Home > CCNA Access List Sim

CCNA Access List Sim

February 10th, 2014 Go to comments



Answer and Explanation

Note: If you are not sure about Access-list, please read my Access-list tutorial. You can also download this sim to practice (open with Packet Tracer) here: https://www.9tut.com/download/9tut.com_CCNA_Access_List_Sim.zip

For this question we only need to use the show running-config command to answer all the questions below

Router#show running-config




Question 1

How can we fix the problem but only allow ping to work while disabling telnet?

A – Correctly assign an IP address to interface fa0/1
B – Change the ip access-group command on fa0/0 from “in” to “out”
C – Remove access-group 106 in from interface fa0/0 and add access-group 115 in.
D – Remove access-group 102 out from interface s0/0/0 and add access-group 114 in
E – Remove access-group 106 in from interface fa0/0 and add access-group 104 in


Answer: E


Let’s have a look at the access list 104:


The question does not ask about ftp traffic so we don’t care about the two first lines. The 3rd line denies all telnet traffic and the 4th line allows icmp traffic to be sent (ping). Remember that the access list 104 is applied on the inbound direction so the 5th line “access-list 104 deny icmp any any echo-reply” will not affect our icmp traffic because the “echo-reply” message will be sent over the outbound direction.

Question 2

What will happen after issuing the command “ip access-group 114 in” to the fa0/0 interface?

A – Attempts to telnet to the router would fail
B – All traffic from the network would be allow to go through
C – TCP and UDP traffic are not allowed to pass
D – Routing protocol updates for the network would not be accepted from the fa0/0 interface


Answer: B


From the output of access-list 114: access-list 114 permit ip any we can easily understand that this access list allows all traffic (ip) from network

Question 3

What will happen after issuing the command “access-group 115 in” on the s0/0/1 interface?

A – Hosts cannot connect to Router through s0/0/1
B – Telnet and ping would work but routing updates would fail.
C – FTP, FTP-DATA, echo, and HTTP traffic would work but telnet would fail
D – Only traffic from the network would pass through the interface


Answer: A


First let’s see what was configured on interface S0/0/1:


Recall that each interface only accepts one access-list, so when using the command “ip access-group 115 in” on the s0/0/1 interface it will overwrite the initial access-list 102. Therefore any telnet connection will be accepted (so we can eliminate answer C).
B is not correct because if telnet and ping can work then routing updates can, too.
D is not correct because access-list 115 does not mention about network. So the most reasonable answer is A.

But here raise a question…

The wildcard mask of access-list 115, which is, means that only host with ip addresses in the form of x.x.x.0 will be accepted. But we all know that x.x.x.0 is likely to be a network address so the answer A: “no host could connect to Router through s0/0/1” seems right…

But what will happen if we don’t use a subnet mask of For example we can use an ip address of, such a host with that ip address exists and we can connect to the router through that host. Now answer A seems incorrect!

Please comment if you have any idea for this sim!

Comment pages
1 27 28 29 39
  1. Almarez
    October 5th, 2018

    @Rocky, out would not work because the request is coming from outside device so the request is going into router not outside the router.

  2. Acl 106
    October 6th, 2018

    Why is the switch not pinging the router but when I check the ACL 106, it’s only denying telnet requests? Icmp requests are permitted tho

Comment pages
1 27 28 29 39
Add a Comment