Home > CCNA – Access list Questions

CCNA – Access list Questions

April 29th, 2015 Go to comments

Note: If you are not sure about Access list, please read our Access List Tutorial.

Question 1


The standard access lists are ranged from 1 to 99 and from 1300 to 1999 so only access list 50 is a standard access list.

Question 2


We see the difference of the four networks,,, and is at the third octet (146, 147, 148, 149) so we need to convert them into binary numbers (the different bit is underlined):

146 = 10010010
147 = 10010011

We see only the last bit is different so a wildcard mask can be created to cover them with XOR operation:

Wildcard mask = 10010010 XOR 10010011 = 00000001 = 1

Note: The XOR operation here means “if two compared bits are same, write 0; if two compared bits are different, write 1”. Remember, for the wildcard mask, 1 means “I DON’T CARE”, and 0 means “I CARE”

Therefore the full wildcard mask should be The last octet is “255” to cover all hosts in /24 range. And the “access-list 10 permit ip” can cover networks,

Do the same for two remaining networks:

148 = 10010100
149 = 10010101

So the “access-list 10 permit ip” can cover these two networks.


If we want to use only one command in the access-list, we can compare all four networks at the same time:

146 = 10010010
147 = 10010011
148 = 10010100
149 = 10010101

-> Wildcard mask = 00000011 = 3

Therefore we can use one command “access-list 10 permit ip” to cover all four networks.

Question 3

Question 4

Question 5


An access-list will be checked from the first to last statement. If a statement is matched then the check will finish immediately. A rule of thumb when creating an access-list is writing more specific matches first. So for this question we need to:

+ Permit hosts & (first & last IP of subnet
+ Deny other hosts in subnet
+ Permit anyone else

Remember another rule of thumb: the “permit/deny anyone else” statement is always put at the end of the access-list because it will be matched surely and the check will finish immediately (so any statements under this statement cannot be checked -> they are useless). Therefore in this case, the “permit any” statement will surely be at the end of the access-list.

We cannot place statement B: “deny” before statement A: “permit” and statement C: “permit” because any IP that matches statement A & C will surely match statement B and the check will finish immediately -> statements A & C are never been matched. Therefore statements A & C must be placed on top of statement B.

Question 6


We can have only 1 access list per protocol, per direction and per interface. It means:

+ We can not have 2 inbound access lists on an interface
+ We can have 1 inbound and 1 outbound access list on an interface

Question 7


We can use a dynamic access list to authenticate a remote user with a specific username and password. The authentication process is done by the router or a central access server such as a TACACS+ or RADIUS server. The configuration of dynamic ACL can be read here: http://www.cisco.com/en/US/tech/tk583/tk822/technologies_tech_note09186a0080094524.shtml

Comments (50) Comments
Comment pages
1 2 3 6 1782
  1. Adeel
    September 29th, 2013

    Hello Guys I hope you will be fine there.Now New CCNA (200-120) and CCNA security (640-554) Vouchers on special discount of 58% for World wide, with six months expiry date till you purchase. Each voucher cost 70USD.

    Details Required For CCNA Voucher For Discount Processing:

    1-Full Name. 1st Name & Last Name (as you want to appear on certificate & documents)
    5-Pin Code (or Area Code)
    6-Residential Address (or where you can collect your Certificate or further correspondence
    can be received)
    7-Date of birth
    Add me on Skype through this information which is written below:
    Skype Name: rockon660
    you can also email me at this email address which is written below:
    If you have any Questions feel free to contact me.

    Best regards,

  2. harish
    October 3rd, 2013

    Acl.practice is more important. I have forgot the syntax of the command and hade a great trouble. Also thanks to 9 tut for matterial.

  3. kgotso
    October 21st, 2013

    Guys please help me out here, in a wildcard mask what in a difference between 1and 255

  4. Mohan
    October 24th, 2013


    tutorial links r not there in new ccna topics for that we need go back to old ccna links. it would look much better to have these links in new topics tooo. thank u

  5. Anonymous
    October 28th, 2013

    download latest dumps from

  6. ฺีBundit
    October 31st, 2013

    Q2. It is standard access-list ,so command is
    Router(config)#access-list 10 permit

    but answer A. access-list 10 permit (ip)
    can anyone explain why have(ip)

  7. sameer
    November 10th, 2013

    @kgotso i think the difference is when you choose 1 that means the range of permit or deny is only one more NW or Host.
    but when you choose 255 that means you select all the range.
    (please look again in Q5)

  8. James
    November 14th, 2013

    You r right!

  9. biacosta
    November 28th, 2013

    Just took it yesterday, I PASSED with a 920, thanks to 9tut…woooohhhooooo!!!!

  10. SAM
    November 30th, 2013

    why Q3 and is D. isn’t should be C, isn’t 102 represent extended ACL?

  11. SAM
    November 30th, 2013

    why Q3 ans is D. isn’t should be C, isn’t 102 represent extended ACL?

  12. Anonymous
    December 1st, 2013

    Did you read all the way through the output in question3? Outgoing access list is 102

    This is the key.

  13. papashango
    December 5th, 2013

    @kgotso and Bundit
    the share common bits up to the 7 bits which is 254 when all the bits are on and occurs at the third octect, hence the summary address is when we subtract from we get the wildcad mask same process for the 148and 149 addresses.

  14. AHMEDG
    December 19th, 2013

    QUESTION 5 :
    what CDBA mean and explain please

  15. Nat
    December 20th, 2013

    CDBA is the order in which the ACL should be written. Remember a the end of every ACL is the implicit deny.. Hope that helps

    C. permit
    D. permit
    B. deny
    A. permit any

  16. Thatguy
    December 21st, 2013

    6 is wrong
    you can apply only one access list on any interface

  17. Thaind
    December 26th, 2013

    Explanning for me Q2 plz. why A and C true?

