(Updated from real CCNA exam on 07-March-2009)
I copy this sim from http://9tut.com. And I created a Packet Tracer 5.1 pka file to verify the answers, because I was confused with question 3 (I am still confused now). You can download this pka file from here: http://www.valit.ca/lab/ccna_access_list_sim.zip. I hope it can help you to understand this sim. Please use Packet Tracer 5.1, the pka file seems not woking in version 5.0.
Question:
An administrator is trying to ping and telnet from Switch to Router with the results shown below:
Switch>
Switch> ping 10.4.4.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.4.4.3,timeout is 2 seconds:
.U.U.U.
Success rate is 0 percent (0/5)
Switch>
Switch> telnet 10.4.4.3
Trying 10.4.4.3 ...
% Destination unreachable; gateway or host down
Switch>
Click the console connected to Router and issue the appropriate commands to answer the questions.
Answer and Explanation:
For this question we only need to use the show running-config command to answer all the questions below
Router>enable
Router#show running-config
interface Loopback1
ip address 172.16.4.1 255.255.255.0
no shutdown
!
interface Loopback2
ip address 10.145.145.1 255.255.255.0
ipv6 address 2001:410:2:3::/64 eui-64
no shutdown
!
interface FastEthernet0/0
ip address 10.4.4.3 255.255.255.0
ip access-group 106 in
duplex auto
speed auto
no shutdown
!
interface Serial0/0/0
bandwidth 64
no ip address
ip access-group 102 out
encapsulation frame-relay
ip ospf authentication
ip ospf authentication-key san-fran
no shutdown
!
interface Serial0/0/0.1 point-to-point
ip address 10.140.3.2 255.255.255.0
ip authentication mode eigrp 100 md5
ip authentication key-chain eigrp 100 icndchain
frame-relay interface-dlci 120
!
interface Serial0/0/1
bandwidth 64
ip address 10.45.45.1 255.255.255.0
ip access-group 102 in
ip authentication mode eigrp 100 md5
ip authentication key-chain eigrp 100 icndchain
ip ospf authentication
ip ospf authentication-key san-fran
ipv6 address 2001:410:2:10::/64 eui-64
no shutdown
!
router eigrp 100
network 10.0.0.0
network 172.16.0.0
network 192.168.2.0
no auto-summary
!
router ospf 100
log-adjacency-changes
network 10.4.4.3 0.0.0.0 area 0
network 10.45.45.1 0.0.0.0 area 0
network 10.140.3.2 0.0.0.0 area 0
network 192.168.2.62 0.0.0.0 area 0
!
router rip
version 2
network 10.0.0.0
network 172.16.0.0
!
ip default-gateway 10.1.1.2
!
!
ip http server
no ip http secure-server
!
access-list 102 permit tcp any any eq ftp
access-list 102 permit tcp any any eq ftp-data
access-list 102 deny tcp any any eq telnet
access-list 102 deny icmp any any echo-reply
access-list 102 permit ip any any
access-list 104 permit tcp any any eq ftp
access-list 104 permit tcp any any eq ftp-data
access-list 104 deny tcp any any eq telnet
access-list 104 permit icmp any any echo
access-list 104 deny icmp any any echo-reply
access-list 104 permit ip any any
access-list 106 permit tcp any any eq ftp
access-list 106 permit tcp any any eq ftp-data
access-list 106 deny tcp any any eq telnet
access-list 106 permit icmp any any echo-reply
access-list 110 permit udp any any eq domain
access-list 110 permit udp any eq domain any
access-list 110 permit tcp any any eq domain
access-list 110 permit tcp any eq domain any
access-list 110 permit tcp any any
access-list 114 permit ip 10.4.4.0 0.0.0.255 any
access-list 115 permit ip 0.0.0.0 255.255.255.0 any
access-list 122 deny tcp any any
access-list 122 deny icmp any any echo-reply
access-list 122 permit ip any any
!
