
CCNA Training » CCNA Access List Sim


CCNA Access List Sim
October 25th, 2010

Question

An administrator is trying to ping and telnet from Switch to Router with the results shown below:

Switch>
Switch> ping 10.4.4.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.4.4.3, timeout is 2 seconds:
.U.U.U
Success rate is 0 percent (0/5)
Switch>
Switch> telnet 10.4.4.3
Trying 10.4.4.3 …
% Destination unreachable; gateway or host down
Switch>

Click the console connected to Router and issue the appropriate commands to answer the questions.

Answer and Explanation:

For this question we only need to use the show running-config command to answer all the questions below.


1/2/2011 CCNA Training » CCNA Access List Sim

www.9tut.com/70-ccna-access-list-sim 1/11


Router>enable
Router#show running-config


Question 1:

Which will fix the issue and allow ONLY ping to work while keeping telnet disabled?

A – Correctly assign an IP address to interface fa0/1
B – Change the ip access-group command on fa0/0 from “in” to “out”
C – Remove access-group 106 in from interface fa0/0 and add access-group 115 in.
D – Remove access-group 102 out from interface s0/0/0 and add access-group 114 in
E – Remove access-group 106 in from interface fa0/0 and add access-group 104 in

Answer: E

Explanation:

Let’s have a look at the access list 104:


The question does not ask about ftp traffic, so we don’t care about the first two lines. The 3rd line denies all telnet traffic and the 4th line allows icmp traffic to be sent (ping). Remember that access list 104 is applied in the inbound direction, so the 5th line “access-list 104 deny icmp any any echo-reply” will not affect our icmp traffic, because the “echo-reply” message will be sent in the outbound direction.

Question 2:

What would be the effect of issuing the command ip access-group 114 in to the fa0/0 interface?

A – Attempts to telnet to the router would fail
B – It would allow all traffic from the 10.4.4.0 network
C – IP traffic would be passed through the interface but TCP and UDP traffic would not
D – Routing protocol updates for the 10.4.4.0 network would not be accepted from the fa0/0 interface

Answer: B

Explanation:

From the output of access-list 114, “access-list 114 permit ip 10.4.4.0 0.0.0.255 any”, we can easily see that this access list allows all (ip) traffic from the 10.4.4.0/24 network.

Question 3:

What would be the effect of issuing the command access-group 115 in on the s0/0/1 interface?

A – No host could connect to Router through s0/0/1
B – Telnet and ping would work but routing updates would fail.
C – FTP, FTP-DATA, echo, and www would work but telnet would fail
D – Only traffic from the 10.4.4.0 network would pass through the interface

Answer: A

Explanation:

First let’s see what was configured on interface S0/0/1:


Recall that each interface only accepts one access-list, so using the command “ip access-group 115 in” on the s0/0/1 interface will overwrite the initial access-list 102. Therefore any telnet connection will be accepted (so we can eliminate answer C).

B is not correct because if telnet and ping can work then routing updates can, too.

D is not correct because access-list 115 does not mention the 10.4.4.0 network. So the most reasonable answer is A.

But this raises a question…

The wildcard mask of access-list 115, which is 255.255.255.0, means that only hosts with IP addresses of the form x.x.x.0 will be accepted. But we all know that x.x.x.0 is likely to be a network address, so answer A, “no host could connect to Router through s0/0/1”, seems right…

But what will happen if we don’t use a subnet mask of 255.255.255.0? For example we can use an IP address of 10.45.45.0 255.255.0.0; a host with that IP address exists and we can connect to the router through that host. Now answer A seems incorrect!
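As an added example (not from the 9tut page or the sim's router config), this small Python model of IOS ACL evaluation reproduces the reasoning behind all three answers: Cisco wildcard-mask matching, first-match-wins processing, and the implicit deny at the end. The ACL 104 and 115 entries are reconstructed from the explanation; the switch address 10.4.4.2 and the 0.0.0.0 base address in ACL 115 are assumptions.

```python
import ipaddress
# Constructed model, not the 9tut page's config: IOS evaluates an ACL top-down,
# the first matching entry wins, and an unmatched packet hits the implicit
# "deny ip any any". Entry layout: (action, proto, src, src_wc, dst, dst_wc, qualifier)
# where qualifier is a TCP port ("eq"), an ICMP type, or None for plain "ip".

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard bits: 0 = must match the base address, 1 = don't care."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

def evaluate(acl, pkt):
    """Return 'permit' or 'deny' for pkt = {proto, src, dst, qualifier}."""
    for action, proto, src, swc, dst, dwc, qual in acl:
        if proto != "ip" and proto != pkt["proto"]:
            continue                      # protocol mismatch, try next entry
        if not (wildcard_match(pkt["src"], src, swc) and wildcard_match(pkt["dst"], dst, dwc)):
            continue                      # address mismatch, try next entry
        if qual is not None and qual != pkt.get("qualifier"):
            continue                      # port / ICMP type mismatch
        return action                     # first match wins, evaluation stops here
    return "deny"                         # implicit deny at the end of every ACL

ANY = ("0.0.0.0", "255.255.255.255")      # the "any" keyword as base + wildcard
# ACL 104, lines 3-5 as the explanation describes them (the two ftp lines are omitted)
ACL_104 = [
    ("deny",   "tcp",  *ANY, *ANY, 23),            # deny tcp any any eq telnet
    ("permit", "icmp", *ANY, *ANY, "echo"),        # lets ping requests in
    ("deny",   "icmp", *ANY, *ANY, "echo-reply"),  # never matches inbound pings
]
# ACL 114 exactly as quoted on the page, followed only by the implicit deny
ACL_114 = [("permit", "ip", "10.4.4.0", "0.0.0.255", *ANY, None)]
# ACL 115: the page gives only the wildcard 255.255.255.0; base 0.0.0.0 is an assumption
ACL_115 = [("permit", "ip", "0.0.0.0", "255.255.255.0", *ANY, None)]

def packet(proto, src, dst, qualifier=None):
    return {"proto": proto, "src": src, "dst": dst, "qualifier": qualifier}

if __name__ == "__main__":
    # Switch address 10.4.4.2 is assumed; router fa0/0 is 10.4.4.3 as in the sim
    print("Q1 ping via 104  :", evaluate(ACL_104, packet("icmp", "10.4.4.2", "10.4.4.3", "echo")))
    print("Q1 telnet via 104:", evaluate(ACL_104, packet("tcp", "10.4.4.2", "10.4.4.3", 23)))
    print("Q2 telnet via 114:", evaluate(ACL_114, packet("tcp", "10.4.4.2", "10.4.4.3", 23)))
    print("Q2 other subnet  :", evaluate(ACL_114, packet("udp", "10.9.9.9", "10.4.4.3", 520)))
    print("Q3 10.45.45.0    :", evaluate(ACL_115, packet("icmp", "10.45.45.0", "10.45.45.1", "echo")))
    print("Q3 10.45.45.2    :", evaluate(ACL_115, packet("icmp", "10.45.45.2", "10.45.45.1", "echo")))
    print("Q3 EIGRP hello   :", evaluate(ACL_115, packet("eigrp", "10.45.45.2", "224.0.0.10")))
```

The last three lines show the Question 3 debate from the comments: an x.x.x.0 source passes ACL 115, an ordinary host address does not, and a routing-protocol hello from that host is dropped by the implicit deny.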

Please comment if you have any idea for this sim!


Comments

1. Abe, December 3rd, 2010

On Question 2

What would be the effect of issuing the command ip access-group 114 in to the fa0/0 interface?

A – Attempts to telnet to the router would fail
B – It would allow all traffic from the 10.4.4.0 network
C – IP traffic would be passed through the interface but TCP and UDP traffic would not
D – Routing protocol updates for the 10.4.4.0 network would not be accepted from the fa0/0 interface

The access-list is access-list 114 permit ip 10.4.4.0 0.0.0.255 any

There is no permit any any


So there is an explicit deny at the end.

Would B still be correct?

2. Vikas, December 4th, 2010

@ Abe: Yes, B is still the correct answer. ACLs filter sequentially.

So considering implicit deny at the end our access-list will be like this:

access-list 114 permit ip 10.4.4.0 0.0.0.255 any
access-list 114 deny ip 10.4.4.0 any any

It means if a host from network 10.4.4.0 sends any traffic to any IP address, the 1st permit line will be executed. An ACL execution is stopped when it matches any line in the ACL, so it will not read the deny line and stops after matching the first line of the ACL.

3. Abe, December 4th, 2010

@ Vikas

Thanks

4. Chris, December 12th, 2010

@Vikas
It can not be “access-list 114 deny ip 10.4.4.0 any any”. The implicit deny at the end of an access-list is like that:
access-list 114 deny ip any any

5. samehesk, December 16th, 2010

In question 3 I think the right answer is D, because the access list on the serial interface s0/0/1 is applied in, which means traffic going in, but the traffic coming out, which is coming from interface f0/0 from network 10.4.4.0, will pass. Am I right?

6. Dhivyaa, December 16th, 2010

@samehesk

D may not be the right option as it says only 10.4.4.0 traffic passes through. Traffic other than 10.4.4.0 can also pass through as there is no ACL applied on the outbound direction on s0/0/1.

7. Vnpro(nbh), December 19th, 2010


For question 3, I think B is correct, because only address x.x.x.0 can pass, so the broadcast update addresses of routing protocols can’t pass. (RIPv1: 255.255.255.255, RIPv2: 224.0.0.9, OSPF: 224.0.0.5/.6, EIGRP: 224.0.0.10)

8. Jasmin Patel, December 20th, 2010

for question 3:

We can consider option A as the only answer compared to the other available answers, which are quite wrong. So option A is a comparatively true answer but conceptually it’s not necessarily true. Because “what will happen if we don’t use a subnet mask of 255.255.255.0? For example we can use an ip address of 10.45.45.0 255.255.0.0, such a host with that ip address exists and we can connect to the router through that host. Now answer A seems incorrect!” (As explained above)

9. samehesk, December 20th, 2010

@Dhivyaa

For question 3 I think D is correct because the traffic from the LAN 10.4.4.0 can pass in the out direction. As I said, we have interface f0/1 shutdown. We have interface s0/0/0; I have a doubt about this one, but it has access list 102 in the in direction and it has a subinterface connected to a frame relay. I am not sure if traffic can be routed to the s0/0/1 in the out direction or not. But if A was correct he could have used deny any if he wants to deny all hosts.

10. Mr-abc, December 20th, 2010

Hi guys,

I try to understand the first question but have no idea why the answer is E. Can someone shed some light please?

Much appreciated.

Thanks.

11. Mr-abc, December 20th, 2010

Sorry forgot to mention Question 1:

12. prabu, December 22nd, 2010

Access-list 104 denied the Telnet… Then how can you access telnet? Once you remove that line, access-list 104 deny tcp any (host) any (destination) eq telnet, you are able to telnet.

13. sello, December 22nd, 2010

Hi everyone, pls, can I get a link like 9tut for those in Juniper networks. I want to write my JNCIA ER next week. 9tut, thanks for what you are doing for CCNA candidates. pls, need a quick response

14. Chris, December 22nd, 2010

Let me explain why the answer for the 3rd question is A. Access-list 115 would permit only traffic coming from IP addresses like x.x.x.0. But if you check the routing table of the router you can see there are only /24 routes and no gateway of last resort. So no host with IP address x.x.x.0 will be able to get an answer from the router, as the router will consider it a network address or it won’t find it in the routing table.

15. Vnpro(nbh), December 23rd, 2010

@Chris:

What happens if Router connects to another RouterX through s0/0/1, and RouterX connects to a network with prefix-length /16? The result is that there are many hosts with IP address x.x.x.0 connected to RouterX that can connect to Router through s0/0/1. Right?

16. Chris, December 23rd, 2010

I think the question refers to the current network layout.

17. Vnpro(nbh), December 24th, 2010

In the current network layout, interface s0/0/1 doesn’t connect to any exact router, which means it connects to a large network.

18. Chris, December 25th, 2010

interface S0/0/1 has IP address 10.45.45.1/24, so it’s only a /24 out there :)

19. Vnpro(nbh), December 25th, 2010

If they want to refer to /24, the current layout will show RouterX connected to Router. In this case, they hide it, and we must think about large

Coming back to my answer, B is the perfect choice here. Because ping and telnet may not work for a /24 prefix, but they can pass through a network with a different prefix, the first statement is correct, “telnet and ping would work”, for example 192.168.0.0/23 (IP address 192.168.1.0/23). But all routing updates will be denied by interface s0/0/1. Routing updates of routing protocols use multicast IP 224.0.0.x with x#0, so the second statement is also correct, “routing updates fail”.

20. Chris, December 25th, 2010


Now I think I understand what you were trying to say: that out there might be another router, let’s assume its IP address 10.45.45.2/24, running for example EIGRP, and advertising a /23 route like 192.168.0.0/23. Ok, I admit you might be right about this, but I would wait for somebody to bump into this lab on his/her exam and issue a “show ip route” command at the console of the router to see what prefixes are in the routing table, then share the output here, as a comment. I guess the output will shed some light onto this question :)


Copyright © 2010 CCNA Training
