Practice 300-410 IPv4 Access Control Lists questions with full explanations on every answer.
1. A network engineer runs the following command on Router R1:

```
R1# show access-lists
Extended IP access list 101
    10 permit tcp 192.168.1.0 0.0.0.255 any eq 80 (10 matches)
    20 deny tcp any host 10.1.1.1 eq 22 (5 matches)
    30 permit icmp any any (2 matches)
    40 deny ip any any (1 match)
```

Based on this output, which statement is correct?
2. A network engineer runs the following command on Router R1:

```
R1# show ip interface GigabitEthernet0/1
GigabitEthernet0/1 is up, line protocol is up
  Internet address is 10.1.1.1/24
  Broadcast address is 255.255.255.255
  Address determined by non-volatile memory
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is 101
  Inbound access list is not set
```

Based on this output, which statement is correct?
3. A network engineer runs the following command on Router R1:

```
R1# show ip access-lists
Extended IP access list 120
    10 permit tcp 10.0.0.0 0.255.255.255 any eq www (1000 matches)
    20 permit udp any any eq dns (500 matches)
    30 deny ip any any (200 matches)
```

Based on this output, what is the problem?
4. A network engineer runs the following command on Router R1:

```
R1# show ip access-lists
Extended IP access list 130
    10 deny ip 192.168.1.0 0.0.0.255 any (0 matches)
    20 permit ip any any (1000 matches)
```

Based on this output, which statement is correct?
5. A network engineer runs the following command on Router R1:

```
R1# show ip access-lists
Extended IP access list 140
    10 deny tcp any host 10.1.1.1 eq 23 (15 matches)
    20 permit tcp any host 10.1.1.1 eq 22 (20 matches)
    30 permit ip any any (5 matches)
```

Based on this output, what is the problem?
6. A network engineer runs the following command on Router R1:

```
R1# show ip access-lists
Extended IP access list 150
    10 permit ip 10.0.0.0 0.255.255.255 any (500 matches)
    20 deny ip any any (100 matches)
```

Based on this output, which statement is correct?
7. A network engineer runs the following command on Router R1:

```
R1# show ip access-lists
Extended IP access list 160
    10 permit tcp any any established (200 matches)
    20 permit udp any any (100 matches)
    30 deny ip any any (50 matches)
```

Based on this output, what is the problem?
8. A network engineer runs the following command on Router R1:

```
R1# show ip access-lists
Extended IP access list 170
    10 permit icmp any any echo (100 matches)
    20 permit icmp any any echo-reply (80 matches)
    30 deny ip any any (10 matches)
```

Based on this output, which statement is correct?
9. A network engineer runs the following command on Router R1:

```
R1# show ip access-lists
Extended IP access list 180
    10 permit tcp 192.168.1.0 0.0.0.255 any eq 80 (50 matches)
    20 permit tcp 192.168.2.0 0.0.0.255 any eq 443 (30 matches)
    30 deny ip any any (5 matches)
```

Based on this output, what is the problem?
10. Consider the following partial configuration on router R1:

```
interface GigabitEthernet0/1
 ip access-group MY_ACL in
!
ip access-list extended MY_ACL
 permit tcp 10.1.1.0 0.0.0.255 any eq 80
 permit icmp any any echo
 deny ip any any
```

What is the effect of this ACL when applied inbound on GigabitEthernet0/1?
11. Examine the following configuration snippet:

```
interface GigabitEthernet0/0
 ip access-group BLOCK_TELNET out
!
ip access-list extended BLOCK_TELNET
 deny tcp any any eq 23
 permit ip any any
```

What is the effect of applying this ACL outbound on GigabitEthernet0/0?
12. Given the following configuration:

```
interface GigabitEthernet0/2
 ip access-group FILTER_SSH in
!
ip access-list extended FILTER_SSH
 permit tcp any host 192.168.1.10 eq 22
 permit udp any host 192.168.1.10 eq 22
```

What is the issue with this ACL?
13. Consider this configuration on router R2:

```
interface GigabitEthernet0/0
 ip access-group RESTRICT_ACCESS in
!
ip access-list extended RESTRICT_ACCESS
 permit ip 10.0.0.0 0.255.255.255 any
 deny ip any any
```

What traffic will be permitted inbound on GigabitEthernet0/0?
14. Examine the following configuration:

```
interface GigabitEthernet0/3
 ip access-group WEB_ONLY out
!
ip access-list extended WEB_ONLY
 permit tcp any any eq 80
 permit tcp any any eq 443
```

What is the effect of this ACL when applied outbound on GigabitEthernet0/3?
15. Given this configuration:

```
interface GigabitEthernet0/4
 ip access-group BLOCK_FTP in
!
ip access-list extended BLOCK_FTP
 deny tcp any any eq 21
 deny tcp any any eq 20
 permit ip any any
```

