CCNA Access List Sim
Question
An administrator is trying to ping and telnet from Switch to Router with the results shown below:
Switch>
Switch> ping 10.4.4.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.4.4.3,timeout is 2 seconds:
.U.U.U
Success rate is 0 percent (0/5)
Switch>
Switch> telnet 10.4.4.3
Trying 10.4.4.3 …
% Destination unreachable; gateway or host down
Switch>
Click the console connected to Router and issue the appropriate commands to answer the questions.
Answer and Explanation
Note: If you are not sure about Access-list, please read my Access-list tutorial. You can also download this sim to practice (open with Packet Tracer) here: http://www.9tut.com/download/9tut.com_CCNA_Access_List_Sim.pkt
For this question we only need to use the show running-config command to answer all the questions below
Router>enable
Router#show running-config
Question 1:
Which will fix the issue and allow ONLY ping to work while keeping telnet disabled?
A – Correctly assign an IP address to interface fa0/1
B – Change the ip access-group command on fa0/0 from “in” to “out”
C – Remove access-group 106 in from interface fa0/0 and add access-group 115 in.
D – Remove access-group 102 out from interface s0/0/0 and add access-group 114 in
E – Remove access-group 106 in from interface fa0/0 and add access-group 104 in
Answer: E
Explanation:
Let’s have a look at the access list 104:
The question does not ask about ftp traffic so we don’t care about the two first lines. The 3rd line denies all telnet traffic and the 4th line allows icmp traffic to be sent (ping). Remember that the access list 104 is applied on the inbound direction so the 5th line “access-list 104 deny icmp any any echo-reply” will not affect our icmp traffic because the “echo-reply” message will be sent over the outbound direction.
Question 2:
What would be the effect of issuing the command ip access-group 114 in to the fa0/0 interface?
A – Attempts to telnet to the router would fail
B – It would allow all traffic from the 10.4.4.0 network
C – IP traffic would be passed through the interface but TCP and UDP traffic would not
D – Routing protocol updates for the 10.4.4.0 network would not be accepted from the fa0/0 interface
Answer: B
Explanation:
From the output of access-list 114: access-list 114 permit ip 10.4.4.0 0.0.0.255 any we can easily understand that this access list allows all traffic (ip) from 10.4.4.0/24 network
Question 3:
What would be the effect of issuing the command access-group 115 in on the s0/0/1 interface?
A – No host could connect to Router through s0/0/1
B – Telnet and ping would work but routing updates would fail.
C – FTP, FTP-DATA, echo, and www would work but telnet would fail
D – Only traffic from the 10.4.4.0 network would pass through the interface
Answer: A
Explanation:
First let’s see what was configured on interface S0/0/1:
Recall that each interface only accepts one access-list, so when using the command “ip access-group 115 in” on the s0/0/1 interface it will overwrite the initial access-list 102. Therefore any telnet connection will be accepted (so we can eliminate answer C).
B is not correct because if telnet and ping can work then routing updates can, too.
D is not correct because access-list 115 does not mention about 10.4.4.0 network. So the most reasonable answer is A.
But here raise a question…
The wildcard mask of access-list 115, which is 255.255.255.0, means that only host with ip addresses in the form of x.x.x.0 will be accepted. But we all know that x.x.x.0 is likely to be a network address so the answer A: “no host could connect to Router through s0/0/1” seems right…
But what will happen if we don’t use a subnet mask of 255.255.255.0? For example we can use an ip address of 10.45.45.0 255.255.0.0, such a host with that ip address exists and we can connect to the router through that host. Now answer A seems incorrect!
Please comment if you have any idea for this sim!
Other lab-sims on this site:
For Q3, the answer is obviously “A”.
Since the question states that S0/0/1 ip address is on class C network, the last octet to match ACL is 0 which is network address.
For Q1, are you sure it’s answer E ?
Cause if you apply Access-group 104, ICMP-Echo-Reply is denied. Don’t you need the reply for a successful ping ?
In my opinion, it should be answer B.
If you apply Access-group 106 out, it denies any telnet traffic from leaving the router, while the Echo-Reply is allowed and you would get a successful ping command.
