Home > CCNA Access List Sim

CCNA Access List Sim

July 10th, 2011 Go to comments

Question

accesslist_sim

An administrator is trying to ping and telnet from Switch to Router with the results shown below:

Switch>
Switch> ping 10.4.4.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.4.4.3,timeout is 2 seconds:
.U.U.U
Success rate is 0 percent (0/5)
Switch>
Switch> telnet 10.4.4.3
Trying 10.4.4.3 …
% Destination unreachable; gateway or host down
Switch>

Click the console connected to Router and issue the appropriate commands to answer the questions.

Answer and Explanation

Note: If you are not sure about Access-list, please read my Access-list tutorial. You can also download this sim to practice (open with Packet Tracer) here: http://www.9tut.com/download/9tut.com_CCNA_Access_List_Sim.pkt

For this question we only need to use the show running-config command to answer all the questions below

Router>enable
Router#show running-config

accesslist_sim_showrun1

accesslist_sim_showrun2

accesslist_sim_showrun3

Question 1:

Which will fix the issue and allow ONLY ping to work while keeping telnet disabled?

A – Correctly assign an IP address to interface fa0/1
B – Change the ip access-group command on fa0/0 from “in” to “out”
C – Remove access-group 106 in from interface fa0/0 and add access-group 115 in.
D – Remove access-group 102 out from interface s0/0/0 and add access-group 114 in
E – Remove access-group 106 in from interface fa0/0 and add access-group 104 in


Answer: E


Explanation:

Let’s have a look at the access list 104:

accesslist_sim_answer1

The question does not ask about ftp traffic so we don’t care about the two first lines. The 3rd line denies all telnet traffic and the 4th line allows icmp traffic to be sent (ping). Remember that the access list 104 is applied on the inbound direction so the 5th line “access-list 104 deny icmp any any echo-reply” will not affect our icmp traffic because the “echo-reply” message will be sent over the outbound direction.

Question 2:

What would be the effect of issuing the command ip access-group 114 in to the fa0/0 interface?

A – Attempts to telnet to the router would fail
B – It would allow all traffic from the 10.4.4.0 network
C – IP traffic would be passed through the interface but TCP and UDP traffic would not
D – Routing protocol updates for the 10.4.4.0 network would not be accepted from the fa0/0 interface


Answer: B

Explanation:

From the output of access-list 114: access-list 114 permit ip 10.4.4.0 0.0.0.255 any we can easily understand that this access list allows all traffic (ip) from 10.4.4.0/24 network

Question 3:

What would be the effect of issuing the command access-group 115 in on the s0/0/1 interface?

A – No host could connect to Router through s0/0/1
B – Telnet and ping would work but routing updates would fail.
C – FTP, FTP-DATA, echo, and www would work but telnet would fail
D – Only traffic from the 10.4.4.0 network would pass through the interface


Answer: A

Explanation:

First let’s see what was configured on interface S0/0/1:

accesslist_sim_answer3

Recall that each interface only accepts one access-list, so when using the command “ip access-group 115 in” on the s0/0/1 interface it will overwrite the initial access-list 102. Therefore any telnet connection will be accepted (so we can eliminate answer C).
B is not correct because if telnet and ping can work then routing updates can, too.
D is not correct because access-list 115 does not mention about 10.4.4.0 network. So the most reasonable answer is A.

But here raise a question…

The wildcard mask of access-list 115, which is 255.255.255.0, means that only host with ip addresses in the form of x.x.x.0 will be accepted. But we all know that x.x.x.0 is likely to be a network address so the answer A: “no host could connect to Router through s0/0/1” seems right…

But what will happen if we don’t use a subnet mask of 255.255.255.0? For example we can use an ip address of 10.45.45.0 255.255.0.0, such a host with that ip address exists and we can connect to the router through that host. Now answer A seems incorrect!

Please comment if you have any idea for this sim!

Other lab-sims on this site:

CCNA NAT SIM Question 1

CCNA NAT SIM Question 2

CCNA Frame Relay Sim

CCNA Configuration SIM Question (RIPv2 SIM)

CCNA VTP SIM

CCNA EIGRP LAB

CCNA Drag and Drop SIM

CCNA Implementation SIM

Comments
Comment pages
1 2 3 39
  1. ma boy
    January 11th, 2012

    For Q3, the answer is obviously “A”.

