Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Question on CCNA Exam re ACL 3

Status
Not open for further replies.

y2k1981

Programmer
Aug 2, 2002
773
IE
Hi All,

I've just sat and failed my CCNA for the second time today. First time I got 79% and the second time I got 82%. I got the exact same ACL simulation question both times, but I'm a little unsure on what they're asking, so if somebody could help me out, I'd really appreciate it. Or better still, if anybody's recently sat their CCNA and gotten this question, I'd really appreciate a response.

It's the usual physical setup, three routers connected in a line each with a switch and two workstations from the switch. The question goes something like this:

Configure and apply an access list to block telnet acces to all networks attached to router3. the list should contain no more than 3 lines etc etc etc

Let's assume that the E0 interface on Router 3 is 192.168.3.1 and S0 is 192.168.2.1. Should my access list read something like this:

access-list 101 deny tcp any 192.168.3.0 0.0.0.255 eq 23
access-list 101 deny tcp any 192.168.2.0 0.0.0.255 eq 23
access-list 101 permit ip any

and should it then be applied to the outbound traffic on E0 and S0?

I'd really appreciate any feedback on this as I can't locate a sample question similar to this anywhere. Any sample questions just ask that you prevent telnet access to the router itself.

Again, any feedback would be really appreciated.

Thanks in advance
 
Here's what I found in Cisco's FAQ's for the test:

Q:How will the simulations work on the Cisco exams?

A:Besides answering the usual multiple choice and fill in response questions, candidates will face a few performance simulation questions, which will approximate a networking environment. Candidates will be presented with a real-life scenario and a networking topology to address specific tasks through router commands. The responses that a candidate enters will need to be the same as those one would expect in a real-life networking situation.

Router simulation exams items will accept abbreviated commands that an actual Cisco router will understand. For example: 'Show Config' or ‘Sho Cofig’ or ‘Sh Conf’ and ‘Router #show ip protocol’ or ‘router # show ip prot’ would be acceptable. The exam commands must include the correct spacing, spelling and marks (#@!?).

The router simulation exam questions do not require candidates to save the configuration prior to exiting the simulation question to receive credit.

The exam simulation questions allow candidates to move back and forth within the simulation question to modify answers. Once the "Next" button is hit the exam will continue to the next question. Candidates will not be given the option to go back to review the simulation question or modify their answer. Please note Cisco Career Certification exams are delivered in sequence and do not allow skipping or marking a question to answer later.

Exam simulation questions carry greater weight than typical multiple-choice or fill-in-the-blank test questions in calculating a candidates' final exam score. At the end of the exam the overall score will be calculated and the candidate will be provided with a score report pinpointing areas of strength and weakness.

Only authorized Cisco Learning Partners offer Cisco simulation training necessary to properly prepare for the certification exams. Click Here to try a free course simulation. Use the Learning Locator to locate an authorized Learning Partner or learn more about Authorized Learning Partners.

An Exam Interface Tutorial is also provided for review at It is recommended that candidates become familiar with the exam functionality before sitting an exam so candidates are focused on the exam questions rather than how to correctly use the tools. The tutorial familiarizes users with the software tools used in the Career Certification exams.

Also check:
 
Just took my 640-801, failed with a 819 planning on taking it in two weeks, I also got stuck on that ACL sim. question, so it should go on the WAN interface and it should be 'ip access-group 110 in', so its inbound traffic?

thanks
Sal
 
I took and passed the test today with 870 (not by much),and got the same ACL sim.
I agree with the answer provided by rburke where you create three line of access-list and apply ACL to both E0 and S0 on the inbound traffic.
I don't think they take points away for any "un-necessary" commands in sims, as long as your final configuration is what they look for, because I messed up so bad on my ospf sim, I had to redo it several times, but if you get stuck on one question, time does become a concern, I had less than 5 minutes left when I finish the test.
 
