
CCNA – Access List Questions

May 1st, 2011

Here you will find answers to CCNA Access list questions

Note: If you are not sure about how to use Access list, please read my Access list tutorial

Question 1

Your boss is taking a CCNA training course. Refer to the exhibit. The access list has been configured on the S0/0 interface of router RTB in the outbound direction. Which two packets, if routed to the interface, will be denied? (Choose two)

(Exhibit: accesslist1)

access-list 101 deny tcp 192.168.15.32 0.0.0.15 any eq telnet
access-list 101 permit ip any any

A. source IP address: 192.168.15.5; destination port: 21
B. source IP address: 192.168.15.37; destination port: 21
C. source IP address: 192.168.15.41; destination port: 21
D. source IP address: 192.168.15.36; destination port: 23
E. source IP address: 192.168.15.46; destination port: 23
F. source IP address: 192.168.15.49; destination port: 23

 

Answer: D E

Explanation

First we notice that Telnet uses port 23, so only D, E and F can satisfy this requirement.

The purpose of this access list is to deny traffic from network 192.168.15.32 255.255.255.240 (to find the subnet mask, just convert every "0" bit of the wildcard mask to "1" and every "1" bit to "0") from telnetting to any device. So we need to figure out the range of this network to learn which IP addresses will be denied.

Increment: 16
Network address: 192.168.15.32
Broadcast address: 192.168.15.47

-> Only 192.168.15.36 (answer D) and 192.168.15.46 (answer E) belong to this range, so they are the correct answers.

Question 2

Refer to the graphic. It has been decided that PC1 should be denied access to Server. Which of the following commands are required to prevent only PC1 from accessing Server1 while allowing all other traffic to flow normally? (Choose two)

(Exhibit: accesslist2)

A – Router(config)# interface fa0/0
Router(config-if)# ip access-group 101 out
B – Router(config)# interface fa0/0
Router(config-if)# ip access-group 101 in
C – Router(config)# access-list 101 deny ip host 172.16.161.150 host 172.16.162.163
Router(config)# access-list 101 permit ip any any
D – Router(config)# access-list 101 deny ip 172.16.161.150 0.0.0.255 172.16.162.163 0.0.0.0
Router(config)# access-list 101 permit ip any any

 

Answer: B C

 

Question 3

Refer to the exhibit. Why would the network administrator configure RA in this manner?

(Exhibit: accesslist3)

A. to give students access to the Internet
B. to prevent students from accessing the command prompt of RA
C. to prevent administrators from accessing the console of RA
D. to give administrators access to the Internet
E. to prevent students from accessing the Internet
F. to prevent students from accessing the Admin network

 

Answer: B

Explanation

Although the access list is used to "permit" network 10.1.1.0/24, the best answer here is "to prevent students from accessing the command prompt of RA". From the exhibit, we know that 10.1.1.0/24 is the "Admin" network. This access list is applied to "line vty 0 4", so it permits only Telnet traffic from "Admin" to RA while dropping all other Telnet traffic (because of the implicit "deny all" at the end of the access list). Therefore we can deduce that it will "prevent students from accessing the command prompt of RA".

This access list only filters Telnet traffic (because it is applied to the vty lines), so it will neither prevent nor allow anyone to access the Internet -> A, D, E are not correct.

C is not correct as this access list allows administrators to access the console of RA.

F is not correct as this access list does not process transit TCP, UDP or IP traffic, so the students can still access the Admin network.

(Notice that "command prompt" here implies Telnet, as Telnet is the only way to remotely access RA.)

Question 4

An access list was written with the four statements shown in the graphic. Which single access list statement will combine all four of these statements into a single statement that will have exactly the same effect?

(Exhibit: accesslist4)

A. access-list 10 permit 172.29.16.0 0.0.0.255
B. access-list 10 permit 172.29.16.0 0.0.1.255
C. access-list 10 permit 172.29.16.0 0.0.3.255
D. access-list 10 permit 172.29.16.0 0.0.15.255
E. access-list 10 permit 172.29.0.0 0.0.255.255

 

Answer: C

Explanation

The four statements above allow four networks (172.29.16.0/24 through 172.29.19.0/24) to go through, so we can summarize them as network 172.29.16.0/22.

/22 = 255.255.252.0, which equals 0.0.3.255 when converted to a wildcard mask -> C is correct.

A, B, D are not correct as their wildcard masks are wrong. For example:
Answer A allows from 172.29.16.0 to 172.29.16.255
Answer B allows from 172.29.16.0 to 172.29.17.255
Answer D allows from 172.29.16.0 to 172.29.31.255

Both the network address and the wildcard mask of answer E are wrong, as it allows the whole major network 172.29.0.0/16 to go through.
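As an added example (not part of the original page), the following Python code computes the smallest aligned block that covers a list of networks and expands the address range that each candidate entry of Question 4 really permits; the summarize() helper assumes the given networks do not overlap.

```python
from ipaddress import IPv4Address, IPv4Network

def ip_int(s):
    return int(IPv4Address(s))

def int_ip(n):
    return str(IPv4Address(n))

def wildcard_range(network, wildcard):
    """First and last address matched by '<network> <wildcard>' (a wildcard 1-bit is don't-care)."""
    net, wc = ip_int(network), ip_int(wildcard)
    return int_ip(net & ~wc & 0xFFFFFFFF), int_ip(net | wc)

def summarize(networks):
    """Smallest aligned block containing every network in the list (assumes no overlaps).
    Returns (network, wildcard, exact); exact is False when the block also admits
    addresses that none of the given networks contain."""
    nets = [IPv4Network(n) for n in networks]
    lo = min(int(n.network_address) for n in nets)
    hi = max(int(n.broadcast_address) for n in nets)
    for prefix in range(32, -1, -1):            # try the longest prefix first
        mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
        base = lo & mask
        if hi <= base | (~mask & 0xFFFFFFFF):   # does this block reach the highest address?
            exact = sum(n.num_addresses for n in nets) == 2 ** (32 - prefix)
            return int_ip(base), int_ip(~mask & 0xFFFFFFFF), exact

# The four /24 networks of Question 4 and the five candidate entries (from the page).
Q4_NETWORKS = ["172.29.16.0/24", "172.29.17.0/24", "172.29.18.0/24", "172.29.19.0/24"]
Q4_ANSWERS = {"A": ("172.29.16.0", "0.0.0.255"), "B": ("172.29.16.0", "0.0.1.255"),
              "C": ("172.29.16.0", "0.0.3.255"), "D": ("172.29.16.0", "0.0.15.255"),
              "E": ("172.29.0.0", "0.0.255.255")}

def matching_answers():
    """Letters whose entry equals the exact summary of the four /24s (empty if not exact)."""
    net, wc, exact = summarize(Q4_NETWORKS)
    return [k for k, v in Q4_ANSWERS.items() if v == (net, wc)] if exact else []

if __name__ == "__main__":
    for k, (net, wc) in Q4_ANSWERS.items():
        print(k, "access-list 10 permit", net, wc, "->", "-".join(wildcard_range(net, wc)))
    print(matching_answers())   # ['C']
```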

Question 5

A network administrator wants to add a line to an access list that will block only Telnet access by the hosts on subnet 192.168.1.128/28 to the server at 192.168.1.5. What command should be issued to accomplish this task?

A – access-list 101 deny tcp 192.168.1.128 0.0.0.15 192.168.1.5 0.0.0.0 eq 23
access-list 101 permit ip any any
B – access-list 101 deny tcp 192.168.1.128 0.0.0.240 192.168.1.5 0.0.0.0 eq 23
access-list 101 permit ip any any
C – access-list 1 deny tcp 192.168.1.128 0.0.0.255 192.168.1.5 0.0.0.0 eq 21
access-list 1 permit ip any any
D – access-list 1 deny tcp 192.168.1.128 0.0.0.15 host 192.168.1.5 eq 23
access-list 1 permit ip any any

 

Answer: A

Explanation:

First, the question asks to block only Telnet access, so the port we have to use is 23 -> C is not correct.

Next we need to block traffic from hosts on the subnet 192.168.1.128/28, which is 192.168.1.128 0.0.0.15 when converted to a wildcard mask (just invert all bits of the subnet mask, 0 to 1 and 1 to 0, to get the equivalent wildcard mask of that subnet mask) -> so B is incorrect.

In this case we have to use an extended access list because we need to specify which type of traffic (TCP) and which port (23) we want to block -> so D is incorrect because it uses a standard access list number.

Question 6

As a network administrator, you have been instructed to prevent all traffic originating on the LAN from entering the R2 router. Which of the following commands would implement the access list on the interface of the R2 router?

(Exhibit: accesslist_blocktraffic)

 

A – access-list 101 in
B – access-list 101 out
C – ip access-group 101 in
D – ip access-group 101 out

 

Answer: C

Question 7

The following access list was applied outbound on the E0 interface connected to the 192.169.1.8/29 LAN:

access-list 135 deny tcp 192.169.1.8 0.0.0.7 eq 20 any
access-list 135 deny tcp 192.169.1.8 0.0.0.7 eq 21 any

How will the above access list affect traffic?

A – FTP traffic from 192.169.1.22 will be denied
B – No traffic, except for FTP traffic will be allowed to exit E0
C – FTP traffic from 192.169.1.9 to any host will be denied
D – All traffic exiting E0 will be denied
E – All FTP traffic to network 192.169.1.9/29 will be denied

 

Answer: D

Explanation:

There is always an implicit “deny all” command at the end of every access list, so if an access list doesn’t have any “permit” command, it will block all the traffic.

Note: This access list is applied on outbound direction so only packets exiting E0 will be checked. Packets entering E0 will not be checked and they all are allowed to pass through.

Question 8

The access control list shown in the graphic has been applied to the Ethernet interface of router R1 using the ip access-group 101 in command. Which of the following Telnet sessions will be blocked by this ACL? (Choose two)

(Exhibit: accesslist)

A – from host PC1 to host 5.1.1.10
B – from host PC1 to host 5.1.3.10
C – from host PC2 to host 5.1.2.10
D – from host PC2 to host 5.1.3.8

 

Answer: B D

Explanation

Below is the simple syntax of an extended access list:

access-list access-list-number {deny | permit} {ip|tcp|udp|icmp} source [source-mask] dest [dest-mask] [eq dest-port]

Notice that this access list is applied to the Ethernet interface of R1 in the "in" direction, so in this case it will filter all the packets originating from the E1 network (hosts PC1 and PC2) with these parameters:

Source network: 5.1.1.8 0.0.0.3, which means 5.1.1.8 255.255.255.252 (/30; just invert all the wildcard bits to get the equivalent subnet mask) -> Packets from 5.1.1.8 to 5.1.1.11 will be filtered.

Destination network: 5.1.3.0 0.0.0.255, which means 5.1.3.0/24 -> Packets to 5.1.3.0/24 will be filtered.

Therefore packets originating from 5.1.1.8 to 5.1.1.11 and destined to hosts 5.1.3.x (via Telnet) will be denied.
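As an added example (not code from the original page), the following Python script implements a minimal matcher for the numbered extended access list syntax shown above, including the implicit "deny all", and runs it against the access lists of Questions 1, 7 and 8. The destination addresses 198.51.100.1 and 203.0.113.10 are constructed sample values, and the Question 8 entry is an assumption reconstructed from the explanation, since the real entry is only in the graphic.

```python
from ipaddress import IPv4Address

PORT_NAMES = {"telnet": 23, "ftp": 21, "ftp-data": 20}   # names IOS accepts instead of numbers

def ip_int(s):
    return int(IPv4Address(s))

def parse_addr(tokens, i):
    """Consume one address spec at tokens[i]; return ((network, wildcard), next_index)."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (ip_int(tokens[i + 1]), 0), i + 2
    return (ip_int(tokens[i]), ip_int(tokens[i + 1])), i + 2

def parse_port(tokens, i):
    """Consume an optional 'eq <port>'; return (port or None, next_index)."""
    if i < len(tokens) and tokens[i] == "eq":
        p = tokens[i + 1]
        return (PORT_NAMES[p] if p in PORT_NAMES else int(p)), i + 2
    return None, i

def parse_ace(line):
    """access-list <n> {permit|deny} <proto> <src> [eq p] <dst> [eq p]"""
    t = line.split()
    src, i = parse_addr(t, 4)
    sport, i = parse_port(t, i)
    dst, i = parse_addr(t, i)
    dport, i = parse_port(t, i)
    return {"action": t[2], "proto": t[3], "src": src, "sport": sport,
            "dst": dst, "dport": dport}

def addr_matches(spec, ip):
    """A wildcard bit of 1 means 'don't care': compare only where the wildcard bit is 0."""
    net, wc = spec
    care = ~wc & 0xFFFFFFFF
    return (ip_int(ip) & care) == (net & care)

def evaluate(acl, proto, src, dst, sport=None, dport=None):
    """Walk the list top-down; the first matching entry decides, else implicit deny."""
    for ace in map(parse_ace, acl):
        if ace["proto"] not in ("ip", proto):
            continue
        if ace["sport"] is not None and ace["sport"] != sport:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        if addr_matches(ace["src"], src) and addr_matches(ace["dst"], dst):
            return ace["action"]
    return "deny"   # the implicit "deny all" at the end of every access list

ACL_Q1 = ["access-list 101 deny tcp 192.168.15.32 0.0.0.15 any eq telnet",
          "access-list 101 permit ip any any"]
ACL_Q7 = ["access-list 135 deny tcp 192.169.1.8 0.0.0.7 eq 20 any",
          "access-list 135 deny tcp 192.169.1.8 0.0.0.7 eq 21 any"]
# Question 8's entry is only in the graphic; this line is an assumption reconstructed
# from the explanation (source 5.1.1.8 0.0.0.3, destination 5.1.3.0 0.0.0.255, Telnet).
ACL_Q8 = ["access-list 101 deny tcp 5.1.1.8 0.0.0.3 5.1.3.0 0.0.0.255 eq 23",
          "access-list 101 permit ip any any"]

def question1_denied(dst="198.51.100.1"):   # constructed destination; the entry says "any"
    candidates = {"A": ("192.168.15.5", 21), "B": ("192.168.15.37", 21), "C": ("192.168.15.41", 21),
                  "D": ("192.168.15.36", 23), "E": ("192.168.15.46", 23), "F": ("192.168.15.49", 23)}
    return sorted(k for k, (ip, port) in candidates.items()
                  if evaluate(ACL_Q1, "tcp", ip, dst, dport=port) == "deny")

if __name__ == "__main__":
    print(question1_denied())                                               # ['D', 'E']
    print(evaluate(ACL_Q7, "tcp", "192.169.1.9", "203.0.113.10", dport=80))  # deny: no permit entry
    print(evaluate(ACL_Q8, "tcp", "5.1.1.11", "5.1.3.8", dport=23))         # deny
```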

Question 9

The following configuration line was added to router R1:

Access-list 101 permit ip 10.25.30.0 0.0.0.255 any

What is the effect of this access list configuration?
A – permit all packets matching the first three octets of the source address to all destinations
B – permit all packets matching the last octet of the destination address and accept all source addresses
C – permit all packets matching the host bits in the source address to all destinations
D – permit all packets from the third subnet of the network address to all destinations

 

Answer: A

Comments
  1. ndane
    May 24th, 2013

    hello good morning to all ccna guys! I can't access composite quiz, it is because I'm a new member. If someone can help, send me the procedure, I will be grateful
    my e-mail elishamaka@rocketmail.com

  2. PK
    May 26th, 2013

    Q8 I don’t understand if the the increment is 4,
    5.1.1.8 0.0.0.3 which means 5.1.1.8/ 255.255.255.252
    5.1.1.12
    host assignable IP range should be 5.1.1.9-5.1.1.11

    How it has allocated subnet ID on a host?
    I am confused. Can this be done? Can someone explain to me?

  3. PK
    May 26th, 2013

    Q8. Oh no. I have confused in the network diagram it is /24 then it comes to Access list only 0.0.0.3 . Interesting. Does this mean you can block just 4 hosts out of 254 hosts here?

  4. Anonymous
    May 30th, 2013

    It is a good practice to apply the ACL on the interface closest to the source of the traffic. According to Cisco: http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml

  5. anonymous
    June 2nd, 2013

    Question 7

    access-list 135 deny tcp 192.169.1.8 0.0.0.7 eq 20 any
    access-list 135 deny tcp 192.169.1.8 0.0.0.7 eq 21 any
    –the syntax is wrong.. eq 20 shud be after any..
    or am i wrong? does it still work?

  6. Nero
    June 4th, 2013

    Hi PK,

    Don't forget, you have a broadcast address as well, so if you have a range of four addresses, then you practically only have two assignable IPs.
    Put it in an example: 192.168.1.4/30
    so you have 192.168.1.4, which is the network address
    192.168.1.5, 192.168.1.6, usable host addresses
    192.168.1.7 this is the broadcast address, so you can't assign this address.

  7. Nero
    June 4th, 2013

    Dear Pk,

    I think I know what you are concerned about. In Q8 the access-list denies the 5.1.1.8/30 IP range, so those two PCs on that subnet can't access Telnet.
    The access list does not want to block the whole /24 range but only those PCs.

  8. question 1 ..its in the exhibit /29
    June 12th, 2013

    question 1 ..its in the exhibit /29 .. but in the explanation increments as it is /28

  9. unknown
    June 12th, 2013

    Hi All
    can someone tell how the increment in q1 is 16 when it is /29 ?

  10. CCNA noob
    June 13th, 2013

    Hey 9Tut,

    First I have to say “Thank you” for all your work and dedication to helping others with their paths along Cisco certification. I plan on taking my test in the next few weeks and am VERY glad I found this site!

    OK, onto the question: This comes from the ACL questions 1 section. I had an issue with one of the answers of the questions that I have put below. Thank you for your assistance.

    A network administrator wants to add a line to an access list that will block only telnet access by the hosts on subnet 192.168.1.128/28 to the server at 192.168.1.5. What command should be issued to accomplish this task.

    Correct Answer: Access-list 101 deny tcp 192.168.1.128 0.0.0.15 192.168.1.5 0.0.0.0 eq 23
    access-list 101 permit ip any any

    Incorrect Answer: Access-list 101 deny tcp 192.168.1.128 0.0.0.15 host 192.168.1.5 eq 23
    access-list permit ip any any

    Why is the second option incorrect when the destination is a single address?

  11. 9tut
    June 13th, 2013

    @CCNA noob: The answer “Access-list 101 deny tcp 192.168.1.128 0.0.0.15 host 192.168.1.5 eq 23″ is correct and it is the same as the “Access-list 101 deny tcp 192.168.1.128 0.0.0.15 192.168.1.5 0.0.0.0 eq 23″ command. But the second statement of the incorrect answer (access-list permit ip any any) is missing the acl number 101.

  12. CCNA noob
    June 14th, 2013

    @9Tut,

    I can’t believe I missed the access list number! I even wrote that in by hand! GRRRRRR.

    Thank you for spotting it! I need to pay closer attention. :)

  13. Raj
    June 14th, 2013

    All,

    Can anyone make me clear about q.1 – Increment: 16? How the Increment works out like this.

    Look forward to hearing from you expert guys soon.

    Thanks

  14. Hi
    June 17th, 2013

    Failed with 801 score, some questions were new. But a lot from here…

  15. jiggiegene
    June 17th, 2013

    @ccnamob question #5 also remember ACL numbers 1-99 are standard access lists and you can only filter on source address. 100-199 are extended access lists, that is why the following answer is wrong: "D – access-list 1 deny tcp 192.168.1.128 0.0.0.15 host 192.168.1.5 eq 23
    access-list 1 permit ip any any"

  16. rudy
    June 17th, 2013

    801 oh my gosh, only 1 or 2 more questions.

  17. pmcd5333
    June 23rd, 2013

    this is an excellent site, although I failed my test. I know I will pass the next time. Most of the questions I saw were from here.

  18. pratheep
    June 23rd, 2013

    Hi everyone,
    I am going to take my ccna exam on july first week. plz, send the latest dumps to email pratheepk02@gmail.com. Thanks for your help.

  19. mawee
    June 24th, 2013

    hi… i’m planning to take the ccna exam on August, please send the latest dumps to mawee1223@gmail.com. Thanks a lot for the help.

  20. inshad
    June 24th, 2013

    I am going to take my ccna exam on next week. can anyone send the latest dumps to my email… agminshad@gmail.com

  21. DG
    June 24th, 2013

    Q2.
    Answer is surely wrong! I think it should be B and D???

  22. Placide
    June 24th, 2013

    No way DG.
    D is wrong answer for Q2 :
    – 172.16.161.150 0.0.0.255 represent the network 172.16.161.0 not PC1 ip address
    So B and C are correct answer for Q2

  23. 3C271
    June 27th, 2013

    Dumps are good tools to review for the exam, but be certain that the answers are correct. I came across this question, and don’t agree with the answer. Any one have any thoughts on this?

    A network administrator has configured access list 173 to prevent Telnet and ICMP traffic from reaching a server with the address of 192.168.13.26. Which commands can the administrator issue to verify that the access list is working properly? (Choose three)

    A. Router# ping 192.168.13.26
    B. Router# debug access-list 173
    C. Router# show open ports 192.168.13.26
    D. Router# show access-lists
    E. Router# show ip interface

    The answers that are stated correct are (A), (D), (E). By performing (D) and (E), you’re looking at the configuration. But by performing (A), you’re not really testing the access list because your pinging locally from the router. The access list will not deny outbound traffic that is generated locally. How does this assist you in ensuring the ACL is working properly?

  24. Bobby Guinn
    June 29th, 2013

    Thanks for these…… very helpful…..

  25. Skumar
    June 30th, 2013

    A very good one. Thank you.

  26. anil rana
    July 1st, 2013

    first i noticed

    q1 the all these ip range are same is it possible the all ip range equal like 192.168.15.255

    the exiting router ports e0/1 and s1/0 are given the same range IP address

  27. New to CCNA
    July 3rd, 2013

    Hey 9ut
    the question 1 says CIDR is 29, means subnet is 248, but in explanation it was 240. Can you kindly tell me, as my exam is in about 2 days

  28. Anonymous
    July 3rd, 2013

    ALHUMDOLILLAH
    Thanks GOD I pass today. I recommend spike dump, 9tut, and for Urdu students urduitacademy.com. All questions came from spike dump and labs from 9tut. Thanks spike, 9tut and Mr. Kashif from urduitacademy…any query —> ks_jafry@yahoo.com

  29. Florian(JanflorieMutta)
    July 20th, 2013

    hello! 9tut guys, thanks so much for your awesome and unquantifiably beautiful materials, GLORY TO GOD FOR YOUR EXISTENCE, I passed yesterday with 881/1000, all questions were from 9tut and spike dumps, with approximately minor modifications.

    simulations were : ACCESS-LIST2, VTP, AND EIGRP-
    (EIGRP sim had a lot of problems in configurations, the second router was not responding during configuration so I decided to leave it),

  30. Mario
    July 22nd, 2013

    If anyone want VCE player for MAC contact me mario8890@outlook.com

  31. Shail
    July 23rd, 2013

    hello 9tut,

    Thanks for your most valuable tutorials, which were very helpful for me to clear MY CCNA exam yesterday….

  32. Eagle9
    July 25th, 2013

    Hello,

    I want to be enlightened on question no. 5. Why did we assume that network 172.29.16.0 to 19 is /24? And why was it summarized as network 172.29.16.0 as /22?

    From what I know, below are the range:
    1-126 = /8
    128-191 = /16
    192-223 = /24

    Please help me understand. Thank you!

  33. Annoyn
    August 1st, 2013

    Q2
    While the answer C is correct, it is incomplete. You would need the host or 0.0.0.0 at the end of the statement or it returns an error

  34. Annoyn
    August 1st, 2013

    @anonymous

    The syntax is correct, if you have multiple services running on a single device you would only want to filter some of them, you can limit the source port as well as the destination port.
    so if I do

    access-list 101 deny tcp host 10.1.1.10 eq 21 host 10.1.1.20
    access-list 101 permit ip any any

    it limits the source IP from FTP data from the server

    access-list 101 deny tcp host 10.1.1.10 host 10.1.1.20 eq 21
    access-list 101 permit ip any any

    Limits the Server from sending FTP data back to the source address

  35. Redwan
    August 7th, 2013

    Q.3
    ACL would be
    access-list 2 deny 10.1.1.0 0.0.0.255

  36. hh86
    August 11th, 2013

    Refer to the graphic. It has been decided that PC1 should be denied access to Server. Which of the following commands are required to prevent only PC1 from accessing Server1 while allowing all other traffic to flow normally? (Choose two)

    (Exhibit: accesslist2)

    A – Router(config)# interface fa0/0
    Router(config-if)# ip access-group 101 out
    B – Router(config)# interface fa0/0
    Router(config-if)# ip access-group 101 in
    C – Router(config)# access-list 101 deny ip host 172.16.161.150 host 172.16.162.163
    Router(config)# access-list 101 permit ip any any
    D – Router(config)# access-list 101 deny ip 172.16.161.150 0.0.0.255 172.16.162.163 0.0.0.0
    Router(config)# access-list 101 permit ip any any

    please help : why B C not A C

  37. hh86
    August 11th, 2013

    q 2 explain

  38. Johnny
    August 12th, 2013

    Hi hh86, the answer A is wrong because the traffic to server is entering (in) the router across interface fa0/0

  39. Johnny
    August 12th, 2013

    Hi Redwan, the command line access-list 2 deny 10.1.1.0 0.0.0.255 (it would deny all traffic due to implicit deny any)

  40. Bhargav
    August 17th, 2013

    hi
    this is bhargav, I am CCNA certified
    with cost of 10000
    i will send
    ccna power point study notes
    ccna lab manuals
    ccna command guide book

  41. Mel_88
    August 17th, 2013

    Pass CCNA thanks 9tut

  42. Aditya
    August 18th, 2013

    Dear 9tut,

    I think the answer to Question 8 is wrong..It should be C and D..
    Reason: 5.1.1.8 0.0.0.3 means –> blah blah blah 00001000 / 'I care' 'I care' 'I care' 00000011
    The last 2 bits '11' say Don't care, which means it does not care what the last 2 bits are..So only .9 and .10 would be blocked.. .8 is 0000 1000..
    Correct me if I am wrong.

  43. AC
    August 19th, 2013

    Q2 Why are the answers BC and not AC. I always get confused between inbound and outbound.

    Can someone please explain the difference or why it should be inbound and not outbound?

  44. Anonymous
    August 19th, 2013

    PLS somebody help me with the latest dump CCNA. i want to write it next week. keltronicss@yahoo.com

    thanks

  45. sbr
    August 21st, 2013

    AC, VTP, EIGRP are the questions asked in version 2 of ccna exams also?

  46. sl
    August 22nd, 2013

    Can some one explain Q 4 please

  47. CiscoER
    August 22nd, 2013

    Q2 Answer is B not A You want inbound since it is an extended ACL 100-199 in this case 101. Rem for Extended ACL you want to use the port closest to the source. For Standard you want to use the port closest to the destination. Since 101 is Extended, use fa0/0 which is closest to the source (PC1) I think I got that right now i need this emblazoned in my brains
    **It’s a Rubicon**
    Q2 Why are the answers BC and not AC. I always get confused between inbound and outbound.
    Can someone please explain the difference or why it should be inbound and not outbound?

  48. CiscoER
    August 22nd, 2013

    Q4 The configuration tells the router to start at n/w 172.29.16.0 Sounds like it is requiring block sizes of 4 So… 172.29.16.0 172.29.17.0 172.29.18.0 172.29.19.0 We match the first 2 octets with 0 0 and the last with 255 (we don't care about last so all set to 1's) so we have 0.0.#.255 Since block size of 4 just minus 1 from 4. Answer is C – with mask 0.0.3.255 . Well I think so lol
    **It’s a Rubicon**

  49. 2/3s of a CCNP guy
    August 24th, 2013

    With due respect question #1 is wrong, specifically the indicated mask of 255.255.255.248 or /29. This is due to the fact that the two indicated “correct” answers of 192.168.15.36 and 192.168.15.46 end up being on two different subnets when using the /29 mask (i.e., an increment/block size of 8) indicated on the graphic, with the former answer falling into the 192.168.15.32/29 network and the latter answer into the 192.168.15.40/29 network, which is obviously not going to work. The access list’s wildcard mask of 0.0.0.15 says that.

    If you WANT those two answers TO work then you must change the indicated mask to a /28 or an increment/block size of 16, which would THEN allow the two indicated answers to fall into the 192.168.15.32/28 network, which then would be congruent with the indicated wildcard mask of 0.0.0.15. Again, block size, in this case 16, being paramount.

    This shows that you have to read things CAREFULLY. If you don’t, then you’ll hang yourself. No offense to the web site editor. We all make mistakes–and Heaven only knows that I’ve made my share of networking boo boos. By the way, I sit for my CCNA on Sept. 3. GULP. “Pray” for me.

  50. Tomas
    August 24th, 2013

    Study more. You are mixing apples and pears. The wildcard 0.0.0.15 in the access list and the subnet mask of the two LANs (192.168.15.32/29 and 192.168.15.40/29) have nothing in common. The best way for you to verify the answers are correct is to simulate it. And you'll see…