    Since the question states that S0/0/1 ip address is on class C network, the last octet to match ACL is 0 which is network address.

  2. invetalcom
    January 12th, 2012

    For Q1, are you sure it’s answer E ?
    Cause if you apply Access-group 104, ICMP-Echo-Reply is denied. Don’t you need the reply for a successful ping ?
    In my opinion, it should be answer B.
    If you apply Access-group 106 out, it denies any telnet traffic from leaving the router, while the Echo-Reply is allowed and you would get a successful ping command.

  3. jed
    January 12th, 2012

    @invetalcom
    i think Acl 106 have implicit deny ip any any. That’s why ACL 104 can be right answer.

  4. Dharamjeet Brar (djbrar@gmail.com)
    January 17th, 2012

    @invetalcom: The ACL is applied to the inbound interface. So if the echo-reply is received on the Fast interface, the packet will be discarded. The very reason for a echo-reply to come across Fast interface is the PING request from the router or the inside network which would send an echo request to the switch and echo-reply would arrive as a response.

  5. Dharamjeet Brar (djbrar@gmail.com)
    January 17th, 2012

    It need not do anything with the ping request / ECHO request from the switch and ECHO reply to the switch.

  6. Deebokchopra
    January 18th, 2012

    Hello, for Q3, no protocol would be accepted because of the implicit deny any in the end right? ACL 115 doesn’t explicitly say to accept any telnet or ping. So the only thing to focus is the ip address and wildcard mask? Please explain.. Thanks.

  7. serial
    January 19th, 2012

    hello everyone… can u clarify me on this thing…
    for eigrp lab, is there a need to advertise the route for the ISP on the R1 router (the router connected to ISP router)?

  8. suraj prakash
    January 19th, 2012

    pls information of cisco send in surajccna123@gmail.com and top institude in india send full information

  9. J CHANDER
    January 20th, 2012

    PLZ I WANT CCNA SOFTWARE SO HOW TO DOWNLOAD PLZ TELL MEEEEE

  10. usGhana
    January 20th, 2012

    @ Q1
    hi all, the Q1 is not well explained, how do we come by the details of access-list 104?
    i can`t see it from the output of the show running-config command up there
    somebody please explain to me!!!!!

  11. usGhana
    January 20th, 2012

    oh, my mistake i have seen the access-list sorry every body , am ok now

  12. g
    January 21st, 2012

    anyone got this question in the exam? any modifications to report? same questions? etc

  13. Fanat123123
    January 22nd, 2012

    About Q1, answer B:
    Consider the telnet connection THROUGH the router (not TO the router).
    For example, we connect another switch2 to router Fa0/1 interface and configure in like first Switch1.
    Without “ip access-group 106 in” and without “ip access-group 106 out” in the router configuration, we can telnet from Switch1 to Switch2.
    The telnet-packets with destination port 23 will go from Switch1 to Switch2, and then the packets with source port 23 will go back to Switch1.
    If we configure “ip access-group 106 out” in the router, the backward telnet-packets from Switch2 to Switch1 with source port 23 will be blocked because of implicit “deny ip any any”.
    Telnet connection THROUGH the router will be blocked, but telnet connection TO the router CLI will be permitted.
    I configured “access-list 106 deny tcp any eq telnet any”, but the packets from router CLI to Switch1 with source port 23 are still permitted.
    Maybe this is made for not to block telnet connection to Cisco devices.

    P.S. sorry for my BAD English )))

  14. Fanat123123
    January 23rd, 2012

    Any comments to my previous message?

