ccna training » ccna access list sim.pdf


Upload: minh-nguyen

Post on 12-Apr-2015


14/04/2013 CCNA Training » CCNA Access List Sim

www.9tut.com/70-ccna-access-list-sim 1/14


CCNA Access List Sim

July 10th, 2011

Question

An administrator is trying to ping and telnet from Switch to Router with the results shown below:

Switch>
Switch> ping 10.4.4.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.4.4.3,timeout is 2 seconds:
.U.U.U
Success rate is 0 percent (0/5)
Switch>
Switch> telnet 10.4.4.3
Trying 10.4.4.3 …
% Destination unreachable; gateway or host down
Switch>

Click the console connected to Router and issue the appropriate commands to answer the questions.

Answer and Explanation

Note: If you are not sure about Access-list, please read my Access-list tutorial. You can also download this sim to practice (open with Packet Tracer) here: http://www.9tut.com/download/9tut.com_CCNA_Access_List_Sim.pkt

For this question we only need to use the show running-config command to answer all the questions below:


Router>enable

Router#show running-config


Question 1:

Which will fix the issue and allow ONLY ping to work while keeping telnet disabled?

A – Correctly assign an IP address to interface fa0/1

B – Change the ip access-group command on fa0/0 from “in” to “out”

C – Remove access-group 106 in from interface fa0/0 and add access-group 115 in.

D – Remove access-group 102 out from interface s0/0/0 and add access-group 114 in

E – Remove access-group 106 in from interface fa0/0 and add access-group 104 in

Answer: E


Explanation:

Let’s have a look at the access list 104:

The question does not ask about FTP traffic, so we can ignore the first two lines. The 3rd line denies all telnet traffic and the 4th line allows icmp traffic to be sent (ping). Remember that access list 104 is applied in the inbound direction, so the 5th line “access-list 104 deny icmp any any echo-reply” will not affect our icmp traffic because the “echo-reply” message will be sent in the outbound direction.

Question 2:

What would be the effect of issuing the command ip access-group 114 in to the fa0/0 interface?

A – Attempts to telnet to the router would fail

B – It would allow all traffic from the 10.4.4.0 network

C – IP traffic would be passed through the interface but TCP and UDP traffic would not

D – Routing protocol updates for the 10.4.4.0 network would not be accepted from the fa0/0 interface

Answer: B

Explanation:

From the output of access-list 114: access-list 114 permit ip 10.4.4.0 0.0.0.255 any we can easily understand that this access list allows all traffic (ip) from the 10.4.4.0/24 network.

Question 3:

What would be the effect of issuing the command access-group 115 in on the s0/0/1 interface?

A – No host could connect to Router through s0/0/1

B – Telnet and ping would work but routing updates would fail.

C – FTP, FTP-DATA, echo, and www would work but telnet would fail

D – Only traffic from the 10.4.4.0 network would pass through the interface

Answer: A

Explanation:


First let’s see what was configured on interface S0/0/1:

Recall that each interface only accepts one access-list, so when using the command “ip access-group 115 in” on the s0/0/1 interface it will overwrite the initial access-list 102. Therefore any telnet connection will be accepted (so we can eliminate answer C).

B is not correct because if telnet and ping can work then routing updates can, too.

D is not correct because access-list 115 does not mention the 10.4.4.0 network. So the most reasonable answer is A.

But this raises a question…

The wildcard mask of access-list 115, which is 255.255.255.0, means that only hosts with IP addresses in the form x.x.x.0 will be accepted. But we all know that x.x.x.0 is likely to be a network address, so answer A: “no host could connect to Router through s0/0/1” seems right…

But what will happen if we don’t use a subnet mask of 255.255.255.0? For example, we can use an IP address of 10.45.45.0 255.255.0.0; a host with that IP address exists and we can connect to the router through that host. Now answer A seems incorrect!
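An added example (not from the original page or the sim): a minimal Python model of how an extended ACL is evaluated, covering the wildcard-mask matching and implicit deny behind Questions 2 and 3 and the first-match order behind Question 1. ACL 104 follows the show access-lists output quoted in the comments and ACL 114 is the line quoted above; the 0.0.0.0 base address of the 115-style entry and the test source addresses are assumptions, since the page gives only that list's wildcard mask.

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")  # "any": every address bit is ignored

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 0 bit must match the base, a 1 bit is ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def evaluate(acl, pkt):
    """Return the action of the first matching entry, else the implicit deny."""
    for action, proto, (base, wildcard), qualifier in acl:
        if proto not in ("ip", pkt["proto"]):      # "ip" covers tcp, udp, icmp
            continue
        if not wildcard_match(pkt["src"], base, wildcard):
            continue
        if qualifier is not None and qualifier != pkt["what"]:
            continue                               # port / ICMP type differs
        return action
    return "deny"  # the unseen "deny ip any any" that ends every ACL

# Entries: (action, protocol, source, port-or-ICMP-type). Every list here uses
# "any" as the destination, so the destination is not modelled.
ACL_104 = [
    ("permit", "tcp", ANY, "ftp"),
    ("deny", "tcp", ANY, "telnet"),
    ("permit", "icmp", ANY, "echo"),
    ("deny", "icmp", ANY, "echo-reply"),
    ("permit", "ip", ANY, None),
]
ACL_114 = [("permit", "ip", ("10.4.4.0", "0.0.0.255"), None)]
# Assumption: base address 0.0.0.0 paired with the wildcard 255.255.255.0.
ACL_115_STYLE = [("permit", "ip", ("0.0.0.0", "255.255.255.0"), None)]

def pkt(src, proto, what=None):
    return {"src": src, "proto": proto, "what": what}

if __name__ == "__main__":
    samples = [pkt("10.4.4.1", "icmp", "echo"),    # constructed test packets
               pkt("10.4.4.1", "tcp", "telnet"),
               pkt("10.45.45.0", "tcp", "telnet")]
    for name, acl in (("104", ACL_104), ("114", ACL_114),
                      ("115-style", ACL_115_STYLE)):
        for p in samples:
            print(name, p["src"], p["proto"], p["what"], "->", evaluate(acl, p))
```

The 115-style list permits 10.45.45.0 but drops 10.4.4.1 through the implicit deny, which is the x.x.x.0 behaviour the explanation describes.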

Please comment if you have any idea for this sim!


Comments


1. rajan maretha

February 23rd, 2013

pls send to me the ccna dumps.thanks in advance.

2. m


February 25th, 2013

Question 1:

Which will fix the issue and allow ONLY ping to work while keeping telnet disabled?

A – Correctly assign an IP address to interface fa0/1

B – Change the ip access-group command on fa0/0 from “in” to “out” <–seems to be correct

m.

3. NoDumps4You

February 26th, 2013

The easiest way to answer to Q3 is that there is an implicit deny at the end of the access list which we cannot see. Hence, all the traffic will be automatically blocked. I don’t know why people are writing gigantic answers just to answer Q3.

4. oshawkat-Sudan

March 2nd, 2013

regarding Q1

B-Change the ip access-group command on fa0/0 from “in” to “out”

not correct because this will allow telnet and ping as well.

5. EnthusiatCCNA

March 3rd, 2013

I downloaded the pkt, regarding the Q3 it did not override as I execute the command the s0/0/0 has now 2 ACL: ip access-group 115 in and ip access-group 102 out in the explanation it says override so in my understanding the first ACL will be read and the second ACL will just be ignored?


7. Ahmed

March 3rd, 2013

Does anyone out there have Packet Tracer 6 or later? Please send to [email protected]. My version (V5) does not support iBGP…I’m preparing for CCIE.

Thanks in advance.

8. CAHOP240

March 5th, 2013


@Enthusiast

Check your directions. You can only have 1 access list per interface, per protocol, per direction. You have two ACLs on your interface because one is facing in and the other is facing out. The original question has ACL 102 IN. If you apply ACL 115 IN it will overwrite ACL 102

9. going4CCNA

March 7th, 2013

is this lab subject to any changes during the exam? thank you very much.

10. Nera

March 8th, 2013

plz tell me any one……..??? do we need to change the ACLz on that router….? or we can just look at the ACLs and answer them…

11. Anonymous

March 14th, 2013

@9tut Vindicated!!! Um, by virtue of actually reading your last statement on Question 3! :P I downloaded the Packet Tracer sim and just moved all the answers from Q1-Q3 to a separate text box and attempted to answer them by myself. That was somewhat of a mistake since I didn’t have the actual multiple choice answers and issued a command to modify the ACL instead of the ACL interface assignment. Regardless, when I got to question three, this is what I wrote:

Q3: What would be the effect of issuing the command ip access-group 115 in on the s0/0/1 interface?

My Answer: It would allow any host in whose last octet was 0.

It seemed the most reasonable, precise answer I could think of. Perhaps you could save the current .pkt file as 9tut.com_CCNA_ACL_sim_question_Answered.pkt and place the multiple choice possibilities in 9tut.com_CCNA_ACL_sim_question.pkt file and zip them up like did with the NAT_sim_question. That would be my only request for this. Other than that, great lab. Thanks!

12. jv

March 18th, 2013

Q3: i setup a lab..

R1 ip 10.45.45.1/21 R2 ip 10.45.45.0/21 (direct connect)

yes the .0 can ping .1.. but look at the question and answers..

the answer “only traffic from NETWORK 10.4.4.0 would be allowed”

Look at the config, the 10.4.4.0 is a /24, would 10.4.4.1 be able to ping thru? nope..

Final answer, A..


13. Elyor

March 20th, 2013

(Hardcover) Do you need help in trying to pass the ICND1 and CCNA exams? If you do, then this book is for you! Author Wendell Odom, has done an outstanding job of writing the third edition of a book that is designed to make you much more knowledgeable about how to do your job. Author Odom, begins by providing a basic introduction for those who are brand new to networking. Then, the author introduces the terminology surrounding two different networking architectures: TCP/IP and OSI. Next, he covers the concepts and terms used for the most popular option for the data link layer for local-area networks, namely Ethernet. The author also covers the concepts and terms used for the most popular options for the data link layer for wide-area networks, including High-Level Data Link Control, the Point-to-Point Protocol and Frame Relay. He continues by introducing the basics of IP, including IP addressing and routing. Then, the author introduces the basics of TCP and UDP. Next, he shows you how to access, examine, and configure Cisco Catalyst LAN switches. The author also shows you how to configure a variety of switch features, including duplex and speed, port security, securing the CLI, and the switch IP address. He continues by focusing on how to tell if the switch is doing what it is supposed to be doing, mainly through the use of show commands. Then, the author explains the basic operation concepts of wireless LANs, along with addressing some of the most common security concerns. Next, he walks through the entire concept of subnetting, from starting with a Class A, B, or C network, analyzing requirements, making choices, calculating the resulting subnets, assigning those on paper, all in preparation to deploy and use those subnets by configuring the devices. The author also explores all things related to address classes and the IP network concept created by those classes. He continues by showing you how to quickly and easily convert between the formats, so you can practice before having to think more about what the mask does. Then, the author shows you how to look at the mask to discover key facts, like the size of subnet and the number of subnets in the network. Next, he shows you how to find and analyze the subnet in which that IP address resides, including finding the subnet ID, range of addresses in the subnet, and subnet broadcast address. The author also shows you how to find all of those subnet IDs, given a network number and a single mask used throughout the network. He continues by showing you how to configure IP addresses, static routes, and one routing protocol: RIP Version 2. Then, the author features a scenario that examines the IP packet forwarding process. Next, he covers the concepts of Network Address Translation. The author also focuses on a few small WAN configuration tasks, plus NAT configuration using Cisco Security Device Manager. Finally, he suggests a plan for final preparation once you have finished the core parts of the book, in particular explaining the many study options available in the book. This most excellent book uses several key methodologies to help you discover the exam topics on which you need more review; to help you fully understand and remember those details; and, to help you prove to yourself that you have retained your knowledge of those topics. Perhaps more importantly, this book does not try to help you pass the exams only by memorization, but by truly learning and understanding the topics.

14. adil

March 24th, 2013

@9tut

Question1: If we remove access-list 106 and use 102 in the same direction (IN), then it also gives the same result (i.e allow ping but deny telnet). Not sure how the exam will score it, but it seems to be valid option.


15. adil

March 24th, 2013

@9tut

More detail on my point. I first used access-list 102. The ping attempts matched “permit ip any any line”

RouterC(config-if)#do show acc
Extended IP access list 102
    permit tcp any any eq ftp
    deny tcp any any eq telnet (12 match(es))
    deny icmp any any echo-reply
    permit ip any any (5 match(es))
—-output omitted——-

============================

Then I removed 102 and used 104. In this case ping attempts matched the “permit icmp any any echo”

RouterC(config-if)#do show acc
Extended IP access list 102
    permit tcp any any eq ftp
    deny tcp any any eq telnet (12 match(es))
    deny icmp any any echo-reply
    permit ip any any (5 match(es))
Extended IP access list 104
    permit tcp any any eq ftp
    deny tcp any any eq telnet (12 match(es))
    permit icmp any any echo (5 match(es))
    deny icmp any any echo-reply
    permit ip any any

16. GJ

March 27th, 2013

@9Tute

Question 3:

What would be the effect of issuing the command access-group 115 in on the s0/0/1 interface?

***** Is it “access-group 115 in” or “ip access-group 115 in”

If “access-group 115 in” is the CMD, the old “ip access-group 102 in” will not be overwritten

17. GJ

March 27th, 2013

if so Ans is C


18. dd

March 29th, 2013

how many questions are there for this ACL lab in the real test?

19. dd

March 29th, 2013

how many questions for this ACL lab in the real test?

20. mazhar hussain

April 3rd, 2013

please someone send me licensed version of visual_certexam_suite_setup. I am thankful to you. My mailing add: [email protected].
