CCNA – Access list Questions
Note: If you are not sure about Access list, please read our Access List Tutorial.
Question 1
Explanation
Standard access lists are numbered from 1 to 99 and from 1300 to 1999, so only access list 50 is a standard access list.
Question 2
Explanation
The four networks 192.168.146.0, 192.168.147.0, 192.168.148.0 and 192.168.149.0 differ only in the third octet (146, 147, 148, 149), so we convert those values into binary and look at the bit that differs:
146 = 10010010
147 = 10010011
Only the last bit differs, so a wildcard mask covering both can be built with an XOR operation:
Wildcard mask = 10010010 XOR 10010011 = 00000001 = 1
Note: The XOR operation here means "if the two compared bits are the same, write 0; if they are different, write 1". Remember that in a wildcard mask, 1 means "I DON'T CARE" and 0 means "I CARE".
Therefore the full wildcard mask should be 0.0.1.255; the last octet is "255" to cover all hosts in each /24 range. So "access-list 10 permit ip 192.168.146.0 0.0.1.255" covers the networks 192.168.146.0 and 192.168.147.0.
Do the same for the two remaining networks:
148 = 10010100
149 = 10010101
So "access-list 10 permit ip 192.168.148.0 0.0.1.255" covers these two networks.
Note: If we want to use only one command in the access list, we can compare all four networks at the same time:
146 = 10010010
147 = 10010011
148 = 10010100
149 = 10010101
-> Wildcard mask = 00000011 = 3
Therefore we can use one command “access-list 10 permit ip 192.168.146.0 0.0.3.255” to cover all four networks.
Question 3
Question 4
Question 5
Explanation
An access list is checked from the first statement to the last. As soon as a statement matches, the check stops. A rule of thumb when creating an access list is to write the more specific matches first. So for this question we need to:
+ Permit hosts 172.21.1.129 & 172.21.1.142 (the first & last host IPs of subnet 172.21.1.128/28)
+ Deny other hosts in subnet 172.21.1.128/28
+ Permit anyone else
Remember another rule of thumb: the "permit/deny anyone else" statement is always put at the end of the access list, because it will certainly be matched and the check then stops (so any statements below it can never be checked and are useless). Therefore in this case the "permit any" statement must be at the end of the access list.
We cannot place statement B, "deny 172.21.1.128 0.0.0.15", before statement A, "permit 172.21.1.129 0.0.0.0", and statement C, "permit 172.21.1.142 0.0.0.0", because any IP that matches statement A or C also matches statement B, so the check would stop at B and statements A and C would never be matched. Therefore statements A and C must be placed above statement B.
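As an added illustration (not part of the original questions or their answer key), the Python below implements the Question 2 wildcard-mask derivation and the Question 5 first-match evaluation, including a check for statements that an earlier, broader statement shadows. It models standard-ACL entries as (action, address, wildcard) tuples plus the implicit deny at the end of every Cisco ACL; the addresses are the ones quoted in the explanations.

```python
import ipaddress

def _ip(s):
    return int(ipaddress.IPv4Address(s))  # dotted quad -> 32-bit int

def wildcard_for(networks):
    """Wildcard mask covering every network listed (Question 2 method):
    XOR each network address against the first and OR the results, so a 1
    marks a bit where the networks differ ("I don't care"); the host bits
    of the prefix are "don't care" as well."""
    nets = [ipaddress.IPv4Network(n) for n in networks]
    base = int(nets[0].network_address)
    wild = int(nets[0].hostmask)  # 0.0.0.255 for a /24
    for net in nets[1:]:
        wild |= base ^ int(net.network_address)
    return str(ipaddress.IPv4Address(wild))

def matches(addr, base, wildcard):
    """Cisco wildcard test: only bits where the wildcard is 0 are compared."""
    care = 0xFFFFFFFF ^ _ip(wildcard)
    return (_ip(addr) & care) == (_ip(base) & care)

def first_match(acl, addr):
    """Top-to-bottom evaluation: the first matching entry decides, and an
    address that matches nothing hits the implicit deny at the end."""
    for action, base, wildcard in acl:
        if matches(addr, base, wildcard):
            return action
    return "deny"

def shadowed_entries(acl):
    """Indexes of entries that can never be reached because an earlier entry
    covers every address they would match (the Question 5 ordering problem)."""
    shadowed = []
    for i, (_, base, wild) in enumerate(acl):
        for _, ebase, ewild in acl[:i]:
            ecare = 0xFFFFFFFF ^ _ip(ewild)
            # covered when our don't-care bits are a subset of the earlier entry's and its cared-about bits agree
            if (_ip(wild) & ecare) == 0 and (_ip(base) & ecare) == (_ip(ebase) & ecare):
                shadowed.append(i)
                break
    return shadowed

# Question 5's statements: A and C are host permits, B is the subnet deny.
A = ("permit", "172.21.1.129", "0.0.0.0")
B = ("deny", "172.21.1.128", "0.0.0.15")
C = ("permit", "172.21.1.142", "0.0.0.0")
ANY = ("permit", "0.0.0.0", "255.255.255.255")
CORRECT_ORDER = [A, C, B, ANY]   # shadowed_entries() -> []
WRONG_ORDER = [B, A, C, ANY]     # shadowed_entries() -> [1, 2]
```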
Question 6
Explanation
We can have only one access list per protocol, per direction and per interface. This means:
+ We cannot have two inbound access lists on an interface
+ We can have one inbound and one outbound access list on an interface
Question 7
Explanation
We can use a dynamic access list to authenticate a remote user with a specific username and password. Authentication is performed by the router or by a central access server such as a TACACS+ or RADIUS server. The configuration of dynamic ACLs is described here: http://www.cisco.com/en/US/tech/tk583/tk822/technologies_tech_note09186a0080094524.shtml