CCNA – Access List Questions
Here you will find answers to CCNA Access list questions
Note: If you are not sure about how to use Access list, please read my Access list tutorial
Question 1
Your boss is learning a CCNA training course, refer to the exhibit. The access list has been configured on the S0/0 interface of router RTB in the outbound direction. Which two packets, if routed to the interface, will be denied? (Choose two)
access-list 101 deny tcp 192.168.15.32 0.0.0.15 any eq telnet
access-list 101 permit ip any any
A. source ip address: 192.168.15.5; destination port: 21
B. source ip address: 192.168.15.37; destination port: 21
C. source ip address: 192.168.15.41; destination port: 21
D. source ip address: 192.168.15.36; destination port: 23
E. source ip address: 192.168.15.46; destination port: 23
F. source ip address: 192.168.15.49; destination port: 23
Answer: D E
Explanation
First we notice that telnet uses port 23 so only D, E & F can satisfy this requirement.
The purpose of this access list is to deny hosts on network 192.168.15.32 255.255.255.240 from using Telnet to reach any device (to find the subnet mask, invert every bit of the wildcard mask: each “0” becomes “1” and each “1” becomes “0”). So we need to work out the address range of this network to learn which IP addresses will be denied.
Increment: 16
Network address: 192.168.15.32
Broadcast address: 192.168.15.47
-> Only 192.168.15.36 (Answer D) & 192.168.15.46 (Answer E) belong to this range, so they are the correct answers.
Question 2
Refer to the graphic. It has been decided that PC1 should be denied access to Server. Which of the following commands are required to prevent only PC1 from accessing Server1 while allowing all other traffic to flow normally? (Choose two)
A – Router(config)# interface fa0/0
Router(config-if)# ip access-group 101 out
B – Router(config)# interface fa0/0
Router(config-if)# ip access-group 101 in
C – Router(config)# access-list 101 deny ip host 172.16.161.150 host 172.16.162.163
Router(config)# access-list 101 permit ip any any
D – Router(config)# access-list 101 deny ip 172.16.161.150 0.0.0.255 172.16.162.163 0.0.0.0
Router(config)# access-list 101 permit ip any any
Answer: B C
Question 3
Refer to the exhibit. Why would the network administrator configure RA in this manner?
A. to give students access to the Internet
B. to prevent students from accessing the command prompt of RA
C. to prevent administrators from accessing the console of RA
D. to give administrators access to the Internet
E. to prevent students from accessing the Internet
F. to prevent students from accessing the Admin network
Answer: B
Explanation
Although the access list is used to “permit” network 10.1.1.0/24, the best answer here is “to prevent students from accessing the command prompt of RA”. From the picture above, we know that 10.1.1.0/24 is the “Admin” network. This access list is applied to “line vty 0 4”, so it will permit only Telnet traffic from “Admin” to RA while dropping all other traffic (because of the implicit “deny all” command at the end of the access list). Therefore we can deduce that it will “prevent students from accessing the command prompt of RA”.
This access list only filters Telnet traffic (because it is applied to the vty lines), so it will not prevent or allow anyone to access the Internet -> A, D, E are not correct.
C is not correct as this access list allows administrators to access the console of RA.
F is not correct as this access list does not process TCP, UDP or IP traffic, so the students can still access the Admin network.
(Notice that the “command prompt” here implies telnet as telnet is the only way to remotely access RA)
Question 4
An access list was written with the four statements shown in the graphic. Which single access list statement will combine all four of these statements into a single statement that will have exactly the same effect?
A. access-list 10 permit 172.29.16.0 0.0.0.255
B. access-list 10 permit 172.29.16.0 0.0.1.255
C. access-list 10 permit 172.29.16.0 0.0.3.255
D. access-list 10 permit 172.29.16.0 0.0.15.255
E. access-list 10 permit 172.29.0.0 0.0.255.255
Answer: C
Explanation
The four statements above allow 4 networks (from 172.29.16.0/24 to 172.29.19.0/24) to go through, so we can summarize them as network 172.29.16.0/22.
/22 = 255.255.252.0, so it equals 0.0.3.255 when converted into a wildcard mask -> C is correct.
A, B, D are not correct as their wildcard masks are wrong. For example:
Answer A allows from 172.29.16.0 to 172.29.16.255
Answer B allows from 172.29.16.0 to 172.29.17.255
Answer D allows from 172.29.16.0 to 172.29.31.255
Both the network address and the wildcard mask of answer E are wrong, as it allows the whole major network 172.29.0.0/16 to go through.
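The check behind this explanation, as an added example that is not part of the original page: it derives the summary wildcard from the four statements and tests whether each answer matches exactly the same addresses. The four statements are reconstructed from the explanation (the graphic is not on the page), and the function names are hypothetical.

```python
import ipaddress

MASK32 = 0xFFFFFFFF

def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def to_dotted(value):
    return str(ipaddress.IPv4Address(value))

def size(wildcard):
    # Each wildcard bit set to 1 is a "don't care" bit and doubles the match count.
    return 2 ** bin(wildcard).count("1")

def summarize(entries):
    """Smallest single (address, wildcard) pair that matches every entry."""
    bases = [to_int(a) for a, _ in entries]
    wild = 0
    for (_, w), base in zip(entries, bases):
        wild |= to_int(w) | (base ^ bases[0])   # ignore bits that vary between entries
    return to_dotted(bases[0] & ~wild & MASK32), to_dotted(wild)

def same_effect(candidate, entries):
    """True only if the candidate matches every entry and nothing more.
    Assumes the original entries do not overlap each other."""
    c_base, c_wild = to_int(candidate[0]), to_int(candidate[1])
    for addr, w in entries:
        inside = (to_int(w) & ~c_wild & MASK32) == 0
        same_fixed_bits = ((to_int(addr) ^ c_base) & ~c_wild & MASK32) == 0
        if not (inside and same_fixed_bits):
            return False                        # candidate misses part of this entry
    return size(c_wild) == sum(size(to_int(w)) for _, w in entries)

# The four statements, reconstructed from the explanation (graphic not on the page).
FOUR = [("172.29.%d.0" % n, "0.0.0.255") for n in (16, 17, 18, 19)]

ANSWERS = {
    "A": ("172.29.16.0", "0.0.0.255"),
    "B": ("172.29.16.0", "0.0.1.255"),
    "C": ("172.29.16.0", "0.0.3.255"),
    "D": ("172.29.16.0", "0.0.15.255"),
    "E": ("172.29.0.0", "0.0.255.255"),
}

def check_answers():
    return {label: same_effect(pair, FOUR) for label, pair in ANSWERS.items()}

if __name__ == "__main__":
    print(summarize(FOUR))
    print(check_answers())
```

Answers D and E do cover all four networks but match more addresses than the original statements, which is why they fail the "exactly the same effect" requirement.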
Question 5
A network administrator wants to add a line to an access list that will block only Telnet access by the hosts on subnet 192.168.1.128/28 to the server at 192.168.1.5. What command should be issued to accomplish this task?
A – access-list 101 deny tcp 192.168.1.128 0.0.0.15 192.168.1.5 0.0.0.0 eq 23
access-list 101 permit ip any any
B – access-list 101 deny tcp 192.168.1.128 0.0.0.240 192.168.1.5 0.0.0.0 eq 23
access-list 101 permit ip any any
C – access-list 1 deny tcp 192.168.1.128 0.0.0.255 192.168.1.5 0.0.0.0 eq 21
access-list 1 permit ip any any
D – access-list 1 deny tcp 192.168.1.128 0.0.0.15 host 192.168.1.5 eq 23
access-list 1 permit ip any any
Answer: A
Explanation:
First the question asks to block only Telnet access so the port we have to use is 23 -> C is not correct.
Next we need to block traffic from hosts on the subnet 192.168.1.128/28, which is 192.168.1.128 0.0.0.15 if we convert to a wildcard mask (just invert all bits of the subnet mask, from 0 to 1 and from 1 to 0, and we get the equivalent wildcard mask of that subnet mask) -> so B is incorrect.
In this case, we have to use an extended access list because we need to specify which type of traffic (TCP) and which port (23) we want to block -> so D is incorrect because it uses a standard access list.
Question 6
As a network administrator, you have been instructed to prevent all traffic originating on the LAN from entering the R2 router. Which of the following commands would implement the access list on the interface of the R2 router?
A – access-list 101 in
B – access-list 101 out
C – ip access-group 101 in
D – ip access-group 101 out
Answer: C
Question 7
The access list below was applied outbound on the E0 interface connected to the 192.169.1.8/29 LAN:
access-list 135 deny tcp 192.169.1.8 0.0.0.7 eq 20 any
access-list 135 deny tcp 192.169.1.8 0.0.0.7 eq 21 any
How will the above access lists affect traffic?
A – FTP traffic from 192.169.1.22 will be denied
B – No traffic, except for FTP traffic will be allowed to exit E0
C – FTP traffic from 192.169.1.9 to any host will be denied
D – All traffic exiting E0 will be denied
E – All FTP traffic to network 192.169.1.9/29 will be denied
Answer: D
Explanation:
There is always an implicit “deny all” command at the end of every access list, so if an access list doesn’t have any “permit” command, it will block all the traffic.
Note: This access list is applied in the outbound direction, so only packets exiting E0 will be checked. Packets entering E0 will not be checked and they are all allowed to pass through.
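The matching rules used in the explanations of Question 1 and Question 7 (wildcard match, top-down first match, implicit “deny all”), as an added example that is not part of the original page. It is a simplified evaluator that handles only the `any`, `host`, wildcard and `eq` forms shown on this page; the destination address 10.0.0.1, the source port 40000 and all function names are made up for illustration.

```python
import ipaddress

PORT_NAMES = {"ftp-data": 20, "ftp": 21, "telnet": 23}   # keywords used on this page

def ip(dotted):
    return int(ipaddress.IPv4Address(dotted))

def parse_endpoint(tok):
    """Consume 'any' | 'host A' | 'A WILDCARD', then an optional 'eq PORT'."""
    word = tok.pop(0)
    if word == "any":
        base, wild = 0, 0xFFFFFFFF
    elif word == "host":
        base, wild = ip(tok.pop(0)), 0
    else:
        base, wild = ip(word), ip(tok.pop(0))
    port = None
    if tok and tok[0] == "eq":
        name = tok[1]
        port = PORT_NAMES[name] if name in PORT_NAMES else int(name)
        del tok[:2]
    return base, wild, port

def parse_ace(line):
    tok = line.split()[2:]                      # drop "access-list <number>"
    action, proto = tok.pop(0), tok.pop(0)
    return action, proto, parse_endpoint(tok), parse_endpoint(tok)

def hit(endpoint, addr, port):
    base, wild, want = endpoint
    return ((ip(addr) ^ base) & ~wild & 0xFFFFFFFF) == 0 and want in (None, port)

def evaluate(acl, proto, src, sport, dst, dport):
    for line in acl:                            # top-down, first match wins
        action, p, s, d = parse_ace(line)
        if p in ("ip", proto) and hit(s, src, sport) and hit(d, dst, dport):
            return action
    return "deny"                               # implicit "deny all"

ACL_101 = ["access-list 101 deny tcp 192.168.15.32 0.0.0.15 any eq telnet",
           "access-list 101 permit ip any any"]
ACL_135 = ["access-list 135 deny tcp 192.169.1.8 0.0.0.7 eq 20 any",
           "access-list 135 deny tcp 192.169.1.8 0.0.0.7 eq 21 any"]

# Constructed packets: destination 10.0.0.1 and source port 40000 are made up.
Q1 = {"A": ("192.168.15.5", 21), "B": ("192.168.15.37", 21), "C": ("192.168.15.41", 21),
      "D": ("192.168.15.36", 23), "E": ("192.168.15.46", 23), "F": ("192.168.15.49", 23)}

def q1_verdicts():
    return {k: evaluate(ACL_101, "tcp", s, 40000, "10.0.0.1", dp) for k, (s, dp) in Q1.items()}

def q7_verdicts():
    flows = [("192.169.1.9", 21, 40000), ("192.169.1.9", 40000, 80), ("192.169.1.22", 40000, 23)]
    return [evaluate(ACL_135, "tcp", s, sp, "10.0.0.1", dp) for s, sp, dp in flows]
```

In `q7_verdicts()` only the first flow hits an explicit deny line; the other two fall through to the implicit deny, which is the behaviour the answer to Question 7 relies on.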
Question 8
The access control list shown in the graphic has been applied to the Ethernet interface of router R1 using the ip access-group 101 in command. Which of the following Telnet sessions will be blocked by this ACL? (Choose two)
A – from host PC1 to host 5.1.1.10
B – from host PC1 to host 5.1.3.10
C – from host PC2 to host 5.1.2.10
D – from host PC2 to host 5.1.3.8
Answer: B D
Explanation
Below is the simple syntax of an extended access list:
access-list access-list-number {deny | permit} {ip|tcp|udp|icmp} source [source-mask] dest [dest-mask] [eq dest-port]
Notice that this access list is applied to the Ethernet interface of R1 in the “in” direction, so in this case it will filter all the packets originating from the E1 network (hosts PC1 and PC2) with these parameters:
Source network: 5.1.1.8 0.0.0.3, which means 5.1.1.8 with subnet mask 255.255.255.252 (just invert all the wildcard bits to get the equivalent subnet mask) -> Packets from 5.1.1.8 to 5.1.1.11 will be filtered.
Destination network: 5.1.3.0 0.0.0.255, which means 5.1.3.0/24 -> Packets to 5.1.3.0/24 will be filtered.
Therefore packets that originate from 5.1.1.8 to 5.1.1.11 and are destined for a host 5.1.3.x (via Telnet) will be denied.
Question 9
The following configuration line was added to router R1
Access-list 101 permit ip 10.25.30.0 0.0.0.255 any
What is the effect of this access list configuration?
A – permit all packets matching the first three octets of the source address to all destinations
B – permit all packets matching the last octet of the destination address and accept all source addresses
C – permit all packets matching the host bits in the source address to all destinations
D – permit all packets from the third subnet of the network address to all destinations
Answer: A
Hi Every one …
I am having my exam on March 17. Anybody please send me the latest dump file for 640-802.
Hi Everybody,
planning to take exam 640-802 somewhere in the middle of next week, please send me the latest dump file …
hi Everybody,
I am going to take the exam this week
I need the latest dump on my email
thanks
very good dump! thanks for the info!! I passed the exam with 987/1000!!
Hello,
I have my exam on Friday, can someone send me the latest dumps to peefrosch@gmx.de
Thanks to all that helps to support!
Hello..
I’m Planning to write CCNA exam on March-15th ,can anyone of u suggest me like on which topics i need to concentrate more?
Hi there , i’m going to have my Exam on 29/3/2001
Can anyone help with send the latest dumps to my mail
niv_newmail@hotmail.com
Good luck 4 all
Thank you to all, I passed CCNA with 961/1000 today. ACL, VTP, EIGRP sims. I did the ACL sim correctly and I got the correct output, but I lost the mark for the ACL sim.
I prefer the dumps,”TestInside.640-802.v2010-05-23.by.Acme.356qq.vce.file.html” &”ActualTests.640-802.v2010-05-21.by.Mashti.354q.vce.file.html”
once again thanks to u all…………………
can anyone can explain the question no. 4 thanks thanks
Hi Guys,
Could any one explain question 3….. please..
access-list 101 deny tcp 192.168.15.32 0.0.0.15 any eq telnet, plz explain Q1 plz
@Anonymous the protocol to match is telnet so port 23 and the wildcard mask to match is .15 (inverted 240). So the only answers that match are D and E. .49 is outside of the range (47 is the broadcast of that subnet).
This Friday is my CCNA exam, does somebody have some tips for this exam … Thanks
This friday is my exam CCNA somebody have some tips for the exam, which topics are included in the exam…jevir10@hotmail.com …. Thanks alot
hi all, my name is tyrone, i am doing self study for ccna, i hear the exams are now pretty tough, i was just wondering if we are allowed a few minutes before the exam to write things down on a piece of paper, before the exam actually starts, because it will help to write down subnet mask block size, number of hosts, etc. so that if a question comes, you just look at your sheet and this will save time. are we actually allowed? i know you can’t bring it in but can you write down things to remember before the exam starts? someone please please respond. thanks
Dear..Balakrishnan……chennai, Please give me details I am doing study from only ACME also 9tut. only is it enough for exam. Please reply
1. Failed my exam last Saturday March 5th. Two questions from the VTP changed, no more multiple answers, if I’m not mistaken, the choices are the same but instead of multiple answers.. it only asked for one correct answer.
2. EIGRP the same, ACL the same.
3. Drag and drop, the same.
4. There are 4 to 5 new questions for multiple choices part, review your OSI.
If someone from this form encounter the same VTP questions as I did, please let me know, my email address is hello.zero6@yahoo.com
Thanks guys, and good luck to your exam : )
PEOPLE, Please don’t misguide anyone by your comments. If you cannot study the dumps, it’s your problem. Dumps and Sim’s are 100 % valid. Most of the dumps have same set of questions. Well, if you don’t know the answers for the questions, then you don’t know CCNA well and mugging them will not help. Rest Best of LucK
Thank you!! Studied for 2 weeks and used this site. Passed today in Florida with 898. VTP, EIGRP and Access list SIMS. Thanks again!!
Hi guys,
I’m sitting the exam next month, please send me latest dumps. (ptolemy007 at gmail dot com)
Dear all,
What is the total time duration for CCNA 640-802 certification exam ?
Is it 1 hour 45 minutes or 2 hours ?
Dear all,
Can someone pls explain answers to Question 3 and Question 4.
For Question 3, the syntax permits telnet access but the answer is B (deny students access to command prompt). Shouldn’t the answer be E (preventing access to internet) due to implicit deny ?
For Question 4, the access-list ip address and subnet-mask is what i dont understand. Because the answeR C, includes the network address as well. (access-list 10 permit 172.29.16.0 0.0.3.255). the ip add 172.29.16.0 is infact a host address. I think E would have been a better option 172.29.0.0 0.0.255.255.
@Maverick: I added the explanations for question 3 and 4, kindly check again.
please mail me latest ccna dumps @t londonangles@live.co.uk
Hello guys
i am planning to take exam on april please post new dumps and labs : mail me
@t londonangles@live.co.uk
hi,
this site is best for pratice……….wish me gud luck for xam. My xam is on 2 april…..
Good morning,
Can anyone send me please the last dump file to edu_steva@yahoo.com.br
I´m going to do my CCNA next week. Thanks!!!
HI,
Can anyone please be generous and send me the latest dumbs eltahir_86@hotmail.com
pls can sum 1 send d latest dumps to me….writing it next week….demex20022002@yahoo.com
Please,Dear all ONE love.i have written my CCNA and passed thanks to 9tut team.i want to write juniper exam ‘JNO 101′,can anyone help me with the link download latest dumps on that exam. donsello20@yahoo.com
I will be taking my exam tomorrow and have an Extended ACL question.
An Extended ACL basically has several fields, but they generally go like this
access-list 100 [permit|deny] [tcp|udp or various other protocols] [source ip address] [source wildcard mask] [destination ip address] [destination wildcard mask] eq [port number]
My problem is this….the usage of any and host for the source|destination info, i understand you can use any for the source and destination IP’s but how to use host, i have not been able for the life of me to find a clear cut explanation on how to use it.
i have seen various ACL’s use something like
access-list 100 permit tcp host 192.168.1.0 host 204.123.55.24 eq 80
in that scenario i don’t see what the meaning of host is, it’s coming before the IP addresses.
@Tunapiano: host 192.168.1.0 is equal to 192.168.1.0 0.0.0.0 (“host” equals 0.0.0.0), but it is put before the IP address.
We have a complete tutorial about access list, you can read at: http://www.9tut.com/access-list-tutorial
i am going to take CCNA exam in the next 2h40′. Say good luck to me :), i’ll update my result soon (i’ve been trying pass4sure 7.73 with 463 Qs&As, update v3.0 with 146 new Qs&As, and test inside 17.14 with 356Qs&As, lab sim on 9tut).
to all who is looking for latest dumps for CCNA exam, please visit: http://www.careercert.info, a useful site for you.
hi anyone pls send the latest dumps… email id uvaraja_rj@yahoo.com
My paper is tmmrw…….just pray 4 me, dat i clear my xam
Shruti i will pray for you , but make note what simulations you have seen in exam ? and acme dumps testsinside 17.14 are still valid ?
Good morning,
Can anyone send me please the last dump file to iutl87@yahoo.com
I´m going to do my CCNA next week. Thanks!!!
hello guys
I will be writing my exam next week. Please can somebody send me the latest dumps at
iutl87@yahoo.com please
Does anyone know what is the last valid dump ? I am going to seat for test within one week
shruti what happended ?with you plz tell us and share your exam experience
hi guys..im going to take the CCNA exam on the 2nd week of april..is there any latest dump? if youo have please kindly send me a copy at liveskai@yahoo.com
hey all ive been studying ccna and really nervous about my ccna exam is there any1 out there that can give me all the dumps to all the questions that will be in the exam asap if i pass i can finally propose to my girlfriend some1 please help
habib_mania@hotmail.com
please send it to this email
hello guys
I have ccna exam on April 21th
please send me the latest dump:
esi_1981@yahoo.com
i m going to give the exam next week sooo if one can send me dumps of lates papers……………. to this id (adnanback@yahoo.com)
can anybody explain the question no.1?
Your boss is learning a CCNA training course, refer to the exhibit. The access list has been configured on the S0/0 interface of router RTB in the outbound direction. Which two packets, if routed to the interface, will be denied? (Choose two)
access-list 101 deny tcp 192.168.15.32 0.0.0.15 any eq telnet
access-list 101 permit ip any any
D. source ip address: 192.168.15.36; destination port: 23
E. source ip address: 192.168.15.46; destination port: 23
ok mate, if you look at the 192.168.15.32 and the wild/mask 0.0.0.15, if you add the 32 and the 15 together you get 47, and we know we can't use the .47 because it's a broadcast, so the only two addresses we can use in between 32 and 47 are the 192.168.15.(36) and the 192.168.15.(46), and both are equal to port 23 which is telnet. hope this helps, good luck
A:
I have to do my second try CCNA exam next month.how one knows that he’s ready?
hello.
plz can anyone send me the latest dumps on smrcradle@yahoo.com plzzz
thank you
Hi Im going for my CCNA exam next week could any one help with advice or any material which are usefully for the exam please my email address is narajoly@yahoo.co.uk. many thanks