CCNA – Access List Questions
Here you will find answers to CCNA Access list questions
Note: If you are not sure about how to use Access list, please read my Access list tutorial
Question 1
Your boss is learning a CCNA training course, refer to the exhibit. The access list has been configured on the S0/0 interface of router RTB in the outbound direction. Which two packets, if routed to the interface, will be denied? (Choose two)
access-list 101 deny tcp 192.168.15.32 0.0.0.15 any eq telnet
access-list 101 permit ip any any
A. source ip address: 192.168.15.5; destination port: 21
B. source ip address: 192.168.15.37 destination port: 21
C. source ip address: 192.168.15.41 destination port: 21
D. source ip address: 192.168.15.36 destination port: 23
E. source ip address: 192.168.15.46; destination port: 23
F. source ip address: 192.168.15.49 destination port: 23
Answer: D E
Explanation
First we notice that telnet uses port 23 so only D, E & F can satisfy this requirement.
The purpose of this access-list is to deny traffic from network 192.168.15.32 255.255.255.240 (to find out the subnet mask just convert all bit “0″ to “1″ and all bit “1″ to “0″ of the wildcard mask) to telnet to any device. So we need to figure out the range of this network to learn which ip address will be denied.
Increment: 16
Network address: 192.168.15.32
Broadcast address: 192.168.15.47
-> Only 192.168.15.36 (Answer D) & 192.168.15.46 (Answer E) belong to this range so they are the correct answer.
Question 2
Refer to the graphic. It has been decided that PC1 should be denied access to Server. Which of the following commands are required to prevent only PC1 from accessing Server1 while allowing all other traffic to flow normally? (Choose two)
A – Router(config)# interface fa0/0
Router(config-if)# ip access-group 101 out
B – Router(config)# interface fa0/0
Router(config-if)# ip access-group 101 in
C – Router(config)# access-list 101 deny ip host 172.16.161.150 host 172.16.162.163
Router(config)# access-list 101 permit ip any any
D – Router(config)# access-list 101 deny ip 172.16.161.150 0.0.0.255 172.16.162.163 0.0.0.0
Router(config)# access-list 101 permit ip any any
Answer: B C
Question 3
Refer to the exhibit. Why would the network administrator configure RA in this manner?
A. to give students access to the Internet
B. to prevent students from accessing the command prompt of RA
C. to prevent administrators from accessing the console of RA
D. to give administrators access to the Internet
E. to prevent students from accessing the Internet
F. to prevent students from accessing the Admin network
Answer: B
Explanation
Although the access-list is used to “permit” network 10.1.1.0/24 but the best answer here is “to prevent students from accessing the command prompt of RA”. From the picture above, we know that 10.1.1.0/24 is the “Admin” network. This access list is applied to “line vty 0 4″ so it will permit only Telnet traffic from “Admin” to RA while drop all other traffic (because of the implicit “deny all” command at the end of the access list). Therefore we can deduce that it will “prevent students from accessing the command prompt of RA”.
This access list only filters Telnet traffic (because it is applied to vty line) so it will not prevent or allow anyone to access the Internet -> A, D, E are not correct.
C is not correct as this access list allows administrators to access the console of RA.
F is not correct as this access list does not proceed TCP, UDP or IP traffic so the students still access the Admin network.
(Notice that the “command prompt” here implies telnet as telnet is the only way to remotely access RA)
Question 4
An access list was written with the four statements shown in the graphic. Which single access list statement will combine all four of these statements into a single statement that will have exactly the same effect?
A. access-list 10 permit 172.29.16.0 0.0.0.255
B. access-list 10 permit 172.29.16.0 0.0.1.255
C. access-list 10 permit 172.29.16.0 0.0.3.255
D. access-list 10 permit 172.29.16.0 0.0.15.255
E. access-list 10 permit 172.29.0.0 0.0.255.255
Answer: C
Explanation
Four statements above allow 4 networks (from 172.29.16.0/24 to 172.29.19.0/24) to go through so we can summary them as network 172.29.16.0/22.
