New CCNA ACLs Commonly asked Questions.

By | July 5, 2017

New CCNA – Access list Questions

This is an Updated commonly asked ACLs exam question (2016).
You might see a different IP addressing and configuration. Just try and figure out what the question actually need you to do.

Need a refresher? Read our Access List Tutorial.

Note: This ACLs questions is used for demonstration only, you may come accross different IP addressing, acls configuration and Port allocation in the real CCNA exam. But it all works the same way if you could just grasp the technique.

Question 1
Which of the following represents the standard IP ACL?
A. access-list 50 deny
B. access-list 110 permit ip any any
C. access-list 2500 deny tcp any host eq 22
D. access-list 101 deny tcp any host

Answer: A
The standard access lists are ranged from (1 to 99) then ( 1300 to 1999) so the only standard access list here is access list 50 , which fall between 1-99.

Question 2
A network administrator is configuring ACLs on a Cisco router, to allow traffic from hosts on networks,,, and only.
Which two ACL statements, when combined, would you use to accomplish this task? (Choose two)
A. access-list 10 permit ip
B. access-list 10 permit ip
C. access-list 10 permit ip
D. access-list 10 permit ip
E. access-list 10 permit ip
F. access-list 10 permit ip

Answer: A C
Lets look at the four networks,,, and
Lets convert the third network octet into binary to figure out the wildcards masks.
The third octet (146, 147)
146 = 10010010
147 = 10010011
There we go, the full wildcard mask here should be The last octet is “255” to cover all hosts in /24 range. And the “access-list 10 permit ip” can cover networks,


148, 149 so   (convert them into binary numbers too):
148 = 10010100
149 = 10010101
So the “access-list 10 permit ip” can cover these two networks(, and

However, you can use only one command in the access-list to work out all four masks same time:
146 = 10010010
147 = 10010011
148 = 10010100
149 = 10010101
-> Wildcard mask = 00000011 = 3
Then you can use one command “access-list 10 permit ip” to cover all four networks.

Question 3
Refer to the exhibit.

An attempt to deny web access to a subnet blocks all traffic from the subnet. Which interface command immediately removes the effect of ACL 103?
A. no ip access-class 103 in
B. no ip access-class 103 out
C. no ip access-group 103 in
D. no ip access-group 103 out
E. no ip access-list 103 in

Answer: D
Definition of terms:
For a router, these terms have these meanings.
Out—Traffic that has already been through the router and leaves the interface. The source is where it has been,                             on the other side of the router, and the destination is where it goes.
In—Traffic that arrives on the interface and then goes through the router. The source is where it has been and              the destination is where it goes, on the other side of the router.
To remove an ACL from an interface?
Go into configuration mode and enter no in front of the access-group command, as shown in this example, in order to remove an ACL from an interface.

Question 4
On which options are standard access lists based?
A. destination address and wildcard mask
B. destination address and subnet mask
C. source address and subnet mask
D. source address and wildcard mask

Answer: D
Standard ACL’s only examine the source IP address/mask to determine if a match is made.
Extended ACL’s examine the source and destination address, as well as port information.

Question 5
Refer to the exhibit.

Statements A, B, C, and D of ACL 20 have been entered in the shown order and applied to interface E0 inbound, to prevent all hosts (except those whose addresses are the first and last IP of subnet from accessing the network. But as is, the ACL does not restrict anyone from the network.
How can the ACL statements be re-arranged so that the system works as intended?

Answer: D
C. permit
D. permit
B. deny
A. permit any

An access-list is normally checked from the top to last statement. If a statement is matched then the check stops. Its highly recommended that when creating an access-list, spell out more specific matches first.
So from the above question; you need to:
* Permit hosts & (first & last IP of subnet
* Deny other hosts in subnet
* Permit anyone else
Note: the “permit/deny any any” statement is always put at the end of the access-list because it will be checked by the router and the check will end .
So in this case, the “permit any” statement will surely be at the end of the access-list.
You cant place statement B: “deny” before statement A: “permit” and statement C: “permit” because any IP that matches statement A & C will also match statement B and the check will stop immediately ->
statements A & C are never in order or matched.

Question 6
Which statement about access lists that are applied to an interface is true?
A. you can apply only one access list on any interface
B. you can configure one access list, per direction, per layer 3 protocol
C. you can place as many access lists as you want on any interface
D. you can configure one access list, per direction, per layer 2 protocol

Answer: B
There can only be 1 access list per protocol, per direction and per interface. And that means:
* There cannot be 2 inbound access lists on an interface
* ONLY 1 inbound and 1 outbound access list on an interface

Question 7
A network engineer wants to allow a temporary entry for a remote user with a specific username and password so that the user can access the entire network over the internet. Which ACL can be used?
A. reflexive
B. extended
C. standard
D. dynamic

Answer: D
You can use a dynamic access list to authenticate a remote user with a specific username and password. The authentication process is done by the router or a central access server such as a TACACS+ or RADIUS server. The configuration of dynamic ACL can be read here: