CCNA – Access List Questions
Here you will find answers to CCNA Access list questions
Note: If you are not sure about how to use Access list, please read my Access list tutorial
Question 1
Your boss is learning a CCNA training course, refer to the exhibit. The access list has been configured on the S0/0 interface of router RTB in the outbound direction. Which two packets, if routed to the interface, will be denied? (Choose two)
access-list 101 deny tcp 192.168.15.32 0.0.0.15 any eq telnet
access-list 101 permit ip any any
A. source ip address: 192.168.15.5; destination port: 21
B. source ip address: 192.168.15.37; destination port: 21
C. source ip address: 192.168.15.41; destination port: 21
D. source ip address: 192.168.15.36; destination port: 23
E. source ip address: 192.168.15.46; destination port: 23
F. source ip address: 192.168.15.49; destination port: 23
Answer: D E
Explanation
First we notice that telnet uses port 23 so only D, E & F can satisfy this requirement.
The purpose of this access list is to deny traffic from network 192.168.15.32 255.255.255.240 (to find the subnet mask, just convert every “0” bit to “1” and every “1” bit to “0” in the wildcard mask) to telnet to any device. So we need to figure out the range of this network to learn which IP addresses will be denied.
Increment: 16
Network address: 192.168.15.32
Broadcast address: 192.168.15.47
-> Only 192.168.15.36 (Answer D) & 192.168.15.46 (Answer E) belong to this range, so they are the correct answers.
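The range check above, as an added example that is not part of the original page: a Python sketch that applies the wildcard mask the way the ACL does (a wildcard bit of 0 must match, a bit of 1 is ignored) to the six options. The function names are illustrative, and the option packets are assumed to be TCP.

```python
import ipaddress

def to_int(addr):
    """Dotted-quad string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))

def wildcard_match(addr, base, wildcard):
    """True if addr matches base under a Cisco wildcard mask.

    Wildcard bit 0 = the bit must equal the base; bit 1 = don't care.
    """
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(addr) & care) == (to_int(base) & care)

def wildcard_range(base, wildcard):
    """First and last address matched by a contiguous wildcard mask."""
    wc = to_int(wildcard)
    first = to_int(base) & ~wc & 0xFFFFFFFF
    return (str(ipaddress.IPv4Address(first)),
            str(ipaddress.IPv4Address(first | wc)))

# Options A-F from Question 1: (label, source address, destination port)
PACKETS = [
    ("A", "192.168.15.5", 21), ("B", "192.168.15.37", 21),
    ("C", "192.168.15.41", 21), ("D", "192.168.15.36", 23),
    ("E", "192.168.15.46", 23), ("F", "192.168.15.49", 23),
]

def denied_by_acl_101(packets):
    """Labels hit by: deny tcp 192.168.15.32 0.0.0.15 any eq telnet.

    Everything else falls through to 'permit ip any any'.
    Assumption: all option packets are TCP.
    """
    return [label for label, src, dport in packets
            if dport == 23 and wildcard_match(src, "192.168.15.32", "0.0.0.15")]

if __name__ == "__main__":
    print(wildcard_range("192.168.15.32", "0.0.0.15"))
    print(denied_by_acl_101(PACKETS))
```

Option B shows why both conditions matter: 192.168.15.37 is inside the matched range, but its destination port is 21, so the deny entry does not apply.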
Question 2
Refer to the graphic. It has been decided that PC1 should be denied access to Server. Which of the following commands are required to prevent only PC1 from accessing Server1 while allowing all other traffic to flow normally? (Choose two)
A – Router(config)# interface fa0/0
Router(config-if)# ip access-group 101 out
B – Router(config)# interface fa0/0
Router(config-if)# ip access-group 101 in
C – Router(config)# access-list 101 deny ip host 172.16.161.150 host 172.16.162.163
Router(config)# access-list 101 permit ip any any
D – Router(config)# access-list 101 deny ip 172.16.161.150 0.0.0.255 172.16.162.163 0.0.0.0
Router(config)# access-list 101 permit ip any any
Answer: B C
Question 3
Refer to the exhibit. Why would the network administrator configure RA in this manner?
A. to give students access to the Internet
B. to prevent students from accessing the command prompt of RA
C. to prevent administrators from accessing the console of RA
D. to give administrators access to the Internet
E. to prevent students from accessing the Internet
F. to prevent students from accessing the Admin network
Answer: B
Explanation
Although the access list is used to “permit” network 10.1.1.0/24, the best answer here is “to prevent students from accessing the command prompt of RA”. From the picture above, we know that 10.1.1.0/24 is the “Admin” network. This access list is applied to “line vty 0 4” so it will permit only Telnet traffic from “Admin” to RA while dropping all other traffic (because of the implicit “deny all” command at the end of the access list). Therefore we can deduce that it will “prevent students from accessing the command prompt of RA”.
This access list only filters Telnet traffic (because it is applied to the vty lines) so it will not prevent or allow anyone to access the Internet -> A, D, E are not correct.
C is not correct as this access list allows administrators to access the console of RA.
F is not correct as this access list does not process TCP, UDP or IP traffic, so the students can still access the Admin network.
(Notice that the “command prompt” here implies telnet as telnet is the only way to remotely access RA)
Question 4
An access list was written with the four statements shown in the graphic. Which single access list statement will combine all four of these statements into a single statement that will have exactly the same effect?
A. access-list 10 permit 172.29.16.0 0.0.0.255
B. access-list 10 permit 172.29.16.0 0.0.1.255
C. access-list 10 permit 172.29.16.0 0.0.3.255
D. access-list 10 permit 172.29.16.0 0.0.15.255
E. access-list 10 permit 172.29.0.0 0.0.255.255
Answer: C
Explanation
The four statements above allow 4 networks (from 172.29.16.0/24 to 172.29.19.0/24) to go through, so we can summarize them as network 172.29.16.0/22.
/22 = 255.255.252.0, so it equals 0.0.3.255 when converted into a wildcard mask -> C is correct.
A, B, D are not correct as their wildcard masks are wrong. For example:
Answer A allows from 172.29.16.0 to 172.29.16.255
Answer B allows from 172.29.16.0 to 172.29.17.255
Answer D allows from 172.29.16.0 to 172.29.31.255
Both the network address and wildcard mask of answer E are wrong as it allows the whole major network 172.29.0.0/16 to go through.
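The summarization above, as an added example that is not part of the original page: Python's ipaddress module collapses the four /24 networks named in the explanation into one block and compares each answer option against them. The four original statements are reconstructed from the explanation (the graphic is not on the page), and the function names are illustrative.

```python
import ipaddress

# The four networks named in the explanation: 172.29.16.0/24 .. 172.29.19.0/24
ORIGINAL = [ipaddress.ip_network(f"172.29.{n}.0/24") for n in range(16, 20)]

# Answer options as (base address, wildcard mask)
OPTIONS = {
    "A": ("172.29.16.0", "0.0.0.255"),
    "B": ("172.29.16.0", "0.0.1.255"),
    "C": ("172.29.16.0", "0.0.3.255"),
    "D": ("172.29.16.0", "0.0.15.255"),
    "E": ("172.29.0.0", "0.0.255.255"),
}

def summarize(networks):
    """Collapse adjacent networks into (base, wildcard) statements."""
    return [(str(n.network_address), str(n.hostmask))
            for n in ipaddress.collapse_addresses(networks)]

def option_range(base, wildcard):
    """First and last address a contiguous wildcard statement matches."""
    # ip_network() accepts the host-mask (wildcard) form after the slash.
    net = ipaddress.ip_network(f"{base}/{wildcard}")
    return str(net[0]), str(net[-1])

def same_effect(base, wildcard, networks):
    """True if one statement matches exactly the addresses of the originals."""
    net = ipaddress.ip_network(f"{base}/{wildcard}")
    return list(ipaddress.collapse_addresses(networks)) == [net]

def exact_options():
    """Labels of the options that neither under- nor over-match."""
    return [k for k, (b, w) in OPTIONS.items() if same_effect(b, w, ORIGINAL)]

if __name__ == "__main__":
    print(summarize(ORIGINAL))
    for label, (base, wc) in OPTIONS.items():
        print(label, option_range(base, wc), same_effect(base, wc, ORIGINAL))
```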
Question 5
A network administrator wants to add a line to an access list that will block only Telnet access by the hosts on subnet 192.168.1.128/28 to the server at 192.168.1.5. What command should be issued to accomplish this task?
A – access-list 101 deny tcp 192.168.1.128 0.0.0.15 192.168.1.5 0.0.0.0 eq 23
access-list 101 permit ip any any
B – access-list 101 deny tcp 192.168.1.128 0.0.0.240 192.168.1.5 0.0.0.0 eq 23
access-list 101 permit ip any any
C – access-list 1 deny tcp 192.168.1.128 0.0.0.255 192.168.1.5 0.0.0.0 eq 21
access-list 1 permit ip any any
D – access-list 1 deny tcp 192.168.1.128 0.0.0.15 host 192.168.1.5 eq 23
access-list 1 permit ip any any
Answer: A
Explanation:
First, the question asks to block only Telnet access, so the port we have to use is 23 -> C is not correct.
Next we need to block traffic from hosts on the subnet 192.168.1.128/28, which is 192.168.1.128 0.0.0.15 if we convert to a wildcard mask (just invert all bits of the subnet mask, from 0 to 1 and from 1 to 0, and we will get the equivalent wildcard mask of that subnet mask) -> so B is incorrect.
In this case, we have to use an extended access list because we need to specify which type of traffic (TCP) and which port (23) we want to block -> so D is incorrect because it uses a standard access list.
Question 6
As a network administrator, you have been instructed to prevent all traffic originating on the LAN from entering the R2 router. Which of the following commands would implement the access list on the interface of the R2 router?
A – access-list 101 in
B – access-list 101 out
C – ip access-group 101 in
D – ip access-group 101 out
Answer: C
Question 7
The following access list was applied outbound on the E0 interface connected to the 192.169.1.8/29 LAN:
access-list 135 deny tcp 192.169.1.8 0.0.0.7 eq 20 any
access-list 135 deny tcp 192.169.1.8 0.0.0.7 eq 21 any
How will the above access lists affect traffic?
A – FTP traffic from 192.169.1.22 will be denied
B – No traffic, except for FTP traffic will be allowed to exit E0
C – FTP traffic from 192.169.1.9 to any host will be denied
D – All traffic exiting E0 will be denied
E – All FTP traffic to network 192.169.1.9/29 will be denied
Answer: D
Explanation:
There is always an implicit “deny all” command at the end of every access list, so if an access list doesn’t have any “permit” command, it will block all the traffic.
Note: This access list is applied in the outbound direction, so only packets exiting E0 will be checked. Packets entering E0 will not be checked and they are all allowed to pass through.
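The implicit deny described above, as an added example that is not part of the original page: a Python sketch of top-down, first-match evaluation of access-list 135. The sample packets are constructed for illustration, and the function names are illustrative.

```python
import ipaddress

def _i(addr):
    return int(ipaddress.IPv4Address(addr))

def _match(addr, base, wildcard):
    care = ~_i(wildcard) & 0xFFFFFFFF   # wildcard 0-bits must match
    return (_i(addr) & care) == (_i(base) & care)

# access-list 135 from Question 7: action, protocol, source, wildcard,
# source port. The destination is "any" in both entries.
ACL_135 = [
    ("deny", "tcp", "192.169.1.8", "0.0.0.7", 20),
    ("deny", "tcp", "192.169.1.8", "0.0.0.7", 21),
]

def evaluate(acl, proto, src, sport):
    """Return (action, reason) for one packet.

    Entries are tested top-down and the first match wins. If no entry
    matches, the implicit deny at the end of every ACL applies.
    """
    for n, (action, a_proto, base, wc, a_sport) in enumerate(acl, 1):
        if proto == a_proto and sport == a_sport and _match(src, base, wc):
            return action, f"entry {n}"
    return "deny", "implicit deny"

# Constructed sample packets exiting E0: (protocol, source, source port)
SAMPLES = [
    ("tcp", "192.169.1.9", 21),      # hits the second deny entry
    ("tcp", "192.169.1.9", 49152),   # same host, different port
    ("tcp", "192.169.1.22", 21),     # outside 192.169.1.8 - 192.169.1.15
    ("udp", "10.0.0.1", 53),         # unrelated traffic
]

def verdicts(acl, packets):
    return [evaluate(acl, *p) for p in packets]

def permitted(acl, packets):
    """Packets the ACL lets through (none, when there is no permit entry)."""
    return [p for p in packets if evaluate(acl, *p)[0] == "permit"]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLES, verdicts(ACL_135, SAMPLES)):
        print(pkt, "->", verdict)
```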
Question 8
The access control list shown in the graphic has been applied to the Ethernet interface of router R1 using the ip access-group 101 in command. Which of the following Telnet sessions will be blocked by this ACL? (Choose two)
A – from host PC1 to host 5.1.1.10
B – from host PC1 to host 5.1.3.10
C – from host PC2 to host 5.1.2.10
D – from host PC2 to host 5.1.3.8
Answer: B D
Explanation
Below is the simple syntax of an extended access list:
access-list access-list-number {deny | permit} {ip|tcp|udp|icmp} source [source-mask] dest [dest-mask] [eq dest-port]
Notice that this access list is applied to the Ethernet interface of R1 in the “in” direction, so in this case it will filter all the packets originating from the E1 network (hosts PC1 and PC2) with these parameters:
Source network: 5.1.1.8 0.0.0.3, which means 5.1.1.8 with subnet mask 255.255.255.252 (just invert all the wildcard bits to get the equivalent subnet mask) -> Packets from 5.1.1.8 to 5.1.1.11 will be filtered.
Destination network: 5.1.3.0 0.0.0.255, which means 5.1.3.0/24 -> Packets to 5.1.3.0/24 will be filtered.
Therefore packets originating from 5.1.1.8 to 5.1.1.11 and destined for a host 5.1.3.x (via Telnet) will be denied.
Question 9
The following configuration line was added to router R1
Access-list 101 permit ip 10.25.30.0 0.0.0.255 any
What is the effect of this access list configuration?
A – permit all packets matching the first three octets of the source address to all destinations
B – permit all packets matching the last octet of the destination address and accept all source addresses
C – permit all packets matching the host bits in the source address to all destinations
D – permit all packets from the third subnet of the network address to all destinations
Answer: A
Hey I really like this site so I wanted to elaborate and inform everyone regarding a question that was asked on Cisco Learning Network and the response. Link is below, the question concerns potential changes May 14-15 timeframe. Question was asked May 4, response on the 5th.
https://learningnetwork.cisco.com/docs/DOC-4976#/?page=10
Anyone have further info they would like to share?
I will be writing the exam next month. Can anyone send me the latest dump of 640-802?
Thanks in advance.
ACL direction is determined by traffic direction: from host to router = inbound; from router to host = outbound.
I am confused about how to invert the wildcard bits to the equivalent subnet mask. Please, can anyone explain?
Thanks
@Steevs: You should read my Access list tutorial, there is a part talking about how to invert subnet mask into wildcard mask: http://www.9tut.com/access-list-tutorial/2
Can someone please explain Question#8? Shouldn’t (a) 5.1.1.10 be denied?
Can someone explain how we get the wildcard mask as 0.0.0.15? Thanks
for question 1
acl questions
1
Your boss is learning a CCNA training course, refer to the exhibit. The access list has been configured on the S0/0 interface of router RTB in the outbound direction. Which two packets, if routed to the interface, will be denied? (Choose two)
This question, help please. I don't understand why there is no IP 192.168.15.32 with port 23,
or am I understanding the question wrong?
Help please.
Question 8 has the wrong answer. The correct answer is A.
Q 8
Ans B D
hi guys i am going to take the test in to days please send latest dump if i need some help pleeeeeeeees my e mail is zanshah12@yahoo.com
in question 8, if mask is 255.255.255.252, then the networks are 5.1.1.0, 5.1.1.4, 5.1.1.8, 5.1.1.12, etc, so 5.1.1.8 is a network address, not valid for a host, isn’t it?
Hi Guys,
This site is just awesome. I am going to take the CCNA exam this coming June 9, 2011, hope you can send me more information to pass the exam. My email address is jaybeeoas@yahoo.com.
Thank you very much.
JB
@Steevs & kayden:
We can convert a subnet mask to a wildcard mask easily by:
WC = 255 – SM,
where WC is the wildcard mask and SM is the subnet mask. Example:
SM = 255.255.255.240, so WC is: 0.0.0.15
SM = 255.255.255.192, so WC is: 0.0.0.63
SM = 255.255.248.0, so WC is: 0.0.7.255
and so on :)
“desiagui=
in question 8, if mask is 255.255.255.252, then the networks are 5.1.1.0, 5.1.1.4, 5.1.1.8, 5.1.1.12, etc, so 5.1.1.8 is a network address, not valid for a host, isn’t it?”
I think you misunderstand the wildcard mask. The wildcard mask is not a simple inverse of the subnet mask.
The wildcard mask just matches bits. So, according to the statement “access-list 101 deny tcp 5.1.1.8 0.0.0.3 5.1.3.0 0.0.0.255 eq telnet”, it means
“deny telnet connections originating from 5.1.1.8, 5.1.1.9, 5.1.1.10, 5.1.1.11 …”
Thanks to everyone and 9tut, one more that is pass4sure
I took the test today and passed
Hi, I passed the test. I had VTP, EIGRP and access list in there
This ACL concepts are very useful since i am going to write my CCNA Certification exam on 27.5.2011. Thank you very much
Hi guys,
I passed my CCNA exam today! Thanks to 9tut, this site helps me a lot!!!
EIGRP, VTP and Access List is on my lab….
hi..friends, I plan to give exam in 5 days , please friend send me latest dump on my email id please .. please… my id – urmish_gadhia@yahoo.com pleas mention the simulation thank u friends in advanced…
Guys any one to help me, i will be taking my CCNA on 3rd June , any one to help me with a dump? send to eliasaphnkamukunda@yahoo.com
Hi
Taking ccna on monday, could anyone send me the latest dumps at
raykelly2305@yahoo.ie
Hi all,
I’M taking my exam mid june, please help with latest dumps.But so far this site is the best.
My email Sean.rammutla@standardbank.co.za
Can you explain to me why in question 7 he said at the end: “If we use the command “access-list 135 permit ip any any” at the end of this access list then the answer should be C – FTP traffic from 192.169.1.9 to any host will be denied”
but in the question they said that the ACL was applied outbound on E0, which is connected to the LAN, so it means that the ACL will have no effect because it should be E0 in
Please , those who passed the exam ,write more info for the labs: the conditions ot the 3 simulations.
Thank you so much in advance!
I’m taking my ICND1 exam mid june, please help with latest dumps!
My email mainroc@optonline.net
thx
hi we have completed our CCNA Examination…WE HAVE GOT 973/1000 and 933/1000..
Most thanks to Mr.abdhul vahid-our CCNA Trainer
And also thanks to MR.SYED working in Maznet solution…gandhipurm cbe…
Hi I am taking the ccna exam on mid of june can anyone give me the latest dumps pls…thanks
Dear Sati….Now the CCNA Questions were updated…So be careful before Attend the Examination
Vahid…ji..ca u find out…….Riyas(Afsal Riyas)
Dear Lehna no need to worry about the lab..Accesslist and EIGRP will definitly come in exam and VTP sim also..so must prepare for those labs…
hi em taking the ccna exam on june plz can any one send me the latest dums..
sheikh.farhal@hotmail.com
Hi Guys
I’M taking my CCNA exam on 16 of June 2011, please help with latest dumps
this is my email Address : mohamed.ahh@hotmail.com
many thanks
hi !! i am planning exam in july , Will you please send me the latest
dumps to malalesr@yahoo.com
hi All,
I’m going to sit exam in two weeks time could you all please provide latest dump to uvaraja_rj@yahoo.com.Tq Tq…
im planing to write ccna these week cn any one provide me a new dumps.
Taking CCNA soon please email any dump questions. Thanks
send it to mfathy_n@yahoo.com
please send it to my WRUSSELL06@YAHOO.COM
thks
what do i have to do to do these SIMS as nothing happens when i click
hi guys,
i am going to write ccna exam on next month 26th , pls tel me how i have to prepare for my exam . am very much confused in that.
Hey guys, I just passed the CCNA exam. Actually it’s not as difficult as you guys think, just practice all the questions here and be familiar with the lab sims, the 3 of them came out in mine. But you have to practice them and know the reasons for each answer because the answers may change, about 8 changed in mine
Big thanks to 9tut….
for the latest dumps……..check this site “examcollection.com/640-802.html”
hi guys.. will take my exam this june 27… hoping you can email me any helpful tools wizard_mage_98@yahoo.com
Will be writing CCNA Exam in a week time i will appreciate a good samarithan should assit me with the latest dumps. Kindly send the dumps to oke_skyus@yahoo.com
i have completed my ccna becoz of my jeni…lot of thanks jeni…
I have been working towards getting my CCNA for the past year. I’ve never yet taken the exam, I have test anxiety and hope to do so by the end of the summer. I’d appreciate any dumps, links or tips that others have found helpful. Please send to progandlog2@yahoo.com
Thanks very much in advance for any assistance you good folks are willing to provide.
Q1 : access-list 101 deny tcp 192.168.15.32 0.0.0.15 any eq telnet but local LAN is /29 ….. it should be /28 or in STATEMENT wildcard should be 0.0.0.7 …
hi i m taking my CCNA exam very soon. Please Please help me out with latest dumps>>>> my email add: niranjan_baral@hotmail.com
hi Guys !!! i m taking the CCNA exam very soon. Can someone help me with the latest dumps plsss
my email : kushtrimhamza@hotmail.com