
14/04/2013

CCNA Training CCNA Access List Sim


CCNA Access List Sim


July 10th, 2011

Question

An administrator is trying to ping and telnet from Switch to Router with the results shown below:

Switch>
Switch> ping 10.4.4.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.4.4.3,timeout is 2 seconds:
.U.U.U
Success rate is 0 percent (0/5)
Switch>
Switch> telnet 10.4.4.3
Trying 10.4.4.3
% Destination unreachable; gateway or host down
Switch>

Click the console connected to Router and issue the appropriate commands to answer the questions.

Answer and Explanation

Note: If you are not sure about Access-list, please read my Access-list tutorial. You can also download this sim to practice (open with Packet Tracer) here: http://www.9tut.com/download/9tut.com_CCNA_Access_List_Sim.pkt

For this question we only need to use the show running-config command to answer all the questions below.
www.9tut.com/70-ccna-access-list-sim 1/14

Router>enable
Router#show running-config

Question 1: Which will fix the issue and allow ONLY ping to work while keeping telnet disabled?

A Correctly assign an IP address to interface fa0/1
B Change the ip access-group command on fa0/0 from in to out
C Remove access-group 106 in from interface fa0/0 and add access-group 115 in.
D Remove access-group 102 out from interface s0/0/0 and add access-group 114 in
E Remove access-group 106 in from interface fa0/0 and add access-group 104 in

Answer: E


Explanation: Let's have a look at access list 104:

The question does not ask about ftp traffic so we don't care about the first two lines. The 3rd line denies all telnet traffic and the 4th line allows icmp traffic to be sent (ping). Remember that access list 104 is applied in the inbound direction, so the 5th line, access-list 104 deny icmp any any echo-reply, will not affect our icmp traffic because the echo-reply message will be sent in the outbound direction.

Question 2: What would be the effect of issuing the command ip access-group 114 in to the fa0/0 interface?

A Attempts to telnet to the router would fail
B It would allow all traffic from the 10.4.4.0 network
C IP traffic would be passed through the interface but TCP and UDP traffic would not
D Routing protocol updates for the 10.4.4.0 network would not be accepted from the fa0/0 interface

Answer: B

Explanation: From the output of access-list 114: access-list 114 permit ip 10.4.4.0 0.0.0.255 any, we can easily understand that this access list allows all traffic (ip) from the 10.4.4.0/24 network.

Question 3: What would be the effect of issuing the command access-group 115 in on the s0/0/1 interface?

A No host could connect to Router through s0/0/1
B Telnet and ping would work but routing updates would fail.
C FTP, FTP-DATA, echo, and www would work but telnet would fail
D Only traffic from the 10.4.4.0 network would pass through the interface

Answer: A

Explanation:

First let's see what was configured on interface S0/0/1:

Recall that each interface only accepts one access-list, so when using the command ip access-group 115 in on the s0/0/1 interface it will overwrite the initial access-list 102. Therefore any telnet connection will be accepted (so we can eliminate answer C). B is not correct because if telnet and ping can work then routing updates can, too. D is not correct because access-list 115 does not mention the 10.4.4.0 network. So the most reasonable answer is A.

But this raises a question: the wildcard mask of access-list 115, which is 255.255.255.0, means that only hosts with IP addresses in the form of x.x.x.0 will be accepted. But we all know that x.x.x.0 is likely to be a network address, so answer A, "no host could connect to Router through s0/0/1", seems right.

But what will happen if we don't use a subnet mask of 255.255.255.0? For example, we can use an IP address of 10.45.45.0 255.255.0.0; a host with that IP address exists and we can connect to the router through that host. Now answer A seems incorrect!

Please comment if you have any idea for this sim!
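As an added illustration (not code from 9tut or Cisco), this Python sketch models first-match ACL evaluation with Cisco wildcard masks, covering both the Question 1 explanation of access list 104 and the Question 3 wildcard discussion. The ACL 104 entries follow the show output a reader posted in the comments; the 0.0.0.0 base address for ACL 115 and the source-only matching are assumptions.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 0 bit must match the base, a 1 bit is ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

ANY = ("0.0.0.0", "255.255.255.255")  # the keyword "any"

# Entries: (action, protocol, (source base, source wildcard), port or ICMP type).
# ACL 104 as listed in the show output a reader posted in the comments.
ACL_104 = [
    ("permit", "tcp", ANY, "ftp"),
    ("deny", "tcp", ANY, "telnet"),
    ("permit", "icmp", ANY, "echo"),
    ("deny", "icmp", ANY, "echo-reply"),
    ("permit", "ip", ANY, None),
]
# ACL 114 as quoted in the Question 2 explanation.
ACL_114 = [("permit", "ip", ("10.4.4.0", "0.0.0.255"), None)]
# ACL 115: only the wildcard 255.255.255.0 is on the page; the base is assumed.
ACL_115 = [("permit", "ip", ("0.0.0.0", "255.255.255.0"), None)]

def evaluate(acl, src, proto, kind=None):
    """Return the action of the first matching entry, else the implicit deny."""
    for action, acl_proto, (base, wildcard), acl_kind in acl:
        if acl_proto not in ("ip", proto):
            continue  # "ip" entries match every protocol
        if acl_kind is not None and acl_kind != kind:
            continue  # port or ICMP type differs
        if wildcard_match(src, base, wildcard):
            return action
    return "deny"  # implicit "deny ip any any" at the end of every ACL

if __name__ == "__main__":
    # Constructed sample packets: (source address, protocol, port or ICMP type)
    samples = [
        ("104", ACL_104, ("10.4.4.1", "icmp", "echo")),
        ("104", ACL_104, ("10.4.4.1", "tcp", "telnet")),
        ("115", ACL_115, ("10.4.4.1", "icmp", "echo")),
        ("115", ACL_115, ("10.45.45.0", "icmp", "echo")),
    ]
    for name, acl, pkt in samples:
        print(f"ACL {name} {pkt}: {evaluate(acl, *pkt)}")
```

With ACL 115, an ordinary host such as 10.4.4.1 falls through to the implicit deny, while 10.45.45.0 (a valid host address under a 255.255.0.0 mask) is permitted, which is the edge case raised above.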

Comments

1. rajan maretha, February 23rd, 2013
pls send to me the ccna dumps. thanks in advance.

2. m, February 25th, 2013
Question 1: Which will fix the issue and allow ONLY ping to work while keeping telnet disabled? A Correctly assign an IP address to interface fa0/1 B Change the ip access-group command on fa0/0 from in to out <seems to be correct
m.

3. NoDumps4You, February 26th, 2013
The easiest way to answer to Q3 is that there is an implicit deny at the end of the access list which we cannot see. Hence, all the traffic will be automatically blocked. I don't know why people are writing gigantic answers just to answer Q3.

4. oshawkat-Sudan, March 2nd, 2013
regarding Q1 B-Change the ip access-group command on fa0/0 from in to out not correct because this will allow telnet and ping as well.

5. EnthusiatCCNA, March 3rd, 2013
I downloaded the pkt, regarding the Q3 it did not override as I execute the command the s0/0/0 has now 2 ACL: ip access-group 115 in and ip access-group 102 out in the explanation it says override so in my understanding the first ACL will be read and the second ACL will just be ignored?

6. EnthusiatCCNA, March 3rd, 2013
I downloaded the pkt, regarding the Q3 it did not override as I execute the command the s0/0/0 has now 2 ACL: ip access-group 115 in and ip access-group 102 out in the explanation it says override so in my understanding the first ACL will be read and the second ACL will just be ignored?

7. Ahmed, March 3rd, 2013
Does anyone out there have Packet Tracer 6 or later? Please send to aaegh7@gmail.com. My version (V5) does not support iBGP. I'm preparing for CCIE. Thanks in advance.

8. CAHOP240, March 5th, 2013
@Enthusiast Check your directions. You can only have 1 access list per interface, per protocol, per direction. You have two ACLs on your interface because one is facing in and the other is facing out. The original question has ACL 102 IN. If you apply ACL 115 IN it will overwrite ACL 102.

9. going4CCNA, March 7th, 2013
is this lab subject to any changes during the exam? thank you very much.

10. Nera, March 8th, 2013
plz tell me any one..??? do we need to change the ACLz on that router.? or we can just look at the ACLs and answer them

11. Anonymous, March 14th, 2013
@9tut Vindicated!!! Um, by virtue of actually reading your last statement on Question 3! :P I downloaded the Packet Tracer sim and just moved all the answers from Q1-Q3 to a separate text box and attempted to answer them by myself. That was somewhat of a mistake since I didn't have the actual multiple choice answers and issued a command to modify the ACL instead of the ACL interface assignment. Regardless, when I got to question three, this is what I wrote:
Q3: What would be the effect of issuing the command ip access-group 115 in on the s0/0/1 interface?
My Answer: It would allow any host in whose last octet was 0.
It seemed the most reasonable, precise answer I could think of. Perhaps you could save the current .pkt file as 9tut.com_CCNA_ACL_sim_question_Answered.pkt and place the multiple choice possibilities in 9tut.com_CCNA_ACL_sim_question.pkt file and zip them up like you did with the NAT_sim_question. That would be my only request for this. Other than that, great lab. Thanks!

12. jv, March 18th, 2013
Q3: i setup a lab.. R1 ip 10.45.45.1/21 R2 ip 10.45.45.0/21 (direct connect) yes the .0 can ping .1.. but look at the question and answers.. the answer only traffic from NETWORK 10.4.4.0 would be allowed. Look at the config, the 10.4.4.0 is a /24, would 10.4.4.1 be able to ping thru? nope.. Final answer, A..

13. Elyor, March 20th, 2013
(Hardcover) Do you need help in trying to pass the ICND1 and CCNA exams? If you do, then this book is for you! Author Wendell Odom, has done an outstanding job of writing the third edition of a book that is designed to make you much more knowledgeable about how to do your job. Author Odom, begins by providing a basic introduction for those who are brand new to networking. Then, the author introduces the terminology surrounding two different networking architectures: TCP/IP and OSI. Next, he covers the concepts and terms used for the most popular option for the data link layer for local-area networks, namely Ethernet. The author also covers the concepts and terms used for the most popular options for the data link layer for wide-area networks, including High-Level Data Link Control, the Point-to-Point Protocol and Frame Relay. He continues by introducing the basics of IP, including IP addressing and routing. Then, the author introduces the basics of TCP and UDP. Next, he shows you how to access, examine, and configure Cisco Catalyst LAN switches. The author also shows you how to configure a variety of switch features, including duplex and speed, port security, securing the CLI, and the switch IP address. He continues by focusing on how to tell if the switch is doing what it is supposed to be doing, mainly through the use of show commands. Then, the author explains the basic operation concepts of wireless LANs, along with addressing some of the most common security concerns. Next, he walks through the entire concept of subnetting, from starting with a Class A, B, or C network, analyzing requirements, making choices, calculating the resulting subnets, assigning those on paper, all in preparation to deploy and use those subnets by configuring the devices. The author also explores all things related to address classes and the IP network concept created by those classes.
He continues by showing you how to quickly and easily convert between the formats, so you can practice before having to think more about what the mask does. Then, the author shows you how to look at the mask to discover key facts, like the size of subnet and the number of subnets in the network. Next, he shows you how to find and analyze the subnet in which that IP address resides, including finding the subnet ID, range of addresses in the subnet, and subnet broadcast address. The author also shows you how to find all of those subnet IDs, given a network number and a single mask used throughout the network. He continues by showing you how to configure IP addresses, static routes, and one routing protocol: RIP Version 2. Then, the author features a scenario that examines the IP packet forwarding process. Next, he covers the concepts of Network Address Translation. The author also focuses on a few small WAN configuration tasks, plus NAT configuration using Cisco Security Device Manager. Finally, he suggests a plan for final preparation once you have finished the core parts of the book, in particular explaining the many study options available in the book. This most excellent book uses several key methodologies to help you discover the exam topics on which you need more review; to help you fully understand and remember those details; and, to help you prove to yourself that you have retained your knowledge of those topics. Perhaps more importantly, this book does not try to help you pass the exams only by memorization, but by truly learning and understanding the topics.

14. adil, March 24th, 2013
@9tut Question1: If we remove access-list 106 and use 102 in the same direction (IN), then it also gives the same result (i.e. allow ping but deny telnet). Not sure how the exam will score it, but it seems to be valid option.

15. adil, March 24th, 2013
@9tut More detail on my point. I first used access-list 102. The ping attempts matched the permit ip any any line:

RouterC(config-if)#do show acc
Extended IP access list 102
permit tcp any any eq ftp
deny tcp any any eq telnet (12 match(es))
deny icmp any any echo-reply
permit ip any any (5 match(es))
-output omitted
============================

Then I removed 102 and used 104. In this case ping attempts matched the permit icmp any any echo line:

RouterC(config-if)#do show acc
Extended IP access list 102
permit tcp any any eq ftp
deny tcp any any eq telnet (12 match(es))
deny icmp any any echo-reply
permit ip any any (5 match(es))
Extended IP access list 104
permit tcp any any eq ftp
deny tcp any any eq telnet (12 match(es))
permit icmp any any echo (5 match(es))
deny icmp any any echo-reply
permit ip any any

16. GJ, March 27th, 2013
@9Tute Question 3: What would be the effect of issuing the command access-group 115 in on the s0/0/1 interface? ***** Is it access-group 115 in or ip access-group 115 in? If access-group 115 in is the CMD, the old ip access-group 102 in will not be overwritten.

17. GJ, March 27th, 2013
if so Ans is C

18. dd, March 29th, 2013
how many questions are there for this ACL lab in the real test?

19. dd, March 29th, 2013
how many questions for this ACL lab in the real test?

20. mazhar hussain, April 3rd, 2013
please some one send me licenced version of visual_certexam_suite_setup. i m thankful 2 u. my mailing add: its_md.5277@yahoo.com.
