CCNA Training Access-List Questions
Access-list Questions
January 13th, 2021
Note: If you are not sure about Access list, please read our Access List Tutorial.
Question 1
Refer to the exhibit. A network engineer must block access for all computers on VLAN 20 to the web server via
HTTP. All other computers must be able to access the web server. Which configuration when applied to switch
A accomplishes this task?
A.
config t
ip access-list extended wwwblock
deny tcp any host 10.30.0.100 eq 80
int vlan 100
ip access-group wwwblock in
B.
config t
ip access-list extended wwwblock
deny tcp any host 10.30.0.100 eq 80
permit ip any any
int vlan 20
ip access-group wwwblock in
https://www.9tut.com/access-list-questions-2 1/10
11:04, 16/06/2022 CCNA Training » Access-list Questions
C.
config t
ip access-list extended wwwblock
permit ip any any
deny tcp any host 10.30.0.100 eq 80
int vlan 30
ip access-group wwwblock in
D.
config t
ip access-list extended wwwblock
deny tcp any host 10.30.0.100 eq 80
int vlan 20
ip access-group wwwblock in
Answer: B
Explanation
The “deny tcp any host 10.30.0.100 eq 80” command means “block TCP traffic from any source to the web server at
10.30.0.100 on port 80”. Because the ACL is applied inbound on the VLAN 20 interface, only computers on VLAN 20
are affected. The “permit ip any any” entry that follows is required because every ACL ends with an implicit
deny; without it (as in option D), all other traffic from VLAN 20 would be dropped as well.
In summary, just notice that 10.30.0.100 here is the destination IP address, not the source address.
Note: The traffic flow from hosts in VLAN 20 to the Web Server is: host in VLAN 20 -> Interface VLAN 20 ->
Interface VLAN 30 -> Web Server. With the ACL in place it becomes: host in VLAN 20 -> (ACL Inbound) Interface
VLAN 20 -> Interface VLAN 30 -> Web Server. Therefore the ACL can block traffic from VLAN 20.
Question 2
Refer to the exhibit. An extended ACL has been configured and applied to router R2. The configuration failed to
work as intended. Which two changes stop outbound traffic on TCP ports 25 and 80 to 10.0.20.0/26 from the
10.0.10.0/26 subnet while still allowing all other traffic? (Choose two)
R2#config t
R2(config)#access-list 101 deny tcp 10.0.20.0 0.0.0.63 10.0.10.0 0.0.0.63 eq smtp
R2(config)#access-list 101 deny tcp 10.0.20.0 0.0.0.63 10.0.10.0 0.0.0.63 eq www
R2(config)#int gi0/2
R2(config-if)#ip access-group 101 in
A. Add a “permit ip any any” statement to the beginning of ACL 101 for allowed traffic
B. Add a “permit ip any any” statement at the end of ACL 101 for allowed traffic
C. The source and destination IPs must be swapped in ACL 101
D. The ACL must be configured the Gi0/2 interface inbound on R1
E. The ACL must be moved to the Gi0/1 interface outbound on R2
Answer: B C
Question 3
While examining excessive traffic on the network, it is noted that all incoming packets on an interface appear to
be allowed even though an IPv4 ACL is applied to the interface. Which two misconfigurations cause this
behavior? (Choose two)
Answer: B C
Explanation
If a matching permit statement is placed too high in the access list, it is matched first, before the deny
statement can take effect. The same happens if a matching permit statement is too broadly defined (for example,
if we only want to permit TCP traffic then we should not permit “ip” traffic, which includes both TCP and UDP).
Question 4
Refer to the exhibit. What configuration on R1 denies SSH access from PC-1 to any R1 interface and allows all
other traffic?
C. line vty 0 15
access-class 100 in
access-list 100 deny tcp host 172.16.1.33 any eq 23
access-list 100 permit ip any any
interface GigabitEthernet0/0
ip access-group 100 in
Answer: A
Explanation
To deny SSH, we must block TCP port 22, and we need to apply the ACL to the Gi0/0 interface (which connects to
PC-1).
Question 5
Refer to the exhibit. An administrator configures the following ACL in order to prevent devices on the
192.168.1.0 subnet from accessing the server at 10.1.1.5:
Where should the administrator place this ACL for the most efficient use of network resources?
Answer: A
Explanation
By placing the ACL closest to the source, we can reduce unnecessary traffic passing between two routers and the
processing time of the router.
Question 6
Refer to the exhibit. Which two configurations would be used to create and apply a standard access list on R1, so
that only the 10.0.70.0/25 network devices are allowed to access the internal database server? (Choose two)
Answer: A D
Question 7
interface GigabitEthernet0/1
ip address 192.168.1.2 255.255.255.0
ip access-group 2699 in
!
access-list 2699 deny icmp any 10.10.1.0 0.0.0.255 echo
access-list 2699 deny ip any 10.20.1.0 0.0.0.255
access-list 2699 permit ip any 10.10.1.0 0.0.0.255
access-list 2699 permit tcp any 10.20.1.0 0.0.0.127 eq 22
A network administrator must permit SSH access to remotely manage routers in a network. The operations team
resides on the 10.20.1.0/25 network. Which command will accomplish this task?
Answer: D
Explanation
The operations team resides on the 10.20.1.0/25 network, which is part of the 10.20.1.0/24 network, so we need
to remove the “deny” statement of the 10.20.1.0/25 network to allow SSH.
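The first-match behaviour behind the Question 1 and Question 7 explanations, as an added example that is not part of the original page: it evaluates the page's ACL lines top-down with the implicit deny, and goes beyond the page by also flagging entries that an earlier opposite-action entry fully covers. Assumptions: interface placement is not modelled, ICMP type keywords are ignored, and the probe addresses are constructed.

```python
from ipaddress import IPv4Address as IP

PORTS = {"smtp": 25, "www": 80}  # subset of the IOS port keywords

def _addr(tok):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (base, wildcard) as ints."""
    t = tok.pop(0)
    if t == "any":
        return 0, 0xFFFFFFFF
    if t == "host":
        return int(IP(tok.pop(0))), 0
    return int(IP(t)), int(IP(tok.pop(0)))

def parse(line):
    """Parse one extended-ACL entry (simplification: ICMP type keywords are ignored)."""
    tok = line.split()
    action, proto = tok.pop(0), tok.pop(0)
    src, dst = _addr(tok), _addr(tok)
    port = (PORTS.get(tok[1]) or int(tok[1])) if tok[:1] == ["eq"] else None
    return action, proto, src, dst, port

def covers(a, b):
    """True if entry a matches everything entry b matches (protocol, addresses, port)."""
    return (a[1] in ("ip", b[1]) and a[4] in (None, b[4])
            and all(bw & ~aw == 0 and (ab | aw) == (bb | aw)
                    for (ab, aw), (bb, bw) in zip(a[2:4], b[2:4])))

def evaluate(acl, proto, src, dst, dport=None):
    """First match wins: return (action, line_no), or ('deny', None) for the implicit deny."""
    pkt = (None, proto, (int(IP(src)), 0), (int(IP(dst)), 0), dport)
    for n, entry in enumerate(map(parse, acl), 1):
        if covers(entry, pkt):
            return entry[0], n
    return "deny", None

def shadowed(acl):
    """(line, earlier_line) pairs where an earlier opposite-action entry covers a later one."""
    e = [parse(l) for l in acl]
    return [(j + 1, i + 1) for j in range(len(e)) for i in range(j)
            if e[i][0] != e[j][0] and covers(e[i], e[j])]

WEB = "deny tcp any host 10.30.0.100 eq 80"  # ACL lines are from the page
OPTION_B, OPTION_C, OPTION_D = [WEB, "permit ip any any"], ["permit ip any any", WEB], [WEB]
ACL_2699 = ["deny icmp any 10.10.1.0 0.0.0.255 echo", "deny ip any 10.20.1.0 0.0.0.255",
            "permit ip any 10.10.1.0 0.0.0.255", "permit tcp any 10.20.1.0 0.0.0.127 eq 22"]

if __name__ == "__main__":  # constructed probe: a VLAN 20 host sending HTTPS to the server
    print(evaluate(OPTION_D, "tcp", "10.20.0.10", "10.30.0.100", 443), shadowed(ACL_2699))
```

Running it shows option D dropping non-HTTP traffic through the implicit deny, and line 4 of ACL 2699 reported as unreachable behind line 2.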
1. Mohammed
June 21st, 2020
Hello
2. Anonymous
June 29th, 2020
very good
3. Mouloud
October 22nd, 2020
4. Question 1
March 4th, 2021
Hi Team
Thanks
5. test
March 6th, 2021
6. test
March 6th, 2021
7. Garry
April 22nd, 2021
8. Mitchell
May 3rd, 2021
9. Alex
May 12th, 2021
@9tut Q4 isn’t C the right answer? Because it denies SSH access from any interface. If you configure the
ACL just on ethernet interface, we are not restricting access from the loopback interfaces.
10. Q A
July 1st, 2021
Hello
11. Shiva
July 28th, 2021
@9tut
I think Q4, D is correct.
Please explain.
12. 9tut
July 28th, 2021
@Shiva: To deny SSH, we must block TCP port 22 and we need to apply the ACL to Gi0/0 interface
(which connects to PC-1).
13. @9tut
July 29th, 2021
14. Sammy
December 29th, 2021
15. sipoy
April 9th, 2022