Friday, March 13, 2009

Packet Tracer file for new CCNA Access List Sim


(Updated from real CCNA exam on 07-March-2009)

I copy this sim from http://9tut.com. And I created a Packet Tracer 5.1 pka file to verify the answers, because I was confused with question 3 (I am still confused now). You can download this pka file from here: http://www.valit.ca/lab/ccna_access_list_sim.zip. I hope it can help you to understand this sim. Please use Packet Tracer 5.1, the pka file seems not woking in version 5.0.

Question:


An administrator is trying to ping and telnet from Switch to Router with the results shown below:

Switch>
Switch> ping 10.4.4.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.4.4.3,timeout is 2 seconds:
.U.U.U.
Success rate is 0 percent (0/5)
Switch>
Switch> telnet 10.4.4.3
Trying 10.4.4.3 ...
% Destination unreachable; gateway or host down
Switch>

Click the console connected to Router and issue the appropriate commands to answer the questions.

Answer and Explanation:

For this question we only need to use the show running-config command to answer all the questions below

Router>enable
Router#show running-config

interface Loopback1

 ip address 172.16.4.1 255.255.255.0

 no shutdown

!

interface Loopback2

 ip address 10.145.145.1 255.255.255.0

 ipv6 address 2001:410:2:3::/64 eui-64

 no shutdown

!

interface FastEthernet0/0

 ip address 10.4.4.3 255.255.255.0

 ip access-group 106 in

 duplex auto

 speed auto

 no shutdown

!

interface Serial0/0/0

 bandwidth 64

 no ip address

 ip access-group 102 out

 encapsulation frame-relay

 ip ospf authentication

 ip ospf authentication-key san-fran

 no shutdown

!

interface Serial0/0/0.1 point-to-point

 ip address 10.140.3.2 255.255.255.0

 ip authentication mode eigrp 100 md5

 ip authentication key-chain eigrp 100 icndchain

 frame-relay interface-dlci 120

!

interface Serial0/0/1

 bandwidth 64

 ip address 10.45.45.1 255.255.255.0

 ip access-group 102 in

 ip authentication mode eigrp 100 md5

 ip authentication key-chain eigrp 100 icndchain

 ip ospf authentication

 ip ospf authentication-key san-fran

 ipv6 address 2001:410:2:10::/64 eui-64

 no shutdown

!

router eigrp 100

 network 10.0.0.0

 network 172.16.0.0

 network 192.168.2.0

 no auto-summary

!

router ospf 100

 log-adjacency-changes

 network 10.4.4.3 0.0.0.0 area 0

 network 10.45.45.1 0.0.0.0 area 0

 network 10.140.3.2 0.0.0.0 area 0

 network 192.168.2.62 0.0.0.0 area 0

!

router rip

 version 2

 network 10.0.0.0

 network 172.16.0.0

!

ip default-gateway 10.1.1.2

!

!

ip http server

no ip http secure-server

!

access-list 102 permit tcp any any eq ftp

access-list 102 permit tcp any any eq ftp-data

access-list 102 deny tcp any any eq telnet

access-list 102 deny icmp any any echo-reply

access-list 102 permit ip any any

 

access-list 104 permit tcp any any eq ftp

access-list 104 permit tcp any any eq ftp-data

access-list 104 deny tcp any any eq telnet

access-list 104 permit icmp any any echo

access-list 104 deny icmp any any echo-reply

access-list 104 permit ip any any

 

access-list 106 permit tcp any any eq ftp

access-list 106 permit tcp any any eq ftp-data

access-list 106 deny tcp any any eq telnet

access-list 106 permit icmp any any echo-reply

 

access-list 110 permit udp any any eq domain

access-list 110 permit udp any eq domain any

access-list 110 permit tcp any any eq domain

access-list 110 permit tcp any eq domain any

access-list 110 permit tcp any any

 

access-list 114 permit ip 10.4.4.0 0.0.0.255 any

 

access-list 115 permit ip 0.0.0.0 255.255.255.0 any

 

access-list 122 deny tcp any any

access-list 122 deny icmp any any echo-reply

access-list 122 permit ip any any

!