@invetalcom
i think Acl 106 have implicit deny ip any any. That’s why ACL 104 can be right answer.
@invetalcom: The ACL is applied to the inbound interface. So if the echo-reply is received on the Fast interface, the packet will be discarded. The very reason for a echo-reply to come across Fast interface is the PING request from the router or the inside network which would send an echo request to the switch and echo-reply would arrive as a response.
It need not do anything with the ping request / ECHO request from the switch and ECHO reply to the switch.
Hello, for Q3, no protocol would be accepted because of the implicit deny any in the end right? ACL 115 doesn’t explicitly say to accept any telnet or ping. So the only thing to focus is the ip address and wildcard mask? Please explain.. Thanks.
hello everyone… can u clarify me on this thing…
for eigrp lab, is there a need to advertise the route for the ISP on the R1 router (the router connected to ISP router)?
pls information of cisco send in surajccna123@gmail.com and top institude in india send full information
PLZ I WANT CCNA SOFTWARE SO HOW TO DOWNLOAD PLZ TELL MEEEEE
@ Q1
hi all, the Q1 is not well explained, how do we come by the details of access-list 104?
i can`t see it from the output of the show running-config command up there
somebody please explain to me!!!!!
oh, my mistake i have seen the access-list sorry every body , am ok now
anyone got this question in the exam? any modifications to report? same questions? etc
About Q1, answer B:
Consider the telnet connection THROUGH the router (not TO the router).
For example, we connect another switch2 to router Fa0/1 interface and configure in like first Switch1.
Without “ip access-group 106 in” and without “ip access-group 106 out” in the router configuration, we can telnet from Switch1 to Switch2.
The telnet-packets with destination port 23 will go from Switch1 to Switch2, and then the packets with source port 23 will go back to Switch1.
If we configure “ip access-group 106 out” in the router, the backward telnet-packets from Switch2 to Switch1 with source port 23 will be blocked because of implicit “deny ip any any”.
Telnet connection THROUGH the router will be blocked, but telnet connection TO the router CLI will be permitted.
I configured “access-list 106 deny tcp any eq telnet any”, but the packets from router CLI to Switch1 with source port 23 are still permitted.
Maybe this is made for not to block telnet connection to Cisco devices.
P.S. sorry for my BAD English )))
Any comments to my previous message?
@fanat
so… you’ve removed the access-list filters. no wonder telnetting works from sw1 to sw2 and vice-versa :)
@xallax
You don`t understand.
I:
1) load this sim from 9tut.com and open it in Packet Tracer
2) add new Switch2 and connect it to Router Fa0/1
3) configure Router Fa0/1 with ip 10.5.5.3/24
4) configure Switch2 Vlan1 interface with ip 10.5.5.1/24 and it`s default gateway as 10.5.5.3
5) configure Router and Switch2 vty 0 4 lines with “password cisco” and “login”
6) configure “no ip access-group 106 in” on Router Fa0/0 interface
Now I can telnet from Switch1 to BOTH Router and Switch2 because all access lists are removed.
Then:
7) I configure “ip access-group 106 out” on Router Fa0/0 interface
And now I CANNOT telnet from Switch1 to Switch2 (forward packets will go from Switch1 to Switch2 through Router, and backward packets from Switch2 to Switch1 will be blocked on Router Fa0/0 outbound direction because of implicit “deny ip any any”).
At the same time I CAN telnet form Switch1 to Router (forward packets will go from Switch1 to Router, and backward packets from Router to Switch1 WILL NOT BE BLOCKED, but implicit “deny ip any any” remains)
Why? Am I wrong?
@fanat
yada yada yada
just upload your pkt file somewhere and post the link here so we can all have a look at your config :)
in question 3 we already have an access list so 102 access list is overwrite .and 115 access list does not work here.according t0 102 access list echo reply & telnet deny.and all other traffic is permitted so according to this concept option FTP, FTP-DATA, echo, and www would work but telnet would fail is valid.correct me if i am using wrong logic !!!!!!!!!!!
