Access Control List (ACL) Simlet



An administrator is trying to ping and telnet from Switch to Router with the results shown below:



For this question we only need to use the show running-config command to answer all the questions below:

Router>enable
Router#show running-config





Question 1

Which will fix the issue and allow ONLY ping to work while keeping telnet disabled?

A. Correctly assign an IP address to interface fa0/1
B. Change the ip access-group command on fa0/0 from “in” to “out”
C. Remove access-group 106 in from interface fa0/0 and add access-group 115 in.
D. Remove access-group 102 out from interface s0/0/0 and add access-group 114 in
E. Remove access-group 106 in from interface fa0/0 and add access-group 104 in


Answer: E

Explanation:


The question is not about FTP, so skip line #1 and line #2.
Line #3 denies telnet traffic and line #4 permits icmp-echo traffic.
Line #5 denies echo-reply traffic. If any device pings a device that is attached to Fa0/0, the packet will be denied.
Line #6 permits all other traffic.




Question 2:

What would be the effect of issuing the command ip access-group 114 in to the fa0/0 interface?

A. Attempts to telnet to the router would fail
B. It would allow all traffic from the 10.4.4.0 network
C. IP traffic would be passed through the interface but TCP and UDP traffic would not
D. Routing protocol updates for the 10.4.4.0 network would not be accepted from the fa0/0 interface

Answer: B

Explanation:


Only one command is associated with access-list 114: access-list 114 permit ip 10.4.4.0 0.0.0.255 any. This command will permit traffic from the 10.4.4.0/24 network.




Question 3:

What would be the effect of issuing the command access-group 115 in on the s0/0/1 interface?

A. No host could connect to Router through s0/0/1
B. Telnet and ping would work but routing updates would fail.
C. FTP, FTP-DATA, echo, and www would work but telnet would fail
D. Only traffic from the 10.4.4.0 network would pass through the interface

Answer: A


Explanation:



The above command will only permit the IP (0.0.0.0). Also, no such IP address exists.

The wildcard mask of access-list 115 is 255.255.255.0, which means that only hosts with IP addresses x.x.x.0 will be accepted. If the 4th part of an IP address is 0, then it would definitely be a network address. So no host can communicate with another network using the S0/0/1 interface.

But it will accept a packet with source IP address 10.10.0.0/8. The 4th octet is 0, and it is not a network address but a valid IP address. So confusion... confusion... Anyhow, the other 3 choices (B, C, D) are definitely not the answer and choice A is closest to the result, so the answer is A.
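The wildcard-mask matching discussed for access-lists 114 and 115, as an added example (not part of the original post): wildcard bits set to 1 are ignored, bits set to 0 must match, and anything unmatched falls through to the implicit deny. The ACL 115 entry is reconstructed from the address and mask quoted in the explanation, the sample source addresses are made up, and only the source address is evaluated because both entries are `permit ip ... any`.

```python
import ipaddress


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit must match, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF          # bits that have to be equal
    return (a & care) == (b & care)


def evaluate(acl, src: str) -> str:
    """First matching entry wins; no match means the implicit deny applies."""
    for action, base, wildcard in acl:
        if wildcard_match(src, base, wildcard):
            return action
    return "deny (implicit)"


# (action, source, wildcard) entries taken from the page's text.
ACL_114 = [("permit", "10.4.4.0", "0.0.0.255")]
# Reconstructed from the explanation: address 0.0.0.0, wildcard 255.255.255.0.
ACL_115 = [("permit", "0.0.0.0", "255.255.255.0")]

# Constructed sample source addresses (not from the page's topology).
SAMPLE_SOURCES = ["10.4.4.7", "10.4.4.0", "10.10.0.0", "192.168.1.1", "172.16.9.0"]


def table(acl):
    """Verdict for every sample source address under one ACL."""
    return {src: evaluate(acl, src) for src in SAMPLE_SOURCES}


if __name__ == "__main__":
    for name, acl in (("114", ACL_114), ("115", ACL_115)):
        print(f"access-list {name}")
        for src, verdict in table(acl).items():
            print(f"  {src:<12} {verdict}")
```

With wildcard 255.255.255.0 only the last octet is compared, so ACL 115 permits sources ending in .0 and every ordinary host address reaches the implicit deny.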


27 Responses so far.

  1. Alex says:

    Hi! Regarding question 3. The ACL 115 how you wrote it is equal to permit ip any any. It is a WILDCARD, not a subnet mask. Thus it is not the source 0.0.0.0 how you said. In this case your logic fails. Rather I would choose D in this case.

    I have also found the version with access-list 115 permit ip 0.0.0.0 255.255.255.0 any. This would result in hosts of format x.x.x.0, and for the given topology it will result kinda complicated in answer A.

    Any opinions?

  2. Arun says:

    Thanks dude. I will correct this bug.

  3. Amin khan says:

    So guys, what's the answer for question no. 3? A or D?

  4. Anwar says:

    @Amir Khan: A. as the wildcard mask is wrongly assigned

  5. Anonymous says:

    Just passed this Friday, Oct 4. Test is valid. Thank you.

  6. Adi says:

    Hello Guys I hope you will be fine there.Now New CCNA (200-120) and CCNA security (640-554) Vouchers on special discount of 58% for World wide, with six months expiry date till you purchase. Each voucher cost 70USD.

    Details Required For CCNA Voucher For Discount Processing:

    1-Full Name. 1st Name & Last Name (as you want to appear on certificate & documents)
    2-Country.
    3-City.
    4-State.
    5-Pin Code (or Area Code)
    6-Residential Address (or where you can collect your Certificate or further correspondence
    can be received)
    7-Date of birth
    Add me on Skype through this information which is written below:
    Skype Name: rockon660
    you can also email me at this email address which is written below:
    madeelqaiser@gmail.com
    If you have any Questions feel free to contact me.

    Thanks,
    Best regards,
    Adeel

  7. ALI says:

    can we get the topology in packet tracer format?

    Thanks
    ALI

  10. Anonymous says:

    Correct answer is A: a network address cannot be permitted (no match for the access list).

  11. Anonymous says:

    I had passed my CCNA exam with a 972/1000 score on 12 Feb.
    The labs were ACL1, ACL2 and EIGRP:
    ACL 1 (same as it is)
    EIGRP (just change of AS and advertising a network (same as it is) with NO issue about passive interfaces and default network)
    ACL 2 (with a bit of modification)

    "The task is to create and apply a numbered access-list with no more than three statements that
    -> will allow ONLY host A web access to the Finance Web Server.
    ->All other traffic from A to finance server is denied.
    ->All traffic from lan servers(B,C,D) and core to the Finance Web Server is denied.
    -> All other traffic is permitted to public server.

  12. Ahmad Ali Usman says:

    Alhumdolillah, just passed the exam with a 931/1000 score. Labs are 100% valid. If anyone has a query, please contact aa.usman at Skype.

  13. Anonymous says:

    At Q1, access-list 102 wouldn't work too?? It does not deny icmp echo and at last permit ip any any..

  14. Anonymous says:

    Hello everybody… I'm planning to take the exam next week… but I can hardly understand this lab. Can anyone please elaborate it to me? Thanks… I can ping but I can't telnet… thanks in advance… alfechekurt@gmail.com… my email

  15. ACL1 ACL2 EIGRP
    https://www.youtube.com/watch?v=FO3eD6oAIRQ&index=2&list=PLW2Xk7jJ5ZSoFn2G_x0ql_S5AlKvaDaOZ

  17. Afsal says:

    Is any video link available for this sim?

  18. full ccna exam and dump
    https://www.youtube.com/watch?v=Q7cTJsVxebc&list=UUyppZ-pXVGuzXQEq8L8HEhg

  19. Anonymous says:

    Kindly someone tell me....
    do we have to answer with just A, B or C in this lab?

  20. Anonymous says:

    For question 3 the correct answer is A, "No host could connect to Router through s0/0/1." But the reason is because of the implicit deny all statement at the end of all ACLs. The only other statement for access-list 115 does not have a valid wildcard mask, so it would do nothing.

  21. Q1 - why is there a "deny icmp echo reply"? Built the lab in Packet Tracer and got echo replies as usual. What is the purpose of that line?

  22. Hey Adi.. How can I get this voucher coupon?


  23. I hope you can help me

    Regards

  24. Hi guys, what does the ACL 115 mean here,
    ip access-list 115 0.0.0.0 255.255.255.0, is it an incorrectly written subnet mask?
    If so, what would happen if 115 was as following,
    ip access-list 115 0.0.0.0 0.0.0.255 and it is applied on the inbound interface instead?
    I am very confused why no host could connect to se0/0/1 when applying ACL 115 in question no. 3?
    I would appreciate it if someone clarifies this for me.
    Thanks in advance.