Question 1:
Which will fix the issue and allow ONLY ping to work while keeping telnet disabled?
A - Correctly assign an IP address to interface fa0/1
B - Change the ip access-group command on fa0/0 from "in" to "out"
C - Remove access-group 106 in from interface fa0/0 and add access-group 115 in.
D - Remove access-group 102 out from interface s0/0/0 and add access-group 114 in
E - Remove access-group 106 in from interface fa0/0 and add access-group 104 in
Answer: E
Explanation:
Let's have a look at the access list 104:
access-list 104 permit tcp any any eq ftp
access-list 104 permit tcp any any eq ftp-data
access-list 104 deny tcp any any eq telnet
access-list 104 permit icmp any any echo
access-list 104 deny icmp any any echo-reply
access-list 104 permit ip any any
The question does not ask about ftp traffic so we don't care about the two first lines. The 3rd line denies all telnet traffic and the 4th line allows icmp traffic to be sent (ping). Remember that the access list 104 is applied on the inbound direction so the 5th line "access-list 104 deny icmp any any echo-reply" will not affect our icmp traffic because the "echo-reply" message will be sent over the outbound direction.
Question 2:
What would be the effect of issuing the command ip access-group 114 in to the fa0/0 interface?
A - Attempts to telnet to the router would fail
B - It would allow all traffic from the 10.4.4.0 network
C - IP traffic would be passed through the interface but TCP and UDP traffic would not
D - Routing protocol updates for the 10.4.4.0 network would not be accepted from the fa0/0 interface
Answer: B
Explanation:
From the output of access-list 114: access-list 114 permit ip 10.4.4.0 0.0.0.255 any we can easily understand that this access list allows all traffic (ip) from 10.4.4.0/24 network
Question 3:
What would be the effect of issuing the command access-group 115 in on the s0/0/1 interface?
A - No host could connect to Router through s0/0/1
B - Telnet and ping would work but routing updates would fail.
C - FTP, FTP-DATA, echo, and www would work but telnet would fail
D - Only traffic from the 10.4.4.0 network would pass through the interface
Answer: A
Explanation:
First let's see what was configured on interface S0/0/1:
interface Serial0/0/1
bandwidth 64
ip address 10.45.45.1 255.255.255.0
ip access-group 102 in
ip authentication mode eigrp 100 md5
ip authentication key-chain eigrp 100 icndchain
ip ospf authentication
ip ospf authentication-key san-fran
ipv6 address 2001:410:2:10::/64 eui-64
Recall that each interface only accepts one access-list, so when using the command “ip access-group 115 in” on the s0/0/1 interface it will overwrite the initial access-list 102. Therefore any telnet connection will be accepted (so we can eliminate answer C).
B is not correct because if telnet and ping can work then routing updates can, too.
D is not correct because access-list 115 does not mention about 10.4.4.0 network. So the most reasonable answer is A.
But here raise a question…
The wildcard mask of access-list 115, which is 255.255.255.0, means that only host with ip addresses in the form of x.x.x.0 will be accepted. But we all know that x.x.x.0 is likely to be a network address so the answer A: “no host could connect to Router through s0/0/1” seems right…
But what will happen if we don’t use a subnet mask of 255.255.255.0? For example we can use an ip address of 10.45.45.0 255.255.0.0, such a host with that ip address exists and we can connect to the router through that host. Now answer A seems incorrect!
Please comment if you have any idea for this sim!
I am really confused with this question 3. 9tut is right, we can assign x.x.x.0 to a host, check the figure below:
I assigned 10.46.46.0 and 3.3.3.0 to 2 PCs, so “A - No host could connect to Router through s0/0/1” is incorrect; In PC 10.46.46.0 and 3.3.3.0, I can telnet and ping 10.45.45.1, I turn one of the routers off and then turn it on, the EIGRP routing updates seem no problem at all!
It seems none of the answers are correct. You can download the pka file and play around, if you find the right answer, please let me know.
No comments:
Post a Comment