Home > CCNA Access List Sim

CCNA Access List Sim

February 10th, 2014 Go to comments

Question

accesslist_sim

Answer and Explanation

Note: If you are not sure about Access-list, please read my Access-list tutorial. You can also download this sim to practice (open with Packet Tracer) here: http://www.9tut.com/download/9tut.com_CCNA_Access_List_Sim.pkt

For this question we only need to use the show running-config command to answer all the questions below

Router>enable
Router#show running-config

accesslist_sim_showrun1

accesslist_sim_showrun2

accesslist_sim_showrun3

Question 1

How can we fix the problem but only allow ping to work while disabling telnet?

A – Correctly assign an IP address to interface fa0/1
B – Change the ip access-group command on fa0/0 from “in” to “out”
C – Remove access-group 106 in from interface fa0/0 and add access-group 115 in.
D – Remove access-group 102 out from interface s0/0/0 and add access-group 114 in
E – Remove access-group 106 in from interface fa0/0 and add access-group 104 in

 

Answer: E

Explanation

Let’s have a look at the access list 104:

accesslist_sim_answer1

The question does not ask about ftp traffic so we don’t care about the two first lines. The 3rd line denies all telnet traffic and the 4th line allows icmp traffic to be sent (ping). Remember that the access list 104 is applied on the inbound direction so the 5th line “access-list 104 deny icmp any any echo-reply” will not affect our icmp traffic because the “echo-reply” message will be sent over the outbound direction.

Question 2

What will happen after issuing the command “ip access-group 114 in” to the fa0/0 interface?

A – Attempts to telnet to the router would fail
B – All traffic from the 10.4.4.0 network would be allow to go through
C – TCP and UDP traffic are not allowed to pass
D – Routing protocol updates for the 10.4.4.0 network would not be accepted from the fa0/0 interface

 

Answer: B

Explanation

From the output of access-list 114: access-list 114 permit ip 10.4.4.0 0.0.0.255 any we can easily understand that this access list allows all traffic (ip) from 10.4.4.0/24 network

Question 3

What will happen after issuing the command “access-group 115 in” on the s0/0/1 interface?

A – Hosts cannot connect to Router through s0/0/1
B – Telnet and ping would work but routing updates would fail.
C – FTP, FTP-DATA, echo, and HTTP traffic would work but telnet would fail
D – Only traffic from the 10.4.4.0 network would pass through the interface

 

Answer: A

Explanation

First let’s see what was configured on interface S0/0/1:

accesslist_sim_answer3

Recall that each interface only accepts one access-list, so when using the command “ip access-group 115 in” on the s0/0/1 interface it will overwrite the initial access-list 102. Therefore any telnet connection will be accepted (so we can eliminate answer C).
B is not correct because if telnet and ping can work then routing updates can, too.
D is not correct because access-list 115 does not mention about 10.4.4.0 network. So the most reasonable answer is A.

But here raise a question…

The wildcard mask of access-list 115, which is 255.255.255.0, means that only host with ip addresses in the form of x.x.x.0 will be accepted. But we all know that x.x.x.0 is likely to be a network address so the answer A: “no host could connect to Router through s0/0/1” seems right…

But what will happen if we don’t use a subnet mask of 255.255.255.0? For example we can use an ip address of 10.45.45.0 255.255.0.0, such a host with that ip address exists and we can connect to the router through that host. Now answer A seems incorrect!

Please comment if you have any idea for this sim!

Other lab-sims on this site:

CCNA NAT SIM Question 1

CCNA NAT SIM Question 2

CCNA Frame Relay Sim

CCNA Configuration SIM Question (RIPv2 SIM)

CCNA VTP SIM

CCNA EIGRP LAB

 

Comments
Comment pages
1 25 26 27 39
  1. Bill Gates Jr. III
    August 19th, 2016

    All,

    These sims are identical to Watson 314

  2. blsed
    August 30th, 2016

    any one with new 200-125 quiz please help

  3. Cisco_Ramon
    September 29th, 2016

    I would like to clear up the explanation for Question 3 a bit. Firstly, each interface accepts two access-lists to be precise, though there can only be one access-list in each direction(traffic flow) i.e. “in or out”. For example you can configure an interface like this:-
    ‘ ip access-group 110 in
    ip access-group 120 out ‘
    Secondly, its true that “if we don’t use a subnet mask of 255.255.255.0, we can use an ip address of 10.45.45.0 255.255.0.0 and such a host with that ip address exists and we can connect to the router through that host”. Option A is correct because no such host ip(x.x.x.0) exits in the network. Hope it helped.

  4. Zaz
    January 10th, 2017

    zindagi na milegi dobara mp3 – myfreemp3.review/search/zindagi-na-milegi-dobara-mp3/
    download free music

  5. Sessum
    January 20th, 2017

    Couldn’t find the 171q dump and no one provided it to me when I posted mt email….. However did come across this seller on eb8y (looks like im not able to type it out without it being filtered). Passed the exam with his materials. If you dont want to wait or bother looking for the 171Q dump here is an alternative:

    e 8 a y (dot) c o m / i t m / 2 0 0 – 1 2 5 – v 3 – 0 – D u m p – / 3 2 2 3 3 6 7 8 2 5 2 6 ? (change the “8” to a “b” and paste in without spaces)

    Cheers and Good Luck!

Comment pages
1 25 26 27 39
  1. No trackbacks yet.