@xallax please give me answer
Just a comment, interfaces can accept just one access-list per direction, per direction, therefore we can assign two access-list(one In, one out) to the same interface
Sorry per direction, per address
@furqan
also remember that you can have one ACL per direction. 1 in, 1 out.
both acls are inbound .so 115 cannot be given.now give answer
@xallax i am waiting for your answer
@furqan
only hosts with the IP address ending in .0 could send data through the router.
as 9tut explains, this could be possible on class A and class B networks.
since we don’t have that option then we pick the next best one which is option A.
no, there won’t be any ftp, http, icmp traffic going on since the source will most likely not have an IP address that ends with 0
MY MISTAKE ,I WAS C0NFUSING WILDCARD MASK WITH SUBNET MASK.ANYWAYS I G0T THE P0INT THAT LAST 0CTAT IS WE CARE AB0UT & ITS ZER0.AND AS WE CANT ASSIGN NETW0RK ADDRESS T0 H0ST S0 N0 TRAFFIC FL0WS THR0UGH
@furqan
“ip access-group 115 in” overwrites the “acl 102 in” state at interface (you can check it by typing it in), so you get two rules applied to that interface:
1st allows all traffic from addresses that ends with .0 (255.255.255.0 wildcard) and
2nd denies everything else (implicit deny ip any any)
so that’s why there would be no connectivity
btw
@EVERYONE_WHO_LOOKS_FOR_DUMPS
there’s a huge dump collection on http://examcollection.com. Click on “Cisco” link and then search for 640-802
Oh, kinda slowpoke answer)
@xallax
http://dl.dropbox.com/u/15659109/9tut.com_CCNA_Access_List_Sim_WTF.pkt
Here’s modified sim, with problem which was told by Fanat123123, and I don’t understand why is there still full telnet connectivity from RouterC to SwitchC if we put 106 out on fa0/0, too
But that issue is lost when you move 106th acl on fa 0/0 in
@bogdan: ACL is not affected traffic generated by the router. Try to connect a host to Switch0 and to establish telnet connection with SwitchC. You will not able to connect.
I really dont understand the answer to Q1…(unless there is a typo?)
I cant see why Pings wouldn’t work anyway as it is with ACL106 on F0/0 of the router?
doesnt this line allow it..??
“access-list 106 permit icmp any any echo-reply”
@DrumGeek
that rule allows icmp replies that goes to router
in that situation router will be able to ping other network devices: it sends echo-requests through OUT interface, and get echo-replies through IN interface, but it won’t get any ping requests (cuz they are denied with implicit deny ip any any at the bottom of acl) – so it won’t answer with echo-reply, that will entail ping inaccessability of the router
hi
Q1
why i don’t use ACL 102 in instead of 104
thank y 9tut
@ibraham
yep indeed… actually you can use acl 102 in instead of 104. you can ping but can’t telnet.
but none of the answers mention acl 102. so stick it with answer D and “because the “echo-reply” message will be sent over the outbound direction”
sorry if i got it wrong :D
QUESTION 1 :
Remember that the access list 104 is applied on the inbound direction so the 5th line “access-list 104 deny icmp any any echo-reply” will not affect our icmp traffic because the “echo-reply” message will be sent over the outbound direction.
what does these last two lines means ,when it says “echo-reply” message will be sent over the outbound direction.
thanks
@ hamid
“echo-reply” is the answer for “ping” which is generated from router, and router will send the answer out from fa0/0.
Question 3.
as per my knowledge Wild card mask is the inverse of subnetmask so 255.255.255.0 wild card mask means 0.0.0.255 subnetmask, which is wrong subnetmask and all traffic will deny by implicit deny all…
Q3:-
the ans is ‘A’
–b’cus the access-list first apply is source ip + waildcard mask and the last apply is destination ip + waildcard mask……..
–access list 115 the first apply 0.0.0.0 255.255.255.0 is the source ip and the last apply any is destination ip……
Q3:
Doesn’t 0.0.0.0 255.255.255.0 mean the ip address range 0.0.0.0 – 0.0.0.255/24 ?
For Question 3 , acl 115 allows hosts in the 0 subnet, in the ip range of 0.0.0.1 – 0.0.0.254
The above comment “For Question 3 , acl 115 allows hosts in the 0 subnet, in the ip range of 0.0.0.1 – 0.0.0.254″ should be :
For Question 3 , acl 115 allows hosts in the 0 network, in the ip range of 0.0.0.1 – 0.0.0.254
which is not valid (I think).
