
1. Which of the following is true regarding access lists applied to an interface?
A. You can place as many access lists as you want on any interface until you run out of memory.
B. You can apply only one access list on any interface.
C. One access list may be configured, per direction, for each layer 3 protocol configured on an interface.
D. You can apply two access lists to any interface.
Answer: Option C
Explanation:
A Cisco router has rules regarding the placement of access lists on a router interface. You can place one access list per direction for each layer 3 protocol configured on an interface.

2. Which command would you use to apply an access list to a router interface?
A. ip access-list 101 out
B. access-list ip 101 in
C. ip access-group 101 in
D. access-group ip 101 in
Answer: Option C
Explanation:
To apply an access list, the proper command is ip access-group 101 in.

3. Which of the following is an example of a standard IP access list?
A. access-list 110 permit host 1.1.1.1
B. access-list 1 deny 172.16.10.1 0.0.0.0
C. access-list 1 permit 172.16.10.1 255.255.0.0
D. access-list standard 1.1.1.1
Answer: Option B
Explanation:
Standard IP access lists use the numbers 1-99 and 1300-1999 and filter based on source IP address only. Option C is incorrect because the mask must be in wildcard format.

4. You need to create an access list that will prevent hosts in the network range of 192.168.160.0 to 192.168.191.0. Which of the following lists will you use?
A. access-list 10 deny 192.168.160.0 255.255.224.0
B. access-list 10 deny 192.168.160.0 0.0.191.255
C. access-list 10 deny 192.168.160.0 0.0.31.255
D. access-list 10 deny 192.168.0.0 0.0.31.255

5. You are working on a router that has established privilege levels that restrict access to certain functions. You discover that you are not able to execute the command show running-configuration. How can you view and confirm the access lists that have been applied to the Ethernet 0 interface on your router?
A. show access-lists
B. show interface Ethernet 0
C. show ip access-lists
D. show ip interface Ethernet 0
Answer: Option D
Explanation:
The only command that shows which access lists have been applied to an interface is show ip interface Ethernet 0. The command show access-lists displays all configured access lists, and show ip access-lists displays all configured IP access lists, but neither command indicates whether the displayed access lists have been applied to an interface.

6. What command will permit SMTP mail to only host 1.1.1.1?
A. access-list 10 permit smtp host 1.1.1.1
B. access-list 110 permit ip smtp host 1.1.1.1
C. access-list 10 permit tcp any host 1.1.1.1 eq smtp
D. access-list 110 permit tcp any host 1.1.1.1 eq smtp
Answer: Option D
Explanation:
When trying to find the best answer to an access-list question, always check the access-list number and then the protocol. When filtering to an upper-layer protocol, you must use an extended list, numbers 100-199 and 2000-2699. Also, when you filter to an upper-layer protocol, you must use either tcp or udp in the protocol field. If it says ip in the protocol field, you cannot filter to an upper-layer protocol. SMTP uses TCP.

7. You want to create a standard access list that denies the subnet of the following host: 172.16.50.172/20. Which of the following would you start your list with?
A. access-list 10 deny 172.16.48.0 255.255.240.0
B. access-list 10 deny 172.16.0.0 0.0.255.255
C. access-list 10 deny 172.16.64.0 0.0.31.255
D. access-list 10 deny 172.16.48.0 0.0.15.255
Answer: Option D
Explanation:
First, you must know that a /20 is 255.255.240.0, which is a block size of 16 in the third octet. Counting by 16s, this makes our subnet 48 in the third octet, and the wildcard for the third octet would be 15 since the wildcard is always one less than the block size.

8. What router command allows you to determine whether an IP access list is enabled on a particular interface?
A. show ip port
B. show access-lists
C. show ip interface
D. show access-lists interface
Answer: Option C
Explanation:
Only the show ip interface command will tell you which interfaces have access lists applied. show access-lists will not show you which interfaces have an access list applied.

9. You have created a named access list called Blocksales. Which of the following is a valid command for applying this to packets trying to enter interface s0 of your router?
A. (config)# ip access-group 110 in
B. (config-if)# ip access-group 110 in
C. (config-if)# ip access-group Blocksales in
D. (config-if)# blocksales ip access-list in
Answer: Option C
Explanation:
Using a named access list just replaces the number used when applying the list to the router's interface. ip access-group Blocksales in is correct.

10. You want to create a standard access list that denies the subnet of the following host: 172.16.144.17/21. Which of the following would you start your list with?
A. access-list 10 deny 172.16.48.0 255.255.240.0
B. access-list 10 deny 172.16.144.0 0.0.7.255
C. access-list 10 deny 172.16.64.0 0.0.31.255
D. access-list 10 deny 172.16.136.0 0.0.15.255
Answer: Option B
Explanation:
First, you must know that a /21 is 255.255.248.0, which is a block size of 8 in the third octet. Counting by eight, this makes our subnet 144 in the third octet, and the wildcard for the third octet would be 7 since the wildcard is always one less than the block size.

11. You configure the following access list:
    access-list 110 deny tcp 10.1.1.128 0.0.0.63 any eq smtp
    access-list 110 deny tcp any eq 23
    int ethernet 0
    ip access-group 110 out
What will the result of this access list be?
A. Email and Telnet will be allowed out E0.
B. Email and Telnet will be allowed in E0.
C. Everything but email and Telnet will be allowed out E0.
D. No IP traffic will be allowed out E0.
Answer: Option D
Explanation:
If you add an access list to an interface and you do not have at least one permit statement, then you will effectively shut down the interface because of the implicit deny any at the end of every list.

