CCNA Training Access-List Questions

This document contains 7 multiple choice questions about configuring and applying access control lists (ACLs) on routers. The questions test knowledge of denying and permitting traffic based on source and destination IP addresses, protocols, and ports. Sample explanations are provided for each answer. Comments from readers ask for clarification or note possible errors in some of the questions or answers.

11:04, 16/06/2022 CCNA Training » Access-list Questions

Access-list Questions
January 13th, 2021

Note: If you are not sure about access lists, please read our Access List Tutorial.

Question 1

Refer to the exhibit. A network engineer must block access for all computers on VLAN 20 to the web server via
HTTP. All other computers must be able to access the web server. Which configuration when applied to switch
A accomplishes this task?

A.
config t
ip access-list extended wwwblock
deny tcp any host 10.30.0.100 eq 80
int vlan 100
ip access-group wwwblock in

B.
config t
ip access-list extended wwwblock
deny tcp any host 10.30.0.100 eq 80
permit ip any any
int vlan 20
ip access-group wwwblock in

https://www.9tut.com/access-list-questions-2 1/10
C.
config t
ip access-list extended wwwblock
permit ip any any
deny tcp any host 10.30.0.100 eq 80
int vlan 30
ip access-group wwwblock in

D.
config t
ip access-list extended wwwblock
deny tcp any host 10.30.0.100 eq 80
int vlan 20
ip access-group wwwblock in

Answer: B

Explanation

The “deny tcp any host 10.30.0.100 eq 80” command means “block TCP traffic from any source to the web server at
10.30.0.100 on port 80”. Since the ACL is applied inbound on the VLAN 20 interface, only computers on VLAN 20
are affected.

In summary, just notice that 10.30.0.100 here is the destination IP address, not source address.

Note: The traffic flow from hosts in VLAN 20 to the Web Server is: host in VLAN 20 -> Interface VLAN 20 ->
Interface VLAN 30 -> Web Server. If we place the ACL: host in VLAN 20 -> (ACL Inbound) Interface VLAN
20 -> Interface VLAN 30 -> Web Server. Therefore the ACL can block traffic from VLAN 20.

Question 2

Refer to the exhibit. An extended ACL has been configured and applied to router R2. The configuration failed to
work as intended. Which two changes stop outbound traffic on TCP ports 25 and 80 to 10.0.20.0/26 from the
10.0.10.0/26 subnet while still allowing all other traffic? (Choose two)

R2#config t
R2(config)#access-list 101 deny tcp 10.0.20.0 0.0.0.63 10.0.10.0 0.0.0.63 eq smtp
R2(config)#access-list 101 deny tcp 10.0.20.0 0.0.0.63 10.0.10.0 0.0.0.63 eq www
R2(config)#int gi0/2
R2(config-if)#ip access-group 101 in

A. Add a “permit ip any any” statement to the beginning of ACL 101 for allowed traffic
B. Add a “permit ip any any” statement at the end of ACL 101 for allowed traffic
C. The source and destination IPs must be swapped in ACL 101
D. The ACL must be configured on the Gi0/2 interface inbound on R1
E. The ACL must be moved to the Gi0/1 interface outbound on R2

Answer: B C

Question 3

While examining excessive traffic on the network, it is noted that all incoming packets on an interface appear to
be allowed even though an IPv4 ACL is applied to the interface. Which two misconfigurations cause this
behavior? (Choose two)

A. The packets fail to match any permit statement
B. A matching permit statement is too high in the access list
C. A matching permit statement is too broadly defined
D. The ACL is empty
E. A matching deny statement is too high in the access list

Answer: B C

Explanation

If a matching permit statement is too high in the access list, it is matched first, before the deny statement that
was meant to block the traffic is reached. If a matching permit statement is too broadly defined, it permits more
traffic than intended (for example, if we only want to permit TCP traffic then we should not permit “ip” traffic,
which includes both TCP and UDP).

Question 4

Refer to the exhibit. What configuration on R1 denies SSH access from PC-1 to any R1 interface and allows all
other traffic?

A. access-list 100 deny tcp host 172.16.1.33 any eq 22
access-list 100 permit ip any any
interface GigabitEthernet0/0
ip access-group 100 in

B. access-list 100 deny tcp host 172.16.1.33 any eq 22
access-list 100 permit ip any any

C. line vty 0 15
access-class 100 in
access-list 100 deny tcp host 172.16.1.33 any eq 23
access-list 100 permit ip any any

interface GigabitEthernet0/0
ip access-group 100 in

D. access-list 100 deny tcp host 172.16.1.33 any eq 23
access-list 100 permit ip any any
line vty 0 15
access-class 100 in

Answer: A

Explanation

To deny SSH, we must block TCP port 22, and we need to apply the ACL to the Gi0/0 interface (which connects to
PC-1).

Note: TCP port 23 is used for Telnet.

Question 5

Refer to the exhibit. An administrator configures the following ACL in order to prevent devices on the
192.168.1.0 subnet from accessing the server at 10.1.1.5:

access-list 100 deny ip 192.168.1.0 0.0.0.255 host 10.1.1.5
access-list 100 permit ip any any

Where should the administrator place this ACL for the most efficient use of network resources?

A. inbound on router A Fa0/0
B. outbound on router B Fa0/0
C. outbound on router A Fa0/1
D. inbound on router B Fa0/1

Answer: A

Explanation

By placing the ACL closest to the source, we can reduce unnecessary traffic passing between two routers and the
processing time of the router.

Question 6

Refer to the exhibit. Which two configurations would be used to create and apply a standard access list on R1, so
that only the 10.0.70.0/25 network devices are allowed to access the internal database server? (Choose two)

A. R1(config)# interface GigabitEthernet0/0
R1(config-if)# ip access-group 5 out

B. R1(config)# access-list 5 permit 10.0.54.0 0.0.1.255

C. R1(config)# interface Serial0/0/0
R1(config-if)# ip access-group 5 in

D. R1(config)# access-list 5 permit 10.0.70.0 0.0.0.127

E. R1(config)# access-list 5 permit any

Answer: A D

Question 7

Refer to the exhibit.

interface GigabitEthernet0/1
ip address 192.168.1.2 255.255.255.0
ip access-group 2699 in
!
access-list 2699 deny icmp any 10.10.1.0 0.0.0.255 echo
access-list 2699 deny ip any 10.20.1.0 0.0.0.255
access-list 2699 permit ip any 10.10.1.0 0.0.0.255
access-list 2699 permit tcp any 10.20.1.0 0.0.0.127 eq 22

A network administrator must permit SSH access to remotely manage routers in a network. The operations team
resides on the 10.20.1.0/25 network. Which command will accomplish this task?

A. access-list 2699 permit udp 10.20.1.0 0.0.0.255
B. no access-list 2699 deny tcp any 10.20.1.0 0.0.0.127 eq 22
C. access-list 2699 permit tcp any 10.20.1.0 0.0.0.255 eq 22
D. no access-list 2699 deny ip any 10.20.1.0 0.0.0.255

Answer: D

Explanation

The operations team resides on the 10.20.1.0/25 network, which is part of the 10.20.1.0/24 network, so we need to
remove the “deny” statement of the 10.20.1.0/25 network to allow SSH.
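
The first-match behaviour behind Questions 3 and 7 can be checked with a small evaluator. This is an added example, not code from the original page; it parses only the entry syntax used in the Question 7 exhibit (source always "any"), and the test addresses 10.20.1.10 and 10.20.1.200 are constructed.

```python
import ipaddress

# ACL 2699 from the Question 7 exhibit, with the "access-list 2699" prefix dropped.
EXHIBIT = [
    "deny icmp any 10.10.1.0 0.0.0.255 echo",
    "deny ip any 10.20.1.0 0.0.0.255",
    "permit ip any 10.10.1.0 0.0.0.255",
    "permit tcp any 10.20.1.0 0.0.0.127 eq 22",
]
# Answer D: "no access-list 2699 deny ip any 10.20.1.0 0.0.0.255"
FIXED = [line for line in EXHIBIT if line != "deny ip any 10.20.1.0 0.0.0.255"]

def wildcard_match(addr, base, wildcard):
    """Compare only the bits where the wildcard mask has a 0."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def parse_ace(line):
    """Parse '<action> <proto> any <dst> <wildcard> [eq <port> | <icmp-type>]'."""
    t = line.split()
    ace = {"action": t[0], "proto": t[1], "dst": t[3], "wc": t[4],
           "port": None, "icmp": None}
    if t[5:6] == ["eq"]:
        ace["port"] = int(t[6])
    elif len(t) > 5:
        ace["icmp"] = t[5]
    return ace

def evaluate(lines, proto, dst, port=None, icmp=None):
    """Return (action, matching line number); first match wins.
    A packet that matches no entry hits the implicit deny: ('deny', None)."""
    for n, ace in enumerate(map(parse_ace, lines), start=1):
        if ace["proto"] not in ("ip", proto):
            continue
        if not wildcard_match(dst, ace["dst"], ace["wc"]):
            continue
        if ace["port"] is not None and ace["port"] != port:
            continue
        if ace["icmp"] is not None and ace["icmp"] != icmp:
            continue
        return ace["action"], n
    return "deny", None

if __name__ == "__main__":
    ssh = ("tcp", "10.20.1.10", 22)          # constructed host in 10.20.1.0/25
    print(evaluate(EXHIBIT, *ssh))           # broad deny sits above the SSH permit
    print(evaluate(FIXED, *ssh))             # SSH permit is reached once it is removed
    print(evaluate(FIXED, "tcp", "10.20.1.200", 22))  # outside the /25: implicit deny
```
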

Comments (15)

1. Mohammed
June 21st, 2020

Hello

2. Anonymous
June 29th, 2020

very good

3. Mouloud
October 22nd, 2020

very good , thank you

4. Question 1
March 4th, 2021

Hi Team

Question one has 10.30.0.0 as the host should it not be 10.20.0.0?

Thanks

5. test
March 6th, 2021

Hi @9tut, for question 7, isn’t choice D more appropriate ?

6. test
March 6th, 2021

I meant choice B sorry, isn’t B more correct ?

7. Garry
April 22nd, 2021

@9tut, In Q6, the option D is : R1(config)# access-list 5 permit 10.0.70.0 0.0.0.127
should not the subnet mask be 0.0.0.128 instead of 127 ?


8. Mitchell
May 3rd, 2021

@Garry yeah you are right…it should be 0.0.0.128 instead of 127…@9tut

9. Alex
May 12th, 2021

@9tut Q4 isn’t C the right answer ? Because it denies SSH access from any interface. If you configure the
ACL just on ethernet interface, we are not restricting access from the loopback interfaces.

10. Q A
July 1st, 2021

Hello

I can’t see the questions or the answers ?! only the explanation ,
anyone can see the Q and A or just me ?!

11. Shiva
July 28th, 2021

@9tut

I think Q4 ,D is correct.

Please explain.

12. 9tut
July 28th, 2021

@Shiva: To deny SSH, we must block TCP port 22 and we need to apply the ACL to Gi0/0 interface
(which connects to PC-1).

Note: TCP port 23 is used for Telnet.

13. @9tut
July 29th, 2021

Thanks for your help

14. Sammy
December 29th, 2021

@9tut, Q1. The answer mentioned is B:

config t
ip access-list extended wwwblock
deny tcp any host 10.30.0.100 eq 80
permit ip any any
int vlan 20
ip access-group wwwblock in

Should it not be deny tcp 10.20.0.0 0.0.0.255 host 10.30.0.100 eq 80 ?

15. sipoy
April 9th, 2022

Good questions. Thank you guys.


Copyright © 2021 CCNA Training

