CCNA – Access List Questions

May 1st, 2011

Here you will find answers to CCNA Access list questions

Note: If you are not sure about how to use Access list, please read my Access list tutorial

Question 1

Your boss is taking a CCNA training course. Refer to the exhibit. The access list has been configured on the S0/0 interface of router RTB in the outbound direction. Which two packets, if routed to the interface, will be denied? (Choose two)

access-list 101 deny tcp 192.168.15.32 0.0.0.15 any eq telnet
access-list 101 permit ip any any

A. source ip address: 192.168.15.5; destination port: 21
B. source ip address: 192.168.15.37; destination port: 21
C. source ip address: 192.168.15.41; destination port: 21
D. source ip address: 192.168.15.36; destination port: 23
E. source ip address: 192.168.15.46; destination port: 23
F. source ip address: 192.168.15.49; destination port: 23

Answer: D E

Explanation

First, note that Telnet uses port 23, so only D, E and F can satisfy this requirement.

The purpose of this access list is to deny Telnet traffic from network 192.168.15.32 255.255.255.240 to any device (to find the subnet mask, invert the wildcard mask: change every "0" bit to "1" and every "1" bit to "0"). So we need to work out the address range of this network to learn which IP addresses will be denied.

Increment: 16
Network address: 192.168.15.32
Broadcast address: 192.168.15.47

-> Only 192.168.15.36 (Answer D) and 192.168.15.46 (Answer E) belong to this range, so they are the correct answers.

Question 2

Refer to the graphic. It has been decided that PC1 should be denied access to Server. Which of the following commands are required to prevent only PC1 from accessing Server1 while allowing all other traffic to flow normally? (Choose two)

[Exhibit image: accesslist2]

A – Router(config)# interface fa0/0
Router(config-if)# ip access-group 101 out
B – Router(config)# interface fa0/0
Router(config-if)# ip access-group 101 in
C – Router(config)# access-list 101 deny ip host 172.16.161.150 host 172.16.162.163
Router(config)# access-list 101 permit ip any any
D – Router(config)# access-list 101 deny ip 172.16.161.150 0.0.0.255 172.16.162.163 0.0.0.0
Router(config)# access-list 101 permit ip any any

Answer: B C

Question 3

Refer to the exhibit. Why would the network administrator configure RA in this manner?

[Exhibit image: accesslist3]

A. to give students access to the Internet
B. to prevent students from accessing the command prompt of RA
C. to prevent administrators from accessing the console of RA
D. to give administrators access to the Internet
E. to prevent students from accessing the Internet
F. to prevent students from accessing the Admin network

Answer: B

Explanation

Although the access list is used to "permit" network 10.1.1.0/24, the best answer here is "to prevent students from accessing the command prompt of RA". From the exhibit, we know that 10.1.1.0/24 is the "Admin" network. This access list is applied to "line vty 0 4", so it permits only Telnet traffic from "Admin" to RA and drops all other traffic (because of the implicit "deny all" at the end of the access list). Therefore we can deduce that it will "prevent students from accessing the command prompt of RA".

This access list only filters Telnet traffic (because it is applied to the vty lines), so it will not prevent or allow anyone to access the Internet -> A, D, E are not correct.

C is not correct, as this access list allows administrators to access the console of RA.

F is not correct, as this access list does not process TCP, UDP or IP traffic, so the students can still access the Admin network.

(Notice that the "command prompt" here implies Telnet, as Telnet is the only way to remotely access RA)

Question 4

An access list was written with the four statements shown in the graphic. Which single access list statement will combine all four of these statements into a single statement that will have exactly the same effect?

[Exhibit image: accesslist4]

A. access-list 10 permit 172.29.16.0 0.0.0.255
B. access-list 10 permit 172.29.16.0 0.0.1.255
C. access-list 10 permit 172.29.16.0 0.0.3.255
D. access-list 10 permit 172.29.16.0 0.0.15.255
E. access-list 10 permit 172.29.0.0 0.0.255.255

Answer: C

Explanation

The four statements above allow 4 networks (from 172.29.16.0/24 to 172.29.19.0/24) to go through, so we can summarize them as network 172.29.16.0/22.

/22 = 255.255.252.0, which equals 0.0.3.255 when converted into a wildcard mask -> C is correct.

A, B, D are not correct, as their wildcard masks are wrong. For example:
Answer A allows from 172.29.16.0 to 172.29.16.255
Answer B allows from 172.29.16.0 to 172.29.17.255
Answer D allows from 172.29.16.0 to 172.29.31.255

Both the network address and the wildcard mask of answer E are wrong, as it allows the whole major network 172.29.0.0/16 to go through.
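Added example (not part of the original page): a Python check of the summarization above, using the standard ipaddress module. It collapses the four /24 networks named in the explanation into one network/wildcard pair and tests which answer option covers exactly the same range; it also goes one step beyond the question by showing a block of four /24s that does not start on a /22 boundary. The function names are illustrative.

```python
import ipaddress

def wildcard_range(base, wildcard):
    """First and last address matched by BASE WILDCARD (contiguous wildcard assumed)."""
    w = int(ipaddress.IPv4Address(wildcard))
    first = int(ipaddress.IPv4Address(base)) & ~w & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(first)), str(ipaddress.IPv4Address(first | w))

def summarize(networks):
    """Collapse prefixes into the fewest (network, wildcard) pairs covering exactly them."""
    nets = [ipaddress.ip_network(n) for n in networks]
    return [(str(n.network_address), str(n.hostmask))
            for n in ipaddress.collapse_addresses(nets)]

# The four networks named in the explanation of Question 4.
PERMITTED = ["172.29.16.0/24", "172.29.17.0/24", "172.29.18.0/24", "172.29.19.0/24"]

# Answer options A-E as (base, wildcard).
OPTIONS = {
    "A": ("172.29.16.0", "0.0.0.255"),
    "B": ("172.29.16.0", "0.0.1.255"),
    "C": ("172.29.16.0", "0.0.3.255"),
    "D": ("172.29.16.0", "0.0.15.255"),
    "E": ("172.29.0.0", "0.0.255.255"),
}

def exact_options():
    """Options whose matched range equals the range of the four original networks."""
    nets = [ipaddress.ip_network(n) for n in PERMITTED]
    want = (str(min(n.network_address for n in nets)),
            str(max(n.broadcast_address for n in nets)))
    return [k for k, (base, wc) in OPTIONS.items() if wildcard_range(base, wc) == want]

# Constructed counter-example: four consecutive /24s that are not aligned on a
# /22 boundary cannot be written as one statement with a contiguous wildcard.
UNALIGNED = ["172.29.17.0/24", "172.29.18.0/24", "172.29.19.0/24", "172.29.20.0/24"]

if __name__ == "__main__":
    print("summary:", summarize(PERMITTED))
    for key, (base, wc) in OPTIONS.items():
        print(key, wildcard_range(base, wc))
    print("exact match:", exact_options())
    print("unaligned block needs:", summarize(UNALIGNED))
```

An option that covers more than the original range (D or E here) silently permits extra networks, so the comparison has to be for an exact match and not just for coverage.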

Question 5

A network administrator wants to add a line to an access list that will block only Telnet access by the hosts on subnet 192.168.1.128/28 to the server at 192.168.1.5. What command should be issued to accomplish this task?

A – access-list 101 deny tcp 192.168.1.128 0.0.0.15 192.168.1.5 0.0.0.0 eq 23
access-list 101 permit ip any any
B – access-list 101 deny tcp 192.168.1.128 0.0.0.240 192.168.1.5 0.0.0.0 eq 23
access-list 101 permit ip any any
C – access-list 1 deny tcp 192.168.1.128 0.0.0.255 192.168.1.5 0.0.0.0 eq 21
access-list 1 permit ip any any
D – access-list 1 deny tcp 192.168.1.128 0.0.0.15 host 192.168.1.5 eq 23
access-list 1 permit ip any any

Answer: A

Explanation:

First, the question asks to block only Telnet access, so the port we have to use is 23 -> C is not correct.

Next we need to block traffic from hosts on the subnet 192.168.1.128/28, which is 192.168.1.128 0.0.0.15 in wildcard-mask form (invert every bit of the subnet mask, 0 to 1 and 1 to 0, to get the equivalent wildcard mask) -> so B is incorrect.

In this case we have to use an extended access list because we need to specify the type of traffic (TCP) and the port (23) we want to block -> so D is incorrect because it uses a standard access list.

Question 6

As a network administrator, you have been instructed to prevent all traffic originating on the LAN from entering the R2 router. Which of the following commands would implement the access list on the interface of the R2 router?

[Exhibit image: accesslist_blocktraffic]

A – access-list 101 in
B – access-list 101 out
C – ip access-group 101 in
D – ip access-group 101 out

Answer: C

Question 7

The access list below was applied outbound on the E0 interface connected to the 192.169.1.8/29 LAN:

access-list 135 deny tcp 192.169.1.8 0.0.0.7 eq 20 any
access-list 135 deny tcp 192.169.1.8 0.0.0.7 eq 21 any

How will the above access lists affect traffic?

A – FTP traffic from 192.169.1.22 will be denied
B – No traffic, except for FTP traffic will be allowed to exit E0
C – FTP traffic from 192.169.1.9 to any host will be denied
D – All traffic exiting E0 will be denied
E – All FTP traffic to network 192.169.1.9/29 will be denied

Answer: D

Explanation:

There is always an implicit "deny all" at the end of every access list, so if an access list doesn't contain any "permit" statement, it will block all traffic.

Note: This access list is applied in the outbound direction, so only packets exiting E0 are checked. Packets entering E0 are not checked and are all allowed to pass through.
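Added example (not part of the original page): a small Python model of how a router walks an extended access list, covering both the wildcard matching from Question 1 and the implicit "deny all" from Question 7. It parses the access-list lines exactly as printed on this page and returns the action of the first matching entry. It is a teaching model of the matching rules only; the destination address 10.0.0.1 and all function names are assumptions made for the example.

```python
import ipaddress

PORTS = {"ftp-data": 20, "ftp": 21, "telnet": 23}  # port names used by ACLs on this page

def ip_int(s):
    return int(ipaddress.IPv4Address(s))

def read_addr(tok, i):
    """Parse 'any', 'host A' or 'A WILDCARD' at tok[i] -> ((base, wildcard), next index)."""
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return (ip_int(tok[i + 1]), 0), i + 2
    return (ip_int(tok[i]), ip_int(tok[i + 1])), i + 2

def read_port(tok, i):
    """Parse an optional 'eq PORT' at tok[i] -> (port or None, next index)."""
    if i < len(tok) and tok[i] == "eq":
        return PORTS.get(tok[i + 1]) or int(tok[i + 1]), i + 2
    return None, i

def parse_ace(line):
    """Parse 'access-list N {permit|deny} PROTO SRC [eq P] DST [eq P]'."""
    tok = line.split()
    ace = {"action": tok[2], "proto": tok[3]}
    ace["src"], i = read_addr(tok, 4)
    ace["sport"], i = read_port(tok, i)
    ace["dst"], i = read_addr(tok, i)
    ace["dport"], i = read_port(tok, i)
    return ace

def addr_match(addr, spec):
    care = ~spec[1] & 0xFFFFFFFF  # wildcard 0-bits must match, 1-bits are ignored
    return (ip_int(addr) & care) == (spec[0] & care)

def evaluate(acl, proto, src, dst, sport=None, dport=None):
    """Action of the first matching entry; 'deny' if none matches (implicit deny)."""
    for ace in map(parse_ace, acl):
        if (ace["proto"] in ("ip", proto)
                and addr_match(src, ace["src"]) and addr_match(dst, ace["dst"])
                and ace["sport"] in (None, sport) and ace["dport"] in (None, dport)):
            return ace["action"]
    return "deny"

Q1_ACL = ["access-list 101 deny tcp 192.168.15.32 0.0.0.15 any eq telnet",
          "access-list 101 permit ip any any"]
Q7_ACL = ["access-list 135 deny tcp 192.169.1.8 0.0.0.7 eq 20 any",
          "access-list 135 deny tcp 192.169.1.8 0.0.0.7 eq 21 any"]
DST = "10.0.0.1"  # constructed destination; the questions do not give one
Q1_OPTIONS = {"A": ("192.168.15.5", 21), "B": ("192.168.15.37", 21),
              "C": ("192.168.15.41", 21), "D": ("192.168.15.36", 23),
              "E": ("192.168.15.46", 23), "F": ("192.168.15.49", 23)}

def q1_denied():
    return [k for k, (s, p) in Q1_OPTIONS.items() if evaluate(Q1_ACL, "tcp", s, DST, dport=p) == "deny"]

if __name__ == "__main__":
    print("Question 1 denied:", q1_denied())
    print("Question 7, UDP from another subnet:", evaluate(Q7_ACL, "udp", "172.16.0.1", DST, dport=53))
```

In the Question 7 list the UDP packet matches neither entry, yet it is still dropped: the result comes from the final `return "deny"`, which is the implicit deny the explanation describes.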

Question 8

The access control list shown in the graphic has been applied to the Ethernet interface of router R1 using the ip access-group 101 in command. Which of the following Telnet sessions will be blocked by this ACL? (Choose two)

[Exhibit image: accesslist]

A – from host PC1 to host 5.1.1.10
B – from host PC1 to host 5.1.3.10
C – from host PC2 to host 5.1.2.10
D – from host PC2 to host 5.1.3.8

Answer: B D

Explanation

Below is the simplified syntax of an extended access list:

access-list access-list-number {deny | permit} {ip|tcp|udp|icmp} source [source-mask] dest [dest-mask] [eq dest-port]

Notice that this access list is applied to the Ethernet interface of R1 in the "in" direction, so in this case it filters all packets originating from the E1 network (hosts PC1 and PC2) with these parameters:

Source network: 5.1.1.8 0.0.0.3 which means 5.1.1.8/252 (just invert all the wildcard bits to get the equivalent subnet mask) -> Packets from 5.1.1.8 to 5.1.1.11 will be filtered.

Destination network: 5.1.3.0 0.0.0.255 which means 5.1.3.0/24 -> Packets to 5.1.3.0/24 will be filtered.

Therefore packets that originate from 5.1.1.8 to 5.1.1.11 and are destined for a host 5.1.3.x (via Telnet) will be denied.

Question 9

The following configuration line was added to router R1

Access-list 101 permit ip 10.25.30.0 0.0.0.255 any

What is the effect of this access list configuration?

A – permit all packets matching the first three octets of the source address to all destinations
B – permit all packets matching the last octet of the destination address and accept all source addresses
C – permit all packets matching the host bits in the source address to all destinations
D – permit all packets from the third subnet of the network address to all destinations

Answer: A

Comments
  1. Rauf Rafique
    January 27th, 2011

    any body tell how my %age required to pass ccna exam i m confused about it is 80% or 85%
    ?

  2. Salim
    January 31st, 2011

    I going through 1st time my CCNA Exam. Do I have to write “Router# config t or config terminal? and what is best study material to take?

  3. Dr.Arubix
    January 31st, 2011

    @ Rauf…you need an 825 / 1000 to pass..so in the middle of your two guesses…

    @ Salim…no..you don't. The prompt will be there, just like a real router..you can use the shorter “Conf t” or write out configure terminal and both will achieve the same effect on exam day :) Good luck..I test tomorrow!

  4. Salim
    January 31st, 2011

    Thanks, Dr. Arubix

  5. kebabfest
    January 31st, 2011

    Went through my exam and failed with 782. I am going to do it again in 2 weeks.
    My major problem was time and lack of preparation.
    The only question I hadn’t seen before was one regarding why is WPA better than WEP ?
    Anybody doing this should do Lab after Lab. As the time it takes you to work out what they're looking for in a Lab is time consuming. (It killed me !)

  6. dr dre
    January 31st, 2011

    good site guys…keep it up. helped a lot in my preparation
    passed today :) i suggest you do good background reading, attempt all questions from this site and the latest exam collection file. All the sims from here,
    EIGRP, VTP, ACL2 – with only differences the host and ip addresses. Do practise on these using packet tracer.
    Good luck people.

  7. Zabby
    February 3rd, 2011

    Hello,

    I will be writing my exam next week. Please can somebody send me the latest dumps at zahabia_d@hotmail.com Thanks in advance.

  8. JUAN MILLION
    February 4th, 2011

    HELLO GUYS!!

    I just want to clarify regarding the simulations exam specifically to the ACL2.

    Prior to your example, host C is only allowed to access the server..my question is:

    If ever the question is to allow host A,B,C and D to access the server, how will i execute the command?

    What i did is execute the command:

    router2(config)#access-list 100 permit tcp 192.168.33.1 0.0.0.3 host 172.22.242.23 eq 80
    router2(config)#access-list 100 deny tcp any host 172.22.242.23 eq 80
    router2(config)#access-list 100 permit ip any any

    router2(config)#int fa0/1
    router2(config-if)#ip access-group 100 out

    What happened is that when i used to enter the “sh run”, it shows the allowed ip adds are from 192.168.33.0 – 192.168.33.3 instead of 192.168.33.1-192.168.33.4…

    Please answer this..Thank You very much…

  9. Nilesh Sharma
    February 4th, 2011

    Hi Frds

    I m giving exam within 2 weeks
    can you plz send me latest dump……………….

    nilesh_ccna@rediffmail.com

  10. JKano
    February 4th, 2011

    Dear Juan Million,

    Here is the answer:

    If ever the question is to allow host A,B,C and D to access the server, how will i execute the command?

    router2(config)#access-list 100 permit tcp 192.168.33.0 0.0.0.4 host 172.22.242.23 eq 80
    router2(config)#access-list 100 deny tcp any host 172.22.242.23 eq 80
    router2(config)#access-list 100 permit ip any any

    router2(config)#int fa0/1
    router2(config-if)#ip access-group 100 out
    router2(config-if)#end
    router2#copy run start
    router2#

    This will only allow the 1st four address of network 192.168.33.0/24 to access the server:
    i.e the address range of 192.168.33.1 – 192.168.33.4

    The wild card mask is the selection parameter, so learn how to use it.

  11. Bu Abdo
    February 5th, 2011

    HI GUYS !!!
    I am doing my CCNA exam in 2 weeks ..
    Please help me with the latest dumps MOHAMEDD11@HOTMAIL.COM

  12. abdullah
    February 5th, 2011

    HI GUYS !!!
    I am doing my CCNA exam in 15 feb .
    Please help me with the latest dumps a_ghashami02@yahoo.com

  13. gaya3
    February 6th, 2011

    hi everyone to giv my ccna exam this month..can anyone pls share the link for the latest dumps with me bcoz the one i downloaded didnt open with my acrobat..

  14. yoshi
    February 7th, 2011

    Hi. I am doing my exam in a couple of days. I have been working with telecom network design and implementation…not exactly with Cisco router, but other vendors. I can do all the theoretical questions in the website, but I am really worried about the questions which require Cisco commands. I am not sure I can pass.

    Can anyone send me the latest dumps? zengmingsophie@hotmail.com

    thanks!!!!

  15. Amit KUmar
    February 7th, 2011

    Hi Guys!

    My name is Amit and i am doing CCNA.

    And next week i am going to give my CCNA exam so can you help me out and provide me some dumps for preparation.

  16. Amit KUmar
    February 7th, 2011

    Hi Guys!

    My name is Amit and i am doing CCNA.

    And next week i am going to give my CCNA exam so can you help me out and provide me some dumps for preparation. My email id amitkumar51@indiabulls.com

  17. QA
    February 7th, 2011

    Hi Guys,
    I am giving my Exam today, wish me luck…

  18. m13
    February 7th, 2011

    hi guys i m going to give exam tomorrow morning.
    wish me gud luck.
    and plz send me any useful tips you have for me
    thank u.

  19. Prashant
    February 8th, 2011

    @Genia & Rauf :
    Thanx 4 ur complement guys..

  20. Stuntluke
    February 9th, 2011

    9tut, please explain #6. Why is it C and not A? I simply don’t understand the difference between Access-list and Access-Group.

    Thank you in advance!

  21. mickelzy
    February 9th, 2011

    hi guys, i am going to write my exam very soon.Plz can any one send me the latest dump on mickelzychi85@yahoo.com

  22. 9tut
    February 9th, 2011

    @Stuntluke: The access-list command is used to create an access list while the ip access-group command is used to apply an access list to an interface.

  23. Mir@ Guwahati
    February 9th, 2011

    Aalhamdulillah,

    Hi Everyone,

    I M Just here to say thank u so much to 9tut and all who post there valuable comment on this website.
    I took mah Exm on 4th Feb’11 and I hv pass d Exm with scoring 923.

    All d best to u all who is gonna be appeare dr exm.

  24. manpueblo
    February 9th, 2011

    Plz can any one send me the latest dump at manpueblo@lycos.com

    Thanks

  25. RishiAgarwal
    February 10th, 2011

    haiiiiiii machans,,,,,,,,plz can any one help me……..,,,,i’m having exams within 2 weeks.

  26. Rohan Bharadwaj
    February 11th, 2011

    Hello guys

    i am planning to take exam on feb 17th. Can any one help me in providing with new dumps.

    Here is my id.. rohan_bharadwaj4all@yahoo.co.in

  27. Shantanu
    February 11th, 2011

    I have Totally Depression Because Many Person Can Say Sim Host & Ip Add. Will Be Changed.
    But Our Many Friend Clear The Exam So Please Give me Any Suggestion Because Our Exam Is 14 Th Feb, If Any Suggestion So Forward Message s_gupta1988@yahoo.com

  28. Anonymous
    February 11th, 2011

    same confusion also going with me boss smartysaadi@hotmail.com

  29. Anonymous
    February 11th, 2011

    Please, can anyone send me the latest dump at barbarians148@hotmail.com

    Thanks

  30. Anonymous
    February 12th, 2011

    im taking my exam on the 22nd february. can anyone send me the latest dump

  31. Anonymous
    February 12th, 2011

    im taking my exam on the 22nd february. can anyone send me the latest dump at semak18@hotmail.com

  32. Mohammad Idrees
    February 13th, 2011

    Hi Friends
    Has any1 done the CCNA exam since yesterday… Please give latest updates… Which labs came on the exam… Thanks in advance
    i will take CCNA exam next week.. can anyone send me the latest dumps..pls

    Email: Idrees233@yahoo.com

  33. Anonymous
    February 15th, 2011

    HI GUYS !!!
    I am doing my CCNA exam in 120 feb .
    Please help me with the latest dumps mohamali04@yahoo.com

  34. Ali
    February 15th, 2011

    HI GUYS !!!
    I am doing my CCNA exam in 20 feb .
    Please help me with the latest dumps mohamali04@yahoo.com

    Thanks

  35. Rakesh
    February 15th, 2011

    Guys I can see EIGRP and VTP.. But when you mean ACL sim2 which one is it? because I see only “CCNA – Access List Questions “. I am preparing for the exam can someone pls clarify…????

  36. asif
    February 15th, 2011

    I am doing ccna course and wants latest dumps please help

  37. Zahari
    February 16th, 2011

    Hi guys,

    I’m doing my CCNA today 11:30am wish me luck.. Thanks

  38. kannan
    February 16th, 2011

    going to take exam next week.any advice??

  39. Zahari
    February 16th, 2011

    hi its me again. Alhamdullih.. I’m pass with flying colour just now 1000/1000 – 100% question from 356 and simulation VTP,ACL and EIGRP.. Good Luck ; )

  40. ‘Larjah
    February 16th, 2011

    Hi guys,
    Am new here, i will be writing my CCNA exam in 3weeks can anyone send me the latest dumps to help me for my preparation to paspeters@yahoo.com. I will be looking forward to receiving the dumps.

    9tut: Thanks for a well done job here

  41. ‘Larjah
    February 16th, 2011

    @Zahari: Congrats on joining the league of CCNA Associates, can u please tell what are the latest questions like, are there any serious changes and what are the areas in your own opinion you think anyone about to write the exam should concentrate on for studying?
    Expecting your response, once again congrats!

  42. sanjay
    February 17th, 2011

    i m going to take exam this week.any advice??

  43. Honey
    February 17th, 2011

    can any body send me the latest dumps on e-mail at goldenhoney19@hotmail.com

  44. Walid Sabry
    February 18th, 2011

    Hello dears ,

    Check out this site for CCNA exam dumps

    http://www.examcollection.com/640-802.html

    Good luck for all of you ;-)

  45. Walid Sabry
    February 19th, 2011

    Hi crabla , all

    Pick this one it is very good ” Cisco CertifyMe 640-802 v2011-01-20 by Gaahl 368q.vce ” from the http://www.examcollection.com/640-802.html

  46. help ccna
    February 19th, 2011

    sabry hello! this is just the dump from which I have studied! but if you read the comments below say that most of the questions have changed! you?
    thank you very much

  47. Walid Sabry
    February 19th, 2011

    you wlkm my dear , i am not sure but i felt this is a good dump
    Good luck crabla ;-)

  48. Debby
    February 23rd, 2011

    Thanks ya all. Please am taking my exam in 2 weeks , please could anyone send me
    all important sites and dumpS.

    gbad589@yahoo.com

    THANKS

  49. Raj
    February 24th, 2011

    can any one tell sim EIGRP, VTP, ACL2. I knw EIGRP VTP but wat is Acl2 sim..i m confused its 2 sim question of ACL ? please clear if i m wrong

  50. Feroz khan
    February 25th, 2011

    hey its me feroz khan, i will pas the ccna 640-802 exam yesterday 925 marks and i m real Happppyyyyyyyyyy. in exam there was 3 simulations ACL2,EIGRP, and VTP so plz prepare these simulation inshaullah u will be succeeded keep studying…………………………..