  15. xallax
    January 23rd, 2012

    @fanat
    so… you’ve removed the access-list filters. no wonder telnetting works from sw1 to sw2 and vice-versa :)

  16. Fanat123123
    January 23rd, 2012

    @xallax
    You don`t understand.
    I:
    1) load this sim from 9tut.com and open it in Packet Tracer
    2) add new Switch2 and connect it to Router Fa0/1
    3) configure Router Fa0/1 with ip 10.5.5.3/24
    4) configure Switch2 Vlan1 interface with ip 10.5.5.1/24 and it`s default gateway as 10.5.5.3
    5) configure Router and Switch2 vty 0 4 lines with “password cisco” and “login”
    6) configure “no ip access-group 106 in” on Router Fa0/0 interface

    Now I can telnet from Switch1 to BOTH Router and Switch2 because all access lists are removed.
    Then:
    7) I configure “ip access-group 106 out” on Router Fa0/0 interface
    And now I CANNOT telnet from Switch1 to Switch2 (forward packets will go from Switch1 to Switch2 through Router, and backward packets from Switch2 to Switch1 will be blocked on Router Fa0/0 outbound direction because of implicit “deny ip any any”).
    At the same time I CAN telnet form Switch1 to Router (forward packets will go from Switch1 to Router, and backward packets from Router to Switch1 WILL NOT BE BLOCKED, but implicit “deny ip any any” remains)
    Why? Am I wrong?

  17. xallax
    January 23rd, 2012

    @fanat
    yada yada yada
    just upload your pkt file somewhere and post the link here so we can all have a look at your config :)

  18. furqan
    January 30th, 2012

    in question 3 we already have an access list so 102 access list is overwrite .and 115 access list does not work here.according t0 102 access list echo reply & telnet deny.and all other traffic is permitted so according to this concept option FTP, FTP-DATA, echo, and www would work but telnet would fail is valid.correct me if i am using wrong logic !!!!!!!!!!!

  19. furqan
    January 30th, 2012

    @xallax please give me answer

  20. Aerodesliza
    January 31st, 2012

    Just a comment, interfaces can accept just one access-list per direction, per direction, therefore we can assign two access-list(one In, one out) to the same interface

  21. Aerodesliza
    January 31st, 2012

    Sorry per direction, per address

  22. xallax
    January 31st, 2012

    @furqan
    also remember that you can have one ACL per direction. 1 in, 1 out.

  23. furqan
    January 31st, 2012

    both acls are inbound .so 115 cannot be given.now give answer

  24. furqan
    January 31st, 2012

    @xallax i am waiting for your answer

  25. xallax
    January 31st, 2012

    @furqan
    only hosts with the IP address ending in .0 could send data through the router.
    as 9tut explains, this could be possible on class A and class B networks.

    since we don’t have that option then we pick the next best one which is option A.

    no, there won’t be any ftp, http, icmp traffic going on since the source will most likely not have an IP address that ends with 0

  26. furqan
    February 1st, 2012

    MY MISTAKE ,I WAS C0NFUSING WILDCARD MASK WITH SUBNET MASK.ANYWAYS I G0T THE P0INT THAT LAST 0CTAT IS WE CARE AB0UT & ITS ZER0.AND AS WE CANT ASSIGN NETW0RK ADDRESS T0 H0ST S0 N0 TRAFFIC FL0WS THR0UGH

  27. bogdan
    February 1st, 2012

    @furqan
    “ip access-group 115 in” overwrites the “acl 102 in” state at interface (you can check it by typing it in), so you get two rules applied to that interface:

    1st allows all traffic from addresses that ends with .0 (255.255.255.0 wildcard) and
    2nd denies everything else (implicit deny ip any any)
    so that’s why there would be no connectivity

    btw
    @EVERYONE_WHO_LOOKS_FOR_DUMPS
    there’s a huge dump collection on http://examcollection.com. Click on “Cisco” link and then search for 640-802

  28. bogdan
    February 1st, 2012

    Oh, kinda slowpoke answer)
    @xallax
    http://dl.dropbox.com/u/15659109/9tut.com_CCNA_Access_List_Sim_WTF.pkt
    Here’s modified sim, with problem which was told by Fanat123123, and I don’t understand why is there still full telnet connectivity from RouterC to SwitchC if we put 106 out on fa0/0, too
    But that issue is lost when you move 106th acl on fa 0/0 in

  29. DimS
    February 3rd, 2012

    @bogdan: ACL is not affected traffic generated by the router. Try to connect a host to Switch0 and to establish telnet connection with SwitchC. You will not able to connect.

Comment pages
1 2 3 39
  1. No trackbacks yet.
Add a Comment