
1/2/2011


CCNA Training CCNA Access List Sim



CCNA Access List Sim


October 25th, 2010

Question

An administrator is trying to ping and telnet from Switch to Router with the results shown below:

Switch>
Switch> ping 10.4.4.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.4.4.3,timeout is 2 seconds:
.U.U.U
Success rate is 0 percent (0/5)
Switch>
Switch> telnet 10.4.4.3
Trying 10.4.4.3
% Destination unreachable; gateway or host down
Switch>

Click the console connected to Router and issue the appropriate commands to answer the questions.

Answer and Explanation:

For this question we only need to use the show running-config command to answer all the questions below.
www.9tut.com/70-ccna-access-list-sim 1/11


Router>enable
Router#show running-config


Question 1: Which will fix the issue and allow ONLY ping to work while keeping telnet disabled?

A. Correctly assign an IP address to interface fa0/1
B. Change the ip access-group command on fa0/0 from in to out
C. Remove access-group 106 in from interface fa0/0 and add access-group 115 in.
D. Remove access-group 102 out from interface s0/0/0 and add access-group 114 in
E. Remove access-group 106 in from interface fa0/0 and add access-group 104 in

Answer: E

Explanation: Let's have a look at access list 104:



The question does not ask about ftp traffic, so we don't care about the first two lines. The 3rd line denies all telnet traffic and the 4th line allows icmp traffic to be sent (ping). Remember that access list 104 is applied in the inbound direction, so the 5th line, access-list 104 deny icmp any any echo-reply, will not affect our icmp traffic because the echo-reply message will be sent in the outbound direction.

Question 2: What would be the effect of issuing the command ip access-group 114 in to the fa0/0 interface?

A. Attempts to telnet to the router would fail
B. It would allow all traffic from the 10.4.4.0 network
C. IP traffic would be passed through the interface but TCP and UDP traffic would not
D. Routing protocol updates for the 10.4.4.0 network would not be accepted from the fa0/0 interface

Answer: B

Explanation: From the output of access-list 114:

access-list 114 permit ip 10.4.4.0 0.0.0.255 any

we can easily understand that this access list allows all traffic (ip) from the 10.4.4.0/24 network.

Question 3: What would be the effect of issuing the command access-group 115 in on the s0/0/1 interface?

A. No host could connect to Router through s0/0/1
B. Telnet and ping would work but routing updates would fail.
C. FTP, FTP-DATA, echo, and www would work but telnet would fail
D. Only traffic from the 10.4.4.0 network would pass through the interface

Answer: A

Explanation: First let's see what was configured on interface S0/0/1:


Recall that each interface only accepts one access-list, so using the command ip access-group 115 in on the s0/0/1 interface will overwrite the initial access-list 102. Therefore any telnet connection will be accepted (so we can eliminate answer C). B is not correct because if telnet and ping can work then routing updates can, too. D is not correct because access-list 115 does not mention the 10.4.4.0 network. So the most reasonable answer is A.

But this raises a question. The wildcard mask of access-list 115, which is 255.255.255.0, means that only hosts with IP addresses in the form of x.x.x.0 will be accepted. But we all know that x.x.x.0 is likely to be a network address, so answer A (no host could connect to Router through s0/0/1) seems right. But what will happen if we don't use a subnet mask of 255.255.255.0? For example, we can use an IP address of 10.45.45.0 255.255.0.0; a host with that IP address exists and we can connect to the router through that host. Now answer A seems incorrect!

Please comment if you have any idea for this sim!
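The two rules the explanations above rely on, wildcard-mask matching and first match with an implicit deny at the end, can be checked with a small evaluator. This is an added example, not part of the original page or of Cisco IOS; it matches on protocol and addresses only, and the ACL_X0 entry is constructed (the page gives only the wildcard mask 255.255.255.0 for access-list 115, so the base address 0.0.0.0 and the destination are assumptions).

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: 0 bits must equal the base, 1 bits are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF          # bits that must match
    return (a & care) == (b & care)

def evaluate(acl, proto, src, dst):
    """Return the action of the first matching entry, else the implicit deny."""
    for action, e_proto, (s_base, s_wild), (d_base, d_wild) in acl:
        if e_proto not in ("ip", proto):      # "ip" covers every protocol
            continue
        if wildcard_match(src, s_base, s_wild) and \
           wildcard_match(dst, d_base, d_wild):
            return action                     # evaluation stops at first match
    return "deny"                             # implicit "deny ip any any"

ANY = ("0.0.0.0", "255.255.255.255")

# From the page: access-list 114 permit ip 10.4.4.0 0.0.0.255 any
ACL_114 = [("permit", "ip", ("10.4.4.0", "0.0.0.255"), ANY)]

# Constructed stand-in for an entry with wildcard 255.255.255.0:
# only the last octet is compared, so only x.x.x.0 sources match.
ACL_X0 = [("permit", "ip", ("0.0.0.0", "255.255.255.0"), ANY)]

def demo():
    """Evaluate constructed sample packets against both lists."""
    return {
        "114 from 10.4.4.7":   evaluate(ACL_114, "tcp", "10.4.4.7", "10.4.4.3"),
        "114 from 10.5.5.1":   evaluate(ACL_114, "icmp", "10.5.5.1", "10.4.4.3"),
        "x0 from 10.45.45.0":  evaluate(ACL_X0, "tcp", "10.45.45.0", "10.45.45.1"),
        "x0 from 10.45.45.2":  evaluate(ACL_X0, "tcp", "10.45.45.2", "10.45.45.1"),
    }

if __name__ == "__main__":
    for name, action in demo().items():
        print(f"{name}: {action}")
```
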


Comments

1. Abe December 3rd, 2010
On Question 2: What would be the effect of issuing the command ip access-group 114 in to the fa0/0 interface?
A. Attempts to telnet to the router would fail
B. It would allow all traffic from the 10.4.4.0 network
C. IP traffic would be passed through the interface but TCP and UDP traffic would not
D. Routing protocol updates for the 10.4.4.0 network would not be accepted from the fa0/0 interface
The access-list is
access-list 114 permit ip 10.4.4.0 0.0.0.255 any
There is no permit any any, so there is an explicit deny at the end. Would B still be correct?

2. Vikas December 4th, 2010
@ Abe: Yes, B is still the correct answer. ACLs filter sequentially. So considering the implicit deny at the end, our access-list will be like this:
access-list 114 permit ip 10.4.4.0 0.0.0.255 any
access-list 114 deny ip 10.4.4.0 any any
It means if a host from network 10.4.4.0 sends any traffic to any IP address, the 1st permit line will be executed. ACL execution stops when it matches any line in the ACL, so it will not read the deny line and will stop after matching the first line of the ACL.

3. Abe December 4th, 2010
@ Vikas Thanks

4. Chris December 12th, 2010
@Vikas It cannot be
access-list 114 deny ip 10.4.4.0 any any
The implicit deny at the end of an access-list is like this:
access-list 114 deny ip any any

5. samehesk December 16th, 2010
In question 3 I think the right answer is D because the access list on the serial interface s0/0/1 is applied in, which means traffic going in, but the traffic coming out, which is coming from interface f0/0 from network 10.4.4.0, will pass. Am I right?

6. Dhivyaa December 16th, 2010
@samehesk D may not be the right option as it says only 10.4.4.0 traffic passes through. Traffic other than 10.4.4.0 can also pass through as there is no ACL applied on the outbound direction on s0/0/1.

7. Vnpro(nbh) December 19th, 2010
For question 3, I think B is correct. Because only address x.x.x.0 can pass, the broadcast update addresses of routing protocols can't pass. (RIPv1: 255.255.255.255, RIPv2: 224.0.0.9, OSPF: 224.0.0.5/.6, EIGRP: 224.0.0.10)

8. Jasmin Patel December 20th, 2010
For question 3: We can consider option A as the only answer compared to the other available answers, which are quite wrong. So option A is a comparatively true answer, but conceptually it's not necessarily true. Because what will happen if we don't use a subnet mask of 255.255.255.0? For example we can use an IP address of 10.45.45.0 255.255.0.0; such a host with that IP address exists and we can connect to the router through that host. Now answer A seems incorrect! (As explained above)

9. samehesk December 20th, 2010
@Dhivyaa For question 3 I think D is correct because the traffic from the LAN 10.4.4.0 can pass in the out direction. As I said, we have interface f0/1 shutdown, we have interface s0/0/0, I have a doubt about this one, but it has access list 102 in the in direction and it has a subinterface connected to a frame relay. I am not sure if traffic can be routed to the s0/0/1 in the out direction or not. But if A was correct he could have used deny any if he wants to deny all hosts.

10. Mr-abc December 20th, 2010
Hi guys, I try to understand the first question but have no idea why the answer is E. Can someone shed some light please? Much appreciated. Thanks.

11. Mr-abc December 20th, 2010
Sorry, forgot to mention Question 1:

12. prabu December 22nd, 2010
Access-list 104 denied the telnet. Then how can you access the telnet? Once you remove the line Access-list 104 deny tcp any (Host) any (Destination) eq telnet you are able to telnet.

13. sello December 22nd, 2010
Hi everyone, please, can I get a link like 9tut for those in Juniper Networks? I want to write my JNCIA-ER next week. 9tut, thanks for what you are doing for CCNA candidates. Please, I need a quick response.

14. Chris December 22nd, 2010
Let me explain why the answer for the 3rd question is A. Access-list 115 would permit only traffic coming from IP addresses like x.x.x.0. But if you check the routing table of the router you can see there are only /24 routes and no gateway of last resort. So no host with IP address x.x.x.0 will be able to get an answer from the router, as the router will consider it a network address or it won't find it in the routing table.

15. Vnpro(nbh) December 23rd, 2010
@Chris: What happens if Router connects to another RouterX through s0/0/1, and RouterX connects to a network with prefix length /16? The result is that many hosts with IP address x.x.x.0 connected to RouterX can connect to Router through s0/0/1. Right?

16. Chris December 23rd, 2010
I think the question refers to the current network layout.

17. Vnpro(nbh) December 24th, 2010
In the current network layout, interface s0/0/1 doesn't connect to any exact router; that means it connects to a large network.

18. Chris December 25th, 2010
Interface S0/0/1 has IP address 10.45.45.1/24, so it's only a /24 out there :)

19. Vnpro(nbh) December 25th, 2010
If they want to refer to /24, the current layout will show RouterX connected to Router. In this case, they hide it, and we must think about large Come back my answer, B is perfect choice here. Because ping and telnet may not work for /24 prefix, but they can pass through network with prefix first statement is correct, telnet and ping would work example 192.168.0.0/23 (IP address 192.168.1.0/23) But all routing updates will be denied by interface s0/0/1. Routing updates of routing protocols use multicast IP 224.0.0.x with x#0, second statement is also correct routing updates fail

20. Chris December 25th, 2010
Now I think I understand what you were trying to say: that out there might be another router, let's assume its IP address is 10.45.45.2/24, running for example EIGRP, and advertising a /23 route like 192.168.0.0/23. Ok, I admit you might be right about this, but I would wait for somebody to bump into this lab on his/her exam and issue a show ip route command at the console of the router to see what prefixes are in the routing table, then share the output here, as a comment. I guess the output will shed some light onto this question :)