I know this thread is an older one, but if anyone notices me down here :) please please respond. I sat my CCNA exam on Friday and missed certification by one question :-(. I've been working really hard, and I was soooo disappointed. What made it worse was that I couldn't get one of the questions to work. I got the acl sim, and everytime I tried to put in the commands it told me I was putting in an invalid command with a marker pointing to the word "access". I tried everything I could think of, but nothing worked. It simply would not accept my commands- it kept saying the word access was invalid. The exact same thing happened when I took the test about a month ago. I'm taking it again on Wednesday and I don't know what to do. Am I putting the commands in wrong somehow? Or could it be something going on with the question itself? Is this the right way to create an acl (for example to permit ip): router(config)#access-list 110 permit ip any any ? Any help you can give me on this would be much appreciated- I'm at a complete loss.
Thank you,
Ca Girl
 
I had a similar problem on my CCNA-exam 2 months ago.
It was also on a ACL-sim. It gave me an "invalid command" on words like deny and host and I'm sure the syntax was right and also my spelling.
I kept trying and trying and ended up typing it one word at a time followed by a ? and <CR> ,and then typing the next word on the next line followed by a ? and so on.
Finaly I ended up with the same line that I had tryed first, and now it accepted it!
This is something you should consult your testsenter with, if you fail because of something like this.

good luck on your next (and hopefully final) exam :)
 
Thank you so much for responding so quickly. I hate to hear that you had to deal with that issue too, but it is good to know that I'm not imagining things! ;-) I intend to talk to the testing center first thing tomorrow morning- I don't know if there's much they can do- (but they definitely won't do anything about it if I don't ask!) I do have one question though: are you saying you actually had to type in the <CR>?
Thanks again,
Ca Girl
 
this happened to me too in one of my sittings of my CCNA, I put a note on the question saying that the question wouldn't accept my command and told the test centre admin when I came out. Next time I went back he said that he had contacted VUE and that they were supposed to have contacted me ... but they never did.

As it turned out, I was in the wrong (although at the time I was 110% sure that I was right !!). When i was applying the ACL to the interface, I was putting access-group 101 out ... instead of ip access-group 101 out. Is it poss you made the same mistake? I know it used to confuse me, cos to create the ACL you say access-list - no IP !!

anyway, just my $0.02 for what it's worth. Good luck with your CCNA
 
No, I typed one word, like "access-list" then the ? and hit the enter-key, then i got the list of available options.
Then I typed "access-list 101" and the ? and hit the enter-key again, and so on.
Sounds stupid yes, but it worked for me,so...
I thought at first that I had spelled it wrong, so I tried
a different line, but got an error on that to.
Then I tried the word-by-word approach, and got lucky.

 
Hey Y2K1980- I appreciate the response! I would say that's possible, except for the fact that this is the second time this has happened to me. The first time it happened I thought it was probably because I was doing it wrong. So after the test, I went back home and studied those access lists again. (I used to get confused about when to put "ip" in front of it too. :)) So when I sat the test for the second time- I was ready for that question! What happened was exactly the same thing that you described Geirendre. And your solution is about the only thing I didn't try! I'm talking to Cisco about it right now- I can keep you posted on what they say if you like. And thanks again!!
 
I had that same ACL error message. It was comforting reading the recent posts that I'm not the only one. I took the test twice and failed, but studied my access lists and thought I'd nail it the second time. I'm thinking of going to a different test center altogether. So would you agree the access-list should be:
access-list 101 deny tcp 192.168.3.0 0.0.0.255 any eq 23
access-list 101 deny tcp 192.168.2.0 0.0.0.255 any eq 23
access-list 101 permit ip any
?

I've been getting the same problem and it's only when i'm trying to apply the access-list... guaranteed that I put IP in the front of the command as well.

Any other tips for passing??? Great advice. I read every post.

Thanks
 
Nevada17,
If you're trying to block telnet access to those networks, I would say that it should be more like:
access-list 101 deny tcp any 192.168.3.0 0.0.0.255 eq 23
access-list 101 deny tcp any 192.168.2.0 0.0.0.255 eq 23
access-list 101 permit ip any any
Because if you place the "any" after the ip, you're saying that those networks are not allowed to telnet- when what you actually want to do is prevent everyone else from telnetting to them.

I would advise you to read the Sybex book for 640-801 by Todd Lammle. It was really informative and broke down the topics in a way that was easy to understand.
Hope this helps!
RaiderFan
 
What would happen if you did it like this:
access-list 101 deny tcp any any eq 23
access-list 101 permit ip any any
Then on s0: ip access-group 101 in
Would that also work?
 
this is so easy ,i am always a ccna,and is preparing for the ccnp.
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top