How to answer Cisco CCNA exam questions

As a
Cisco certified professional with years of industry-proven experience both as
an instructor and a practicing engineer with a leading internet service
provider in West Africa, I get asked a lot of questions by young and
experienced engineers. One of the areas I have discovered that students at the
CCNA level find difficult is access control list, informally referred to as
ACL. So I have chosen to address the most dreaded question in the CCNA
simulation. The question goes thus:
Using an ACL with not more than three lines
of statements do the followings:
>> Permit PC0 http access to server 1
>> All other forms of access from PC0
to server 1 should be denied
>> All forms of access from other
users in the LAN or internet to server 1 should be denied 
>> Because there are services
available on the internet, other forms of access should be permit for users in
the LAN.
Solution:
To answer this question, you have to think
deep and have the following in mind
>> You are to use not more than three
ACL statements
>> The best interface to place the
ACL
>> What ACL to use (standard or
extended)
 First, permit PC0 http access to
server 1. PC0’s IP is 192.168.2.2 while server1 is 192.168.11.2 and http port
is 80. SO lets implement that.
>> TimiGate(config)#access-list
101 permit tcp host 192.168.2.2 host 192.168.11.2 eq 80
Next, we need to deny PC0 other forms of
access to server1, but look carefully, you will see that the third requirement
says that other forms access from the LAN to server1 should also be denied. Giving
that we are asked not to use more than three lines of statements, we can use a
line to accomplish these two tasks. Here is how .
>> TimiGate(config)#access-list 101
deny ip any host 192.168.11.2
The last requirement is to permit all other
forms of access within the network. This will allow users access the internet
and other available resources.
TimiGate(config)#access-list 101 permit ip
any any ( this line is needed because of the implicit deny at the end of every
access-list)
Next you choose the interface to place your
ACL. The chosen interface will determine if it’s going to be in or out. 
To make sure that the server is protected
from users in the LAN and over the internet, the best interface for the ACL is
the interface leading to the servers. This is because both users from the LAN
and internet will pass through this interface to get to the servers.
TimiGate(config)#int f0/0
TimiGate(config-if)#ip access-group 101 out
TimiGate(config-if)#
It is out because any packet going to the
server through that interface is exiting the router. Let’s see output clips from the test.
PC0 can access server1 via http. First objective accomplished 

All forms of access for other users to server1 should be denied. As can be seen in the images above, PC0 can not have any other form of access to the server. The other users can not have any form of access, be it http or icmp access to the server. Objectives 2 and 3 accomplished. 
HTTP access to server4 from PC2 is successful. Objective 4 accomplished. So that’s it. If you have any questions on any CCNA topic, kindly drop it in the comment session and I will reply you. Thanks.
Spread the love

Leave a Comment