ICND2 – Drag and Drop

April 9th, 2015 in ICND2 200-101

Here you will find answers to ICND 2 – Drag And Drop Questions

Question 1

1) Prevent all users from outside the enterprise network from accessing the server: permit ip 0.0 0.255 host
2) Block a user from R1 e0 network from accessing the server: deny ip host
3) Block only the users attached to the e0 interface of the R2 router from accessing the server: deny ip host

Question 2

1) protocol: ip
2) address:
3) mask:


The syntax of extended access-list:

access-list 100-199 {permit|deny} {ip|tcp|udp|icmp} source source-mask [lt|gt|eq|neq] [source-port] destination dest-mask [lt|gt|eq|neq] [dest-port]

By telling the router to drop traffic originating from host C (the source), we guarantee that host C can communicate only with hosts inside its own subnet (traffic within the subnet does not pass through the router, so the ACL never sees it and cannot block it).
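
An added illustration (not part of the original page) of how a router evaluates extended ACL entries written in the syntax above: wildcard-mask matching, top-down first match, and the implicit deny at the end. The addresses are constructed documentation-range values, the entries omit the `access-list <number>` prefix, and port operators are not modelled.

```python
import ipaddress

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def parse_entry(line):
    """Parse '{permit|deny} ip <source> <destination>'; each address is
    'any', 'host A.B.C.D' or 'A.B.C.D <wildcard-mask>'."""
    tok = line.split()
    if len(tok) < 4 or tok[0] not in ("permit", "deny") or tok[1] != "ip":
        raise ValueError(f"unsupported entry: {line!r}")
    rest, specs = tok[2:], []
    while rest:
        if rest[0] == "any":
            spec, used = (0, 0xFFFFFFFF), 1
        elif rest[0] == "host":
            spec, used = (_ip(rest[1]), 0), 2
        else:
            spec, used = (_ip(rest[0]), _ip(rest[1])), 2
        specs.append(spec)
        rest = rest[used:]
    if len(specs) != 2:
        raise ValueError(f"need source and destination: {line!r}")
    return tok[0], specs[0], specs[1]

def _matches(addr, spec):
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF      # wildcard bit 1 = "don't care"
    return (addr & care) == (base & care)

def evaluate(acl, src, dst):
    """Return the action of the first matching entry (top-down)."""
    for line in acl:
        action, s, d = parse_entry(line)
        if _matches(_ip(src), s) and _matches(_ip(dst), d):
            return action
    return "deny"                      # implicit deny ends every ACL

# Constructed addresses (documentation ranges), not the exam's values.
SERVER = "198.51.100.10"
ACL_GOOD = ["deny ip host 192.0.2.34 host " + SERVER,
            "permit ip 192.0.2.0 0.0.0.255 host " + SERVER]
ACL_BAD = list(reversed(ACL_GOOD))     # permit shadows the host deny

if __name__ == "__main__":
    for name, acl in (("deny first", ACL_GOOD), ("permit first", ACL_BAD)):
        for src in ("192.0.2.34", "192.0.2.50", "203.0.113.7"):
            print(name, src, evaluate(acl, src, SERVER))
```

With the permit entry listed first, the blocked host matches the subnet permit before its own deny is ever reached, which is the ordering point raised in the comments.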

Question 3

Data Link Layer:

+ Encapsulation PPP
+ Line protocol is up

Physical Layer:

+ Serial 1/0 is up
+ Hardware is CD2430 in sync mode

Question 4

Access Port:

+ carries traffic for a single VLAN
+ uses a straight-through cable to connect a device
+ connects an end-user workstation to a switch

Trunk Port:

+ carries traffic for multiple VLANs
+ facilitates inter-VLAN communications when connected to a Layer 3 device
+ uses 802.1q to identify traffic from different VLANs

Question 5

Next hop

Next hop

Next hop

Comments (46)
  1. Maged
    November 3rd, 2013

    Anyone explain Question 5 ?

  2. if_only_i_had_one
    November 4th, 2013

    Remember the routing table processes more specific routes first. Another way is to think that the routing table processes routes with more bits in the network part of the address first. So a /32 will be processed before a /31 and a /31 before a /30 and …

    R1(config)# ip route
    R1(config)# ip route
    R1(config)# ip route

    So when these routes get put in to the routing table more specific routes get processed first. So what you need to do is look at the three routes and go okay what is my most specific.

    In this case it will be the ip route so anything in the 10.1.0.X/24 network will go to

    Then work your way out so the next least specific route is the ip route which is saying anything to the 10.1.X.X/16 network goes to So in this case it will be anything that is in 10.1.X.X/16 but isn’t in 10.1.0.X/24 (because we have a more specific route) goes into this box

    Finally you have your default route ip route which is saying anything not listed needs to go to me so put your remaining entries into this box.
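
The longest-prefix-match rule described in the comment above, as an added example that is not part of the original comment or page. The /24, /16 and default prefixes follow the comment; the next hops and destination addresses are constructed, since the page's own values did not survive.

```python
import ipaddress

# Constructed next hops (labels only; not the exam's values).
ROUTES = [
    ("0.0.0.0/0", "192.0.2.1"),     # default route
    ("10.1.0.0/16", "192.0.2.2"),
    ("10.1.0.0/24", "192.0.2.3"),
]

def build_table(routes):
    """Order routes so the most specific (longest) prefix is tried first."""
    table = [(ipaddress.ip_network(prefix), hop) for prefix, hop in routes]
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table

def next_hop(table, dest):
    """Return the next hop of the longest matching prefix, or None."""
    addr = ipaddress.ip_address(dest)
    for network, hop in table:
        if addr in network:
            return hop
    return None                     # no matching route and no default

def sort_into_boxes(table, destinations):
    """Group destinations by the next hop they would be forwarded to."""
    boxes = {}
    for dest in destinations:
        boxes.setdefault(next_hop(table, dest), []).append(dest)
    return boxes

if __name__ == "__main__":
    table = build_table(ROUTES)
    # Constructed destination addresses.
    dests = ["10.1.0.25", "10.1.7.9", "10.9.0.1", "172.16.4.4"]
    for hop, members in sort_into_boxes(table, dests).items():
        print(hop, members)
```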

  3. anon
    December 7th, 2013

    excellent explanation

  4. Joseph
    December 19th, 2013

    I agree.

  5. Joe
    December 24th, 2013

    Question 1: deny the individual host (#2) needs to come before permit all internal hosts (#1).

  6. Happy
    January 26th, 2014

    @Joe is right.
    1st command permit ip 0.0 0.255 host permits traffic from host to web server.
    deny ip host should be first.

  7. Texas
    February 6th, 2014

    Yea Q1 kind of threw me for a loop.

    Allowing the whole class C encompasses all the networks in the diagram. So it should be

    Deny ip host correct? (Preventing all users from outside the enterprise network from accessing the server)

  8. Texas
    February 6th, 2014

    Or maybe just let us know the definition of Enterprise, because to me the two different locations are 2 different Enterprises…unless you are only looking at the networks then it would be the correct answer.

  9. Mike
    February 17th, 2014

    Question, if…”In this case it will be the ip route so anything in then 10.1.0.X/24 network will go to” is the case, shouldn’t the IPs that go to the “Next hop” be:


  10. abc
    February 18th, 2014

    Correct me if I am wrong, ACL has been removed from ICND2 and moved to ICND1.

  11. Anonymous
    February 20th, 2014

    I thought so too, yet it still in the ICND2 section.

  12. CertBound
    March 13th, 2014

    ACL Theory is in ICND1. ACL Theory and Configuration is in ICND2.

  13. Andrew
    March 25th, 2014

    IN Question (1)

    The answer to “Block only users from e0 network on R2 ” is WRONG

    It’s not :deny ip host

    The solution:

    The e0 interface ip address is :
    so the Subnet ID for this network is :

    so the ACL command should be:
    (1) deny ip host

    or it may be to be as close as the above choices:(2) deny ip host

    (1) and (2) are the same , the decimal number 16 will be ignored anyway.

    I hope someone confirms my answer as well 🙂


  14. Andrew
    March 25th, 2014


    the answer is right , i made my calculations on a /26 mask not /28

    I’m Really sorry , the answer provided by 9tut is right .

    sorry one more time 🙂

  15. sh
    March 26th, 2014

    To all those who have already made the ICND2
    Drag and Drop
    Is it still valid?

  16. Anthony
    April 8th, 2014

    All you guys have to do to validate what material is still on the exam is refer to Cisco’s homepage.

    They give you the whole material outline here: http://www.cisco.com/web/learning/exams/docs/200-101_icnd2.pdf

    VTP and ACLs have been removed completely. And I personally have not encountered a single associated question both times I took the test.

  17. Shawn
    April 23rd, 2014

    Mike// Refer to the explanation by if_only_i_had_one. Simply saying, longest subnet mask comes first. & meet every condition of ip route command so the longest subnet mask ‘R1(config)# ip route’ is considered first.

  18. i474
    April 28th, 2014

    I can’t understand Q1 second answer:
    2) Block a user from R1 e0 network from accessing the server: deny ip host

    Can somebody explain “deny ip” – this part ?

    Thank you.

  19. i474
    April 28th, 2014

    I’m sorry guys.
    I’ve missed “Block a USER from…”
    Just missed word “user” and got confused what the ip is))

  20. i474
    April 28th, 2014

    Can we write in Q2
    access-list 100 deny ip
    is it right?

  21. fez
    May 8th, 2014

    Passed today my ICND@2 by 1000. Got different configuration of the Eigrp & frame Relay labs where there were different DLCIs and IP addresses, but same process was used to get answers (show commands, show ip protocols, show ip interface brief ).

    A question about GLBP and a question about netflow were on my test. You can find them here: http://www.examtut.com/2013/09/new-questions-in-ccna-200-120-hsrp-vrrp.html

    Study 9tut and this guy i found him really helpful. He has unique way of teaching http://www.danscourses.com If you can do all his videos again and again. Trust me you will get the concept. Also one thing i learned today is if you don’t know the concept it’ll be hard for you in the exam.

    All the best to every one in their path. Keep me in your good wishes.

  22. fez
    May 8th, 2014

    none of these were there today

  24. izzarazzu
    June 28th, 2014

    Took the exam today. Pass 986/1000. nothing of this were on there.
    Thanks 9tut.

  25. Dan
    August 5th, 2014

    Just duplicated the environment in question 1 and although its true that in a normal situation you would need to list the “deny” commands first before the “permit” command – that is not what the question is actually asking. What it is asking is if you can identify the right command with the action that it will take. IE: The first listing says “to prevent all users from outside the enterprise network from entering the server” So you need to match up the right command string with that first listing and put it in the first box next to it. This is not about knowing what order the commands should be in. It is about knowing what each command actually does. That is why it is correct as shown on 9tut.

  26. Ant
    August 20th, 2014

    Tested today, 8/20. None of these were on there.

  27. Mr. Kramer
    August 30th, 2014

    Do any of the dumps have actual drag and drop questions to practice? If not, i’ll have to go the pencil and paper low tech way.

  28. question on the password again
    November 2nd, 2014

    on question 1, block A user why the subnet mask of all zero’s. to identify a single user?

    the entire enterprise has networks in the 192.168.30 0.0.0 255 range, since there is an implicit deny, allowing all users within this range will keep everyone else out because of the implicit deny at the end of the acl statement?

    this seems like a trick question in that the choice for denying is using a permit statement to allow all the addresses within the range of the ip addresses in the enterprise access, without having a choice of statements to deny all addresses outside of this range, but because of the implicit deny, all addresses outside of this range will be denied??

  29. Ipvcloud
    December 13th, 2014

    Regarding Question #1

    I think the questions that state “Block only the users attached to the e0 interface of the R2 router from accessing the server: deny ip host”.
    Answer should be:

    deny ip

    If you breaking down the wildcard mask, it should be because it is only the “users”.

    There is only 14 users for that subnet plus the subnet number and broadcast for that number.
    —-> —Subnet Number
    —-> —First Usable Address
    —-> —Last usable Address
    —-> –Broadcast.

    Even though, if I am wrong, please somebody correct me. Thank you.

  30. Jp
    December 22nd, 2014

    Q5 was on my exam on 21st of dec

  31. Trekker14
    January 2nd, 2015

    #5 seems confusing to some. Just find the addresses on the same subnet.

    R1(config)# ip route
    Destination addresses and are on different subnets completely than the /24 & /16 routes so traffic is sent using the default route to

    R1(config)# ip route
    Destination addresses and are on the same subnet 10.1.0.x —->
    Subnet , Valid Hosts , Broadcast , to ,

    R1(config)# ip route
    Destination addresses and are on the same subnet 10.1.x.x —->
    Subnet , Valid Hosts , Broadcast , to ,

  32. Chris
    January 10th, 2015

    #1 The term enterprise integrates both main office and a satellite office. The question says to prevent the users from outside the enterprise, that is to say block all the users whose ip address does not fall within Its because enterprise (both main office and the satellite office) uses the subnetted ip address of /24. The permit ip 0.0 0.255 host statement permit all the users of the enterprise while the implicit deny statement at the end of ACL prevents other users from accessing the server,

    so 9tut is right..:)

  33. Joe
    March 13th, 2015

    #1 statement #1 makes no sense. If you permit all the LA office would get in also..CMON PEOPLE WAKE UP

    April 16th, 2015


  35. Orla Brian
    April 18th, 2015

    hi, for the ICND 2 exam, will I have to configure any routers?

  36. 5280Buckeye
    April 25th, 2015

    @ Orla Brian, good question! In ICND2 are we only troubleshooting in Sim (as in icnd1) or do we have to configure too??

  37. metacortex
    May 2nd, 2015

    Because ACLs are processed top/down we should deny the most specific host first, then deny the more specific segment, then permit only the required block. The implicit deny will handle the rest.

    June 2nd, 2015

    For Question 2, why would you use the .34 address? It’s a /27 so a new network is formed every 32 addresses so with the range being .32 – .63 shouldn’t the address used be Would that not prevent the host from communicating outside its subnet as the question has asked you to do?

    June 4th, 2015

    You’ve misread the question. It’s to block a single host not a range.

  40. penis
    July 6th, 2015

    I hate these kind of questions…. and drag and drop… the way they want us to reorder numbers and shit… don’t cisco have the actual drag and drop, wouldn’t that be much easier?

  41. 9tut
    July 13th, 2015

    @all: We had to move all the questions and answers out of 9tut. We can only keep the explanation. You can download the questions and answers at: https://mega.co.nz/#!oIdESYbD!yyu33vygrfKPy4rcmcbV6qW2fxINNoTokuDM3CjA_og

  42. Leila Kruger
    August 8th, 2015

    Hi guys!
    I think, Question 1 is wrong. First of all, in my opinion, we have to consider these 3 entries not as 3 entries of one single ACL, but as 3 separate ACL’s, each containing one single entry.

    1) Prevent all users from outside the enterprise network from accessing the server: permit ip 0.0 0.255 host – this seems to be OK.
    2) Block a user from R1 e0 network from accessing the server.

    e0 interface ip address on R1 is , so subnet address is The answer should be: deny ip host

    3) Block only the users attached to the e0 interface of the R2 router from accessing the server

    e0 interface ip address on R2 is , so subnet address is The range of valid host addresses in this subnet is from to The answer should be: deny ip host

  43. Marco
    October 16th, 2015

    Passed on the 9th of October 2015 and had Q 4 and 5

  44. Inder
    November 18th, 2015

    I am in agreement with Leila:

    For Question 1, Answer 2: Block a user from R1 e0 network from accessing the server: deny ip host

    The subnet displayed for R1 port e0 is The subnet in the answer does not match the subnet of R1 port e0, it but it does match an host address on R2 port e0.

    Also of note, the subnet listed as answer 3 does not match the subnet for R2 port e0 (it matches R1 port e0).

  45. FooF
    December 6th, 2015

    Question 1 is correct but its from the expired 640-816 exam. probably will never see it again

  46. jorge
    May 19th, 2016

    FooF u r correct again! Q1 is correct for all u kids who think it’s wrong go back and study ACL’s seems you’re getting the networks mixed up with a single IP address. OUT