Sorry about the confusion.
i tot that an access control list should look lyk this: access-list 100 permit ip 192.168.1.0 0.0.0.255 any…..am confused with an access-list that looks lyk this: access-list 100 permit ip 192.168.1.0 255.255.255.0 any…isn’t 255.255.255.0 a subnet mask not a wildcard mask?
0.0.0.0 mean this host only i see it after the ip not before
how it can be ?
Hi
i took the test yesterday basically everything is the same unfortunately i found this site the day before the test and failed have to retake anyway the eigrp sim and vtp sim are the same but there’s an access list sim where you have to give host D access to finance web server while blocking from accessing to anywhere else at the same time you have to block access hosts A,B and C from accessing to webserver and only access to the other webserver.
there’s 2 webservers (1for finance webserver and 1for webserver “dont remember name” those 2 webserver have a class B IPs)
4 hosts A,B,C and D connected to a switch and the switch connected to a Router (same router connecting the 2 web servers and a computer connected to the routers console
If anyone remember this sim can you help me please!!!! email mirazoboy@aol.com
BTW The LAN IP Used is a Class C
I can hardly remember the topology like this http://dl.dropbox.com/u/6887378/Access-list%20packet%20trace.pkt
MZO — Yes, I remember the problem — this is the problem that stopped me from passing.
I panicked. The pen I was given stopped writing. I write big and I take my time figure these things out. I believe the problem said something about 3 lines. I think that the answer has to do with placement (in or out) and implicit deny. Make your own example in packet tracer. Don’t worry about the names or the adddresses. Look at the flow. Look at what you want to block and what you want to allow. Practice so you dont panic
Q. 3
Access-list 115 permit ip 0.0.0.0 255.255.255.0
a wildcard mask.
Int s0/0/1 add. is 10.45.45.1 255.255.255.0
is it a wildcard mask?
means, according to ac-list, any add. first 3 octet may be any number, but the last octet no. must be 1.
anything wrong ! Please put your openion.
Thank-you.
God bless all. I am included too.
Hi,
i going to exam on 10th march and i have prepared only 9tut simulation ac anyone tll me it is sufficient or not.
Q3
personaly i dont know wich network mask match this wildcard…for me is a wrong subnet mask
255.255.255.0 means 10.45.45.1 0.0.0.255
there is somewhone out there who can answer this question 10.45.45.1/???
hi evryone i am new here am contemplating on doing my CCNA, please give me every required information i need to know will be higly appreciated.thanks
my emali add is aleroxgood@yahoo.com. thanks
hi every one i know am not really good but if you really check which i discovered, literally between access list 104 and 106 statement
here it is:
this is what i change and my switch was ping 10.4.4.3 how come did you guys confirm very well…. need urgent answer.
RouterC(config)#int fa0/0
RouterC(config-if)#ip acce
RouterC(config-if)#access-list 106 permit ip any any
RouterC(config)#end
and later configured>
RouterC(config)#int fa0/0
RouterC(config-if)#no ip access-group 104 in
RouterC(config-if)#ip access-group 106 in
RouterC(config-if)#end
RouterC#
%SYS-5-CONFIG_I: Configured from console by console
exit
and here was the ping result
SwitchC>ping 10.4.4.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.4.4.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/5/9 ms
ver good help
cisco X
q3– I think that this is very tricky because I didnt see the 255.255.255.0– originally I saw it as 255.255.255.255 — my mind did a trick on me
@all
plz help me in 2 eq. & give me correct ans…
Which command will show the MAC addresses of stations connected to switch ports?
A. show mac-address
B. show arp
C. show table
D. show switchport
Refer to the exhibit. After a RIP route is marked invalid on Router_1, how much time will elapse before that
route is removed from the routing table?
A. 30 seconds
B. 60 seconds
C. 90 seconds
D. 180 seconds
E. 240 seconds
Answer: B
plz send me correct ans???????????
friends plzzz read Drag and Drop Question…..b’case in the exam 5 ya 6 Drag and Drop Question in paper…
@RAJEN’
Which command will show the MAC addresses of stations connected to switch ports?