/22 = 255.255.252.0 so it equals 0.0.3.255 when converting into wildcard mask -> C is correct.
A, B, D are not correct as their wildcard masks are false. For example:
Answer A allows from 172.29.16.0 to 172.29.16.255
Answer B allows from 172.29.16.0 to 172.29.17.255
Answer D allows from 172.29.16.0 to 172.29.31.255
Both the network address and wildcard mask of answer E are false as it allows the whole major network 172.29.0.0/16 to go through.
Question 5
A network administrator wants to add a line to an access list that will block only Telnet access by the hosts on subnet 192.168.1.128/28 to the server at 192.168.1.5. What command should be issued to accomplish this task?
A – access-list 101 deny tcp 192.168.1.128 0.0.0.15 192.168.1.5 0.0.0.0 eq 23
access-list 101 permit ip any any
B – access-list 101 deny tcp 192.168.1.128 0.0.0.240 192.168.1.5 0.0.0.0 eq 23
access-list 101 permit ip any any
C – access-list 1 deny tcp 192.168.1.128 0.0.0.255 192.168.1.5 0.0.0.0 eq 21
access-list 1 permit ip any any
D – access-list 1 deny tcp 192.168.1.128 0.0.0.15 host 192.168.1.5 eq 23
access-list 1 permit ip any any
Answer: A
Explanation:
First the question asks to block only Telnet access so the port we have to use is 23 -> C is not correct.
Next we need to block traffic from hosts on the subnet 192.168.1.128/28, which is 192.168.1.128 0.0.0.15 if we convert to wildcard mask (just invert all bits of the subnet mask,from 0 to 1 and from 1 to 0 we will get the equivalent wildcard mask of that subnet mask) -> so B is incorrect
In this case, we have to use extended access list because we need to specify which type of traffic (TCP) and which port (23) we want to block -> so D is incorrect because it uses standard access list.
Question 6
As a network administrator, you have been instructed to prevent all traffic originating on the LAN from entering the R2 router. Which the following command would implement the access list on the interface of the R2 router?
A – access-list 101 in
B – access-list 101 out
C – ip access-group 101 in
D – ip access-group 101 out
Answer: C
Question 7
The following access list below was applied outbound on the E0 interface connected to the 192.169.1.8/29 LAN:
access-list 135 deny tcp 192.169.1.8 0.0.0.7 eq 20 any
access-list 135 deny tcp 192.169.1.8 0.0.0.7 eq 21 any
How will the above access lists affect traffic?
A – FTP traffic from 192.169.1.22 will be denied
B – No traffic, except for FTP traffic will be allowed to exit E0
C – FTP traffic from 192.169.1.9 to any host will be denied
D – All traffic exiting E0 will be denied
E – All FTP traffic to network 192.169.1.9/29 will be denied
Answer: D
Explanation:
There is always an implicit “deny all” command at the end of every access list, so if an access list doesn’t have any “permit” command, it will block all the traffic.
Note: This access list is applied on outbound direction so only packets exiting E0 will be checked. Packets entering E0 will not be checked and they all are allowed to pass through.
Question 8
The access control list shown in the graphic has been applied to the Ethernet interface of router R1 using the ip access-group 101 in command. Which of the following Telnet sessions will be blocked by this ACL? (Choose two)
A – from host PC1 to host 5.1.1.10
B – from host PC1 to host 5.1.3.10
C – from host PC2 to host 5.1.2.10
D – from host PC2 to host 5.1.3.8
Answer: B D
Explanation
Below is the simple syntax of an extended access list:
access-list access-list-number {deny | permit} {ip|tcp|udp|icmp} source [source-mask] dest [dest-mask] [eq dest-port]
Notice that this access list is applied to the Ethernet interface of R1 in the “in direction” so in this case, it will filter all the packets originated from E1 network (host PC1 and PC2) with these parameters:
Source network: 5.1.1.8 0.0.0.3 which means 5.1.1.8/252 (just invert all the wildcard bits to get the equivalent subnet mask) -> Packets from 5.1.1.8 to 5.1.1.11 will be filtered.
