
CCNA – Access List Questions

May 1st, 2011

Here you will find answers to CCNA access list questions.

Note: If you are not sure how to use access lists, please read my Access list tutorial.

Question 1

Your boss is taking a CCNA training course. Refer to the exhibit. The access list has been configured on the S0/0 interface of router RTB in the outbound direction. Which two packets, if routed to the interface, will be denied? (Choose two)

[Exhibit image: accesslist1]

access-list 101 deny tcp 192.168.15.32 0.0.0.15 any eq telnet
access-list 101 permit ip any any

A. source ip address: 192.168.15.5; destination port: 21
B. source ip address: 192.168.15.37; destination port: 21
C. source ip address: 192.168.15.41; destination port: 21
D. source ip address: 192.168.15.36; destination port: 23
E. source ip address: 192.168.15.46; destination port: 23
F. source ip address: 192.168.15.49; destination port: 23

Answer: D E

Explanation

First, we notice that telnet uses port 23, so only D, E and F can satisfy this requirement.

The purpose of this access list is to deny traffic from network 192.168.15.32 255.255.255.240 telnetting to any device (to find the subnet mask, invert the wildcard mask: convert every “0” bit to “1” and every “1” bit to “0”). So we need to work out the range of this network to learn which IP addresses will be denied.

Increment: 16
Network address: 192.168.15.32
Broadcast address: 192.168.15.47

-> Only 192.168.15.36 (Answer D) and 192.168.15.46 (Answer E) belong to this range, so they are the correct answers.
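The check above can be run mechanically. The following is an added example, not code from the original page: it parses the two access-list lines of Question 1 and evaluates options A-F top-down with wildcard matching and the implicit deny. The function names and the destination address are assumptions made for the illustration.

```python
# Added example, not from the original page: evaluate Question 1's ACL the
# way a router does (top-down, first match wins, implicit deny at the end).
import ipaddress

PORT_NAMES = {"telnet": 23, "ftp": 21}  # only the keywords this example needs

def ip_int(text):
    return int(ipaddress.IPv4Address(text))

def parse_addr(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (base, wildcard)."""
    first = tokens.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return ip_int(tokens.pop(0)), 0
    return ip_int(first), ip_int(tokens.pop(0))

def parse_ace(line):
    """Parse 'access-list N {deny|permit} PROTO SRC DST [eq PORT]'."""
    tokens = line.split()
    if len(tokens) < 6 or tokens[0] != "access-list":
        raise ValueError("unsupported line: " + line)
    action, proto, rest = tokens[2], tokens[3], tokens[4:]
    src, dst = parse_addr(rest), parse_addr(rest)
    port = None
    if rest[:1] == ["eq"]:
        port = PORT_NAMES[rest[1]] if rest[1] in PORT_NAMES else int(rest[1])
    return {"action": action, "proto": proto, "src": src, "dst": dst, "port": port}

def addr_matches(addr, rule):
    """Wildcard bit 0 means 'must equal the base', bit 1 means 'ignore'."""
    base, wildcard = rule
    return ((ip_int(addr) ^ base) & ~wildcard & 0xFFFFFFFF) == 0

def evaluate(acl, src, dst, proto, dport):
    for ace in acl:
        if ace["proto"] not in ("ip", proto):
            continue
        if not (addr_matches(src, ace["src"]) and addr_matches(dst, ace["dst"])):
            continue
        if ace["port"] is not None and ace["port"] != dport:
            continue
        return ace["action"]
    return "deny"  # implicit "deny all" when no entry matched

ACL_101 = [parse_ace(line) for line in (
    "access-list 101 deny tcp 192.168.15.32 0.0.0.15 any eq telnet",
    "access-list 101 permit ip any any",
)]

# Source address and destination port of answer options A-F.
OPTIONS = {"A": ("192.168.15.5", 21), "B": ("192.168.15.37", 21),
           "C": ("192.168.15.41", 21), "D": ("192.168.15.36", 23),
           "E": ("192.168.15.46", 23), "F": ("192.168.15.49", 23)}
DEST = "203.0.113.10"  # constructed: the question gives no destination address

def denied_options(acl=ACL_101):
    return [name for name, (src, port) in OPTIONS.items()
            if evaluate(acl, src, DEST, "tcp", port) == "deny"]

if __name__ == "__main__":
    print(denied_options())
```

Dropping the second line from `ACL_101` makes every option come back as denied, which is the implicit deny at work.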

Question 2

Refer to the graphic. It has been decided that PC1 should be denied access to Server. Which of the following commands are required to prevent only PC1 from accessing Server1 while allowing all other traffic to flow normally? (Choose two)

[Exhibit image: accesslist2]

A – Router(config)# interface fa0/0
Router(config-if)# ip access-group 101 out
B – Router(config)# interface fa0/0
Router(config-if)# ip access-group 101 in
C – Router(config)# access-list 101 deny ip host 172.16.161.150 host 172.16.162.163
Router(config)# access-list 101 permit ip any any
D – Router(config)# access-list 101 deny ip 172.16.161.150 0.0.0.255 172.16.162.163 0.0.0.0
Router(config)# access-list 101 permit ip any any

Answer: B C

Question 3

Refer to the exhibit. Why would the network administrator configure RA in this manner?

[Exhibit image: accesslist3]

A. to give students access to the Internet
B. to prevent students from accessing the command prompt of RA
C. to prevent administrators from accessing the console of RA
D. to give administrators access to the Internet
E. to prevent students from accessing the Internet
F. to prevent students from accessing the Admin network

Answer: B

Explanation

Although the access list is used to “permit” network 10.1.1.0/24, the best answer here is “to prevent students from accessing the command prompt of RA”. From the picture above, we know that 10.1.1.0/24 is the “Admin” network. This access list is applied to “line vty 0 4”, so it will permit only Telnet traffic from “Admin” to RA while dropping all other traffic (because of the implicit “deny all” command at the end of the access list). Therefore we can deduce that it will “prevent students from accessing the command prompt of RA”.

This access list only filters Telnet traffic (because it is applied to the vty lines), so it will not prevent or allow anyone to access the Internet -> A, D and E are not correct.

C is not correct as this access list allows administrators to access the console of RA.

F is not correct as this access list does not process TCP, UDP or IP traffic, so the students can still access the Admin network.

(Notice that the “command prompt” here implies telnet, as telnet is the only way to remotely access RA.)

Question 4

An access list was written with the four statements shown in the graphic. Which single access list statement will combine all four of these statements into a single statement that will have exactly the same effect?

[Exhibit image: accesslist4]

A. access-list 10 permit 172.29.16.0 0.0.0.255
B. access-list 10 permit 172.29.16.0 0.0.1.255
C. access-list 10 permit 172.29.16.0 0.0.3.255
D. access-list 10 permit 172.29.16.0 0.0.15.255
E. access-list 10 permit 172.29.0.0 0.0.255.255

Answer: C

Explanation

The four statements above allow 4 networks (from 172.29.16.0/24 to 172.29.19.0/24) to go through, so we can summarize them as network 172.29.16.0/22.

/22 = 255.255.252.0, which equals 0.0.3.255 when converted into a wildcard mask -> C is correct.

A, B and D are not correct as their wildcard masks are wrong. For example:
Answer A allows from 172.29.16.0 to 172.29.16.255
Answer B allows from 172.29.16.0 to 172.29.17.255
Answer D allows from 172.29.16.0 to 172.29.31.255

Both the network address and the wildcard mask of answer E are wrong, as it allows the whole major network 172.29.0.0/16 to go through.
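The summarization can also be derived and checked by set comparison. The following is an added example, not code from the original page: it computes the single base/wildcard pair covering a list of statements, reports whether that pair matches exactly the same addresses, and classifies options A-E. The four input statements are reconstructed from the explanation (the graphic is missing), and all function names are assumptions.

```python
# Added example, not from the original page: derive the single wildcard
# statement for Question 4 and compare the answer options against it.
import ipaddress

def ip_int(text):
    return int(ipaddress.IPv4Address(text))

def ip_str(value):
    return str(ipaddress.IPv4Address(value))

def expand(base, wildcard):
    """Every address matched by 'base wildcard' (wildcard bit 1 = ignore)."""
    wc = ip_int(wildcard)
    fixed = ip_int(base) & ~wc & 0xFFFFFFFF
    matched, sub = set(), wc
    while True:  # walk all subsets of the wildcard bits
        matched.add(fixed | sub)
        if sub == 0:
            return matched
        sub = (sub - 1) & wc

def summarize(entries):
    """Smallest single pair covering all entries, and whether it is exact."""
    first = ip_int(entries[0][0])
    merged = 0
    for base, wildcard in entries:
        # Any bit that differs between entries must become a wildcard bit.
        merged |= ip_int(wildcard) | (ip_int(base) ^ first)
    base = ip_str(first & ~merged & 0xFFFFFFFF)
    wanted = set().union(*(expand(b, w) for b, w in entries))
    return base, ip_str(merged), expand(base, ip_str(merged)) == wanted

def classify(options, entries):
    wanted = set().union(*(expand(b, w) for b, w in entries))
    verdicts = {}
    for name, (base, wildcard) in options.items():
        got = expand(base, wildcard)
        if got == wanted:
            verdicts[name] = "exact"
        elif got < wanted:
            verdicts[name] = "too narrow"
        elif got > wanted:
            verdicts[name] = "too broad"
        else:
            verdicts[name] = "mismatch"
    return verdicts

# Reconstructed from the explanation: 172.29.16.0/24 through 172.29.19.0/24.
FOUR_STATEMENTS = [("172.29.%d.0" % n, "0.0.0.255") for n in (16, 17, 18, 19)]
OPTIONS = {"A": ("172.29.16.0", "0.0.0.255"), "B": ("172.29.16.0", "0.0.1.255"),
           "C": ("172.29.16.0", "0.0.3.255"), "D": ("172.29.16.0", "0.0.15.255"),
           "E": ("172.29.0.0", "0.0.255.255")}

if __name__ == "__main__":
    print(summarize(FOUR_STATEMENTS))
    print(classify(OPTIONS, FOUR_STATEMENTS))
```

With only three of the four networks as input, `summarize` still returns 0.0.3.255 but flags it as not exact, because that mask would also admit 172.29.19.0/24.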

Question 5

A network administrator wants to add a line to an access list that will block only Telnet access by the hosts on subnet 192.168.1.128/28 to the server at 192.168.1.5. What command should be issued to accomplish this task?

A – access-list 101 deny tcp 192.168.1.128 0.0.0.15 192.168.1.5 0.0.0.0 eq 23
access-list 101 permit ip any any
B – access-list 101 deny tcp 192.168.1.128 0.0.0.240 192.168.1.5 0.0.0.0 eq 23
access-list 101 permit ip any any
C – access-list 1 deny tcp 192.168.1.128 0.0.0.255 192.168.1.5 0.0.0.0 eq 21
access-list 1 permit ip any any
D – access-list 1 deny tcp 192.168.1.128 0.0.0.15 host 192.168.1.5 eq 23
access-list 1 permit ip any any

Answer: A

Explanation:

First, the question asks to block only Telnet access, so the port we have to use is 23 -> C is not correct.

Next, we need to block traffic from hosts on the subnet 192.168.1.128/28, which is 192.168.1.128 0.0.0.15 when written with a wildcard mask (just invert all bits of the subnet mask, from 0 to 1 and from 1 to 0, to get the equivalent wildcard mask) -> B is incorrect.

In this case, we have to use an extended access list because we need to specify which type of traffic (TCP) and which port (23) we want to block -> D is incorrect because it uses a standard access list.

Question 6

As a network administrator, you have been instructed to prevent all traffic originating on the LAN from entering the R2 router. Which of the following commands would implement the access list on the interface of the R2 router?

[Exhibit image: accesslist_blocktraffic]

A – access-list 101 in
B – access-list 101 out
C – ip access-group 101 in
D – ip access-group 101 out

Answer: C

Question 7

The following access list below was applied outbound on the E0 interface connected to the 192.169.1.8/29 LAN:

access-list 135 deny tcp 192.169.1.8 0.0.0.7 eq 20 any
access-list 135 deny tcp 192.169.1.8 0.0.0.7 eq 21 any

How will the above access lists affect traffic?

A – FTP traffic from 192.169.1.22 will be denied
B – No traffic, except for FTP traffic will be allowed to exit E0
C – FTP traffic from 192.169.1.9 to any host will be denied
D – All traffic exiting E0 will be denied
E – All FTP traffic to network 192.169.1.9/29 will be denied

Answer: D

Explanation:

There is always an implicit “deny all” command at the end of every access list, so if an access list doesn’t have any “permit” command, it will block all the traffic.

Note: This access list is applied in the outbound direction, so only packets exiting E0 will be checked. Packets entering E0 will not be checked and they are all allowed to pass through.

Question 8

The access control list shown in the graphic has been applied to the Ethernet interface of router R1 using the ip access-group 101 in command. Which of the following Telnet sessions will be blocked by this ACL? (Choose two)

[Exhibit image: accesslist]

A – from host PC1 to host 5.1.1.10
B – from host PC1 to host 5.1.3.10
C – from host PC2 to host 5.1.2.10
D – from host PC2 to host 5.1.3.8

Answer: B D

Explanation

Below is the simple syntax of an extended access list:

access-list access-list-number {deny | permit} {ip|tcp|udp|icmp} source [source-mask] dest [dest-mask] [eq dest-port]

Notice that this access list is applied to the Ethernet interface of R1 in the “in” direction, so in this case it will filter all the packets originating from the E1 network (hosts PC1 and PC2) with these parameters:

Source network: 5.1.1.8 0.0.0.3, which means 5.1.1.8 with subnet mask 255.255.255.252 (just invert all the wildcard bits to get the equivalent subnet mask) -> Packets from 5.1.1.8 to 5.1.1.11 will be filtered.

Destination network: 5.1.3.0 0.0.0.255, which means 5.1.3.0/24 -> Packets to 5.1.3.0/24 will be filtered.

Therefore packets originating from 5.1.1.8 to 5.1.1.11 and destined for a host 5.1.3.x (via Telnet) will be denied.

Question 9

The following configuration line was added to router R1:

Access-list 101 permit ip 10.25.30.0 0.0.0.255 any

What is the effect of this access list configuration?
A – permit all packets matching the first three octets of the source address to all destinations
B – permit all packet matching the last octet of the destination address and accept all source addresses
C – permit all packet matching the host bits in the source address to all destinations
D – permit all packet from the third subnet of the network address to all destinations

Answer: A

Comments
  2. Anonymous
    April 13th, 2011

    Question 7

    The following access list below was applied outbound on the E0 interface connected to the 192.169.1.8/29 LAN:

    access-list 135 deny tcp 192.169.1.8 0.0.0.7 eq 20 any
    access-list 135 deny tcp 192.169.1.8 0.0.0.7 eq 21 any

    How will the above access lists affect traffic?

    A – FTP traffic from 192.169.1.22 will be denied
    B – No traffic, except for FTP traffic will be allowed to exit E0
    C – FTP traffic from 192.169.1.9 to any host will be denied
    D – All traffic exiting E0 will be denied
    E – All FTP traffic to network 192.169.1.9/29 will be denied

    Answer D…..

    but one thing I am not understanding …..
    to avoid the FTP traffic from 192.169.1.8/29 network
    we should have the following access-list commands

    interface e0
    ip access-group 135 out --> it will block only return FTP traffic.

    access-list 135 deny tcp any eq 20 192.169.1.8 0.0.0.7
    access-list 135 deny tcp any eq 21 192.169.1.8 0.0.0.7
    access-list 135 allow ip any any.

    Please, anybody comment on this.

  3. Yousef
    April 13th, 2011

    @Anonymous: There isn’t a command called allow (it is permit).
    Actually, because of the absence of access-list 135 permit any any, and as deny all is the last default one, we can say all traffic will be denied (because of deny all). Good luck.

  4. Hi every1please send me the latest dumps, em writting fist week of may pleasef_makina@yahoo.com
    April 14th, 2011

    fm

  5. caige
    April 15th, 2011

    can anyone send me the latest dumps am writing my ccna next week? thanks a lot for your help caige@highveldmail.co.za

  6. Otakking
    April 15th, 2011

    Please, I am taking the CCNA exam on April 22. If someone took the exam I will be very happy to hear about the experience, and if anyone can send me the latest dumps I would really appreciate it. Thanks.

  7. Otakking
    April 15th, 2011

    I forgot , my mail is : checkmatemaster@hotmail.com

    Thanks.

  8. John
    April 16th, 2011

    Mate, get how2pass, and the labs on this site are the same. how2pass is properly the best practice exam out there and it's the cheapest; that and this site will be more than enough. Good luck with it. The exam is quite nervy going in, but when you get into your stride you will be fine. The questions you get will be between 1 – 55 with 3 sims. Make sure you study the drag and drops and you will be fine.

  9. Otakking
    April 16th, 2011

    when i take the exam do i get a pencil and sheet of paper for calculations?

  10. Zohaib Hassan
    April 16th, 2011

    this site is to much helpful, i gave my paper on 16-aug-2011 and by the blessing of Allah i score 920…

  11. 9tut
    April 17th, 2011

    @Otakking: Please visit http://www.9tut.com/share-your-experience to learn about CCNA experience and read CCNA FAQs & Tips at http://www.9tut.com/ccna-faqs-a-tips your question was answered there.

  12. Cham
    April 17th, 2011

    Can someone send me the latest dump?.. please sent at champy_dioso@yahoo.com thanks.. I will take my CCNA exam next week.. thanks so much

  13. Jay
    April 19th, 2011

    Hi,

    I will be writing my exam next week. Can someone please send me the latest dump files to jeyasothi@hotmail.com

  14. ivan
    April 19th, 2011

    am new can u feed me cisco?
    i will b doing it in the next month

  15. ivan
    April 19th, 2011
  16. dump_dumb_passer
    April 20th, 2011

    Hi admin just a suggestion why don’t we create a newsgroup lor newsfeed where people can subscribe and where people who subscribed can receive the lates dumps??? This can be paid or not it depends on you…

    Cheers,
    me dumb :p

  17. ~Abdikarim
    April 21st, 2011

    Hi thnks all u guys… am new to this forum..am doing my exam next week.. Can some 1 help me with latest dumps.. to sirabdikarim@yahoo.com

  18. chander
    April 22nd, 2011

    can somebody tell me what is this 17.14 ver

  19. Danes
    April 23rd, 2011

    Please send me too the latest Dumps to my email Address: Danespaulo143@yahoo.com.. Tnx

  20. Hugobossz
    April 23rd, 2011

    Hello Guys,

    I passed the CCNA exam today, April 23rd. I wrote my exam in Toronto, Canada. I got the VTP Sim, ACL, and EIGRP Simulation. The EIGRP simulation has an EIGRP 112 network. There were a few new questions on IPv6 and a few new questions in general.

    I got 854/1000; the minimum passing mark required to pass is 825.
    90 mins for 53 questions.

    I have used the following study material

    1) Sybex CCNA Study Guide Todd Lammle 6th edition
    2) CCNA Official Exam Certification Guide (ICND1/ICND2)
    3) Cisco Packet Tracer
    4) Certs by Masthi, Acme and Ghal and Actual tests
    5) 9TUT.com

    I had a tough time with the exam time line; I barely made it just before the time ran out.
    My advice to you guys: be as quick as possible and do your simulations as fast as you can. I did not like the simulation screen. It was small and all crammed in one screen. You have to keep referring back and forth.

    Another piece of advice to all of you guys: please be clear in your concepts, especially subnetting and VLSM design, ACL, NAT and switching concepts, and importantly IP routing. It will not only help in the exam, but this will go a long way in your career too. It will be hard to pass the exam if you just cram the certs.
    This exam is tough based on scope of knowledge.

    All the best and good luck Guys!
    Thank you 9TUT.com for the support and knowledge sharing.

    Sincerely,
    Hugo Bossz

  21. San
    April 26th, 2011

    can someone please send me the latest dump writing exam in next two days?
    n_saleem@hotmail.com
    Thanks,

  22. Anonymous
    April 26th, 2011

    I m sitting for my CCNA next week and i would be very grateful if someone send me the latest dumps and an over view of how the exam is, how to handle it and areas i should go through before i get to the exam room address is mailyapaul@yahoo.ca

    Thanks,

  23. Mike
    April 26th, 2011

    If anyone has the latest dumps could I get you to send them to mike.rodgers@hp.com
    Thanks,

  26. Syed Kashif Ahmed (Pakistan)
    April 28th, 2011

    Hello guys,
    I took my CCNA today and passed my CCNA. I prepared from Test inside .24, Actual Test, Acme, and labs from 9tut. The multiple choice questions were exactly the same as in these dumps, except a few; I think 5 questions are new but they are. In the labs, Cisco changed the Access List lab a little bit, so please read the lab questions carefully. The EIGRP labs are easy and the same. I got 1 VTP lab question only. And in the end do not forget to save your labs by using this command: #save run start
    I did not use it in the ACL lab and got 0% marks.
    So this was my experience; hope you will benefit from it.

  27. taps
    April 30th, 2011

    guys on Q 2 can sm 1 explain hw we substute a for be and on the real acl does it change pliz i nid to knw

  28. Glen
    April 30th, 2011

    what are you all talking about? these “dumps”? and other coments, are you all in the same
    class? again I ask how does this site help? does Packet Tracer work with this? Who is responsible for this site? Please can some one respond? It would be appreciated

  29. Govind
    May 1st, 2011

    Hi all, I am going to write CCNA exam on 11 may 2011. Kindly suggest if any thing new. I am preparing from pass4sure dumps.Is it k. Or else please send me the latest dumbs on g_o_vind@yahoo.co.in

    I shall be highly obliged to u all.
    Thanks in advance.

  30. nshaf
    May 1st, 2011

    Hi,
    Can anyone please send me the latest dump file to nshaf99@yahoo.com
    Thanks in advance

  31. Anonymous
    May 1st, 2011

    Hi
    Please send me the lastest dump file to genghis_vong@yahoo.com
    Thank you

  32. jnbasstango
    May 2nd, 2011

    @Syed Kashif Ahmed (Pakistan) you don’t use the command “save run start” in Cisco, you use “copy run start” or “copy running-config startup-config”

  33. Anonymous
    May 4th, 2011

    I cleared CCNA today. For the labs, the scenarios/diagrams are the same for VTP, EIGRP, NAT and ACL but with different questions and concepts. So don’t memorize the labs given at 9tut.com. Understand them and practice well. Lots of questions are not given anywhere. ACME, Testinside etc. only covered less than 50% of the questions. If you have good concepts you will clear the exam.

  34. Zheer
    May 5th, 2011

    I would like to pass CCNA any body can provide me latest dums
    zaheermallah@hotmail.com

  35. diallo
    May 6th, 2011

    hi ALL,
    Can anyone please send me the latest CCNA dumbs, my exam is monday 09/05/2011.
    pleaseeeee!!!!
    thanks Guy i really appreciate. my email is michealolusegunicsl@yahoo.co.uk

  36. jehangt3
    May 6th, 2011

    Can anyone explain Question 1 please? Thanks in advance :)

  37. Mike
    May 8th, 2011

    Taking Exam next week. Can anyone, please send me latest 640-802 dumps to burksmw@comcast.net. Many thanks!

  38. Santosh
    May 8th, 2011

    access-list 101 deny tcp 192.168.15.32 0.0.0.15 any eq telnet
    @jehangt3
    See, the access list is denying any IP address 192.168.15.32-47 access to telnet, i.e. port no. 23
    That's why the answer is DE

  39. Santosh
    May 8th, 2011

    @mike
    I have sent u the dumps please check and help others also

  41. usef
    May 9th, 2011

    @Santosh

    could you please send me latest dump of 640-802 ccna ?
    I\m going to take the exam in 2 weeks !

  42. usef
    May 9th, 2011

    I forgot my mail : u3fnm@yahoo.com

  43. vijay
    May 9th, 2011

    Hi Guys,

    Please send me the latest dump to vj21dx@yahoo.com.sg.
    Thank you so much!

  44. Noofaal
    May 10th, 2011

    usef bro please send me the latest dumps for ccna i am living in saudi arabia so please also

    make a note that the dumps were also valid in saudi arabia !!!

    i am going for the exam in 2 weeks in between ( 10 may to 20 may )

    my id >> noofaal@yahoo.com
    thanks !!!

  45. Noofaal
    May 10th, 2011

    santosh bro please send me the latest dumps also !!!

    my id >> noofaal@yahoo.com

    thanks !!! and waiting

  46. Kayden
    May 10th, 2011

    HI,

    Can anyone explains why the wild/mask is 0.0.0.15 for 192.168.15.32, Qns1?

  47. ogryzek
    May 11th, 2011

    @Kayden
    You have to convert into binary
    192.168.15.32 0.0.0.15

    0 0 1 0 0 0 0 0 – 32
    +
    0 0 0 0 1 1 1 1 – 15
    =
    0 0 1 0 1 1 1 1 – 47

    Everything that is denied is between 32 and 47

  48. Kayden
    May 11th, 2011

    Hi Ogryzek,

    Thanks. Would you be able to explain how we get the wild mask as 0.0.015? thanks

  49. Sk
    May 12th, 2011

    Hi first of all many thanks to 9tut.com & careercert.info … cleared CCNA today got 900/1000 …got EIGRP, ACL2 and VTP & studied Actual Test 640-802 v4.2_Q647 …. Few questions were tricky so better understand concepts before appearing to exam ….. All the best to all … moving to CCNP :) ….

  50. Amish Patel
    May 12th, 2011

    i am little bit confused in ACL when to use in/out?
