CCNA Access List Sim
Question

An administrator is trying to ping and telnet from Switch to Router with the results shown below:
Switch>
Switch> ping 10.4.4.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.4.4.3, timeout is 2 seconds:
.U.U.U
Success rate is 0 percent (0/5)
Switch>
Switch> telnet 10.4.4.3
Trying 10.4.4.3 …
% Destination unreachable; gateway or host down
Switch>
Click the console connected to Router and issue the appropriate commands to answer the questions.
Answer and Explanation
Note: If you are not sure about access lists, please read my access list tutorial. You can also download this sim to practice (open it with Packet Tracer) here: http://www.9tut.com/download/9tut.com_CCNA_Access_List_Sim.pkt
For this question we only need the show running-config command to answer all of the questions below:
Router>enable
Router#show running-config



Question 1:
Which will fix the issue and allow ONLY ping to work while keeping telnet disabled?
A – Correctly assign an IP address to interface fa0/1
B – Change the ip access-group command on fa0/0 from “in” to “out”
C – Remove access-group 106 in from interface fa0/0 and add access-group 115 in.
D – Remove access-group 102 out from interface s0/0/0 and add access-group 114 in
E – Remove access-group 106 in from interface fa0/0 and add access-group 104 in
Answer: E
Explanation:
Let’s have a look at the access list 104:

The question does not ask about FTP traffic, so the first two lines do not matter here. The 3rd line denies all telnet traffic and the 4th line permits the ICMP traffic that ping sends, so the echo requests from the Switch reach the Router. Remember that access list 104 is applied in the inbound direction on fa0/0: it is checked only against packets entering the Router on that interface. The 5th line, "access-list 104 deny icmp any any echo-reply", therefore does not affect our ping, because the echo-reply the Router sends back to the Switch leaves fa0/0 in the outbound direction and is never checked against an inbound list. (That line would drop echo-replies arriving from the Switch, i.e. the Router itself could no longer ping the Switch, but that is not what the question asks.)
Question 2:
What would be the effect of issuing the command ip access-group 114 in to the fa0/0 interface?
A – Attempts to telnet to the router would fail
B – It would allow all traffic from the 10.4.4.0 network
C – IP traffic would be passed through the interface but TCP and UDP traffic would not
D – Routing protocol updates for the 10.4.4.0 network would not be accepted from the fa0/0 interface
Answer: B
Explanation:
The output of access list 114 is a single line, "access-list 114 permit ip 10.4.4.0 0.0.0.255 any", which permits all IP traffic from the 10.4.4.0/24 network. Since "ip" covers TCP, UDP and ICMP alike, answer C is wrong; nothing in the list singles out telnet (A) or routing updates sourced from 10.4.4.0 (D); and traffic from any other source simply hits the implicit deny at the end of the list.
Question 3:
What would be the effect of issuing the command access-group 115 in on the s0/0/1 interface?
A – No host could connect to Router through s0/0/1
B – Telnet and ping would work but routing updates would fail.
C – FTP, FTP-DATA, echo, and www would work but telnet would fail
D – Only traffic from the 10.4.4.0 network would pass through the interface
Answer: A
Explanation:
First let’s see what was configured on interface S0/0/1:

Recall that an interface accepts only one IP access list per direction, so issuing "ip access-group 115 in" on s0/0/1 replaces the existing inbound access list 102 rather than adding to it. The telnet deny in list 102 therefore no longer applies, and telnet is treated like any other traffic under list 115, which rules out answer C.
B is not correct because if telnet and ping worked then routing updates would work too; nothing in list 115 distinguishes them.
D is not correct because access list 115 does not mention the 10.4.4.0 network at all. So the most reasonable answer is A.
But this raises a question…
Access list 115 uses the wildcard mask 255.255.255.0, which means the first three octets are "don't care" and only the last octet must match, and it must be 0. So only hosts with addresses of the form x.x.x.0 are permitted. Since x.x.x.0 is normally a network address rather than a host, answer A, "no host could connect to Router through s0/0/1", seems right…
But what if the host is not on a /24? With a subnet mask of 255.255.0.0, for example, 10.45.45.0 is a perfectly valid host address; a host with that address exists, and it could connect to the Router through s0/0/1. Now answer A seems incorrect!
Please comment if you have any idea for this sim!
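The rules the three answers above rely on (entries tested top-down with the first match winning, the implicit "deny ip any any", wildcard bits where 0 means "must match", and the fact that an inbound list never sees the echo-reply leaving the interface) can be replayed in a small model. The following Python is an added example written for this page; it is not the sim's configuration or any Cisco software. ACL 114 is taken verbatim from the page; the form of the ICMP permit in ACL 104 (assumed to be "permit icmp any any echo"), the base address of ACL 115 (only its wildcard 255.255.255.0 is given on the page) and the Switch address 10.4.4.1 are assumptions, and the two FTP entries of ACL 104 are omitted because the page says they are irrelevant to the questions.

```python
"""Model of Cisco extended-ACL matching, used to replay the three sim questions.

Rules modelled: entries are tested top-down, the first match decides, and every
list ends with an implicit "deny ip any any". A wildcard bit of 0 means "must
match", 1 means "don't care". An inbound ACL only sees packets entering the
interface; the replies leaving it are checked against the outbound ACL, if any.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True if addr matches base under a Cisco wildcard mask."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF          # bits that must be equal
    return (a & care) == (b & care)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                      # "tcp", "udp" or "icmp"
    dport: Optional[int] = None     # TCP/UDP destination port
    icmp_type: Optional[str] = None  # "echo" or "echo-reply"


@dataclass(frozen=True)
class Ace:
    """One access-list entry, e.g. 'permit ip 10.4.4.0 0.0.0.255 any'."""
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" matches every IP protocol
    src: str = "0.0.0.0"            # defaults express "any"
    src_wc: str = "255.255.255.255"
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"
    dport: Optional[int] = None
    icmp_type: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if not wildcard_match(p.src, self.src, self.src_wc):
            return False
        if not wildcard_match(p.dst, self.dst, self.dst_wc):
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if self.icmp_type is not None and self.icmp_type != p.icmp_type:
            return False
        return True


def evaluate(acl: List[Ace], p: Packet) -> str:
    """First matching entry wins; an exhausted list denies (implicit deny)."""
    for ace in acl:
        if ace.matches(p):
            return ace.action
    return "deny"


# ACL 104 as described on the page: the telnet deny, the ICMP permit (its exact
# form is an assumption) and the verbatim 5th line. FTP entries omitted.
ACL_104 = [
    Ace("deny", "tcp", dport=23),
    Ace("permit", "icmp", icmp_type="echo"),
    Ace("deny", "icmp", icmp_type="echo-reply"),
]
# access-list 114 permit ip 10.4.4.0 0.0.0.255 any  (verbatim from the page)
ACL_114 = [Ace("permit", "ip", "10.4.4.0", "0.0.0.255")]
# ACL 115: only the wildcard 255.255.255.0 is given on the page; a base address
# whose last octet is 0 is assumed, so only sources ending in .0 can match.
ACL_115 = [Ace("permit", "ip", "0.0.0.0", "255.255.255.0")]

SWITCH = "10.4.4.1"   # assumed Switch address; the Router fa0/0 is 10.4.4.3
ROUTER = "10.4.4.3"


def ping_through_fa00(acl_in: List[Ace],
                      acl_out: Optional[List[Ace]] = None) -> Tuple[str, str]:
    """Echo request enters fa0/0 (inbound ACL); the reply leaves it (outbound ACL)."""
    request = Packet(SWITCH, ROUTER, "icmp", icmp_type="echo")
    reply = Packet(ROUTER, SWITCH, "icmp", icmp_type="echo-reply")
    req_verdict = evaluate(acl_in, request)
    rep_verdict = "permit" if acl_out is None else evaluate(acl_out, reply)
    return req_verdict, rep_verdict


def telnet_from_switch(acl_in: List[Ace]) -> str:
    """Telnet SYN from the Switch to the Router, entering fa0/0."""
    return evaluate(acl_in, Packet(SWITCH, ROUTER, "tcp", dport=23))


if __name__ == "__main__":
    print("Q1 ACL 104 in: telnet", telnet_from_switch(ACL_104),
          "/ ping", ping_through_fa00(ACL_104))
    print("Q2 ACL 114 in: telnet", telnet_from_switch(ACL_114),
          "/ ping", ping_through_fa00(ACL_114))
    for host in ("10.4.4.1", "10.4.4.0", "10.45.45.0"):
        verdict = evaluate(ACL_115, Packet(host, ROUTER, "tcp", dport=23))
        print("Q3 ACL 115 in, source", host, ":", verdict)
```

Running it shows why the answers are E, B and A: with ACL 104 inbound the telnet SYN is denied but both halves of the ping pass, because the echo-reply is only checked outbound, where there is no list; ACL 114 permits everything from 10.4.4.0/24; and ACL 115 denies 10.4.4.1 while permitting 10.45.45.0, which is exactly the /16-host caveat raised above.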
For Q3, the answer is obviously "A".
Since the question states that the S0/0/1 IP address is on a class C network, the last octet that the ACL matches is 0, which is the network address.
For Q1, are you sure it's answer E?
Because if you apply access-group 104, ICMP echo-reply is denied. Don't you need the reply for a successful ping?
In my opinion, it should be answer B.
If you apply access-group 106 out, it denies any telnet traffic from leaving the router, while the echo-reply is allowed and you would get a successful ping.
@invetalcom
I think ACL 106 has an implicit deny ip any any. That's why ACL 104 can be the right answer.
@invetalcom: The ACL is applied to the inbound interface. So if the echo-reply is received on the Fast interface, the packet will be discarded. The only reason for an echo-reply to come across the Fast interface is a ping request from the router or the inside network, which would send an echo request to the switch, and the echo-reply would arrive as the response.
It has nothing to do with the ping request / echo request from the switch and the echo-reply to the switch.
Hello, for Q3, no protocol would be accepted because of the implicit deny any at the end, right? ACL 115 doesn't explicitly say to accept any telnet or ping. So the only thing to focus on is the IP address and wildcard mask? Please explain. Thanks.
Hello everyone… can you clarify this for me…
For the EIGRP lab, is there a need to advertise the route for the ISP on the R1 router (the router connected to the ISP router)?
Please send Cisco information to surajccna123@gmail.com, and send full information about the top institutes in India.
PLEASE, I WANT THE CCNA SOFTWARE, SO HOW DO I DOWNLOAD IT? PLEASE TELL ME
@ Q1
Hi all, Q1 is not well explained. How do we come by the details of access-list 104?
I can't see it in the output of the show running-config command up there.
Somebody please explain to me!
Oh, my mistake, I have seen the access list. Sorry everybody, I'm OK now.
Has anyone got this question in the exam? Any modifications to report? Same questions? etc.
About Q1, answer B:
Consider the telnet connection THROUGH the router (not TO the router).
For example, we connect another Switch2 to the router's Fa0/1 interface and configure it like the first Switch1.
Without "ip access-group 106 in" and without "ip access-group 106 out" in the router configuration, we can telnet from Switch1 to Switch2.
The telnet packets with destination port 23 will go from Switch1 to Switch2, and then the packets with source port 23 will go back to Switch1.
If we configure "ip access-group 106 out" in the router, the returning telnet packets from Switch2 to Switch1 with source port 23 will be blocked because of the implicit "deny ip any any".
The telnet connection THROUGH the router will be blocked, but the telnet connection TO the router CLI will be permitted.
I configured "access-list 106 deny tcp any eq telnet any", but the packets from the router CLI to Switch1 with source port 23 are still permitted.
Maybe this is done so as not to block telnet connections to Cisco devices.
P.S. Sorry for my BAD English )))
Any comments on my previous message?
@fanat
So… you've removed the access-list filters. No wonder telnetting works from sw1 to sw2 and vice versa :)
@xallax
You don't understand.
I:
1) load this sim from 9tut.com and open it in Packet Tracer
2) add a new Switch2 and connect it to Router Fa0/1
3) configure Router Fa0/1 with IP 10.5.5.3/24
4) configure the Switch2 Vlan1 interface with IP 10.5.5.1/24 and its default gateway as 10.5.5.3
5) configure the Router and Switch2 vty 0 4 lines with "password cisco" and "login"
6) configure "no ip access-group 106 in" on the Router Fa0/0 interface
Now I can telnet from Switch1 to BOTH the Router and Switch2 because all access lists are removed.
Then:
7) I configure "ip access-group 106 out" on the Router Fa0/0 interface
And now I CANNOT telnet from Switch1 to Switch2 (forward packets will go from Switch1 to Switch2 through the Router, and the returning packets from Switch2 to Switch1 will be blocked on Router Fa0/0 in the outbound direction because of the implicit "deny ip any any").
At the same time I CAN telnet from Switch1 to the Router (forward packets will go from Switch1 to the Router, and the returning packets from the Router to Switch1 WILL NOT BE BLOCKED, even though the implicit "deny ip any any" remains).
Why? Am I wrong?
@fanat
Yada yada yada.
Just upload your pkt file somewhere and post the link here so we can all have a look at your config :)
In question 3 we already have an access list, so the 102 access list is overwritten and the 115 access list does not work here. According to the 102 access list, echo-reply and telnet are denied and all other traffic is permitted, so according to this concept the option "FTP, FTP-DATA, echo, and www would work but telnet would fail" is valid. Correct me if I am using the wrong logic!
@xallax please give me an answer
Just a comment: interfaces can accept just one access list per direction, therefore we can assign two access lists (one in, one out) to the same interface.
Sorry, per direction, per address.
@furqan
Also remember that you can have one ACL per direction: 1 in, 1 out.
Both ACLs are inbound, so 115 cannot be given. Now give the answer.
@xallax I am waiting for your answer
@furqan
Only hosts with an IP address ending in .0 could send data through the router.
As 9tut explains, this could be possible on class A and class B networks.
Since we don't have that option, we pick the next best one, which is option A.
No, there won't be any FTP, HTTP or ICMP traffic going on, since the source will most likely not have an IP address that ends with 0.
My mistake, I was confusing the wildcard mask with the subnet mask. Anyway, I got the point that the last octet is what we care about, and it's zero. And as we can't assign a network address to a host, no traffic flows through.
@furqan
"ip access-group 115 in" overwrites the "acl 102 in" state on the interface (you can check it by typing it in), so you get two rules applied to that interface:
1st allows all traffic from addresses that end with .0 (255.255.255.0 wildcard) and
2nd denies everything else (implicit deny ip any any)
So that's why there would be no connectivity.
btw
@EVERYONE_WHO_LOOKS_FOR_DUMPS
There's a huge dump collection on http://examcollection.com. Click on the "Cisco" link and then search for 640-802.
Oh, kinda slowpoke answer)
@xallax
http://dl.dropbox.com/u/15659109/9tut.com_CCNA_Access_List_Sim_WTF.pkt
Here's the modified sim, with the problem described by Fanat123123, and I don't understand why there is still full telnet connectivity from RouterC to SwitchC if we put 106 out on fa0/0, too.
But that issue goes away when you move the 106 ACL to fa0/0 in.
@bogdan: An ACL does not affect traffic generated by the router itself. Try to connect a host to Switch0 and establish a telnet connection with SwitchC. You will not be able to connect.