Destination network: 5.1.3.0 0.0.0.255 which means 5.1.3.0/24-> Packets to 5.1.3.0/24 will be filtered
Therefore packets originated from 5.1.1.8 to 5.1.1.11 and have the destination to the host 5.1.3.x (via Telnet) will be denied.
Question 9
The following configuration line was added to router R1
Access-list 101 permit ip 10.25.30.0 0.0.0.255 any
What is the effect of this access list configuration?
A – permit all packets matching the first three octets of the source address to all destinations
B – permit all packet matching the last octet of the destination address and accept all source addresses
C – permit all packet matching the host bits in the source address to all destinations
D – permit all packet from the third subnet of the network address to all destinations
Answer: A
@Shanks:
Thank you VERY much for the explanation of Q4. I kept on counting “common bits” set to 1 only. THANKS!
Kindly send me latest dumps and labs in my email mario_azucena@yahoo.com. Thanks a lot!
Can someone send me the most current dumps? Please send to ; robertomiranda123233@hotmail.com
Can someone send me the most current dumps? Please send to mjahanzaib@hotmail.com
This is for those who need latest dumps. This dumps and 9tut, its enough for you to pass exam. just remember me in your prayers. Best of luck…..
http://www.examcollection.com/cisco/Cisco.ActualTests.640-802.v2012-07-15.by.Sekhar.697q.vce.file.html
thanx Kashif
Q6 / Question 6
A – access-list 101 in
B – access-list 101 out
C – ip access-group 101 in
D – ip access-group 101 out
Answer is “C”
I could apply “D” (ip access-group 101 out) on the serial interface of R1 going to R2 and it would still function. My question is, what hint in the question that I would choose or then best choice is “C”?
Hey @Artruo Pacardo Jr ,in Q6 he is talking about the LAN attached with R2 not to the LAN of R1. so ans. C is correct …
Hi there. Taking CCNA in a weeks. Can anyone send me latest dumps?
mariovalidzic1@gmail.com
has any one seen these questions in the real CCNA exam .help thank you in advance
thanks for your explaination
Hi everyone I am going to take my CCNA exam next month has anyone got the latest dump if you have please send it to me. email address zala93@yahoo.com
many thank you
hello
In question 4 i understand that the summary of networks is /20.
thanks
Hi my name is Eddy;
I will take my CCNA exam soon I have a question concerning the Q8. the answer are B,D Why?.
A – from host PC1 to host 5.1.1.10
B – from host PC1 to host 5.1.3.10
C – from host PC2 to host 5.1.2.10
D – from host PC2 to host 5.1.3.8
Acording ur explication the range of packets to be filter is ‘ packets originated from 5.1.1.8 to 5.1.1.11 and have the destination to the host 5.1.3.x (via Telnet) will be denied’. and according to the question say: ‘Which of the following Telnet sessions will be blocked by this ACL?
really I don’t undertand Why the answer are B and D
If some body give me a explication I will be apreciated.
Thank you very much in advance
Eddy
To EDDY>>>
The answer is B & D because PC1 IP is: 5.1.1.8 255.255.255.0 & PC2 IP is: 5.1.1.10 255.255.255.0.
Now according to configured ACL, no PC holding IP from 5.1.1.8 to 5.1.1.11 can be connected via telnet to any host from 5.1.3.0 – 5.1.3.255 range.
As B & D says Destination host IP are 5.1.3.10 & 5.1.3.8 respectively so Telnet connection from PC1 & PC2 will be denied by ACL 101….
Thanks,
Question 1-I say only D is the answer; the increment would be 8 , not 16 and would not include the 192.168.15.40 network in the ACL.
192.168.15.32 0.0.0.15 means from 32 to the next fifteen ip addresses sequentially. so you have 32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47
Question 2 on CCNA 2nd try today
we hv config deny accses list on VSS L3 switch, where ABC belongs to vlan 34 ip accses-list extended ABC deny ip 172.17.34.0 0.0.0.255 172.30.31.0 0.0.0.255 deny ip 172.17.34.0 0.0.0.255 172.30.32.0 0.0.0.255 deny ip 172.17.34.0 0.0.0.255 172.30.35.0 0.0.0.255 permit ip any any than whn we config the vacl on this switch as below ( are all cmd right? ) Epi-VSS1(config)#Vlan acess-map VACL_VL34 Epi-VSS1(config-accses-map)#Match ip address ABC Epi-VSS1(config-accses-map)#action drop Epi-VSS1(config-accses-map)#exit Epi-VSS1(config)#Vlan acess-map VACL_VL34 Epi-VSS1(config-accses-map)#action forward cature Epi-VSS1(config-accses-map)#exit Epi-VSS1(config)#vlan filter VACL_VL34 vlan-list 34 for port capture we need to config the switch port capture cmd on same switch or the next switch connected to it?? little bit confuse in this interface gi1/1 switchport capture allowed vlan 34 switchport capture
A porvocatvie insight! Just what we need!
Slam dunkin like Shaqluile O’Neal, if he wrote informative articles.
Could anybody pleases send the latest CCNA Dumps to gauriwalinjkar@gmail.com
Exam in 2 weeks
Hi guys,
I will take my exam soon,please send me the latest CCNA dumps to takra_2000@hotmail.com
thanks very much.
I will take with in 3 weeks.
hello all people
I will take my exam in the next Sunday can anyone help me with the good question that i will see in real exam and send it to my email
rald201020@yahoo.com
Hello Guys I hope you will be fine there. I have CCNA (640-802) Vouchers on
special discount of 58% for World wide, with six months expiry date till you
purchase. Each voucher cost 60USD.
Details Required For CCNA Voucher For Discount Processing:
1-Full Name. 1st Name & Last Name (as you want to appear on certificate & documents)
2-Country.
3-City.
4-State.
5-Pin Code (or Area Code)
6-Residential Address (or where you can collect your Certificate or further correspondence
can be received)
Add me on Skype through this information which is written below:
Skype Name: rockon660
you can also email me at this email address which is written below:
madeelqaiser@gmail.com
If you have any Questions feel free to contact me.
Thanks,
Best regards,
Adeel
Question 1-D and E would be correct; the increment is 8 /29, not 16 and so both networks 15.32 & 15.40 outbound would include host ip’s 15.36 & 15.46 should be correct for the ACL.
Thoughts?
Q-4 Feedback on answer as C?
C. access-list 10 permit 172.29.16.0 0.0.3.255 Would only allow 2 useable .17 & .18
D. access-list 10 permit 172.29.16.0 0.0.15.255. Question would summarize to /20. which would allow .17 – .30.
Why wouldn’t the answer in this case be E. access-list 10 permit 172.29.0.0 0.0.255.255 ?
Thx in advance.
The traffic is being came from R1 to R2 and this goes to R2 lan . I think that I am R2 to solve the problem. traffic is exited from me (R2) so Is right answer to be D for this idea? Can anybody explain this question to me ?
Hey guys, passed my CCNA exam today (920/1000)……sims were same, EIGRP, VTP and Access list….but there was a slight difference in the Access list:
Allow host D to access the Finance Server through a web browser
Deny the other hosts and and router to access the Finance Server
Allow all other hosts to Access Public Server
So in case of Public Server, though IP Address is given but you will still use “Permit ip host any any” as only three statements are allowed according to the question….
I thank 9tut.com for all its support and valuable feedback from all the users….cheers…
For question 4 check the matching bits in the 3rd octet. Mark the matching bits with 0. There is an exellent discription here:
http://ieoc.com/forums/p/14918/129445.aspx
0 0 0 1 0 0 0 0 = 16
0 0 0 1 0 0 1 1 = 19
0 0 0 0 0 0 1 1 = 3
for Q-1
access-list 101 deny tcp 192.168.15.32 0.0.0.15 any eq telnet
access-list 101 permit ip any any
this acl block ip hosts of two sub-networks which are 190.468.15.32 & 192.168.15.40, they
both r conected vd RTB.
