CCNA – Access List Questions

May 1st, 2011

Here you will find answers to CCNA Access list questions

Note: If you are not sure about how to use Access list, please read my Access list tutorial

Question 1

Your boss is learning a CCNA training course, refer to the exhibit. The access list has been configured on the S0/0 interface of router RTB in the outbound direction. Which two packets, if routed to the interface, will be denied? (Choose two)

access-list 101 deny tcp 192.168.15.32 0.0.0.15 any eq telnet
access-list 101 permit ip any any

A. source ip address: 192.168.15.5; destination port: 21
B. source ip address: 192.168.15.37; destination port: 21
C. source ip address: 192.168.15.41; destination port: 21
D. source ip address: 192.168.15.36; destination port: 23
E. source ip address: 192.168.15.46; destination port: 23
F. source ip address: 192.168.15.49; destination port: 23

 

Answer: D E

Explanation

First we notice that telnet uses port 23 so only D, E & F can satisfy this requirement.

The purpose of this access list is to deny Telnet traffic from network 192.168.15.32 255.255.255.240 to any device (to find the subnet mask, invert the wildcard mask: change every “0” bit to “1” and every “1” bit to “0”). So we need to work out the address range of this network to learn which IP addresses will be denied.

Increment: 16
Network address: 192.168.15.32
Broadcast address: 192.168.15.47

-> Only 192.168.15.36 (Answer D) & 192.168.15.46 (Answer E) belong to this range so they are the correct answers.

Question 2

Refer to the graphic. It has been decided that PC1 should be denied access to Server. Which of the following commands are required to prevent only PC1 from accessing Server1 while allowing all other traffic to flow normally? (Choose two)

A – Router(config)# interface fa0/0
Router(config-if)# ip access-group 101 out
B – Router(config)# interface fa0/0
Router(config-if)# ip access-group 101 in
C – Router(config)# access-list 101 deny ip host 172.16.161.150 host 172.16.162.163
Router(config)# access-list 101 permit ip any any
D – Router(config)# access-list 101 deny ip 172.16.161.150 0.0.0.255 172.16.162.163 0.0.0.0
Router(config)# access-list 101 permit ip any any

 

Answer: B C

 

Question 3

Refer to the exhibit. Why would the network administrator configure RA in this manner?

A. to give students access to the Internet
B. to prevent students from accessing the command prompt of RA
C. to prevent administrators from accessing the console of RA
D. to give administrators access to the Internet
E. to prevent students from accessing the Internet
F. to prevent students from accessing the Admin network

 

Answer: B

Explanation

Although the access list is written to “permit” network 10.1.1.0/24, the best answer here is “to prevent students from accessing the command prompt of RA”. From the exhibit, we know that 10.1.1.0/24 is the “Admin” network. This access list is applied to “line vty 0 4”, so it permits only Telnet traffic from “Admin” to RA and drops all other traffic (because of the implicit “deny all” at the end of the access list). Therefore we can deduce that it will “prevent students from accessing the command prompt of RA”.

This access list only filters Telnet traffic (because it is applied to vty line) so it will not prevent or allow anyone to access the Internet -> A, D, E are not correct.

C is not correct as this access list allows administrators to access the console of RA.

F is not correct as this access list does not process TCP, UDP or IP traffic, so the students can still access the Admin network.

(Notice that the “command prompt” here implies telnet as telnet is the only way to remotely access RA)

Question 4

An access list was written with the four statements shown in the graphic. Which single access list statement will combine all four of these statements into a single statement that will have exactly the same effect?

A. access-list 10 permit 172.29.16.0 0.0.0.255
B. access-list 10 permit 172.29.16.0 0.0.1.255
C. access-list 10 permit 172.29.16.0 0.0.3.255
D. access-list 10 permit 172.29.16.0 0.0.15.255
E. access-list 10 permit 172.29.0.0 0.0.255.255

 

Answer: C

Explanation

The four statements above allow 4 networks (from 172.29.16.0/24 to 172.29.19.0/24) to go through, so we can summarize them as network 172.29.16.0/22.

/22 = 255.255.252.0 so it equals 0.0.3.255 when converting into wildcard mask -> C is correct.

A, B, D are not correct as their wildcard masks are wrong. For example:
Answer A allows from 172.29.16.0 to 172.29.16.255
Answer B allows from 172.29.16.0 to 172.29.17.255
Answer D allows from 172.29.16.0 to 172.29.31.255

Both the network address and the wildcard mask of answer E are wrong, as it allows the whole major network 172.29.0.0/16 to go through.
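
The summarization in Question 4, worked as an added Python example (not part of the original page): summarize derives the tightest single wildcard entry, and same_effect checks each answer option for exact equivalence. The four statements are reconstructed from the explanation, since the exhibit is not reproduced here, and all function names are illustrative.

```python
import ipaddress

def ip(text):
    """Dotted quad -> 32-bit integer."""
    return int(ipaddress.IPv4Address(text))

def dotted(value):
    return str(ipaddress.IPv4Address(value))

def summarize(entries):
    """Tightest single (base, wildcard) pair that matches every entry.

    A wildcard bit of 1 means "don't care", so the summary must ignore
    every bit ignored by any entry plus every bit where the bases differ.
    """
    first = ip(entries[0][0])
    wildcard = 0
    for base, wc in entries:
        wildcard |= ip(wc) | (ip(base) ^ first)
    return dotted(first & ~wildcard & 0xFFFFFFFF), dotted(wildcard)

def covers(candidate, entry):
    """True when every address matched by entry is also matched by candidate."""
    cb, cw = ip(candidate[0]), ip(candidate[1])
    eb, ew = ip(entry[0]), ip(entry[1])
    return (ew & ~cw) == 0 and ((cb ^ eb) & ~cw & 0xFFFFFFFF) == 0

def matched(entry):
    """Number of addresses a (base, wildcard) pair matches."""
    return 1 << bin(ip(entry[1])).count("1")

def same_effect(candidate, entries):
    """Exact equivalence; assumes the entries do not overlap each other."""
    return (all(covers(candidate, e) for e in entries)
            and matched(candidate) == sum(matched(e) for e in entries))

# Reconstructed from the explanation: 172.29.16.0/24 through 172.29.19.0/24.
FOUR_STATEMENTS = [(f"172.29.{n}.0", "0.0.0.255") for n in (16, 17, 18, 19)]

# The answer options exactly as listed in the question.
OPTIONS = {
    "A": ("172.29.16.0", "0.0.0.255"),
    "B": ("172.29.16.0", "0.0.1.255"),
    "C": ("172.29.16.0", "0.0.3.255"),
    "D": ("172.29.16.0", "0.0.15.255"),
    "E": ("172.29.0.0", "0.0.255.255"),
}

def grade():
    """Map each option letter to whether it has exactly the same effect."""
    return {k: same_effect(v, FOUR_STATEMENTS) for k, v in OPTIONS.items()}

if __name__ == "__main__":
    print("summary:", *summarize(FOUR_STATEMENTS))
    for letter, ok in grade().items():
        print(letter, *OPTIONS[letter], "equivalent" if ok else "not equivalent")
```

The tightest covering entry is only a safe replacement when same_effect also holds: summarizing just three of the four networks yields the same 0.0.3.255 wildcard, which would silently permit the fourth.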

Question 5

A network administrator wants to add a line to an access list that will block only Telnet access by the hosts on subnet 192.168.1.128/28 to the server at 192.168.1.5. What command should be issued to accomplish this task?

A – access-list 101 deny tcp 192.168.1.128 0.0.0.15 192.168.1.5 0.0.0.0 eq 23
access-list 101 permit ip any any
B – access-list 101 deny tcp 192.168.1.128 0.0.0.240 192.168.1.5 0.0.0.0 eq 23
access-list 101 permit ip any any
C – access-list 1 deny tcp 192.168.1.128 0.0.0.255 192.168.1.5 0.0.0.0 eq 21
access-list 1 permit ip any any
D – access-list 1 deny tcp 192.168.1.128 0.0.0.15 host 192.168.1.5 eq 23
access-list 1 permit ip any any

 

Answer: A

Explanation:

First the question asks to block only Telnet access so the port we have to use is 23 -> C is not correct.

Next we need to block traffic from hosts on the subnet 192.168.1.128/28, which is 192.168.1.128 0.0.0.15 when written with a wildcard mask (invert every bit of the subnet mask, 0 to 1 and 1 to 0, to get the equivalent wildcard mask) -> so B is incorrect.

In this case, we have to use an extended access list because we need to specify which type of traffic (TCP) and which port (23) we want to block -> so D is incorrect because it uses a standard access list.

Question 6

As a network administrator, you have been instructed to prevent all traffic originating on the LAN from entering the R2 router. Which of the following commands would implement the access list on the interface of the R2 router?

 

A – access-list 101 in
B – access-list 101 out
C – ip access-group 101 in
D – ip access-group 101 out

 

Answer: C

Question 7

The access list below was applied outbound on the E0 interface connected to the 192.169.1.8/29 LAN:

access-list 135 deny tcp 192.169.1.8 0.0.0.7 eq 20 any
access-list 135 deny tcp 192.169.1.8 0.0.0.7 eq 21 any

How will the above access lists affect traffic?

A – FTP traffic from 192.169.1.22 will be denied
B – No traffic, except for FTP traffic will be allowed to exit E0
C – FTP traffic from 192.169.1.9 to any host will be denied
D – All traffic exiting E0 will be denied
E – All FTP traffic to network 192.169.1.9/29 will be denied

 

Answer: D

Explanation:

There is always an implicit “deny all” command at the end of every access list, so if an access list doesn’t have any “permit” command, it will block all the traffic.

Note: This access list is applied in the outbound direction, so only packets exiting E0 will be checked. Packets entering E0 will not be checked and are all allowed to pass through.
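
The wildcard matching from Question 1 and the implicit deny from Question 7, as an added Python example (not part of the original page): a small evaluator for the numbered extended ACL lines quoted in both questions. The parser handles only any, host, address/wildcard pairs and eq; the destination address and the Question 7 test packets are constructed for illustration.

```python
import ipaddress

PORT_NAMES = {"telnet": 23, "ftp": 21, "ftp-data": 20}  # port keywords -> numbers

def ip(text):
    return int(ipaddress.IPv4Address(text))

def take_endpoint(tokens):
    """Consume 'any' | 'host A' | 'A WILDCARD', then an optional 'eq PORT'."""
    word = tokens.pop(0)
    if word == "any":
        base, wildcard = 0, 0xFFFFFFFF
    elif word == "host":
        base, wildcard = ip(tokens.pop(0)), 0
    else:
        base, wildcard = ip(word), ip(tokens.pop(0))
    port = None
    if tokens and tokens[0] == "eq":
        name = tokens[1]
        port = PORT_NAMES[name] if name in PORT_NAMES else int(name)
        del tokens[:2]
    return base, wildcard, port

def parse_ace(line):
    """Parse 'access-list N {permit|deny} PROTO SRC DST' (subset of the syntax)."""
    tokens = line.split()[2:]            # drop 'access-list N'
    action, proto = tokens.pop(0), tokens.pop(0)
    src = take_endpoint(tokens)
    dst = take_endpoint(tokens)
    return action, proto, src, dst, line

def endpoint_hit(spec, addr, port):
    """Address must agree on every bit whose wildcard bit is 0; port if given."""
    base, wildcard, want = spec
    same_bits = ((ip(addr) ^ base) & ~wildcard & 0xFFFFFFFF) == 0
    return same_bits and (want is None or want == port)

def evaluate(acl_lines, proto, src, dst, sport=None, dport=None):
    """First matching entry decides; no match at all means the implicit deny."""
    for action, ace_proto, s, d, line in map(parse_ace, acl_lines):
        if ace_proto not in ("ip", proto):
            continue
        if endpoint_hit(s, src, sport) and endpoint_hit(d, dst, dport):
            return action, line
    return "deny", "(implicit deny)"

ACL_101 = ["access-list 101 deny tcp 192.168.15.32 0.0.0.15 any eq telnet",
           "access-list 101 permit ip any any"]
ACL_135 = ["access-list 135 deny tcp 192.169.1.8 0.0.0.7 eq 20 any",
           "access-list 135 deny tcp 192.169.1.8 0.0.0.7 eq 21 any"]

Q1_OPTIONS = {"A": ("192.168.15.5", 21), "B": ("192.168.15.37", 21),
              "C": ("192.168.15.41", 21), "D": ("192.168.15.36", 23),
              "E": ("192.168.15.46", 23), "F": ("192.168.15.49", 23)}

def q1_denied(dst="203.0.113.10"):       # constructed destination; the ACL says "any"
    return [k for k, (src, dport) in Q1_OPTIONS.items()
            if evaluate(ACL_101, "tcp", src, dst, dport=dport)[0] == "deny"]

def q7_verdicts(dst="203.0.113.10"):
    """Constructed packets: FTP control from .9, web from .9, DNS from .22."""
    return [evaluate(ACL_135, "tcp", "192.169.1.9", dst, sport=21, dport=40000),
            evaluate(ACL_135, "tcp", "192.169.1.9", dst, sport=40000, dport=80),
            evaluate(ACL_135, "udp", "192.169.1.22", dst, sport=40000, dport=53)]
```

In q7_verdicts only the first packet is dropped by a written line; the other two reach the end of the list and are dropped by the implicit deny, which is why the list needs an explicit permit entry before it can pass any traffic.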

Question 8

The access control list shown in the graphic has been applied to the Ethernet interface of router R1 using the ip access-group 101 in command. Which of the following Telnet sessions will be blocked by this ACL? (Choose two)

A – from host PC1 to host 5.1.1.10
B – from host PC1 to host 5.1.3.10
C – from host PC2 to host 5.1.2.10
D – from host PC2 to host 5.1.3.8

 

Answer: B D

Explanation

Below is the simple syntax of an extended access list:

access-list access-list-number {deny | permit} {ip|tcp|udp|icmp} source [source-mask] dest [dest-mask] [eq dest-port]

Notice that this access list is applied to the Ethernet interface of R1 in the “in” direction, so in this case it will filter all the packets originating from the E1 network (hosts PC1 and PC2) with these parameters:

Source network: 5.1.1.8 0.0.0.3, which means 5.1.1.8 with subnet mask 255.255.255.252 (just invert all the wildcard bits to get the equivalent subnet mask) -> Packets from 5.1.1.8 to 5.1.1.11 will be filtered.

Destination network: 5.1.3.0 0.0.0.255, which means 5.1.3.0/24 -> Packets to 5.1.3.0/24 will be filtered.

Therefore packets that originate from 5.1.1.8 to 5.1.1.11 and are destined for a host 5.1.3.x (via Telnet) will be denied.

Question 9

The following configuration line was added to router R1

Access-list 101 permit ip 10.25.30.0 0.0.0.255 any

What is the effect of this access list configuration?
A – permit all packets matching the first three octets of the source address to all destinations
B – permit all packets matching the last octet of the destination address and accept all source addresses
C – permit all packets matching the host bits in the source address to all destinations
D – permit all packets from the third subnet of the network address to all destinations

 

Answer: A

Comments
  1. Lemoi
    January 29th, 2013

    @Shanks:
    Thank you VERY much for the explanation of Q4. I kept on counting “common bits” set to 1 only. THANKS!

  2. Anonymous
    February 2nd, 2013

    Kindly send me latest dumps and labs in my email mario_azucena@yahoo.com. Thanks a lot!

  3. Osito
    February 16th, 2013

    Can someone send me the most current dumps? Please send to: robertomiranda123233@hotmail.com

  4. Jazz
    February 20th, 2013

    Can someone send me the most current dumps? Please send to mjahanzaib@hotmail.com

  5. kashif
    February 21st, 2013

    This is for those who need latest dumps. This dumps and 9tut, it’s enough for you to pass exam. Just remember me in your prayers. Best of luck…
    http://www.examcollection.com/cisco/Cisco.ActualTests.640-802.v2012-07-15.by.Sekhar.697q.vce.file.html

  6. Lucifar
    February 21st, 2013

    thanx Kashif

  7. Arturo Pacardo Jr.
    February 24th, 2013

    Q6 / Question 6

    A – access-list 101 in
    B – access-list 101 out
    C – ip access-group 101 in
    D – ip access-group 101 out

    Answer is “C”

    I could apply “D” (ip access-group 101 out) on the serial interface of R1 going to R2 and it would still function. My question is, what hint in the question that I would choose or the best choice is “C”?

  8. Manoj
    February 27th, 2013

    Hey @Arturo Pacardo Jr, in Q6 he is talking about the LAN attached with R2 not to the LAN of R1. So ans. C is correct …

  9. Mario
    February 28th, 2013

    Hi there. Taking CCNA in a weeks. Can anyone send me latest dumps?
    mariovalidzic1@gmail.com

  10. The Slave of Gad
    March 6th, 2013

    Has anyone seen these questions in the real CCNA exam? Help. Thank you in advance.

  11. raamia
    March 7th, 2013

    thanks for your explanation

  12. The Slave of Gad
    March 7th, 2013

    Hi everyone I am going to take my CCNA exam next month has anyone got the latest dump if you have please send it to me. email address zala93@yahoo.com

    many thank you

  13. andrilo
    March 8th, 2013

    hello
    In question 4 I understand that the summary of networks is /20.

    thanks

  14. Eddy
    March 15th, 2013

    Hi my name is Eddy;

    I will take my CCNA exam soon. I have a question concerning Q8. The answers are B, D. Why?

    A – from host PC1 to host 5.1.1.10
    B – from host PC1 to host 5.1.3.10
    C – from host PC2 to host 5.1.2.10
    D – from host PC2 to host 5.1.3.8

    According to your explanation, the range of packets to be filtered is ‘packets originated from 5.1.1.8 to 5.1.1.11 and have the destination to the host 5.1.3.x (via Telnet) will be denied’, and the question says: ‘Which of the following Telnet sessions will be blocked by this ACL?’

    Really, I don’t understand why the answers are B and D.

    If somebody gives me an explanation it will be appreciated.

    Thank you very much in advance

    Eddy

  15. Shabbir
    March 18th, 2013

    To EDDY>>>

    The answer is B & D because PC1 IP is: 5.1.1.8 255.255.255.0 & PC2 IP is: 5.1.1.10 255.255.255.0.

    Now according to configured ACL, no PC holding IP from 5.1.1.8 to 5.1.1.11 can be connected via telnet to any host from 5.1.3.0 – 5.1.3.255 range.

    As B & D says Destination host IP are 5.1.3.10 & 5.1.3.8 respectively so Telnet connection from PC1 & PC2 will be denied by ACL 101….

    Thanks,

  16. Mark Terrell
    March 18th, 2013

    Question 1 - I say only D is the answer; the increment would be 8, not 16 and would not include the 192.168.15.40 network in the ACL.

  17. Kemi
    March 20th, 2013

    192.168.15.32 0.0.0.15 means from 32 to the next fifteen ip addresses sequentially. so you have 32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47

  18. Me too
    March 21st, 2013

    Question 2 on CCNA 2nd try today

  19. Hugo
    March 21st, 2013

    We have configured a deny access list on a VSS L3 switch, where ABC belongs to VLAN 34:

    ip accses-list extended ABC
    deny ip 172.17.34.0 0.0.0.255 172.30.31.0 0.0.0.255
    deny ip 172.17.34.0 0.0.0.255 172.30.32.0 0.0.0.255
    deny ip 172.17.34.0 0.0.0.255 172.30.35.0 0.0.0.255
    permit ip any any

    Then when we configure the VACL on this switch as below (are all commands right?):

    Epi-VSS1(config)#Vlan acess-map VACL_VL34
    Epi-VSS1(config-accses-map)#Match ip address ABC
    Epi-VSS1(config-accses-map)#action drop
    Epi-VSS1(config-accses-map)#exit
    Epi-VSS1(config)#Vlan acess-map VACL_VL34
    Epi-VSS1(config-accses-map)#action forward cature
    Epi-VSS1(config-accses-map)#exit
    Epi-VSS1(config)#vlan filter VACL_VL34 vlan-list 34

    For port capture, do we need to configure the switchport capture command on the same switch or on the next switch connected to it? A little bit confused about this:

    interface gi1/1
    switchport capture allowed vlan 34
    switchport capture

  20. Cheyenne
    March 21st, 2013

    A provocative insight! Just what we need!

  21. Deandra
    March 21st, 2013

    Slam dunkin like Shaquille O’Neal, if he wrote informative articles.

  22. Anonymous
    March 23rd, 2013

    Could anybody please send the latest CCNA Dumps to gauriwalinjkar@gmail.com
    Exam in 2 weeks

  23. sAM
    March 24th, 2013

    Hi guys,
    I will take my exam soon, please send me the latest CCNA dumps to takra_2000@hotmail.com
    thanks very much.
    I will take within 3 weeks.

  24. SAEED El Gharabawy
    March 25th, 2013

    hello all people
    I will take my exam in the next Sunday can anyone help me with the good question that i will see in real exam and send it to my email

    rald201020@yahoo.com

  25. Adeel
    March 26th, 2013

    Hello Guys I hope you will be fine there. I have CCNA (640-802) Vouchers on
    special discount of 58% for World wide, with six months expiry date till you
    purchase. Each voucher cost 60USD.
    Details Required For CCNA Voucher For Discount Processing:
    1-Full Name. 1st Name & Last Name (as you want to appear on certificate & documents)
    2-Country.
    3-City.
    4-State.
    5-Pin Code (or Area Code)
    6-Residential Address (or where you can collect your Certificate or further correspondence
    can be received)
    Add me on Skype through this information which is written below:
    Skype Name: rockon660
    you can also email me at this email address which is written below:
    madeelqaiser@gmail.com
    If you have any Questions feel free to contact me.
    Thanks,
    Best regards,
    Adeel

  26. Oahu20
    March 27th, 2013

    Question 1-D and E would be correct; the increment is 8 /29, not 16 and so both networks 15.32 & 15.40 outbound would include host ip’s 15.36 & 15.46 should be correct for the ACL.
    Thoughts?

  27. Oahu20
    March 27th, 2013

    Q-4 Feedback on answer as C?

    C. access-list 10 permit 172.29.16.0 0.0.3.255 Would only allow 2 useable .17 & .18
    D. access-list 10 permit 172.29.16.0 0.0.15.255. Question would summarize to /20. which would allow .17 – .30.
    Why wouldn’t the answer in this case be E. access-list 10 permit 172.29.0.0 0.0.255.255 ?
    Thx in advance.

  28. Q6
    April 1st, 2013

    The traffic is being came from R1 to R2 and this goes to R2 lan . I think that I am R2 to solve the problem. traffic is exited from me (R2) so Is right answer to be D for this idea? Can anybody explain this question to me ?

  29. Ashutosh B.
    April 3rd, 2013

    Hey guys, passed my CCNA exam today (920/1000)……sims were same, EIGRP, VTP and Access list….but there was a slight difference in the Access list:

    Allow host D to access the Finance Server through a web browser
    Deny the other hosts and router to access the Finance Server
    Allow all other hosts to Access Public Server

    So in case of Public Server, though IP Address is given but you will still use “Permit ip host any any” as only three statements are allowed according to the question….

    I thank 9tut.com for all its support and valuable feedback from all the users….cheers…

  30. guest
    April 3rd, 2013

    For question 4 check the matching bits in the 3rd octet. Mark the matching bits with 0. There is an excellent description here:

    http://ieoc.com/forums/p/14918/129445.aspx

    0 0 0 1 0 0 0 0 = 16

    0 0 0 1 0 0 1 1 = 19

    0 0 0 0 0 0 1 1 = 3

  31. mazhar husssain
    April 5th, 2013

    for Q-1

    access-list 101 deny tcp 192.168.15.32 0.0.0.15 any eq telnet

    access-list 101 permit ip any any

    this acl block ip hosts of two sub-networks which are 192.168.15.32 & 192.168.15.40, they both r connected vd RTB.

    NID: 192.168.15.32, BID: 192.168.15.39, mask: 255.255.255.248, increment is 8 (/29 = 248)

    valid host of this sub net r 33-38 which r blocked by acl and second sub net is

    NID: 192.168.15.40, mask: 255.255.255.248, BID: 192.168.15.47, same as above increment is 8 (256-248=8) valid hosts are 41-46 so the host which r blocked by this acl r 33-38 and 41-46 v focus on acl (deny tcp 192.168.15.32 0.0.0.15) not on /29 of any sub-net.

  32. !!!Rem!!!
    April 15th, 2013

    !!!

    Hi everyone I am going to take my CCNA exam next month has anyone got the latest dump if you have please send it to me. email address renancisco1@gmail.com

    !!!

  33. Tajushile
    April 17th, 2013

    Hello Everybody

    I’m taking CCNA next week, which dump do you recommend please?

    Thanks in advance.

  34. Joe
    April 19th, 2013

    I suck at this :( Needs some moral!!!

  35. Faizan
    April 22nd, 2013

    Explanation

    First we notice that telnet uses port 23 so only D, E & F can satisfy this requirement.

    The purpose of this access-list is to deny traffic from network 192.168.15.32 255.255.255.240 [it's 255.255.255.248 not 240] (to find out the subnet mask just convert all bit “0” to “1” and all bit “1” to “0” of the wildcard mask) to telnet to any device. So we need to figure out the range of this network to learn which ip address will be denied.

    Increment: 16
    Network address: 192.168.15.32
    Broadcast address: 192.168.15.47

    -> Only 192.168.15.36 (Answer D) & 192.168.15.46 (Answer E) belong to this range so they are the correct answer.

  36. mrigen sane
    April 25th, 2013

    Hi there. Taking CCNA in a weeks. Can anyone send me latest dumps?

    spymrigen@gmail.com

  37. TOSIN
    April 28th, 2013

    Hi GUYS. Taking CCNA on Saturday 4th of May. Can anyone send me latest dumps?

    tosinxx@yahoo.co.uk

  38. Ahmed wahas
    May 4th, 2013

    Hi there. Taking CCNA in a weeks. can they help me in simulation

  39. ryhoof
    May 5th, 2013

    Hey guys,

    I’m taking ccna next week.. can anyone send me latest dumps please?
    Here is my email address: med.laatabi@gmail.com

  40. Anisetti.sureshbabu
    May 7th, 2013

    hi all,

    Can anyone explain the syntax of answer “ip access-group 101 in”, what it means?

    As a network administrator, you have been instructed to prevent all traffic originating on the LAN from entering the R2 router. Which the following command would implement the access list on the interface of the R2 router?

    accesslist_blocktraffic

    A – access-list 101 in
    B – access-list 101 out
    C – ip access-group 101 in
    D – ip access-group 101 out

    Answer: C

  41. Devang Shah
    May 7th, 2013

    The command “ip access-group 101 in”
    means the interface should be using the access-list number 101 for incoming packets
    “access-group” a command to use an access-list
    “101” the number for extended ACL number ( extended ACL 100 – 199 & 2000 – 2699 )
    “IN” means to apply the access-list for all the traffic coming inside

  42. shihnas
    May 7th, 2013

    plz any one send me latest dumps
    iflyuk@live.com

  43. benj lopez
    May 8th, 2013

    hi question2. why letter B its (in), should it be letter a (out)
    Q:only PC1 from accessing Server1 while allowing all other traffic to flow normally? should it be going out instead of going in? Should the answer be
    A – Router(config)# interface fa0/0
    Router(config-if)# ip access-group 101 out
    instead of B.

  44. ciscopa
    May 9th, 2013

    yes, I agree that question2. should it be letter A (out)

  45. C2
    May 13th, 2013

    Did anyone take the exam this May 2013? any suggestion?

  46. Mike
    May 14th, 2013

    Guys I am taking the CCNA next week. Can someone please send me the latest Dumps ?

  47. Mike
    May 14th, 2013

    Guys I am taking the CCNA next week. Can someone please send me the latest Dumps ? doncasta8@yahoo.com

  48. Anonymous
    May 16th, 2013

    Hey Pple am taking my ccna exam next week , can someone please send me d latest dumps? Debbytutu2002@gmail.com

  49. Geoffrey
    May 17th, 2013

    Please i want to take my CCNA next two weeks.Can someone help me out with latest Dumps?Pls!! I will appreciate.geolinks2002@yahoo.com

  50. Geoffrey
    May 17th, 2013

    Please i want to take my CCNA next two weeks.Can someone help me out with latest Dumps? I will appreciate.geolinks2002@yahoo.com