12. You want to create a standard access list that denies the subnet of the following host: 172.16.198.94/19. Which of the following would you start your list with?
A. access-list 10 deny 172.16.192.0 0.0.31.255
B. access-list 10 deny 172.16.0.0 0.0.255.255
C. access-list 10 deny 172.16.172.0 0.0.31.255
D. access-list 10 deny 172.16.188.0 0.0.15.255
Answer: Option A
Explanation:
First, you must know that a /19 is 255.255.224.0, which is a block size of 32 in the third octet. Counting by 32, this makes our subnet 192 in the third octet, and the wildcard for the third octet would be 31 since the wildcard is always one less than the block size.

13. If you wanted to deny all Telnet connections to only network 192.168.10.0, which command could you use?
A. access-list 100 deny tcp 192.168.10.0 255.255.255.0 eq telnet
B. access-list 100 deny tcp 192.168.10.0 0.255.255.255 eq telnet
C. access-list 100 deny tcp any 192.168.10.0 0.0.0.255 eq 23
D. access-list 100 deny 192.168.10.0 0.0.0.255 any eq 23
Answer: Option C
Explanation:
The extended access list ranges are 100-199 and 2000-2699, so the access-list number of 100 is valid. Telnet uses TCP, so the protocol TCP is valid. Now you just need to look for the source and destination address. Only the third option has the correct sequence of parameters. Answer B may work, but the question specifically states "only" to network 192.168.10.0, and the wildcard in answer B is too broad.

14. Which router command allows you to view the entire contents of all access lists?
A. Router# show interface
B. Router> show ip interface
C. Router# show access-lists
D. Router> show all access-lists
Answer: Option C
Explanation:
The show access-lists command will allow you to view the entire contents of all access lists, but it will not show you the interfaces to which the access lists are applied.

15. Which of the following access lists will allow only HTTP traffic into network 196.15.7.0?
A. access-list 100 permit tcp any 196.15.7.0 0.0.0.255 eq www
B. access-list 10 deny tcp any 196.15.7.0 eq www
C. access-list 100 permit 196.15.7.0 0.0.0.255 eq www
D. access-list 110 permit ip any 196.15.7.0 0.0.0.255
E. access-list 110 permit www 196.15.7.0 0.0.0.255
Answer: Option A
Explanation:
The first thing to check in a question like this is the access-list number. Right away, you can see that the second option is wrong because it is using a standard IP access-list number. The second thing to check is the protocol. If you are filtering by upper-layer protocol, then you must be using either UDP or TCP; this eliminates the fourth option. The third and last answers have the wrong syntax.

16. Which of the following are valid ways to refer only to host 172.16.30.55 in an IP access list?
    1. 172.16.30.55 0.0.0.255
    2. 172.16.30.55 0.0.0.0
    3. any 172.16.30.55
    4. host 172.16.30.55
    5. 0.0.0.0 172.16.30.55
    6. ip any 172.16.30.55
A. 1 and 4
B. 2 and 4
C. 1, 4 and 6
D. 3 and 5
Answer: Option B
Explanation:
The wildcard 0.0.0.0 tells the router to match all four octets. This wildcard format alone can be replaced with the host command.

17. If you wanted to deny FTP access from network 200.200.10.0 to network 200.199.11.0 but allow everything else, which of the following command strings is valid?
A. access-list 110 deny 200.200.10.0 to network 200.199.11.0 eq ftp
   access-list 111 permit ip any 0.0.0.0 255.255.255.255
B. access-list 1 deny ftp 200.200.10.0 200.199.11.0 any any
C. access-list 100 deny tcp 200.200.10.0 0.0.0.255 200.199.11.0 0.0.0.255 eq ftp
D. access-list 198 deny tcp 200.200.10.0 0.0.0.255 200.199.11.0 0.0.0.255 eq ftp
   access-list 198 permit ip any 0.0.0.0 255.255.255.255
Answer: Option D
Explanation:
Extended IP access lists use numbers 100-199 and 2000-2699 and filter based on source and destination IP address, protocol number, and port number. The last option is correct because of the second line that specifies permit ip any any. (I used 0.0.0.0 255.255.255.255, which is the same as the any option.) The third option does not have this, so it would deny access but not allow everything else.

18. Which of the following series of commands will restrict Telnet access to the router?
A. Lab_A(config)#access-list 10 permit 172.16.1.1
   Lab_A(config)#line con 0
   Lab_A(config-line)#ip access-group 10 in
B. Lab_A(config)#access-list 10 permit 172.16.1.1
   Lab_A(config)#line vty 0 4
   Lab_A(config-line)#access-class 10 out
C. Lab_A(config)#access-list 10 permit 172.16.1.1
   Lab_A(config)#line vty 0 4
   Lab_A(config-line)#access-class 10 in
D. Lab_A(config)#access-list 10 permit 172.16.1.1
   Lab_A(config)#line vty 0 4
   Lab_A(config-line)#ip access-group 10 in
Answer: Option C
Explanation:
Telnet access to the router is restricted by using either a standard or extended IP access list inbound on the VTY lines of the router. The command access-class is used to apply the access list to the VTY lines.

19. Which of the following commands connect access list 110 inbound to interface ethernet0?
A. Router(config)# ip access-group 110 in
B. Router(config)# ip access-list 110 in
C. Router(config-if)# ip access-group 110 in
D. Router(config-if)# ip access-list 110 in
Answer: Option C
Explanation:
To place an access list on an interface, use the ip access-group command in interface configuration mode.
