.168.15.46 (Answer E) belong to this range, so they are the correct answers.

Question 2

Refer to the graphic. It has been decided that PC1 should be denied access to Server. Which of the following commands are required to prevent only PC1 from accessing Server1 while allowing all other traffic to flow normally? (Choose two)

[Exhibit image: accesslist2]

A – Router(config)# interface fa0/0
Router(config-if)# ip access-group 101 out
B – Router(config)# interface fa0/0
Router(config-if)# ip access-group 101 in
C – Router(config)# access-list 101 deny ip host 172.16.161.150 host 172.16.162.163
Router(config)# access-list 101 permit ip any any
D – Router(config)# access-list 101 deny ip 172.16.161.150 0.0.0.255 172.16.162.163 0.0.0.0
Router(config)# access-list 101 permit ip any any

 

Answer: B C

 

Question 3

Refer to the exhibit. Why would the network administrator configure RA in this manner?

[Exhibit image: accesslist3]

A. to give students access to the Internet
B. to prevent students from accessing the command prompt of RA
C. to prevent administrators from accessing the console of RA
D. to give administrators access to the Internet
E. to prevent students from accessing the Internet
F. to prevent students from accessing the Admin network

 

Answer: B

Explanation

Although the access list is used to “permit” network 10.1.1.0/24, the best answer here is “to prevent students from accessing the command prompt of RA”. From the picture above, we know that 10.1.1.0/24 is the “Admin” network. This access list is applied to “line vty 0 4”, so it permits only Telnet traffic from “Admin” to RA and drops all other Telnet traffic (because of the implicit “deny all” at the end of the access list). Therefore we can deduce that it will “prevent students from accessing the command prompt of RA”.

This access list only filters Telnet traffic (because it is applied to the vty lines), so it will neither prevent nor allow anyone to access the Internet -> A, D, E are not correct.

C is not correct as this access list allows administrators to access the console of RA.

F is not correct as this access list does not filter the TCP, UDP or IP traffic passing through RA, so the students can still access the Admin network.

(Notice that the “command prompt” here implies Telnet, as Telnet is the only way to remotely access RA.)

Question 4

An access list was written with the four statements shown in the graphic. Which single access list statement will combine all four of these statements into a single statement that will have exactly the same effect?

[Exhibit image: accesslist4]

A. access-list 10 permit 172.29.16.0 0.0.0.255
B. access-list 10 permit 172.29.16.0 0.0.1.255
C. access-list 10 permit 172.29.16.0 0.0.3.255
D. access-list 10 permit 172.29.16.0 0.0.15.255
E. access-list 10 permit 172.29.0.0 0.0.255.255

 

Answer: C

Explanation

The four statements above allow 4 networks (from 172.29.16.0/24 to 172.29.19.0/24) through, so we can summarize them as network 172.29.16.0/22.

/22 = 255.255.252.0, which equals 0.0.3.255 when converted into a wildcard mask -> C is correct.

A, B, D are not correct as their wildcard masks are wrong. For example:
Answer A allows from 172.29.16.0 to 172.29.16.255
Answer B allows from 172.29.16.0 to 172.29.17.255
Answer D allows from 172.29.16.0 to 172.29.31.255

Both the network address and wildcard mask of answer E are wrong, as it allows the whole major network 172.29.0.0/16 through.

Question 5

A network administrator wants to add a line to an access list that will block only Telnet access by the hosts on subnet 192.168.1.128/28 to the server at 192.168.1.5. What command should be issued to accomplish this task?

A – access-list 101 deny tcp 192.168.1.128 0.0.0.15 192.168.1.5 0.0.0.0 eq 23
access-list 101 permit ip any any
B – access-list 101 deny tcp 192.168.1.128 0.0.0.240 192.168.1.5 0.0.0.0 eq 23
access-list 101 permit ip any any
C – access-list 1 deny tcp 192.168.1.128 0.0.0.255 192.168.1.5 0.0.0.0 eq 21
access-list 1 permit ip any any
D – access-list 1 deny tcp 192.168.1.128 0.0.0.15 host 192.168.1.5 eq 23
access-list 1 permit ip any any

 

Answer: A

Explanation:

First, the question asks to block only Telnet access, so the port we have to use is 23 -> C is not correct.

Next we need to block traffic from hosts on the subnet 192.168.1.128/28, which is 192.168.1.128 0.0.0.15 when converted to a wildcard mask (just invert all bits of the subnet mask, from 0 to 1 and from 1 to 0, and we get the equivalent wildcard mask of that subnet mask) -> so B is incorrect.

In this case, we have to use an extended access list because we need to specify which type of traffic (TCP) and which port (23) we want to block -> so D is incorrect because it uses a standard access list number.
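The wildcard-mask arithmetic behind Questions 1, 4 and 5 (inverting a subnet mask, working out the address range a `network wildcard` pair matches, and finding the single statement that covers four consecutive /24s), as an added Python example that is not part of the original page. The networks used are the ones from those questions.

```python
import ipaddress


def _to_int(addr):
    """Dotted-quad string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


def _to_str(value):
    """32-bit integer -> dotted-quad string."""
    return str(ipaddress.IPv4Address(value & 0xFFFFFFFF))


def invert_mask(mask):
    """Subnet mask <-> wildcard mask: flip every bit (0.0.0.15 <-> 255.255.255.240)."""
    return _to_str(_to_int(mask) ^ 0xFFFFFFFF)


def matched_range(network, wildcard):
    """First and last address matched by a 'network wildcard' pair.

    A wildcard bit of 1 means 'don't care', so the lowest match has those bits
    cleared and the highest has them all set (assumes a contiguous wildcard
    such as 0.0.0.15, which is all this page uses).
    """
    wc = _to_int(wildcard)
    low = _to_int(network) & ~wc & 0xFFFFFFFF
    return _to_str(low), _to_str(low | wc)


def summarize(networks):
    """Single 'network wildcard' pair with exactly the same effect as the
    given CIDR networks (Question 4); ValueError if no such statement exists."""
    merged = list(ipaddress.collapse_addresses(ipaddress.ip_network(n) for n in networks))
    if len(merged) != 1:
        raise ValueError("no single statement covers exactly these networks: "
                         + ", ".join(str(m) for m in merged))
    summary = merged[0]
    return str(summary.network_address), invert_mask(str(summary.netmask))


def summarizable(networks):
    """True if the networks can be replaced by one statement with the same effect."""
    try:
        summarize(networks)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Question 1: which source addresses does 192.168.15.32 0.0.0.15 cover?
    print(matched_range("192.168.15.32", "0.0.0.15"))   # ('192.168.15.32', '192.168.15.47')
    # Question 4: the four /24s collapse into 172.29.16.0 0.0.3.255
    q4 = ["172.29.16.0/24", "172.29.17.0/24", "172.29.18.0/24", "172.29.19.0/24"]
    print(summarize(q4))                                 # ('172.29.16.0', '0.0.3.255')
    # Question 5: /28 = 255.255.255.240 -> wildcard 0.0.0.15
    print(invert_mask("255.255.255.240"))                # 0.0.0.15
```

Note that three of the four /24s cannot be summarized into one statement, which is why the question insists on "exactly the same effect".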

Question 6

As a network administrator, you have been instructed to prevent all traffic originating on the LAN from entering the R2 router. Which of the following commands would implement the access list on the interface of the R2 router?

[Exhibit image: accesslist_blocktraffic]

 

A – access-list 101 in
B – access-list 101 out
C – ip access-group 101 in
D – ip access-group 101 out

 

Answer: C

Question 7

The following access list was applied outbound on the E0 interface connected to the 192.169.1.8/29 LAN:

access-list 135 deny tcp 192.169.1.8 0.0.0.7 eq 20 any
access-list 135 deny tcp 192.169.1.8 0.0.0.7 eq 21 any

How will the above access list affect traffic?

A – FTP traffic from 192.169.1.22 will be denied
B – No traffic, except for FTP traffic will be allowed to exit E0
C – FTP traffic from 192.169.1.9 to any host will be denied
D – All traffic exiting E0 will be denied
E – All FTP traffic to network 192.169.1.9/29 will be denied

 

Answer: D

Explanation:

There is always an implicit “deny all” statement at the end of every access list, so if an access list doesn’t have any “permit” statement, it will block all traffic.

Note: This access list is applied on outbound direction so only packets exiting E0 will be checked. Packets entering E0 will not be checked and they all are allowed to pass through.

Question 8

The access control list shown in the graphic has been applied to the Ethernet interface of router R1 using the ip access-group 101 in command. Which of the following Telnet sessions will be blocked by this ACL? (Choose two)

[Exhibit image: accesslist]

A – from host PC1 to host 5.1.1.10
B – from host PC1 to host 5.1.3.10
C – from host PC2 to host 5.1.2.10
D – from host PC2 to host 5.1.3.8

 

Answer: B D

Explanation

Below is the simplified syntax of an extended access list:

access-list access-list-number {deny | permit} {ip|tcp|udp|icmp} source [source-mask] dest [dest-mask] [eq dest-port]

Notice that this access list is applied to the Ethernet interface of R1 in the “in” direction, so in this case it filters all packets originating from the E1 network (hosts PC1 and PC2) with these parameters:

Source network: 5.1.1.8 0.0.0.3, which means 5.1.1.8 255.255.255.252, i.e. 5.1.1.8/30 (just invert all the wildcard bits to get the equivalent subnet mask) -> Packets from 5.1.1.8 to 5.1.1.11 will be filtered.

Destination network: 5.1.3.0 0.0.0.255, which means 5.1.3.0/24 -> Packets to 5.1.3.0/24 will be filtered.

Therefore packets originating from 5.1.1.8 to 5.1.1.11 and destined for a host 5.1.3.x (via Telnet) will be denied.
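A small first-match ACL evaluator, added here as an example that is not from the original page, which parses the ACL lines printed for Questions 1 and 7 and applies the rule the explanations for Questions 1, 7 and 8 rely on: the lines are checked top-down, the first matching line decides, and a packet that matches nothing hits the implicit deny. The destination host 203.0.113.10 is constructed, since the answer options only give source addresses and ports.

```python
import ipaddress

# IOS port keywords that appear in the ACLs on this page.
PORT_NAMES = {"telnet": 23, "ftp": 21, "ftp-data": 20}

def _ip(addr):
    return int(ipaddress.IPv4Address(addr))

def _take_address(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'; return ((net, wildcard), rest)."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (_ip(tokens[1]), 0), tokens[2:]
    return (_ip(tokens[0]), _ip(tokens[1])), tokens[2:]

def _take_port(tokens):
    """Consume an optional 'eq <number|keyword>'; return (port or None, rest)."""
    if tokens and tokens[0] == "eq":
        return PORT_NAMES.get(tokens[1]) or int(tokens[1]), tokens[2:]
    return None, tokens

def parse_acl(text):
    """Parse numbered extended ACL lines as written on this page:
    access-list N {deny|permit} PROTO SRC [eq P] DST [eq P]"""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0].lower() != "access-list":
            continue
        src, rest = _take_address(tokens[4:])
        sport, rest = _take_port(rest)
        dst, rest = _take_address(rest)
        dport, _ = _take_port(rest)
        entries.append((tokens[2].lower(), tokens[3].lower(), src, sport, dst, dport))
    return entries

def _matches(addr, spec):
    """Wildcard bit 1 = don't care: compare only the bits where the wildcard is 0."""
    net, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF
    return (_ip(addr) & care) == (net & care)

def evaluate(entries, proto, src, dst, sport=None, dport=None):
    """Top-down, first match wins; falling off the end hits the implicit deny."""
    for action, p, s, sp, d, dp in entries:
        if (p in ("ip", proto) and _matches(src, s) and _matches(dst, d)
                and sp in (None, sport) and dp in (None, dport)):
            return action
    return "deny"  # implicit "deny all" at the end of every ACL

# Question 1's ACL as printed on the page; the packets are its six answer options.
ACL_Q1 = """access-list 101 deny tcp 192.168.15.32 0.0.0.15 any eq telnet
access-list 101 permit ip any any"""
Q1_PACKETS = {"A": ("192.168.15.5", 21), "B": ("192.168.15.37", 21), "C": ("192.168.15.41", 21),
              "D": ("192.168.15.36", 23), "E": ("192.168.15.46", 23), "F": ("192.168.15.49", 23)}

# Question 7's ACL: two deny lines and no permit, so the implicit deny catches everything.
ACL_Q7 = """access-list 135 deny tcp 192.169.1.8 0.0.0.7 eq 20 any
access-list 135 deny tcp 192.169.1.8 0.0.0.7 eq 21 any"""

def denied_options(acl_text, packets, dst="203.0.113.10"):
    """Option letters whose packet (source, dest port) is denied; dst is a constructed host."""
    acl = parse_acl(acl_text)
    return sorted(k for k, (src, port) in packets.items()
                  if evaluate(acl, "tcp", src, dst, dport=port) == "deny")
```

`denied_options(ACL_Q1, Q1_PACKETS)` returns `['D', 'E']`, and any packet at all evaluated against `ACL_Q7` returns `"deny"`, which is Question 7's answer D.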

Question 9

The following configuration line was added to router R1:

Access-list 101 permit ip 10.25.30.0 0.0.0.255 any

What is the effect of this access list configuration?
A – permit all packets matching the first three octets of the source address to all destinations
B – permit all packets matching the last octet of the destination address and accept all source addresses
C – permit all packets matching the host bits in the source address to all destinations
D – permit all packets from the third subnet of the network address to all destinations

 

Answer: A

Comments
  1. SeaninWA
    December 2nd, 2010

    Hey,

    Glad to read you just had the rules backwards :) Happy to help!

    You are correct if it were a standard ACL, but this is only best practice to place ACLs in their respective directions, STD – closest to destination and EXT – closest to source. There could be an instance where you would apply an ACL in either in/out direction regardless of the type of ACL, but that’s not to worry about now. Though keep that in mind for future possibilities. It’s all about the traffic that needs to be controlled, to determine where your ACL is applied.

    Now, if it were an extended ACL that required port or protocol control, you would need an extended ACL anyway. In the example for question number 2, the protocol is IP, which is what a standard ACL permits or denies. Though in this case the ACL requires a source and destination address, where the standard ACL doesn’t specify a destination, only the source. If that helps your understanding any more.

    Anyway, good luck to you all :)

    Sean

  2. Pandamania
    December 2nd, 2010

    @SeaninWA

    Thanks so much :) My confidence in passing this test just shot up. For some reason my weakness has always been ACL.

  3. wangwang
    December 2nd, 2010

    Q1

    how come this is denied?

    D. source ip address: 192.168.15.36 destination port: 23
    E. source ip address: 192.168.15.46; destination port: 23

    you just put this ACL statement right? so everything can be permitted?
    “access-list 101 permit ip any any”

  4. SeaninWA
    December 2nd, 2010

    @wangwang

    b/c of this ACL statement;

    access-list 101 deny tcp 192.168.15.32 0.0.0.15 any eq telnet
    access-list 101 permit ip any any

    It denies port 23 (telnet port) for those 2 addresses you asked about b/c they are in the range identified by this ACL statement here; network 192.168.15.32 with a mask of 0.0.0.15 includes a range of usable addresses of 192.168.15.33 through 192.168.15.46 (.47 is broadcast for this network). Clearly your question’s answers are included in this denied range, therefore denied.

    You should understand this well if you plan to be CCNA :)

  6. haytham fahmy
    December 7th, 2010

    hey guys I need help please........ my exam was last week and I failed and that’s the first time I visited this website and the exam was almost like these questions so I want to ask if I take my exam next week will all the questions change or are there any other ideas for questions ??????? need help please

    I studied the book very well and I got 700 of 1000 and the reason was troubleshooting, which was the first time I saw it, so can anybody tell me what I have to do ??????

  7. HR_Aslam
    December 8th, 2010

    Hi, I have given the exam today and scored 987 out of 1000 :) My labs were VTP simulation, EIGRP and Access-List. Thanks to 9tut for having such nice lab questions, especially for the VTP lab. I have no hesitation to say I may not have scored so well if I didn’t visit this site. It took me just 2 days to grasp the concept as I already spent 4 months on books.

    @ Haytham Fahmy
    Dear, wish you all the best of luck this time. You should do the VTP, EIGRP and Access-List labs with open eyes. Do pay attention to the VTP simulation. 9tut has explained all steps so nicely that you will do your exam very well. If you need any help during practice, let us know.

  8. db
    December 10th, 2010

    hey guys, do these questions come in the exams? In the acme and masti, the ACL questions are different from these questions … please tell me, thanks

  9. hasy
    December 12th, 2010

    I got my exam yesterday and passed with 974. Special thanks to 9tut. pass4sure & testinside dumps are still valid. Sims are EIGRP, VTP & access-list; only the IP addresses are changed. In access-list the PC also changed. Again thanks to 9tut and all of the contributors

    if anyone needs help from me please email

    hasy_001@yahoo.com

  10. kennedy
    December 14th, 2010

    hi guys I took my CCNA exam yesterday and passed with 872. To tell you the truth 9tut is a really great website, do all 9tut questions deeply. Thanks 9tut a lot, thank you

  11. majd
    December 15th, 2010

    would anyone please explain Q8 in more detail because it’s not clear enough to me, the source part?

  12. Chinnie
    December 15th, 2010

    Hi to all,
    Preparing to give my examination in a day or two. All is done except the ACL and VTP sims. As far as ACL2 is concerned, there is no problem. BUT the problem is with ACL and VTP only. Please help me. What type of questions are asked in the sims of ACL — I read the questions – do we have to answer all the questions? Are the commands the same as mentioned above? And how many questions are asked in the SIMS of ACL? What happens when you cannot do 1 sim out of 3 asked and the multiple choice questions are all correct? How do they mark the sims?? Please help and guide me.
    Thanks.

  13. Chassie
    December 16th, 2010

    Wanted to know whether the questions asked in ACL are the same or are they changed? Do they change the IP address too? I know in the other sims like EIGRP/ACL2 the IP addresses and names of the switches/routers are changed. Please help, giving my exam very very shortly.

  14. saloni
    December 18th, 2010

    from where could I get those mashti and acme dumps? please help me

  15. em
    December 19th, 2010

    hi saloni.. you can get it under examcollections.com

  16. Kevin
    December 20th, 2010

    Please help with question #1
    where do they come up with this # on the D question
    D) 192.168.15.32/29 (the increment is 8)
    where does 32/29 come from?

    Thanks, and what section of Cisco can I learn this from ??????

  17. Siddhartha
    December 21st, 2010

    please provide me the link to download the dumps of CCNA

  18. michal
    December 23rd, 2010

    I don’t understand any of it at all.. [obscenity directed at the Cisco people]

  19. zulfiqar
    December 23rd, 2010

    Cisco Certified Network Associate CCNA
    Pass4sure 640-802 Exam
    Questions and Answers: 430 Q & A
    Updated: Dec 21, 2010

    please mail me zulfiqarsoomro@yahoo.com
    this updated version of p4s

  20. muhammad
    December 26th, 2010

    Can anyone explain how they figured out the answer to question 1.. how the IP addresses were chosen which will only be able to pass the router RTB.. thanks

  21. miz0
    December 26th, 2010

    answer to Q1:
    see the two switches connected to router RTB fa0/1 and fa0/0, both have a mask of /29 which means a block size of 8 as /29=255.255.255.248 ; 256-248=8 , hence the valid host range is
    192.168.15.32-38, broadcast address 15.39 and 15.40 is the next subnet (for fa0/0 lan)
    similarly for fa0/1 lan:
    192.168.15.40-46 is the valid host address range. 15.47 is the broadcast address.
    hence option F is eliminated.
    I really hope I don’t have to tell you why A, B and C were eliminated.

  22. muhammad
    December 27th, 2010

    thanks miz0 .. I got it sorted … very well explained

  23. Muhammad Younas
    December 27th, 2010

    Hi 9tut,

    Please post all the LABs you have for EIGRP, VTP and ACLs. I would be very thankful

    Regards,
    Muhammad Younas

  24. 9tut
    December 27th, 2010

    @Muhammad Younas: You can find all the labs here: http://www.9tut.com/category/ccna-lab-sim

  25. DILEEP
    December 28th, 2010

    HI friends..... today I have completed my exam and I got 982 marks!!!!
    it is so simple to write this CCNA exam.................. it just required only 4 days to write this exam!!!! like I have done nothing more than that..
    day-1 study acme questions perfectly.
    day-2 study 9tut questions except lab questions.
    day-3 practice the 3 lab questions (acl-2, vtp, eigrp{23}) from 9tut!!! just remember the concept, the IP address will be changing...
    day-4 revise everything you have prepared and practice the 3 labs as much as you can...
    finally write the exam, you can clear it ........... it’s so simple............
    all the best for your exam guys and happy new year in advance.

  26. Sandy
    December 29th, 2010

    Hi.......... Friends......
    I have completed the exam just today...... I got 974 marks...........

    all the best …………… and ……….. Happy New Year………….

  27. zubair
    January 1st, 2011

    hey guys do the switch simulation well...

  28. Sahil
    January 1st, 2011

    Thanks zubair.... I’m appearing for the certification next week

  29. zubair
    January 2nd, 2011

    @sahil my pleasure...... and best of luck for the exam...... be prepared for it


  31. rtbloggs
    January 11th, 2011

    I’m sitting my CCNA next week and am wondering if the simulation questions detailed on 9tut will be asked on my exam. i.e. have Cisco changed the sims for 2011?

  32. vasu
    January 16th, 2011

    to dileep

    which dumps did you prepare for the exam? have you prepared the pass4sure dumps?


  40. DeEjaY ArmaAn
    January 18th, 2011

    Just pass the cisco exam with 947 marks….

  41. DeEjaY ArmaAn
    January 18th, 2011

    SORRY, MISPRINT... 974 marks

  42. zulfiqar
    January 19th, 2011

    The ip subnet zero command is not configured on a router. What would be the IP address of Ethernet
    0/0 using the first available address from the sixth subnet of the network 192.168.8.0/29?
    A. 192.168.8.25
    B. 192.168.8.41
    C. 192.168.8.49
    D. 192.168.8.113
    Answer: C
    kindly explain

  43. Muhammad Younas
    January 20th, 2011

    @Zulfiqar
    When IP Subnet Zero is not configured, it means you cannot use the first subnet IPs. In this case it is 192.168.8.0—-192.168.8.7. You have to skip it..... Now count six subnets each of 8 addresses.... simply count a table of 8. So the first subnet will be from 9-15, 2nd from 16-23, 3rd from 24-31, 4th from 32-39, 5th will be from 40-47.... Now your sixth subnet starts from 48 i.e. 192.168.8.48.... it is the subnet address, right?.... Since we have to use the first usable IP address, that will be 192.168.8.49..... Hopefully you would have got it....

    Regards
    Muhammad Younas

  44. Ahmed Helmy
    January 20th, 2011

    I took my CCNA exam today, passed it with score 1000, Thank you 9tut.com
    9tut & testinside Version 21 are valid 100% in the exam, but here are some notes: in the new VTP sim, sw-ac3 is the local updater for VTP advertisements & also switchx has a lower revision number. Thanks again 9tut

  45. tondon
    January 21st, 2011

    Hello,

    anybody please send me the latest dumps on the mail managerscc@hotmail.com

    thank you

  46. Melvin Kagiri
    January 24th, 2011

    Ahmed,

    Kindly assist me with the link so that I can download 9tut & testinside Version 21. I am doing my exam on the 31st.

  47. Prashant
    January 25th, 2011

    I cleared the CCNA Exam with 898/1000. I got three simulations: the CCNA VTP SIM Question, Access List Sim 2 (they have changed Host C -> Host D) and the EIGRP simulation (the one whose ASN is 221)

    Acme, Mashti and Winget Dumps are 95 % Valid....
    I could not answer one question.
    Q ) Where is the UDP protocol used among the following :( Select three )

    1. HTTP
    2. TFTP.
    3. SNMP.
    4. SMTP
    5. DNS

    Last but not least.. Please go through the questions and simulations from 9tut. All the best to you....

    Regards,
    Prashant

  48. anonymous
    January 25th, 2011

    I am writing tomorrow, my prayer is to clear all my papers, 1000/1000
    thank God for success

  49. Jenia
    January 26th, 2011

    @Prashant

    HTTP- TCP
    TFTP- UDP
    SNMP- UDP
    SMTP- TCP
    DNS – UDP

    Congrats for the CCNA !

  50. Rauf Rafique
    January 27th, 2011

    Congratulations Prashant..... happy to hear about your CCNA. I am going to appear on 31 Jan, I really got help from your comments about the sim
    thanks again
