CCNA – Access List Questions

May 1st, 2011

Here you will find answers to CCNA Access list questions

Note: If you are not sure about how to use Access list, please read my Access list tutorial

Question 1

Your boss is learning a CCNA training course, refer to the exhibit. The access list has been configured on the S0/0 interface of router RTB in the outbound direction. Which two packets, if routed to the interface, will be denied? (Choose two)

accesslist1

access-list 101 deny tcp 192.168.15.32 0.0.0.15 any eq telnet
access-list 101 permit ip any any

A. source ip address: 192.168.15.5; destination port: 21
B. source ip address: 192.168.15.37 destination port: 21
C. source ip address: 192.168.15.41 destination port: 21
D. source ip address: 192.168.15.36 destination port: 23
E. source ip address: 192.168.15.46; destination port: 23
F. source ip address: 192.168.15.49 destination port: 23

 

Answer: D E

Explanation

First, Telnet uses port 23, so only D, E and F can satisfy this requirement.

The purpose of this access list is to deny hosts in network 192.168.15.32 255.255.255.240 from telnetting to any device (to find the subnet mask from the wildcard mask, invert every bit: each "0" becomes "1" and each "1" becomes "0"). So we need to work out the address range of this network to learn which IP addresses will be denied.

Increment: 16
Network address: 192.168.15.32
Broadcast address: 192.168.15.47

-> Only 192.168.15.36 (Answer D) and 192.168.15.46 (Answer E) belong to this range, so they are the correct answers.

Question 2

Refer to the graphic. It has been decided that PC1 should be denied access to Server. Which of the following commands are required to prevent only PC1 from accessing Server1 while allowing all other traffic to flow normally? (Choose two)

accesslist2

A – Router(config)# interface fa0/0
Router(config-if)# ip access-group 101 out
B – Router(config)# interface fa0/0
Router(config-if)# ip access-group 101 in
C – Router(config)# access-list 101 deny ip host 172.16.161.150 host 172.16.162.163
Router(config)# access-list 101 permit ip any any
D – Router(config)# access-list 101 deny ip 172.16.161.150 0.0.0.255 172.16.162.163 0.0.0.0
Router(config)# access-list 101 permit ip any any

 

Answer: B C

 

Question 3

Refer to the exhibit. Why would the network administrator configure RA in this manner?

accesslist3

A. to give students access to the Internet
B. to prevent students from accessing the command prompt of RA
C. to prevent administrators from accessing the console of RA
D. to give administrators access to the Internet
E. to prevent students from accessing the Internet
F. to prevent students from accessing the Admin network

 

Answer: B

Explanation

Although the access list is used to "permit" network 10.1.1.0/24, the best answer here is "to prevent students from accessing the command prompt of RA". From the exhibit, we know that 10.1.1.0/24 is the "Admin" network. This access list is applied to "line vty 0 4", so it permits only Telnet traffic from "Admin" to RA and drops all other traffic (because of the implicit "deny all" at the end of the access list). Therefore we can deduce that it will "prevent students from accessing the command prompt of RA".

This access list only filters Telnet traffic (because it is applied to the vty lines), so it neither prevents nor allows anyone's access to the Internet -> A, D, E are not correct.

C is not correct as this access list allows administrators to access the console of RA.

F is not correct as this access list does not process TCP, UDP or IP traffic, so the students can still access the Admin network.

(Notice that the "command prompt" here implies Telnet, as Telnet is the only way to remotely access RA)

Question 4

An access list was written with the four statements shown in the graphic. Which single access list statement will combine all four of these statements into a single statement that will have exactly the same effect?

accesslist4

A. access-list 10 permit 172.29.16.0 0.0.0.255
B. access-list 10 permit 172.29.16.0 0.0.1.255
C. access-list 10 permit 172.29.16.0 0.0.3.255
D. access-list 10 permit 172.29.16.0 0.0.15.255
E. access-list 10 permit 172.29.0.0 0.0.255.255

 

Answer: C

Explanation

The four statements above allow 4 networks (from 172.29.16.0/24 to 172.29.19.0/24) to go through, so we can summarize them as network 172.29.16.0/22.

/22 = 255.255.252.0, which equals 0.0.3.255 when converted into a wildcard mask -> C is correct.

A, B, D are not correct as their wildcard masks are wrong. For example:
Answer A allows from 172.29.16.0 to 172.29.16.255
Answer B allows from 172.29.16.0 to 172.29.17.255
Answer D allows from 172.29.16.0 to 172.29.31.255

Both the network address and wildcard mask of answer E are wrong, as it allows the whole major network 172.29.0.0/16 to go through.
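
The summarization check from the explanation above, as an added Python example (not part of the original page): it collapses the four /24 networks, converts the resulting prefix to a wildcard mask, and tests which answer choice matches exactly the same address range. The function names are illustrative.

```python
import ipaddress

# Networks permitted by the four original statements, per the explanation above.
ORIGINAL = ["172.29.16.0/24", "172.29.17.0/24", "172.29.18.0/24", "172.29.19.0/24"]

# Answer choices A-E as (address, wildcard mask) pairs.
CANDIDATES = {
    "A": ("172.29.16.0", "0.0.0.255"),
    "B": ("172.29.16.0", "0.0.1.255"),
    "C": ("172.29.16.0", "0.0.3.255"),
    "D": ("172.29.16.0", "0.0.15.255"),
    "E": ("172.29.0.0", "0.0.255.255"),
}

def wildcard_for(network):
    """Wildcard mask of a prefix: the bitwise inverse of its subnet mask."""
    return str(ipaddress.ip_network(network).hostmask)

def matched_range(address, wildcard):
    """First and last address matched by 'address wildcard' (contiguous wildcards only)."""
    addr = int(ipaddress.IPv4Address(address))
    wild = int(ipaddress.IPv4Address(wildcard))
    first = addr & ~wild & 0xFFFFFFFF
    return ipaddress.IPv4Address(first), ipaddress.IPv4Address(first | wild)

def summarize(networks):
    """Collapse adjacent networks into the fewest covering prefixes."""
    return list(ipaddress.collapse_addresses(ipaddress.ip_network(n) for n in networks))

def equivalent_candidates():
    """Answer choices that match exactly the addresses of the original four."""
    summary = summarize(ORIGINAL)
    if len(summary) != 1:
        return []  # the originals do not collapse into a single statement
    target = (summary[0].network_address, summary[0].broadcast_address)
    return [k for k, (a, w) in CANDIDATES.items() if matched_range(a, w) == target]

if __name__ == "__main__":
    print(summarize(ORIGINAL), wildcard_for("172.29.16.0/22"))
    for key, (a, w) in CANDIDATES.items():
        print(key, *matched_range(a, w))
    print("equivalent:", equivalent_candidates())
```
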

Question 5

A network administrator wants to add a line to an access list that will block only Telnet access by the hosts on subnet 192.168.1.128/28 to the server at 192.168.1.5. What command should be issued to accomplish this task?

A – access-list 101 deny tcp 192.168.1.128 0.0.0.15 192.168.1.5 0.0.0.0 eq 23
access-list 101 permit ip any any
B – access-list 101 deny tcp 192.168.1.128 0.0.0.240 192.168.1.5 0.0.0.0 eq 23
access-list 101 permit ip any any
C – access-list 1 deny tcp 192.168.1.128 0.0.0.255 192.168.1.5 0.0.0.0 eq 21
access-list 1 permit ip any any
D – access-list 1 deny tcp 192.168.1.128 0.0.0.15 host 192.168.1.5 eq 23
access-list 1 permit ip any any

 

Answer: A

Explanation:

First, the question asks to block only Telnet access, so the port we have to use is 23 -> C is not correct.

Next we need to block traffic from hosts on the subnet 192.168.1.128/28, which is 192.168.1.128 0.0.0.15 when converted to a wildcard mask (just invert all bits of the subnet mask, from 0 to 1 and from 1 to 0, to get the equivalent wildcard mask) -> so B is incorrect.

In this case, we have to use an extended access list because we need to specify which type of traffic (TCP) and which port (23) we want to block -> so D is incorrect because it uses a standard access list.

Question 6

As a network administrator, you have been instructed to prevent all traffic originating on the LAN from entering the R2 router. Which of the following commands would implement the access list on the interface of the R2 router?

accesslist_blocktraffic

 

A – access-list 101 in
B – access-list 101 out
C – ip access-group 101 in
D – ip access-group 101 out

 

Answer: C

Question 7

The access list below was applied outbound on the E0 interface connected to the 192.169.1.8/29 LAN:

access-list 135 deny tcp 192.169.1.8 0.0.0.7 eq 20 any
access-list 135 deny tcp 192.169.1.8 0.0.0.7 eq 21 any

How will the above access list affect traffic?

A – FTP traffic from 192.169.1.22 will be denied
B – No traffic, except for FTP traffic will be allowed to exit E0
C – FTP traffic from 192.169.1.9 to any host will be denied
D – All traffic exiting E0 will be denied
E – All FTP traffic to network 192.169.1.9/29 will be denied

 

Answer: D

Explanation:

There is always an implicit "deny all" at the end of every access list, so if an access list doesn't contain any "permit" statement, it blocks all traffic.

Note: This access list is applied in the outbound direction, so only packets exiting E0 are checked. Packets entering E0 are not checked and are all allowed to pass through.
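
An added example, not from the original page, that evaluates the access lists from Question 1 and Question 7 the way the explanations describe: wildcard-mask comparison, first match wins, and an implicit deny when nothing matches. The parser handles only the syntax shown on this page, and the destination address and the Question 7 test packets are constructed values.

```python
import ipaddress

PORTS = {"ftp-data": 20, "ftp": 21, "telnet": 23}  # keywords accepted after "eq"
ACL_Q1 = ["access-list 101 deny tcp 192.168.15.32 0.0.0.15 any eq telnet",
          "access-list 101 permit ip any any"]
ACL_Q7 = ["access-list 135 deny tcp 192.169.1.8 0.0.0.7 eq 20 any",
          "access-list 135 deny tcp 192.169.1.8 0.0.0.7 eq 21 any"]

def ip(text):
    return int(ipaddress.IPv4Address(text))

def take_addr(tok):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (address, wildcard)."""
    first = tok.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    # "host A" is shorthand for "A 0.0.0.0"
    return (ip(tok.pop(0)), 0) if first == "host" else (ip(first), ip(tok.pop(0)))

def take_port(tok):
    """Consume an optional 'eq PORT'; None means the entry matches any port."""
    if tok[:1] != ["eq"]:
        return None
    name = tok[1]
    del tok[:2]
    return PORTS[name] if name in PORTS else int(name)

def parse(line):
    """Parse the subset of extended-ACL syntax that appears on this page."""
    _, _, action, proto, *rest = line.lower().split()
    src, sport = take_addr(rest), take_port(rest)
    dst, dport = take_addr(rest), take_port(rest)
    return action, proto, src, sport, dst, dport

def addr_match(address, rule):
    """Wildcard bit 0: the bit must equal the rule's; bit 1: ignore it."""
    base, wild = rule
    return ((ip(address) ^ base) & ~wild & 0xFFFFFFFF) == 0

def evaluate(acl, proto, src, dst, sport=None, dport=None):
    """Action of the first matching entry, else the implicit deny."""
    for action, rproto, rsrc, rsport, rdst, rdport in map(parse, acl):
        if (rproto in ("ip", proto) and rsport in (None, sport)
                and rdport in (None, dport)
                and addr_match(src, rsrc) and addr_match(dst, rdst)):
            return action
    return "deny"  # nothing matched: implicit "deny all"

def denied_q1():
    """Question 1 options; destination 10.0.0.1 is a constructed value."""
    options = {"A": ("192.168.15.5", 21), "B": ("192.168.15.37", 21),
               "C": ("192.168.15.41", 21), "D": ("192.168.15.36", 23),
               "E": ("192.168.15.46", 23), "F": ("192.168.15.49", 23)}
    return [k for k, (src, port) in options.items()
            if evaluate(ACL_Q1, "tcp", src, "10.0.0.1", dport=port) == "deny"]

def q7_actions():
    """Question 7 with constructed packets: (source, source port, dest port)."""
    packets = [("192.169.1.9", 21, 40000), ("192.169.1.9", 40000, 80),
               ("192.169.1.22", 21, 40000)]
    return [evaluate(ACL_Q7, "tcp", s, "10.0.0.1", sp, dp) for s, sp, dp in packets]

if __name__ == "__main__":
    print("Q1 denied:", denied_q1(), "| Q7 actions:", q7_actions())
```
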

Question 8

The access control list shown in the graphic has been applied to the Ethernet interface of router R1 using the ip access-group 101 in command. Which of the following Telnet sessions will be blocked by this ACL? (Choose two)

accesslist

A – from host PC1 to host 5.1.1.10
B – from host PC1 to host 5.1.3.10
C – from host PC2 to host 5.1.2.10
D – from host PC2 to host 5.1.3.8

 

Answer: B D

Explanation

Below is the simple syntax of an extended access list:

access-list access-list-number {deny | permit} {ip|tcp|udp|icmp} source [source-mask] dest [dest-mask] [eq dest-port]

Notice that this access list is applied to the Ethernet interface of R1 in the inbound direction, so in this case it filters all packets originating from the E1 network (hosts PC1 and PC2) with these parameters:

Source network: 5.1.1.8 0.0.0.3, which means 5.1.1.8 with subnet mask 255.255.255.252 (just invert all the wildcard bits to get the equivalent subnet mask) -> Packets from 5.1.1.8 to 5.1.1.11 will be filtered.

Destination network: 5.1.3.0 0.0.0.255, which means 5.1.3.0/24 -> Packets to 5.1.3.0/24 will be filtered.

Therefore packets originating from 5.1.1.8 to 5.1.1.11 and destined to a host in 5.1.3.x (via Telnet) will be denied.

Question 9

The following configuration line was added to router R1

Access-list 101 permit ip 10.25.30.0 0.0.0.255 any

What is the effect of this access list configuration?
A – permit all packets matching the first three octets of the source address to all destinations
B – permit all packet matching the last octet of the destination address and accept all source addresses
C – permit all packet matching the host bits in the source address to all destinations
D – permit all packet from the third subnet of the network address to all destinations

 

Answer: A

Comments
  1. atulya
    February 25th, 2011

    Hi Every one …
    I am having exam on March 17 .Anybody please send me the latest dumb file for 640-802 .

  2. Sanish
    February 27th, 2011

    Hi Everybody,

    planning to ans exam 640-802 somewhere in the middle of next week, please send me latest dumb file …

  3. ahmed samy
    February 27th, 2011

    hi Everybody ,
    i am going to take exam this week
    i need the latest dump on my email

    thans

  4. crabla
    February 28th, 2011

    very good dump! thanks for the info!! I passed the exam with 987/1000!!

  5. trying
    March 1st, 2011

    Hello,

    I have my exam on Friday, can someone send me the latest dumps to peefrosch@gmx.de
    Thanks to all that helps to support!

  6. Rupa
    March 4th, 2011

    Hello..

    I’m Planning to write CCNA exam on March-15th ,can anyone of u suggest me like on which topics i need to concentrate more?

  7. Niv
    March 6th, 2011

    Hi there , i’m going to have my Exam on 29/3/2001
    Can anyone help with send the latest dumps to my mail
    niv_newmail@hotmail.com
    Good luck 4 all

  8. Balakrishnan……chennai
    March 7th, 2011

    Thank u to all,I passed CCNA with 961/1000 today,ACL,VTP,EIGRP sims,The ACL sim did correctly and i got the correct output but i lost the mark for ACL sim.
    I prefer the dumps,”TestInside.640-802.v2010-05-23.by.Acme.356qq.vce.file.html” &”ActualTests.640-802.v2010-05-21.by.Mashti.354q.vce.file.html”
    once again thanks to u all…………………

  9. Mateo
    March 7th, 2011

    can anyone can explain the question no. 4 thanks thanks

  10. Gabby
    March 7th, 2011

    Hi Guys,

    Could any one explain question 3….. please..

  11. Anonymous
    March 8th, 2011

    access-list 101 deny tcp 192.168.15.32 0.0.0.15 any eq telnet plzzzzzzzzzzzzzz explain Q1 plzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz

  12. alex
    March 8th, 2011

    @Anonymous the protocol to match is telnet so port 23 and the wildcard mask to match is .15 (inverted 240). So the only answers that match are D and E. .49 is outside of the range (47 is the broadcast of that subnet).

  13. hi Everybody
    March 9th, 2011

    This friday en my exam CCNA somebody have some tips to this exam … Tkns

  14. hi Everybody
    March 9th, 2011

    This friday is my exam CCNA somebody have some tips for the exam, which topics are included in the exam…jevir10@hotmail.com …. Thanks alot

  15. tyrone
    March 10th, 2011

    hi all, my name is tyrone, i am doing self study for ccna, i hear the exams now pretty tough, i was just wondering if we are allowed a few minutes before the exams to write things down on a peice of paper, before the exam actually starts, cos it will help to write down subnet mask block size, number of host, and etc so that if a question comes, you just look at your sheet this will save time. are we actually allowed? i know you can’t bring it in but can you write things to remeber down before the exam starts? someone please please respond. thanks

  16. CCNA-640-802
    March 10th, 2011

    Dear..Balakrishnan……chennai, Please give me details I am doing study from only ACME also 9tut. only is it enough for exam. Please reply

  17. Bruno
    March 10th, 2011

    1. Failed my exam last Saturday March 5th. Two questions from the VTP changed, no more multiple answers, if I’m not mistaken, the choices are the same but instead of multiple answers.. it only asked for one correct answer.

    2. EIGRP the same, ACL the same.

    3. Drag and drop, the same.

    4. There are 4 to 5 new questions for multiple choices part, review your OSI.

    If someone from this form encounter the same VTP questions as I did, please let me know, my email address is hello.zero6@yahoo.com

    Thanks guys, and good luck to your exam : )

  18. DevD
    March 10th, 2011

    PEOPLE, Please don’t misguide anyone by your comments. If you cannot study the dumps, it’s your problem. Dumps and Sim’s are 100 % valid. Most of the dumps have same set of questions. Well, if you don’t know the answers for the questions, then you don’t know CCNA well and mugging them will not help. Rest Best of LucK

  19. Parsram
    March 11th, 2011

    Thank you!! Studied for 2 weeks and used this site. Passed today in Florida with 898. VTP, EIGRP and Access list SIMS. Thanks again!!

  20. Skankang
    March 11th, 2011

    Hi guys,
    I’m sitting the exam next month, please send me latest dumps. (ptolemy007 at gmail dot com)

  21. Anonymous
    March 13th, 2011

    Dear all,

    What is the total time duration for CCNA 640-802 certification exam ?

    Is it 1 hour 45 minutes or 2 hours ?

  22. Maverick
    March 13th, 2011

    Dear all,

    Can someone pls explain answers to Question 3 and Question 4.

    For Question 3, the syntax permits telnet access but the answer is B (deny students access to command prompt). Shouldn’t the answer be E (preventing access to internet) due to implicit deny ?

    For Question 4, the access-list ip address and subnet-mask is what I don't understand. Because the answer C includes the network address as well (access-list 10 permit 172.29.16.0 0.0.3.255). The ip add 172.29.16.0 is in fact a host address. I think E would have been a better option 172.29.0.0 0.0.255.255.

  23. 9tut
    March 13th, 2011

    @Maverick: I added the explanations for question 3 and 4, kindly check again.

  24. binz
    March 16th, 2011

    please mail me latest ccna dumps @t londonangles@live.co.uk

  25. binz
    March 16th, 2011

    Hello guys

    i am planning to take exam on april please post new dumps and labs : mail me
    @t londonangles@live.co.uk

  26. Shruti
    March 17th, 2011

    hi,
    this site is best for pratice……….wish me gud luck for xam. My xam is on 2 april…..

  27. Edward
    March 19th, 2011

    Good morning,
    Can anyone send me please the last dump file to edu_steva@yahoo.com.br
    I´m going to do my CCNA next week. Thanks!!!

  28. TOM
    March 19th, 2011

    HI,
    Can anyone please be generous and send me the latest dumbs eltahir_86@hotmail.com

  29. dam
    March 20th, 2011

    pls can sum 1 send d latest dumps to me….writing it next week….demex20022002@yahoo.com

  30. sello
    March 21st, 2011

    Please,Dear all ONE love.i have written my CCNA and passed thanks to 9tut team.i want to write juniper exam ‘JNO 101′,can anyone help me with the link download latest dumps on that exam. donsello20@yahoo.com

  31. Tunapiano
    March 22nd, 2011

    I will be taking my exam tomorrow and have an Extended ACL question.

    An Extended ACL basically has several fields, but they generally go like this

    access-list 100 [permit|deny] [tcp|udp or various other protocols] [source ip address] [source wildcard mask] [destination ip address] [destination wildcard mask] eq [port number]

    My problem is this….the usage of any and host for the source|destination info, i understand you can use any for the source and destination IP’s but how to use host, i have not been able for the life of me to find a clear cut explanation on how to use it.

    i have seen various ACL’s use something like

    access-list 100 permit tcp host 192.168.1.0 host 204.123.55.24 eq 80

    in that scenario i don’t see what the meaning of host is, it’s coming before the IP addresses.

  32. 9tut
    March 23rd, 2011

    @Tunapiano: host 192.168.1.0 equals 192.168.1.0 0.0.0.0 ("host" equals 0.0.0.0) but it is put before the IP address.

    We have a complete tutorial about access list, you can read at: http://www.9tut.com/access-list-tutorial

  33. nihility
    March 28th, 2011

    i am going to take CCNA exam in the next 2h40′. Say good luck to me :), i’ll update my result soon (i’ve been trying pass4sure 7.73 with 463 Qs&As, update v3.0 with 146 new Qs&As, and test inside 17.14 with 356Qs&As, lab sim on 9tut).

  34. nihility
    March 28th, 2011

    to all who is looking for latest dumps for CCNA exam, please visit: http://www.careercert.info, a useful site for you.

  35. Anonymous
    April 1st, 2011

    hi anyone pls send the latest dumps… email id uvaraja_rj@yahoo.com

  36. Shruti
    April 1st, 2011

    My paper is tmmrw…….just pray 4 me, dat i clear my xam

  37. rizwan shah
    April 2nd, 2011

    Shruti i will pray for you , but make note what simulations you have seen in exam ? and acme dumps testsinside 17.14 are still valid ?

  38. gassah
    April 2nd, 2011

    Good morning,
    Can anyone send me please the last dump file to iutl87@yahoo.com
    I´m going to do my CCNA next week. Thanks!!!

  39. gassah
    April 2nd, 2011

    hello guys
    I will be writing my exam next week. Please can somebody send me the latest dumps at
    iutl87@yahoo.com please

  40. Sarker
    April 3rd, 2011

    Does anyone know what is the last valid dump ? I am going to seat for test within one week

  41. rizwan shah
    April 3rd, 2011

    shruti what happended ?with you plz tell us and share your exam experience

  42. billy
    April 3rd, 2011

    hi guys..im going to take the CCNA exam on the 2nd week of april..is there any latest dump? if youo have please kindly send me a copy at liveskai@yahoo.com

  43. Anonymous
    April 4th, 2011

    hey all ive been studying ccna and really nervous about my ccna exam is there any1 out there that can give me all the dumps to all the questions that will be in the exam asap if i pass i can finally propose to my girlfriend some1 please help

    habib_mania@hotmail.com

    please send it to this email

  44. ehsan
    April 5th, 2011

    hello guys
    I have ccna exam on April 21th
    please send me the latest dump:
    esi_1981@yahoo.com

  45. Adnan
    April 6th, 2011

    i m going to give the exam next week sooo if one can send me dumps of lates papers……………. to this id (adnanback@yahoo.com)

  46. Archan
    April 6th, 2011

    can anybody explain the question no.1?

  47. John
    April 6th, 2011

    Your boss is learning a CCNA training course, refer to the exhibit. The access list has been configured on the S0/0 interface of router RTB in the outbound direction. Which two packets, if routed to the interface, will be denied? (Choose two)
    access-list 101 deny tcp 192.168.15.32 0.0.0.15 any eq telnet
    access-list 101 permit ip any any

    D. source ip address: 192.168.15.36 destination port: 23

    E. source ip address: 192.168.15.46; destination port: 23

    ok mate if you look at the 192.168.15.32 and the wild/mask 0.0.0.15 if you add the 32 and the 15 together you get 47 and we know we can't use the .47 because it's a broadcast so the only two addresses we can use in between 32 and 47 are the 192.168.15.(36) and the 192.168.15.(46) and are both equal to port 23 which is telnet hope this helps good luck

    A:

  48. Jbass
    April 11th, 2011

    I have to do my second try CCNA exam next month.how one knows that he’s ready?

  49. samer
    April 11th, 2011

    hello.

    plz can anyone send me the latest dumps on smrcradle@yahoo.com plzzz

    thank you

  50. Nara
    April 11th, 2011

    Hi Im going for my CCNA exam next week could any one help with advice or any material which are usefully for the exam please my email address is narajoly@yahoo.co.uk. many thanks
