CCNA And CCENT Practice Exam: Access Lists
Today’s CCNA 200-125 and CCENT 100-105 practice exam deals with a major topic on both exams… access lists. If you have any questions or comments about this test, you can quickly reach me at Twitter and Facebook. Let’s have at it!
Question 1: You have to have your ACL ranges down cold for the exam. With that in mind, name the two standard ACL ranges and the two extended ACL ranges. No choices on this one.
Question 2: Which of these wildcard masks can be replaced by the single word host in a standard or extended ACL?
Question 3: You’re planning to write an ACL on R1 that will block traffic sourced from any interface on R3 if that same traffic is destined for R1’s loopback. Which of the following best describes the ACL types you should use here?
A. You could use a standard or extended ACL.
B. A standard ACL really isn’t a good choice here. You should go with an extended ACL.
C. Neither a standard nor an extended ACL will work here. Go with a VLAN-based ACL instead.
D. A standard ACL will do just fine here, so go with one of those. Since it’s shorter, there’s less chance of mis-typing an entry.
Question 4: What is the net effect of the ACL shown in this command output?
R1#show ip access-list Extended IP access list 111 10 deny ip 22.214.171.124 0.0.0.255 126.96.36.199 0.0.0.255
Question 5: Which two of the following ACL lines include a legal usage of any?
A. R1(config)#access-list 117 permit ip any any
B. R1(config)#access-list 48 permit ip any any
C. R1(config)#access-list 2111 permit ip any any
D. R1(config)#access-list 1999 permit ip any any
And now, the dreaded Dormammu answers!
Answer 1: The all-important numeric ranges are 1-99 and 1300-1999 for standard ACLs and 100 – 199 and 2000 – 2699 for extended ACLs.
Answer 2: The ACL option host represents the wildcard mask 0.0.0.0 (choice B). The following two ACL lines have the same effect. You’ll need to put host in front of the address where the 0.0.0.0 mask goes behind the address.
R5(config)#access-list 7 permit host 188.8.131.52 R5(config)#access-list 7 permit 184.108.40.206 0.0.0.0
Answer 3: Choice B is correct. Extended ACLs match on source and destination IP addresses by default, and since we only want to block traffic from 220.127.116.11 if the traffic is destined for 18.104.22.168, an extended ACL is our only choice. If we put a standard ACL on R1, it will block all traffic from 22.214.171.124, as standard ACLs can only match on source IP addresses.
Answer 4: That ACL denies all traffic. Remember, there’s an implicit deny at the end of every ACL, and explicit deny statements do not negate the implicit deny. Any traffic not denied by the one line in the ACL will be denied by the implicit deny.
Answer 5: Lines A and C are legal. When you see any twice, the first represents the source IP address and the second represents the destination IP address. Extended ACLs match on source and destination, but standard ACLs do not. We know lines A and C belong to extended ACLs because of their numbers (117 and 2111). The other two lines have ACL numbers that fall in the standard ACL ranges.
Take these other CCNA and CCENT tests while you’re here, and visit my main CCNA and CCENT Practice Exam page tomorrow for another new test!