  18. valmir
    December 28th, 2013

    read the exhibit in the end:
    Outgoing access list is 102
    Inbound access list is not set
    so answer D. no ip access-group 102 out is right.

  19. Abdullah
    January 17th, 2014

    Hi, can anyone ps email me info on how to get the latest VCE 3.4.2 crack version or the version that can open recent dumps.
    My email address is: mehdi01912330796@gmail.com

  20. Abdul Azeez
    January 18th, 2014

    in wildcard mask 1 means ignore 0 means to check
    so 1 means 00000001 meaning check the first 7 bits and ignore the last bit
    255 is 11111111 means ignore all the bits

  21. kgotso
    January 27th, 2014

    Guys the access list sim of ,where the switch cannot ping or telnet the router, what is it that is really asked should one remove the access list for the switch to ping the router n again be able to telnet please explain to me

  22. Sabry
    January 29th, 2014

    Q1,5&6 were in today’s exam.

  23. Marvin
    January 30th, 2014

    Which question number are you referring to so we can try to assist?

  24. MOHSIN
    January 30th, 2014

    hi … i am writing my ccna exam on monday please could u sent me the latest dumps that u people got. mohsinfida489@yahoo.com

  25. kgotso
    February 2nd, 2014

    Passed my ccna yesterday
    Rip version 2
    Access list

  26. ali
    February 2nd, 2014

    give me more detail about paper

  27. oakener
    February 5th, 2014

    Q2 Study wildcard mark

    A. access-list 10 permit ip
    = –

    C. access-list 10 permit ip

    Choice A,C be correct.

  28. where?
    February 9th, 2014

    kgotso , really RIP i higly doubt it as it go taken out from the CCNA, because it is a legacy protcolol and too old.

  29. ahmed negm
    March 7th, 2014

    please, give me RipV2 lab
    you can send it to

  30. Al7
    March 12th, 2014

    I cleared 200-120

    Question 6 in today’s exam

    Almost all questions from 9tut

    Thanks everyone :)

  31. Sagar
    March 15th, 2014

    what is loop back address?

  32. mine
    March 18th, 2014

    @ sagar, loop back address is

  33. M
    March 19th, 2014

    RIP is still used in small business networks where a very simple topology is deployed. Also, RIP has a new version out for IPv6, RIPng. So I would not say it is “outdated”.

    Also, I took it about a month ago, and there were still questions about RIP in mine as well.

  34. Amir
    March 21st, 2014

    Hey Al7
    how come you are commenting on all the pages with the same words!! sometimes you say Question 6 sometimes Question 4 and any other random one. Are you the owner of the website and trying to advertise? to get more click on the website?

  35. basheer
    March 29th, 2014

    just finished ccna 917 thank you 9 tut……

  36. vivek
    April 7th, 2014

    Hello Basher,

    Congratulations, could you please send me latest dumps…


  37. Esther
    April 25th, 2014

    This’s really nice, studing CCNA 640-802 With this review questions & ans is helping. pls i need latest dumps nd pdf books to enable me prepare effectively for my exams.thanks in advance. thanks to 9tut too.

  38. certcry
    May 6th, 2014

    dear all
    contact for


    guides online training updated valid dumps & discounted vouchers for exams.

  39. LP
    May 10th, 2014

    Amir, perhaps because each page here has a different topic and he is telling us which questions were on his test.

  40. ajay
    May 27th, 2014


    we know that standard access list use source address only. then in a Q2 how (ip) is come i dont understand this.

  41. 9tut
    May 27th, 2014

    @ajay: The Q.2 says ” to allow traffic from hosts …” so they are source addresses.

  42. Vijay
    June 5th, 2014

    Could anyone tell me if in the real exam they give you the same ip addresses as shown in the dumps. Also for the simulation, do we have to fix “hidden” mistakes in the network or just enter the commands as shown here in 9tut simulations. Please help.

  43. Anonymous
    June 11th, 2014

    no ip no ip

  44. Anonymous
    June 11th, 2014

    life is like a protocol ……………………… some time protocol is ups and down !!!!!! by khalid a.m.

  45. tolu
    June 11th, 2014

    thanks to 9tut. i passed my exams today

  46. subhsamal
    June 16th, 2014

    A Hearty Thanks to 9tut for helping me to score 945 in my exam.. :) :) More than 95% questions were from 9tut. I was familiar with all those question which were in my exam..Sims were ACL1 ACL2 and EIGRP.
    I felt little trouble in EIGRP. Though I removed the wrong Eigrp Conf (22) and configured proper AS no (212) and the two adjacent networks, Still i was unable to ping to internet. Guys don’t bother about dumps too much. First go through all question provided here. No where u ll get such nice explanations…

  47. Yeison!!
    June 24th, 2014

    Thanks a lot, i took the test today and i got 936! God bless u guys!!

  48. Sergio F.
    June 26th, 2014

    Thanks 9tut, i passed with 1000 (yesterday 25 juny 2014)
    All questions of 9tut and lab sim : acl,acl2 and eigrp

  49. yes we can
    June 26th, 2014

    Q1, Q2, Q3 and Q5 in yesterday’s exam.
    All questions from 9tut and Watson dump.
    Sim ACL, ACL2 and EIGRP.
    Thank you 9tut!!

  50. Etsh zizk
    June 28th, 2014

    MR. yes we can
    I am also taking 200-120 with in next week. Please send me latest dumps. thanks for the help

Comment pages
1 2 3 6 1782
Add a Comment