NID:192.168.15.32 ,BID: 192.168.15.39,mask :255.255.255.248,incrment is 8 (/29 = 248)
valid host of this sub net r 33-38 which r blocked by acl and second sub net is
NID: 192.168.15.40 ,mask :255.255.255.248, BID: 192.168.15.47,sam as above increment
is 8 (256-248=8) valid hosts are 41-46 so the host whic r blocked by this acl r 33-38 and
41-36 v focus on acl (deny tcp 192.168.15.32 0.0.0.15) not on /29 of any sub-net .
!!!
Hi everyone I am going to take my CCNA exam next month has anyone got the latest dump if you have please send it to me. email address renancisco1@gmail.com
!!!
Hello Everybody
I’m taking CCNA next Week, wich dump do you recommend please ????
Thanks in advance.
I suck at this :( Needs some moral!!!
Explanation
First we notice that telnet uses port 23 so only D, E & F can satisfy this requirement.
The purpose of this access-list is to deny traffic from network 192.168.15.32 255.255.255.240 [it's 255.255.255.248 not 240] (to find out the subnet mask just convert all bit “0″ to “1″ and all bit “1″ to “0″ of the wildcard mask) to telnet to any device. So we need to figure out the range of this network to learn which ip address will be denied.
Increment: 16
Network address: 192.168.15.32
Broadcast address: 192.168.15.47
-> Only 192.168.15.36 (Answer D) & 192.168.15.46 (Answer E) belong to this range so they are the correct answer.
Hi there. Taking CCNA in a weeks. Can anyone send me latest dumps?
spymrigen@gmail.com
Hi GUYS. Taking CCNA on Saturday 4th of may . Can anyone send me latest dumps?
tosinxx@yahoo.co.uk
Hi there. Taking CCNA in a weeks. can they help me in simlation
Hey guys,
I’m taking ccna next week.. can anyone send me latest dumps please?
Here is my email address: med.laatabi@gmail.com
hi all,
can any one explain the sysntax of answer “ip access-group 101 in” what it means?
As a network administrator, you have been instructed to prevent all traffic originating on the LAN from entering the R2 router. Which the following command would implement the access list on the interface of the R2 router?
accesslist_blocktraffic
A – access-list 101 in
B – access-list 101 out
C – ip access-group 101 in
D – ip access-group 101 out
Answer: C
The command “ip access-group 101 in ”
means the interface should be using the access-list number 101 for incoming packets
“access-group” a command to use an access-list
“101″ the number for extended ACL number ( extended ACL 100 – 199 & 2000 – 2699 )
“IN” means to apply the access-list for all the traffic coming inside
plz any one send me latest dumps
iflyuk@live.com
hi question2. why letter B its (in), should it be letter a (out)
Q:only PC1 from accessing Server1 while allowing all other traffic to flow normally? should it be going out instead of going in? Should the answer be
A – Router(config)# interface fa0/0
Router(config-if)# ip access-group 101 out
instead of B.
yes, I agree that question2. should it be letter A (out)
Did anyone take the exam this May 2013? any suggestion?
Guys I am taking the CCNA next week. Can someone please send me the latest Dumps ?
Guys I am taking the CCNA next week. Can someone please send me the latest Dumps ? doncasta8@yahoo.com
Hey Pple am taking my ccna exam next week , can someone please send me d latest dumps? Debbytutu2002@gmail.com
Please i want to take my CCNA next two weeks.Can someone help me out with latest Dumps?Pls!! I will appreciate.geolinks2002@yahoo.com
Please i want to take my CCNA next two weeks.Can someone help me out with latest Dumps? I will appreciate.geolinks2002@yahoo.com