 

Question 1:

Which will fix the issue and allow ONLY ping to work while keeping telnet disabled?

A - Correctly assign an IP address to interface fa0/1
B - Change the ip access-group command on fa0/0 from "in" to "out"
C - Remove access-group 106 in from interface fa0/0 and add access-group 115 in.
D - Remove access-group 102 out from interface s0/0/0 and add access-group 114 in
E - Remove access-group 106 in from interface fa0/0 and add access-group 104 in

 

Answer: E

 

Explanation:

Let's have a look at the access list 104:

access-list 104 permit tcp any any eq ftp

access-list 104 permit tcp any any eq ftp-data

access-list 104 deny tcp any any eq telnet

access-list 104 permit icmp any any echo

access-list 104 deny icmp any any echo-reply

access-list 104 permit ip any any

 

The question does not ask about ftp traffic so we don't care about the two first lines. The 3rd line denies all telnet traffic and the 4th line allows icmp traffic to be sent (ping). Remember that the access list 104 is applied on the inbound direction so the 5th line "access-list 104 deny icmp any any echo-reply" will not affect our icmp traffic because the "echo-reply" message will be sent over the outbound direction.

Question 2:

What would be the effect of issuing the command ip access-group 114 in to the fa0/0 interface?

A - Attempts to telnet to the router would fail
B - It would allow all traffic from the 10.4.4.0 network
C - IP traffic would be passed through the interface but TCP and UDP traffic would not
D - Routing protocol updates for the 10.4.4.0 network would not be accepted from the fa0/0 interface

 

Answer: B

Explanation:

From the output of access-list 114: access-list 114 permit ip 10.4.4.0 0.0.0.255 any we can easily understand that this access list allows all traffic (ip) from 10.4.4.0/24 network

Question 3:

What would be the effect of issuing the command access-group 115 in on the s0/0/1 interface?

A - No host could connect to Router through s0/0/1
B - Telnet and ping would work but routing updates would fail.
C - FTP, FTP-DATA, echo, and www would work but telnet would fail
D - Only traffic from the 10.4.4.0 network would pass through the interface

 

Answer: A

Explanation:

First let's see what was configured on interface S0/0/1:

interface Serial0/0/1

 bandwidth 64

 ip address 10.45.45.1 255.255.255.0

 ip access-group 102 in

 ip authentication mode eigrp 100 md5

 ip authentication key-chain eigrp 100 icndchain

 ip ospf authentication

 ip ospf authentication-key san-fran

 ipv6 address 2001:410:2:10::/64 eui-64

 

Recall that each interface only accepts one access-list, so when using the command “ip access-group 115 in” on the s0/0/1 interface it will overwrite the initial access-list 102. Therefore any telnet connection will be accepted (so we can eliminate answer C).

B is not correct because if telnet and ping can work then routing updates can, too.

D is not correct because access-list 115 does not mention about 10.4.4.0 network. So the most reasonable answer is A.

 

But here raise a question…

 

The wildcard mask of access-list 115, which is 255.255.255.0, means that only host with ip addresses in the form of x.x.x.0 will be accepted. But we all know that x.x.x.0 is likely to be a network address so the answer A: “no host could connect to Router through s0/0/1” seems right…

 

But what will happen if we don’t use a subnet mask of 255.255.255.0? For example we can use an ip address of 10.45.45.0 255.255.0.0, such a host with that ip address exists and we can connect to the router through that host. Now answer A seems incorrect!

 

Please comment if you have any idea for this sim!

 

I am really confused with this question 3. 9tut is right, we can assign x.x.x.0 to a host, check the figure below:


 

I assigned 10.46.46.0 and 3.3.3.0 to 2 PCs, so “A - No host could connect to Router through s0/0/1” is incorrect; In PC 10.46.46.0 and 3.3.3.0, I can telnet and ping 10.45.45.1, I turn one of the routers off and then turn it on, the EIGRP routing updates seem no problem at all!

 

It seems none of the answers are correct. You can download the pka file and play around, if you find the right answer, please let me know.

No comments:

Post a Comment