CCNA And CCENT Practice Exam: Access Lists

Today’s CCNA 200-125 and CCENT 100-105 practice exam deals with a major topic on both exams: access lists. If you have any questions or comments about this test, you can quickly reach me at Twitter and Facebook. Let’s have at it!

Question 1:   You have to have your ACL ranges down cold for the exam.  With that in mind, name the two standard ACL ranges and the two extended ACL ranges.    No choices on this one.

Question 2:   Which of these wildcard masks can be replaced by the single word host in a standard or extended ACL?

A.   255.255.255.255

B.   0.0.0.0

C.   255.255.255.0

D.  0.0.0.255

Question 3:   You’re planning to write an ACL on R1 that will block traffic sourced from any interface on R3 if that same traffic is destined for R1’s loopback.  Which of the following best describes the ACL types you should use here?

[Figure: ACL Lab Topology]

A.  You could use a standard or extended ACL.

B.   A standard ACL really isn’t a good choice here.  You should go with an extended ACL.

C.  Neither a standard nor an extended ACL will work here.   Go with a VLAN-based ACL instead.

D.  A standard ACL will do just fine here, so go with one of those.  Since it’s shorter, there’s less chance of mis-typing an entry.

Question 4:   What is the net effect of the ACL shown in this command output?

R1#show ip access-list

Extended IP access list 111

10 deny ip 3.3.3.0 0.0.0.255 11.11.11.0 0.0.0.255

Question 5:    Which two of the following ACL lines include a legal usage of any?

A.   R1(config)#access-list 117 permit ip any any

B.   R1(config)#access-list 48 permit ip any any

C.   R1(config)#access-list 2111 permit ip any any

D.   R1(config)#access-list 1999 permit ip any any

And now, the dreaded Dormammu answers!

Answer 1:   The all-important numeric ranges are 1-99 and 1300-1999 for standard ACLs and 100-199 and 2000-2699 for extended ACLs.

Answer 2:   The ACL option host represents the wildcard mask 0.0.0.0 (choice B). The following two ACL lines have the same effect. Note that host goes in front of the address, while the 0.0.0.0 mask goes after it.

R5(config)#access-list 7 permit host 172.12.12.3

R5(config)#access-list 7 permit 172.12.12.3 0.0.0.0

Answer 3:  Choice B is correct.  Extended ACLs match on source and destination IP addresses by default, and since we only want to block traffic from 3.3.3.3 if the traffic is destined for 1.1.1.1, an extended ACL is our only choice.  If we put a standard ACL on R1, it will block all traffic from 3.3.3.3,  as standard ACLs can only match on source IP addresses.

[Figure: Standard ACL Is Unacceptable]

Answer 4:  That ACL denies all traffic.   Remember, there’s an implicit deny at the end of every ACL, and explicit deny statements do not negate the implicit deny.   Any traffic not denied by the one line in the ACL will be denied by the implicit deny.

Answer 5:   Lines A and C are legal.  When you see any twice, the first represents the source IP address and the second represents the destination IP address.   Extended ACLs match on source and destination, but standard ACLs do not.   We know lines A and C belong to extended ACLs because of their numbers (117 and 2111).   The other two lines have ACL numbers that fall in the standard ACL ranges.
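The rules behind Answers 1, 2, 4 and 5 can be checked with a small ACL evaluator. This is an added example, not part of the original test and not Cisco code; it models only numbered IP ACLs with the ip keyword, and the function names are made up for illustration.

```python
import ipaddress

ANY = (0, 0xFFFFFFFF)  # "any" = address 0.0.0.0 with wildcard 255.255.255.255

def acl_type(number):
    """Classify a numbered IP ACL using the ranges from Answer 1."""
    if 1 <= number <= 99 or 1300 <= number <= 1999:
        return "standard"
    if 100 <= number <= 199 or 2000 <= number <= 2699:
        return "extended"
    raise ValueError(f"{number} is outside the numbered IP ACL ranges")

def ip_int(text):
    return int(ipaddress.IPv4Address(text))  # raises ValueError on non-addresses

def parse_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' -> (address, wildcard)."""
    first = tokens.pop(0)
    if first == "any":
        return ANY
    if first == "host":
        return ip_int(tokens.pop(0)), 0  # host == wildcard 0.0.0.0 (Answer 2)
    return ip_int(first), ip_int(tokens.pop(0))

def parse_ace(number, line):
    """Parse one 'permit|deny ...' entry, rejecting syntax illegal for the ACL type."""
    tokens = line.split()
    action = tokens.pop(0)
    if acl_type(number) == "standard":
        src, dst = parse_addr(tokens), ANY  # standard: source only (Answer 5)
    else:
        if tokens.pop(0) != "ip":
            raise ValueError("this sketch only models the 'ip' protocol keyword")
        src, dst = parse_addr(tokens), parse_addr(tokens)
    if tokens:
        raise ValueError(f"ACL {number}: unexpected trailing {tokens}")
    return action, src, dst

def matches(spec, addr):
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF  # wildcard 0-bits must match, 1-bits are ignored
    return (ip_int(addr) & care) == (base & care)

def evaluate(number, lines, src, dst):
    """Return (action, index of matching line), or ('deny', None) for the implicit deny."""
    for i, line in enumerate(lines):
        action, s, d = parse_ace(number, line)
        if matches(s, src) and matches(d, dst):
            return action, i
    return "deny", None  # Answer 4: nothing matched, so the implicit deny applies
```

Calling evaluate(111, ["deny ip 3.3.3.0 0.0.0.255 11.11.11.0 0.0.0.255"], src, dst) returns a deny for every source and destination pair, and parse_ace rejects "permit ip any any" for ACL numbers 48 and 1999.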