B. show arp
Refer to the exhibit. After a RIP route is marked invalid on Router_1, how much time will elapse before that route is removed from the routing table?
B. 60 seconds
Rajen
Which command will show the MAC addresses of stations connected to switch ports?
A. show mac-address
B. show arp
C. show table
D. show switchport
Answer : B
Refer to the exhibit. After a RIP route is marked invalid on Router_1, how much time will elapse before that route is removed from the routing table?
A. 30 seconds
B. 60 seconds
C. 90 seconds
D. 180 seconds
E. 240 seconds
Answer : E
Q1
I think the best explanation is that for using ping , you must use icmp echo…all ACLs here like 102 , 106 have permit for icmp echo-reply not echo itself, so the only ACL which has permit to echo is 104, and it must be defined as inbound to interface fa0/0 of router for accepting echo first then reply to that. So the best answer is E.
Which command will show the MAC addresses of stations connected to switch ports?
A. show mac-address
B. show arp
C. show table
D. show switchport
Answer : B
Refer to the exhibit. After a RIP route is marked invalid on Router_1, how much time will elapse before that route is removed from the routing table?
A. 30 seconds
B. 60 seconds
C. 90 seconds
D. 180 seconds
E. 240 seconds
ANS is 60 Seconds
@Rajen
Answer : B
The reason for selecting show arp instead of show mac-address is it is a router. Router don’t build mac address table it will show addresses in arp only.
====================================
ANS is 60 Seconds
180 is invalid timer by default and 240 is flush timer.. after 180 second router will wait for 60 sec than flush the route completely..
Since he’s trying to get an aneswr to his homework questions, you should give him the formula for figuring it out and not the aneswr only.The formula is (2^n)-2 where n = the number of bits you have available for hosts. So, the aneswr is (2^9)-2 or 512-2. That leaves you with 510 hosts.WG
passed ccna exam today with 960 mark
thanks 9tut and examcollection for the assist, you guys rock \m/
labs are vtp acl and eigrp
Goodluck to all ccna candidates!
Nice meeting you JEPOY and Congratulation, please can you help me with your dumps?
Looking forward to hearing from you.
iykethebest@yahoo.com
@ Jepoy wgich ACL problem? 1 or 2 ?
I am writng CCNA exam .I hav doubts .CCNA exam same quetions are coming or not ?
In simulations Plz Update any one
Hey Guys How are you all. i live in south Africa and will be writing my ccna 640-802 exam soon. if anybody has written it and has some advise for me can you email me at neeresh.ganesh@webmail.co.za i will appreciate your help and guidance in preparing me for this exam.
Kind Regards
Neeresh
any one want :
1-CCNP ROUTE Actual Test version 5.1,quick reference book ,portable command guide (FOR FREE)
2-CCNP SWITCH Actual Test version 5.1,quick reference book ,portable command guide(FOR FREE)
3-CCNP T.SHOOT Actual Test version 5.1,quick reference book ,portable command guide(FOR FREE)
4-A-CCNP ROUTE CBT NUGGETS(642-902)
B-CCNP SWITCH CBT NUGGETS(642-813)
C-CCNP T.SHOOOT CBT NUGGETS (642-832) ALL OF CBT Nuggerts series (FOR 50$)
email me at “hassanzuhair58@yahoo.com” and good luck for all of you
and ,just to explain my point of view ,when i took my ccnp course ,i bought the cbt nuggets and they cost me alot ,so this offer mainly for these series but if any one want the actuall test for free i will send it to him just e-mail me on the same email and of course thank to this website because of him i will not make a great score so thank you 9tut
Passed CCNA in US today using 9tut. Thanks for all the advice! For people wanting to take the exam, just go through all the modules here on 9tut. Dont bother with dumps, just go through all these questions and explanations. Here you will learn the thing you need to learn to answer the questions!
Dear Friends :
Tell me the Latest Dumps.I am going to write CCNA Exam in this MOnth
@ all
I’m going to take exam Wednesday, Pls tell me about latest Question in exam…