
CCNA – Access list Questions

April 29th, 2015

Note: If you are not sure about Access list, please read our Access List Tutorial.

Question 1

Explanation

Standard access lists use the number ranges 1 to 99 and 1300 to 1999, so only access list 50 is a standard access list.

Question 2

Explanation

The four networks 192.168.146.0, 192.168.147.0, 192.168.148.0 and 192.168.149.0 differ only in the third octet (146, 147, 148, 149), so we convert those values to binary:

146 = 10010010
147 = 10010011

Only the last bit is different, so a wildcard mask that covers both can be created with the XOR operation:

Wildcard mask = 10010010 XOR 10010011 = 00000001 = 1

Note: The XOR operation here means “if two compared bits are the same, write 0; if two compared bits are different, write 1”. Remember, for the wildcard mask, 1 means “I DON’T CARE”, and 0 means “I CARE”.

Therefore the full wildcard mask should be 0.0.1.255. The last octet is “255” to cover all hosts in the /24 range, so “access-list 10 permit ip 192.168.146.0 0.0.1.255” covers networks 192.168.146.0 and 192.168.147.0.

Do the same for two remaining networks:

148 = 10010100
149 = 10010101

So the “access-list 10 permit ip 192.168.148.0 0.0.1.255” can cover these two networks.

Note:

If we want to use only one command in the access-list, we can compare all four networks at the same time:

146 = 10010010
147 = 10010011
148 = 10010100
149 = 10010101

-> Wildcard mask = 00000011 = 3

Therefore we can use one command “access-list 10 permit ip 192.168.146.0 0.0.3.255” to cover all four networks.
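As an added check (not part of the original explanation), this Python sketch applies the wildcard rule described above, where 1 bits are ignored and 0 bits must equal the base address, and lists which 192.168.x.0/24 networks a set of entries matches. The function names are illustrative; the entries are the ones quoted in this explanation.

```python
import ipaddress

def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def differing_bits(octets):
    """OR together the XOR of every value with the first:
    a 1 marks a bit that is not identical in all values."""
    mask = 0
    for value in octets:
        mask |= value ^ octets[0]
    return mask

def wildcard_match(addr, base, wildcard):
    """Cisco-style test on integers: wildcard 1-bits are ignored,
    0-bits must equal the base address."""
    care = ~wildcard & 0xFFFFFFFF
    return (addr & care) == (base & care)

def covered_networks(entries, prefix="192.168"):
    """Third-octet values x for which every address in
    prefix.x.0/24 matches at least one entry."""
    rules = [(to_int(b), to_int(w)) for b, w in entries]
    covered = []
    for third in range(256):
        first = to_int(f"{prefix}.{third}.0")
        if all(any(wildcard_match(first + host, b, w) for b, w in rules)
               for host in range(256)):
            covered.append(third)
    return covered

# Entries taken from the explanation above.
TWO_ENTRIES = [("192.168.146.0", "0.0.1.255"), ("192.168.148.0", "0.0.1.255")]
ONE_ENTRY = [("192.168.146.0", "0.0.3.255")]

if __name__ == "__main__":
    print(format(differing_bits([146, 147]), "08b"))
    print(format(differing_bits([146, 147, 148, 149]), "08b"))
    print(covered_networks(TWO_ENTRIES))
    print(covered_networks(ONE_ENTRY))
```

With these inputs the two-entry form matches third octets 146 to 149, while the single entry with base 192.168.146.0 and wildcard 0.0.3.255 matches 144 to 147; the bits that differ across 146 to 149 are 00000111. Enumerating a summarised entry this way before deploying it shows exactly which networks it permits.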

Question 3

Question 4

Question 5

Explanation

An access-list is checked from the first statement to the last. As soon as a statement matches, the check finishes immediately. A rule of thumb when creating an access-list is to write the more specific matches first. So for this question we need to:

+ Permit hosts 172.21.1.129 & 172.21.1.142 (first & last IP of subnet 172.21.1.128/28)
+ Deny other hosts in subnet 172.21.1.128/28
+ Permit anyone else

Remember another rule of thumb: the “permit/deny anyone else” statement is always put at the end of the access-list because it always matches and the check finishes immediately (so any statements under it can never be checked -> they are useless). Therefore in this case, the “permit any” statement must be at the end of the access-list.

We cannot place statement B: “deny 172.21.1.128 0.0.0.15” before statement A: “permit 172.21.1.129 0.0.0.0” and statement C: “permit 172.21.1.142 0.0.0.0” because any IP that matches statement A or C will also match statement B and the check will finish immediately -> statements A & C are never matched. Therefore statements A & C must be placed above statement B.
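The ordering argument above can be checked mechanically. The following Python sketch is an added example, not part of the original explanation: it evaluates a standard ACL with first-match semantics and the implicit deny at the end, and flags statements that can never match because an earlier statement already covers every address they match. The function names and the `GOOD`/`BAD` lists are illustrative; statements A, B and C are the ones from this question.

```python
import ipaddress

def ip(dotted):
    return int(ipaddress.IPv4Address(dotted))

def parse(line):
    """'permit|deny any' or 'permit|deny <addr> <wildcard>' -> (action, base, wildcard)."""
    parts = line.split()
    if parts[1] == "any":
        return parts[0], 0, 0xFFFFFFFF
    return parts[0], ip(parts[1]), ip(parts[2])

def evaluate(acl, src):
    """First matching statement decides; no match falls through to the implicit deny."""
    addr = ip(src)
    for action, base, wild in map(parse, acl):
        care = ~wild & 0xFFFFFFFF
        if (addr & care) == (base & care):
            return action
    return "deny"

def shadowed(acl):
    """Statements that are unreachable because an earlier statement matches a superset."""
    rules = [parse(line) for line in acl]
    dead = []
    for i, (_, b_i, w_i) in enumerate(rules):
        for _, b_j, w_j in rules[:i]:
            care = ~w_j & 0xFFFFFFFF
            # Earlier rule j covers rule i if i ignores no bit that j cares about
            # and both bases agree on every bit j cares about.
            if (w_i & care) == 0 and (b_i & care) == (b_j & care):
                dead.append(acl[i])
                break
    return dead

A = "permit 172.21.1.129 0.0.0.0"
B = "deny 172.21.1.128 0.0.0.15"
C = "permit 172.21.1.142 0.0.0.0"
GOOD = [A, C, B, "permit any"]   # specific permits, then the subnet deny, then everyone else
BAD = [B, A, C, "permit any"]    # the deny placed first shadows A and C

if __name__ == "__main__":
    for name, acl in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, evaluate(acl, "172.21.1.129"), shadowed(acl))
```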

Question 6

Explanation

We can have only 1 access list per protocol, per direction and per interface. It means:

+ We cannot have 2 inbound access lists on an interface
+ We can have 1 inbound and 1 outbound access list on an interface

Question 7

Explanation

We can use a dynamic access list to authenticate a remote user with a specific username and password. The authentication process is done by the router or a central access server such as a TACACS+ or RADIUS server. The configuration of dynamic ACL can be read here: http://www.cisco.com/en/US/tech/tk583/tk822/technologies_tech_note09186a0080094524.shtml

Comments (50)
  1. Apush
    March 18th, 2015

    Passed my CCNA exam today (18th Mar)… Q2, Q4 and Q7 in exam

  2. rusy
    March 21st, 2015

    How many times can u retake ccna afta u fail???

  3. justin13
    March 25th, 2015

    hello 9tut. question:

    the only deceiving part of question #2 is the following:
    /23= 255.255.254.0
    128 subnets/ block size=2
    192.168.146.0 network covers from 192.168.146.1-192.168.147.254
    192.168.148.0 network covers from 192.168.148.1-192.168.149.254

    Technically, 192.168.147.0 is not a network because it resides in the network 192.168.146.0
    I was able to figure the answer out based solely on the wildcard mask, and process of elimination
    Am I missing something because the question phrases it as “hosts on network 192.168.147.0”
    this is a bit deceiving

  4. Peter
    March 26th, 2015

    Q1,Q5

  5. steve
    March 26th, 2015

    Hey 213 look at what you put as the network ip.. that is what is wrong

    you're using the wrong network ip

    3 private IP’s for the LAN Host
    Host A 192.168.25.3
    Host B 192.168.25.4
    ******************Host C 192.168.25.5
    2 Public IP addresses
    198.18.188.25
    198.18.188.26
    2 Servers were on
    172.16.25.5
    172.16.25.4
    Q1. Write an Access list that will allow host C to access the Finance accounting server via HTTP.
    Q2.Other LAN hosts should not access the Finance accounting server but can access the Public web server
    Q3. Hosts from the core network should not also access the Finance accounting server but can access the rest.
    I tried creating an ACL with the commands below but always got an error:
    under config mode:
    #access-list 1 permit tcp 192.168.25.5 0.0.0.3 eq 80
    #access-list 1 permit 192.168.25.5 0.0.0.3
    #access-list 1 permit 192.168.25.5 0.0.0.3 eq 80
    #access-list 1 permit tcp 192.168.25.5 0.0.0.3 eq80
    #access-list 1 permit 192.168.25.5 0.0.0.3 eq80
    Got error on the above.

  6. steve
    March 26th, 2015

    hey 213

    you are leaving out .3 and .4 hosts … with that network statement..

  7. Siddheshwar
    March 28th, 2015

    please tell me the exam pattern as below:-
    1.Number of questions
    2.Time of exam in hours
    3.marks
    4.if there is questions set

  8. nesrin
    March 28th, 2015

    In Q3 the answer is no ip access-group 102 out I think they mean there is no such an Acl Active on the interface look at the lesson explanation by clicking on the link at the beginning of the page and you will understand.

  9. Agya
    April 4th, 2015

    Justin13, do not get confused by the phrase “hosts on network 192.168.147.0”. Any IP address can stand for a Host or a Network address, depending on the mask applied. An address with a mask ff.ff.ff.ff can be considered as a Host only. 192.168.147.0 ff.ff.ff.0 is a Network address, whereas 192.168.147.0 ff.ff.fe.0 is a Host address.

  10. justin13
    April 7th, 2015

    thank you Agya. It's possible I am too literal, but I still think the question is worded improperly

    In your explanation you say any IP address can stand for a Host or network address, ‘depending on the mask applied’
    in this case, the 255.255.254.0 mask was applied, so technically 192.168.147.0 is not a network in this subnet mask, no?

  11. sumit7843
    April 15th, 2015

    Passed ccna on 13 april…..got 1000 marks….this is the best site

  12. SaedAdi
    April 17th, 2015

    Q1,2,3,5

  13. gidz
    May 2nd, 2015

    192.168.147.0 can be a network with a block size of 1 means with /24 prefix…

  14. gidz
    May 2nd, 2015

    I can't understand question 2
    If i try to summarize the networks 146-149, i get the block size of 1, i can't figure out why are you guys trying to summarize network 192.168.146.0 and 192.168.147.0 together and separate them from 192.168.149.0 and 192.168.149.0?…

  15. metacortex
    May 4th, 2015

    @gidz – don’t summarize. Because of the increment when you have a wildcard mask of 0.0.1.255 you’re including 146-147 and 148-149 in the ACL.
    For example:
    192.168.146.0/23 (subnet mask 255.255.254.0 / wildcard mask 0.0.1.255)
    192.168.146.1 – first host
    192.168.147.254 – last host
    192.168.147.255 – broadcast address

  16. gidz
    May 4th, 2015

    but 192.168.146.0 and 192.168.147.0 was stated as a network, ryt?

  17. A.k
    May 4th, 2015

    Hello guys, those who said they passed the exam, did you guys pay the 9$ and reviewed from there or did you just studied the questions here for free?

  18. CCNA-seeker
    May 8th, 2015

    passed today. Thanks a lot to 9tut. eigrp trouble shooting lab and both ACL labs came.

  19. Anonymous
    May 17th, 2015

    please i need help ! i need dump for my email please !! danielbar159@gmail.com

  20. bhabs
    June 4th, 2015

    can anyone help me to solve Q2??

  21. Anonymous
    June 5th, 2015

    @bhabs – Q2 – ACLs use wildcard masks not subnet masks
    Wildcard masks are the inverse of a subnet mask

    The access list could be written as:

    access-list 10 permit ip 192.168.146.0 0.0.0.255
    access-list 10 permit ip 192.168.147.0 0.0.0.255
    access-list 10 permit ip 192.168.148.0 0.0.0.255
    access-list 10 permit ip 192.168.149.0 0.0.0.255

    OR SUMMARISED

    access-list 10 permit ip 192.168.146.0 0.0.1.255
    access-list 10 permit ip 192.168.148.0 0.0.1.255

    OR FURTHER SUMMARISED

    access-list 10 permit ip 192.168.146.0 0.0.3.255

    Only the first summarised options were given so that's the answer.

    For anyone that's confused on the network addresses 192.168.147.0 and 192.168.149.0 being included as a host in the ACL, it won't make a difference because the ACL includes all hosts within those networks and being network addresses no host can have those network addresses to be worried about.

    The 192.168.146.0 ACL will assume that 192.168.146.0 is the network and 192.168.147.255 is the broadcast which they would be even if you were to do each ACL separately. Same applies to the 192.168.148.0 ACL

  22. h.k
    June 5th, 2015

    i don’t understand Q5

  23. FayazH
    June 5th, 2015

    Allhumdulillah Passed today Q4 & 7 in Exam – Email me for Dumps at suhamba20022001@yahoo.com

  24. Anonymous
    June 6th, 2015

    @H.K – Q5 – ACLs must be in order.

    ACLs are checked off the list in order from top to bottom. Once a statement is met that refers to the host that ACL is applied and no further checks down the list are done.

    In Q5 above, the first ACL is permit any which would apply to all hosts trying to gain access and to anything they wish to access. Those who are supposed to be denied gain access because the first ACL permits everyone to everything.

    Therefore, the permit any statement should be the last statement so that hosts trying to gain access pass all other ACLs first.

  25. Elmın
    June 19th, 2015

    hello 9tut administrator.
    Is this questions were old we need new dumps or we can pass with this yet?

  26. 9tut
    June 19th, 2015

    @Elmın: All the questions here are up-to-date.

  27. Mzi
    June 21st, 2015

    I enjoy 9tut so much. It exposes my understanding (lack of). Keep up good work. I will be taking my exam on Wednesday. I already developed a skin rash from stress. LOL. The second question above is exposing my understanding of access lists. I defaulted to thinking the mentioned IP as a network ID and I sought to find a subnet that can include .146 up to .149. – That would make my network ID to be .144.0 0.0.7.255 – but that option doesn’t exist.

  28. Imran
    June 21st, 2015

    Can any one explain Q2.

  29. Hussain
    June 22nd, 2015

    Hi everyone,
    Can anyone please explain question no 2

  30. Elena
    June 22nd, 2015

    @ Imran & Hussain, for Q2 , you need to pay attention to the wildcard mask:

    A. access-list 10 permit ip 192.168.146.0 0.0.1.255 -> the wildcard mask it allows the very next IP add network, meaning 192.168.147.0, to have the same permission as 192.168.146.0

    C. access-list 10 permit ip 192.168.148.0 0.0.1.255 -> same as above, allowing the very next IP add network in the sequence, meaning 192.168.149.0, to have the same permission as 192.168.148.0

    the rest of the answers are wrong because either the wildcard mask is wrong , either there is no 2nd command to match the 1st

  31. Questions Today
    June 24th, 2015

    Q3,Q7 was in exam. Praise The Lord and thnx 9tut passed on 24th june 986/1000.
    Some new questions to be observed:
    What will happen if a private IP address is assigned to a public interface connected to an ISP?
    A. Addresses in a private range will be not be routed on the Internet backbone.
    B. Only the ISP router will have the capability to access the public network.
    C. The NAT process will be used to translate this address to a valid IP address.
    D. A conflict of IP addresses happens, because other public routers can use the same range.
    Answer: A
    What are three values that must be the same within a sequence of packets for Netflow to consider
    them a network flow? (Choose three.)
    A. source IP address
    B. source MAC address
    C. egress interface
    D. ingress interface
    E. destination IP address
    F. IP next-hop
    Answer: A,D,E

  32. Anonymous
    June 26th, 2015

    download free dumps from following link
    wurl. cc/dumps

  33. Hamdi
    June 27th, 2015

    hi administrator.I have 2 question to you.
    1)If i will learn all these questions i will pass surely?
    2)If i will donate website what i will get?Extra questions?

  34. 9tut
    June 27th, 2015

    @Hamdi:
    1) Yes, you will pass the exam if you grasp the concept behind all questions and sims here.
    2) By joining Premium Membership, you can interact with all questions and sims here but you will not have extra questions because all the questions are posted here freely.

  35. Hamdi
    June 27th, 2015

    Thanks Administrator.
    why people search new dumps?What is the difference with this site?

  36. 9tut
    June 27th, 2015

    @Hamdi: Many readers don’t read all information on this site and keep asking for new dump. But in fact all are posted here.

  37. nghia
    July 1st, 2015

    Please send latest ccna dumps to me.
    I will take ccna exam August.
    My email :phamphuocnghia@yahoo.com.
    Thank you very much.

  38. papi victor
    July 2nd, 2015

    thank u so much Admin. passed with 986!!!! God over everything.

  39. 9tut
    July 12th, 2015

    @all: We had to move all the questions and answers out of 9tut. We can only keep the explanation. You can download the questions and answers at: https://mega.co.nz/#!wt9kVCjL!vvp79FTtjsqfpCgq0uTOTKlE6_qsLY6C_m163sNGs_s

  40. Anonymous
    July 13th, 2015

    Admin these questions are not visible please do something

  41. sanjubaba
    July 13th, 2015

    Admin these questions are not visible please do something

  42. Anonymous
    July 13th, 2015

    Questions are not showing

  43. michelle
    July 13th, 2015

    why questions cannot be seen?

  44. sanjubaba
    July 13th, 2015

    Please that link is not opening i have exam on next week do something

  45. Anonymous
    July 14th, 2015

    please check can’t view questions, TIA

  46. 9tut
    July 14th, 2015

    We had to move all the questions and answers out of 9tut. We can only keep the explanation. You can download the questions and answers at: https://mega.co.nz/#!wt9kVCjL!vvp79FTtjsqfpCgq0uTOTKlE6_qsLY6C_m163sNGs_s

  47. Richard
    July 14th, 2015
  48. 9tut
    July 14th, 2015
  49. Mohammed
    July 16th, 2015

    Hi guys what happened to 9tut
    There is no questions, reply please

  50. Mohammed
    July 16th, 2015

    Thanks guys I downloaded the questions and answers from that link
    Over there
    Thanks in advance
