
CCNA – Access List Questions

May 1st, 2011

Here you will find answers to CCNA access list questions.

Note: If you are not sure how to use access lists, please read my Access list tutorial.

Question 1

Your boss is taking a CCNA training course. Refer to the exhibit. The access list has been configured on the S0/0 interface of router RTB in the outbound direction. Which two packets, if routed to the interface, will be denied? (Choose two)


access-list 101 deny tcp 192.168.15.32 0.0.0.15 any eq telnet
access-list 101 permit ip any any

A. source ip address: 192.168.15.5; destination port: 21
B. source ip address: 192.168.15.37; destination port: 21
C. source ip address: 192.168.15.41; destination port: 21
D. source ip address: 192.168.15.36; destination port: 23
E. source ip address: 192.168.15.46; destination port: 23
F. source ip address: 192.168.15.49; destination port: 23

 

Answer: D E

Explanation

First we notice that telnet uses port 23 so only D, E & F can satisfy this requirement.

The purpose of this access list is to deny hosts on network 192.168.15.32 255.255.255.240 from telnetting to any device (to find the subnet mask, invert the wildcard mask: change every “0” bit to “1” and every “1” bit to “0”). So we need to work out the address range of this network to learn which IP addresses will be denied.

Increment: 16
Network address: 192.168.15.32
Broadcast address: 192.168.15.47

-> Only 192.168.15.36 (Answer D) & 192.168.15.46 (Answer E) belong to this range, so they are the correct answers.
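
The same range check done in code, as an added example that is not part of the original page: it inverts the wildcard mask, derives the matched range, and tests each answer option against the deny entry of access list 101. The function names are illustrative and all six options are assumed to be TCP packets.

```python
import ipaddress

def ip_int(addr):
    """Dotted-quad string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))

def int_ip(value):
    return str(ipaddress.IPv4Address(value))

def wildcard_to_mask(wildcard):
    """Invert every bit of the wildcard mask to get the subnet mask."""
    return int_ip(ip_int(wildcard) ^ 0xFFFFFFFF)

def wildcard_match(addr, base, wildcard):
    """True if addr equals base on every bit where the wildcard bit is 0."""
    care = ip_int(wildcard) ^ 0xFFFFFFFF
    return (ip_int(addr) & care) == (ip_int(base) & care)

def matched_range(base, wildcard):
    """First and last address matched; only defined for contiguous wildcards."""
    w = ip_int(wildcard)
    if w & (w + 1):
        raise ValueError("wildcard is not a contiguous run of low-order 1 bits")
    first = ip_int(base) & (w ^ 0xFFFFFFFF)
    return int_ip(first), int_ip(first | w)

# The six answer options of Question 1: (label, source address, destination port)
OPTIONS = [
    ("A", "192.168.15.5", 21), ("B", "192.168.15.37", 21),
    ("C", "192.168.15.41", 21), ("D", "192.168.15.36", 23),
    ("E", "192.168.15.46", 23), ("F", "192.168.15.49", 23),
]

def denied_options(options):
    """Options hit by: deny tcp 192.168.15.32 0.0.0.15 any eq telnet (port 23).
    Everything else falls through to 'permit ip any any' (TCP assumed)."""
    return [label for label, src, dport in options
            if dport == 23 and wildcard_match(src, "192.168.15.32", "0.0.0.15")]

if __name__ == "__main__":
    print(wildcard_to_mask("0.0.0.15"))
    print(matched_range("192.168.15.32", "0.0.0.15"))
    print(denied_options(OPTIONS))
```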

Question 2

Refer to the graphic. It has been decided that PC1 should be denied access to Server. Which of the following commands are required to prevent only PC1 from accessing Server1 while allowing all other traffic to flow normally? (Choose two)


A – Router(config)# interface fa0/0
Router(config-if)# ip access-group 101 out
B – Router(config)# interface fa0/0
Router(config-if)# ip access-group 101 in
C – Router(config)# access-list 101 deny ip host 172.16.161.150 host 172.16.162.163
Router(config)# access-list 101 permit ip any any
D – Router(config)# access-list 101 deny ip 172.16.161.150 0.0.0.255 172.16.162.163 0.0.0.0
Router(config)# access-list 101 permit ip any any

 

Answer: B C

 

Question 3

Refer to the exhibit. Why would the network administrator configure RA in this manner?


A. to give students access to the Internet
B. to prevent students from accessing the command prompt of RA
C. to prevent administrators from accessing the console of RA
D. to give administrators access to the Internet
E. to prevent students from accessing the Internet
F. to prevent students from accessing the Admin network

 

Answer: B

Explanation

Although the access list is used to “permit” network 10.1.1.0/24, the best answer here is “to prevent students from accessing the command prompt of RA”. From the exhibit, we know that 10.1.1.0/24 is the “Admin” network. This access list is applied to “line vty 0 4”, so it will permit only Telnet traffic from “Admin” to RA while dropping all other traffic (because of the implicit “deny all” at the end of the access list). Therefore we can deduce that it will “prevent students from accessing the command prompt of RA”.

This access list only filters Telnet traffic (because it is applied to the vty lines), so it will not prevent or allow anyone to access the Internet -> A, D, E are not correct.

C is not correct as this access list allows administrators to access the console of RA.

F is not correct as this access list does not process TCP, UDP or IP traffic, so the students can still access the Admin network.

(Notice that the “command prompt” here implies telnet as telnet is the only way to remotely access RA)

Question 4

An access list was written with the four statements shown in the graphic. Which single access list statement will combine all four of these statements into a single statement that will have exactly the same effect?


A. access-list 10 permit 172.29.16.0 0.0.0.255
B. access-list 10 permit 172.29.16.0 0.0.1.255
C. access-list 10 permit 172.29.16.0 0.0.3.255
D. access-list 10 permit 172.29.16.0 0.0.15.255
E. access-list 10 permit 172.29.0.0 0.0.255.255

 

Answer: C

Explanation

The four statements above permit 4 networks (from 172.29.16.0/24 to 172.29.19.0/24), so we can summarize them as network 172.29.16.0/22.

/22 = 255.255.252.0, which is 0.0.3.255 as a wildcard mask -> C is correct.

A, B, D are not correct as their wildcard masks are wrong. For example:
Answer A allows 172.29.16.0 to 172.29.16.255
Answer B allows 172.29.16.0 to 172.29.17.255
Answer D allows 172.29.16.0 to 172.29.31.255

Both the network address and wildcard mask of answer E are wrong, as it allows the whole major network 172.29.0.0/16 to go through.
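
The summarization can be checked mechanically. The following is an added example, not part of the original page: it computes the smallest single statement covering the four networks and grades each answer option against them. It assumes the missing graphic holds four /24 permits for 172.29.16.0 through 172.29.19.0, as the explanation states, and that wildcards are contiguous; the function names are illustrative.

```python
import ipaddress

def to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def to_str(value):
    return str(ipaddress.IPv4Address(value))

def span(base, wildcard):
    """(first, last) address matched by a contiguous 'base wildcard' pair."""
    w = to_int(wildcard)
    first = to_int(base) & (w ^ 0xFFFFFFFF)
    return first, first | w

def summarize(entries):
    """Smallest single 'base wildcard' pair that covers every entry."""
    spans = [span(b, w) for b, w in entries]
    lo = min(s[0] for s in spans)
    hi = max(s[1] for s in spans)
    wildcard = (1 << (lo ^ hi).bit_length()) - 1   # every bit that varies
    return to_str(lo & (wildcard ^ 0xFFFFFFFF)), to_str(wildcard)

def classify(candidate, entries):
    """Compare one candidate statement with the (non-overlapping) entries."""
    lo, hi = span(*candidate)
    spans = [span(b, w) for b, w in entries]
    wanted = sum(last - first + 1 for first, last in spans)
    if not all(lo <= first and last <= hi for first, last in spans):
        return "too narrow"          # at least one original network is missed
    return "exact" if hi - lo + 1 == wanted else "too wide"

# Assumed content of the graphic, per the explanation: four /24 permits.
FOUR = [("172.29.%d.0" % n, "0.0.0.255") for n in (16, 17, 18, 19)]

# The answer options of Question 4.
CANDIDATES = {
    "A": ("172.29.16.0", "0.0.0.255"),
    "B": ("172.29.16.0", "0.0.1.255"),
    "C": ("172.29.16.0", "0.0.3.255"),
    "D": ("172.29.16.0", "0.0.15.255"),
    "E": ("172.29.0.0", "0.0.255.255"),
}

def grade():
    return {label: classify(c, FOUR) for label, c in CANDIDATES.items()}

if __name__ == "__main__":
    print(summarize(FOUR))
    print(grade())
```

A summary that comes out "too wide" is the case to watch for in practice: with only three of the four networks, `summarize` still returns 0.0.3.255, which permits one network more than intended.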

Question 5

A network administrator wants to add a line to an access list that will block only Telnet access by the hosts on subnet 192.168.1.128/28 to the server at 192.168.1.5. What command should be issued to accomplish this task?

A – access-list 101 deny tcp 192.168.1.128 0.0.0.15 192.168.1.5 0.0.0.0 eq 23
access-list 101 permit ip any any
B – access-list 101 deny tcp 192.168.1.128 0.0.0.240 192.168.1.5 0.0.0.0 eq 23
access-list 101 permit ip any any
C – access-list 1 deny tcp 192.168.1.128 0.0.0.255 192.168.1.5 0.0.0.0 eq 21
access-list 1 permit ip any any
D – access-list 1 deny tcp 192.168.1.128 0.0.0.15 host 192.168.1.5 eq 23
access-list 1 permit ip any any

 

Answer: A

Explanation:

First the question asks to block only Telnet access so the port we have to use is 23 -> C is not correct.

Next we need to block traffic from hosts on the subnet 192.168.1.128/28, which is 192.168.1.128 0.0.0.15 in wildcard-mask form (just invert all bits of the subnet mask, from 0 to 1 and from 1 to 0, to get the equivalent wildcard mask) -> so B is incorrect.

In this case, we have to use an extended access list because we need to specify which type of traffic (TCP) and which port (23) we want to block -> so D is incorrect because it uses a standard access list.

Question 6

As a network administrator, you have been instructed to prevent all traffic originating on the LAN from entering the R2 router. Which of the following commands would implement the access list on the interface of the R2 router?


 

A – access-list 101 in
B – access-list 101 out
C – ip access-group 101 in
D – ip access-group 101 out

 

Answer: C

Question 7

The access list below was applied outbound on the E0 interface connected to the 192.169.1.8/29 LAN:

access-list 135 deny tcp 192.169.1.8 0.0.0.7 eq 20 any
access-list 135 deny tcp 192.169.1.8 0.0.0.7 eq 21 any

How will the above access lists affect traffic?

A – FTP traffic from 192.169.1.22 will be denied
B – No traffic, except for FTP traffic, will be allowed to exit E0
C – FTP traffic from 192.169.1.9 to any host will be denied
D – All traffic exiting E0 will be denied
E – All FTP traffic to network 192.169.1.9/29 will be denied

 

Answer: D

Explanation:

There is always an implicit “deny all” at the end of every access list, so if an access list doesn’t have any “permit” statement, it will block all traffic.

Note: This access list is applied in the outbound direction, so only packets exiting E0 will be checked. Packets entering E0 will not be checked and are all allowed to pass through.
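
To see the implicit deny at work, here is an added example (not part of the original page): a small first-match evaluator that parses the two lines of access list 135 and reports which entry decides each packet. It handles only the simplified syntax used on this page with numeric ports; the sample packets and the extra "permit ip any any" line are constructed for contrast.

```python
import ipaddress

def ip(addr):
    return int(ipaddress.IPv4Address(addr))

def take_addr(tok):
    """Consume 'any' | 'host A' | 'A wildcard' and return (base, wildcard)."""
    first = tok.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return ip(tok.pop(0)), 0
    return ip(first), ip(tok.pop(0))

def take_port(tok):
    """Consume an optional 'eq <numeric port>'; None means any port."""
    if tok and tok[0] == "eq":
        tok.pop(0)
        return int(tok.pop(0))
    return None

def parse(line):
    tok = line.split()[2:]                  # drop 'access-list <number>'
    action, proto = tok.pop(0), tok.pop(0)
    src, sport = take_addr(tok), take_port(tok)
    dst, dport = take_addr(tok), take_port(tok)
    return action, proto, src, sport, dst, dport

def hit(addr, spec):
    base, wildcard = spec
    return ((ip(addr) ^ base) & (wildcard ^ 0xFFFFFFFF)) == 0

def evaluate(acl, proto, src, sport, dst, dport):
    """First matching entry wins; no match falls through to the implicit deny."""
    for number, line in enumerate(acl, 1):
        action, p, s, sp, d, dp = parse(line)
        if p not in ("ip", proto):
            continue
        if not (hit(src, s) and hit(dst, d)):
            continue
        if (sp is not None and sp != sport) or (dp is not None and dp != dport):
            continue
        return action, "line %d" % number
    return "deny", "implicit deny"

ACL_135 = [
    "access-list 135 deny tcp 192.169.1.8 0.0.0.7 eq 20 any",
    "access-list 135 deny tcp 192.169.1.8 0.0.0.7 eq 21 any",
]
WITH_PERMIT = ACL_135 + ["access-list 135 permit ip any any"]  # added for contrast

# Constructed sample packets: (proto, src, sport, dst, dport)
PACKETS = [
    ("tcp", "192.169.1.9", 21, "10.0.0.1", 40000),    # source port 21, listed range
    ("tcp", "10.0.0.1", 51000, "192.169.1.10", 80),   # web request toward the LAN
    ("udp", "10.0.0.1", 53, "192.169.1.10", 33000),   # DNS reply toward the LAN
]

def verdicts(acl):
    return [evaluate(acl, *pkt) for pkt in PACKETS]
```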

Question 8

The access control list shown in the graphic has been applied to the Ethernet interface of router R1 using the ip access-group 101 in command. Which of the following Telnet sessions will be blocked by this ACL? (Choose two)


A – from host PC1 to host 5.1.1.10
B – from host PC1 to host 5.1.3.10
C – from host PC2 to host 5.1.2.10
D – from host PC2 to host 5.1.3.8

 

Answer: B D

Explanation

Below is the simple syntax of an extended access list:

access-list access-list-number {deny | permit} {ip|tcp|udp|icmp} source [source-mask] dest [dest-mask] [eq dest-port]

Notice that this access list is applied to the Ethernet interface of R1 in the “in” direction, so in this case it will filter all packets originating from the E1 network (hosts PC1 and PC2) with these parameters:

Source network: 5.1.1.8 0.0.0.3, which means 5.1.1.8 255.255.255.252, i.e. 5.1.1.8/30 (just invert all the wildcard bits to get the equivalent subnet mask) -> Packets from 5.1.1.8 to 5.1.1.11 will be filtered.

Destination network: 5.1.3.0 0.0.0.255, which means 5.1.3.0/24 -> Packets to 5.1.3.0/24 will be filtered.

Therefore packets originating from 5.1.1.8 to 5.1.1.11 and destined for a host 5.1.3.x (via Telnet) will be denied.

Question 9

The following configuration line was added to router R1

Access-list 101 permit ip 10.25.30.0 0.0.0.255 any

What is the effect of this access list configuration?
A – permit all packets matching the first three octets of the source address to all destinations
B – permit all packets matching the last octet of the destination address and accept all source addresses
C – permit all packets matching the host bits in the source address to all destinations
D – permit all packets from the third subnet of the network address to all destinations

 

Answer: A

Comments
  1. Newbie
    July 28th, 2011

    Does anybody know if the simulation in the actual exam allows the test-taker to simply pick the answer without entering any statement, or is the statement required in order to find out the answer for those labs? Can someone please confirm how simulations are tested in the actual exam?

    Thanks

    Newbie

  2. aspireccna
    July 29th, 2011

    Hello, somebody help me to pass my CCNA exam on August 7. Please send me the latest dump. Here is my email: neiransphinxs@hotmail.com.

  3. aspireccna
    July 29th, 2011

    Hello, somebody help me to pass my CCNA exam on August 7. Please send me the latest dump. Here is my email: neiransphinxs@hotmail.com.

    thank you.

  4. 9tut
    July 30th, 2011

    @robbie: Please have a look at the right side menu bar on the top. You will see my sites for CCNP & CCNA Wireless there.

  5. Lotta
    July 30th, 2011

    A bit surprised it seems too simple and yet useful.

  6. paul
    July 30th, 2011

    Great site, thank you, really helped. Passed the exam today. 3 sims: ACL, EIGRP, NAT; the rest multiple choice. On to CCDA.

  7. aluddin mohammed
    July 30th, 2011

    Can somebody send me the latest dump… here is my email: alishabus@msn.com

  8. nannddddeee
    July 31st, 2011

    Is there any change in the CCNA course from the last three years?

  9. Morganie
    August 1st, 2011

    I’m taking the CCNA exam on the 7th of August, can anyone send me the latest dumps, so I can practice before then? Or a link to the dumps. God bless ya’ll.
    It’s urgent so help ASAP…thanks.
    my email address: morganie2002@yahoo.com

  10. Kenny
    August 2nd, 2011

    Pls can anybody send me the latest dumps because I am planning to do my CCNA very soon

  11. Kenny
    August 2nd, 2011

    Pls can anybody send me the latest dumps because I am planning to do my CCNA exams very soon. Here is my email: kadeshina57@yahoo.com

  12. keny
    August 2nd, 2011

    Pls can anybody send me the latest dumps because I am planning to do my CCNA exams very soon. Here is my email: keny4real5@yahoo.co.uk

  13. ceha77
    August 3rd, 2011

    Hi guys… I will take the CCNA exam in two weeks, can anyone give me a CCNA dump? Please send to my email: falkondohape@yahoo.com
    wish me luck…..
    thx…..

  14. Gbenga
    August 3rd, 2011

    Happy new month everybody. I’m planning to write my ccna in the next 3 wks. Can somebody send me the latest dump? my email address is talk2gbepat@yahoo.com

  15. joseph onuonga
    August 3rd, 2011

    Hi guys can someone tell me the latest dumps i can use to pass my CCNA exams

  16. joseph onuonga
    August 3rd, 2011

    my e-mail address is okothlog@yahoo.com

  17. Dream
    August 3rd, 2011

    hello, i want to give this exam in the month of aug: can anyone please send the latest dumps, i heard many people just giving and uploading fake dumps.. please i’ll be thankful to you all..

    weeping_eyez@hotmail.com

    send dumps to this Id. thanks in advance

  18. Bree
    August 4th, 2011

    please send me the latest dumps at bwgrandison@yahoo.com Would be much appreciated Thanks

  19. Sachin
    August 4th, 2011

    Thanks 9tut, I passed my exam today. I got eigrp, acl. For eigrp as number and network of central router. Best of luck….

  20. Newbie
    August 4th, 2011

    @Sachin

    Is the Eigrp Lab similar to the one on this website? Can you please share your experience with us here?

    By the way, does anybody here know what happened to the website http://www.examcollection.com? When I tried to access it, the web page displayed the following message “It Works!” Anyone know what’s going on?

  21. abhish
    August 5th, 2011

    Hi, I am writing the exam next month, can you help me with how I should prepare and send me new dumps
    my email id abhishathu@gmail.com

  22. Pinus
    August 5th, 2011

    Hi,

    Please send me the latest dump of the CCNA examination. Please send it to apinus3@gmail.com.

    Please send it ASAP since I’m going to write an examination

  23. shweta arora
    August 5th, 2011

    hi 9tut can u plz explain me Q. no.1

  24. 9tut
    August 6th, 2011

    @shweta arora: I updated the explanation of Q. no 1, please check.

  25. Anonymous
    August 6th, 2011

    If I may ask a favor, I would very much appreciate it if someone can share the latest dump and mail to: ‘barca4eever@yahoo.com’. May our CCNA journey continue to grow broader.

    Thank you very very much!

  26. vinie
    August 7th, 2011

    Great! Thx 9Tut

  27. Stefano
    August 8th, 2011

    i got a question about nat this is the link of the image with the related question :
    http://imageshack.us/photo/my-images/40/immaginetoh.png/

    i think the answer given is wrong can u please confirm me if the right answer is:

    INSIDE LOCAL = 172.16.1.23 (can’t understand why he places router’s interface as inside local…)
    INSIDE GLOBAL = 209.165.201.30
    OUTSIDE LOCAL & GLOBAL = 128.77.188.166

  28. Stefano
    August 8th, 2011

    here is the correct link to the question (I hope it’s correct this time)
    http://hotfile.com/dl/126204348/b780093/Immagine.png.html

  29. Stefano
    August 8th, 2011

    seems i can’t share….. :SAD: :(

  30. arunesh
    August 10th, 2011

    I am too much confused about inbound and outbound. I am not able to get when to apply inbound and outbound to an interface. So pls anyone clear it up please………….

  31. annie1106@gmail.com
    August 10th, 2011

    I will take the CCNA on August 30, can anyone send me the latest dump
    thank you so much

  32. mizuri
    August 11th, 2011

    @arunesh….1st remember that access-lists are applied through traffic passing thru a router….if it is applied in2 an interface entering in2 a router from the source ip then it is called inbound…but if it is applied in2 a router’s interface leaving 2 the destination, then it is called outbound….e.g in the figure in Question 3, if u want 2 block any host from Students LAN from accessing a host in Admin Lan, if we apply the access-list on interface fa0/1 of the router then it is inbound (traffic entering the router)…but if we apply on fa1/1 then it is outbound (i.e traffic leaving the router)

  33. delorean1981
    August 12th, 2011

    On Question 1, the LANs off RTB are /29 but the ACL represents a .240 subnet. If the answers are to remain D and E, the IP range off the .40 LAN should be changed and subnets on both LANs should be changed to /28.

  34. delorean1981
    August 12th, 2011

    @grayhat

    ‘a host is sending packet to another host on a different network , what is the first action that the anding host will take ‘

    The keywords here are ‘different network’ so the ARP request has already been processed. Answer A would be the correct answer, mate.

  35. Abhi
    August 15th, 2011

    Please can anyone email me the latest dumps… thanks… in.abhijit@gmail.com

  36. al
    August 16th, 2011

    HI guys am Al am taking an exams by the end of this month can any one give me a 90% question????
    thank you

  37. al
    August 16th, 2011

    RE: HI guys am Al am taking my CCNA exams by the end of this month can any one give me a 90% question????

    thank you

  38. xallax
    August 16th, 2011

    hey al. please write your question in your language and ask someone to translate it to English. i’m not being rude, but it’s hard to understand what you really want.
    thanks

  39. al
    August 16th, 2011

    @xallax. Please which part of the above sentence you don’t understand. OK all am asking is that can someone please help me with a 90% CCNA dump. because am writing my final exams by the end of this month (August).
    thank you

  40. xallax
    August 16th, 2011

    @al
    you can try out all the VCEs on my site if you want to, they’re for icnd1, icnd2 and ccna. they cover all the concepts.
    http://www.tinyurl.com/xallaxvce

  41. raja
    August 17th, 2011

    hi friends,,,,,,,,,,,,anybody help me…..today only i saw this sim accl question…..is there all such like choose model…..but in the ccna also just like ah..?or we have to configure that model…../plz help me…..and send lastest dumps to my mail id sraja21888@gmail.com plzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz………………

  42. Anonymous
    August 19th, 2011

    Hi.. Please send the latest dumps on pooja_271987@yahoo.com

  43. Watchdog
    August 19th, 2011

    Hi Guys.. This site is so informative for people who are aspiring to pass the exam and has helped me a lot for an overview. Can anybody help me on getting the new dumps for the exam.. and how do these sims work? Do I need to set these up using packet tracer? or there is a real simulator? help please…. email at dagkung_kahoy@yahoo.com.. thank you guys..

  44. abdul rahim
    August 19th, 2011

    Please send me the latest dump to my email: rahimcontact@yahoo.in
    I would really appreciate it if someone sends me the latest dumps
    my exam is on 10 Sep 2011….so please help me ….
    Thank you so much!

  45. mike
    August 19th, 2011

    Hello guys, can someone please send me the latest dump. My email is coco_mian@hotmail.com. Thanks in advance!!!

  46. Rohit
    August 20th, 2011

    Hey 9tut thank you very much …this is a great site….with lot of important information for CCNA …I passed my CCNA today 881/1000 ….the credit goes to you and Todd Lammle….
    ACS list/ eigrp/ VTP Sim were the same ……I used permit ip any any instead of using ip address
    of the public server(They didn’t provide the ip of the public server)….I had to write Acs list or host B
    God bless & regards,
    Rohit

  47. Shad
    August 21st, 2011

    Hi there,
    I have my CCNA exam 640-802, please send me the latest exam dumps if you have.
    askme05@hotmail.com

    Thanks

  48. Shad
    August 21st, 2011

    I have my CCNA exam 640-802 in two weeks time.
    Can someone please send me the latest exam dumps.
    askme05@hotmail.com

    Thanks

  49. Claudio from Chile
    August 25th, 2011

    Q6.
    Why should access group go like in if LAN is in ethernet?
    It should be access-group out in ethernet