What is the effect of this ACL when applied inbound on GigabitEthernet0/4?
16. What is the default behavior of an IPv4 access control list (ACL) when no explicit permit or deny statement matches a packet?
17. In a standard IPv4 ACL, what is the range of valid numbers for the access-list number?
18. When using an extended ACL to filter traffic, which fields can be matched? (Choose the most complete answer.)
19. Which TWO commands verify the application and content of an IPv4 access control list on a Cisco IOS router? (Choose TWO.)
20. Which TWO statements about IPv4 extended access control lists are true? (Choose TWO.)
21. Which TWO configuration steps are required to apply an IPv4 extended access list to an interface in Cisco IOS? (Choose TWO.)
22. Which THREE symptoms indicate that an IPv4 access control list may be misconfigured or not applied correctly? (Choose THREE.)
23. Which THREE statements about IPv4 access control list sequence numbers are true? (Choose THREE.)
24. A large enterprise network uses EIGRP with route summarization. Router R1 has the following configuration: interface GigabitEthernet0/0, ip summary-address eigrp 100 10.0.0.0 255.255.252.0. Router R2 shows: show ip route eigrp includes 10.0.0.0/22 but not 10.0.3.0/24. What is the root cause?
25. A network redistributes OSPF into EIGRP. Router R1 has: redistribute ospf 1 metric 10000 100 255 1 1500. Router R2 shows: show ip route eigrp includes some OSPF routes but not 192.168.1.0/24. What is the root cause?
26. BGP is used between two ISPs. Router R1 has: neighbor 10.0.0.2 route-map SET-MED in, route-map SET-MED permit 10, set metric 50. Router R2 shows: show ip bgp 172.16.0.0 includes MED 50 but the path is not preferred. What is the root cause?
27. OSPF is configured on a multi-access link between R1 and R2. R1 has: interface GigabitEthernet0/0, ip ospf network point-to-point. R2 has default broadcast network type. R1 shows: show ip ospf neighbor includes R2 in FULL state, but R2 shows: show ip ospf neighbor includes R1 in INIT state. What is the root cause?
28. EIGRP network is experiencing stuck-in-active (SIA) routes. Router R1 shows: show ip eigrp topology active includes 10.0.0.0/24. Router R2 has: interface GigabitEthernet0/0, ip summary-address eigrp 100 10.0.0.0 255.255.255.0. What is the root cause?
29. DMVPN phase 2 network: spoke-to-spoke tunnels fail. Router Spoke1 has: tunnel source GigabitEthernet0/0, tunnel mode gre multipoint, ip nhrp network-id 1, ip nhrp nhs 10.0.0.1. Router Spoke2 shows: show dmvpn includes Spoke1 in NHRP cache but no spoke-to-spoke tunnel. What is the root cause?
30. MPLS network: LDP neighbors are down between R1 and R2. R1 shows: show mpls ldp neighbor includes nothing. R2 has: interface GigabitEthernet0/0, mpls ip, but R1 has no mpls ip on its interface. What is the root cause?
31. Management traffic is being dropped. Router R1 has: access-list 100 deny ip any any log, applied to VTY lines. Remote access via SSH fails, but console works. What is the root cause?
32. CoPP is rate-limiting legitimate routing traffic. Router R1 has: class-map match-any ROUTING, match protocol bgp, match protocol ospf, policy-map COPP, class ROUTING, police 10000 conform-action transmit exceed-action drop. BGP sessions flap. What is the root cause?
33. A network engineer runs the following command to troubleshoot an IPv4 Access Control Lists issue:

```
R1# debug ip packet 100 detail
IP packet debugging is on for access list 100
*Mar 1 00:12:34.567: IP: s=10.1.1.1 (GigabitEthernet0/0), d=10.2.2.2, len 100, proto UDP, flags 0x0, sport 12345, dport 80, access list 100: matched line 10 permit udp host 10.1.1.1 host 10.2.2.2 eq 80
*Mar 1 00:12:35.123: IP: s=10.1.1.1 (GigabitEthernet0/0), d=10.2.2.2, len 100, proto TCP, flags 0x2, sport 12346, dport 443, access list 100: matched line 20 deny tcp host 10.1.1.1 host 10.2.2.2 eq 443
*Mar 1 00:12:35.124: IP: s=10.1.1.1 (GigabitEthernet0/0), d=10.2.2.2, len 100, proto TCP, flags 0x10, sport 12346, dport 443, access list 100: matched line 20 deny tcp host 10.1.1.1 host 10.2.2.2 eq 443
```

What does this output indicate?
34. A network engineer runs the following command to troubleshoot an IPv4 Access Control Lists issue:

```
R1# show ip access-lists 101
Extended IP access list 101
    10 permit tcp 192.168.1.0 0.0.0.255 any eq 80 (12 matches)
    20 deny tcp any any eq 443 (5 matches)
    30 permit ip any any (100 matches)
```

What does this output indicate?
35. A network engineer runs the following command to troubleshoot an IPv4 Access Control Lists issue:

```
R1# show ip interface GigabitEthernet0/0 | include access list
  Outgoing access list is 102
  Inbound access list is not set
```

Then the engineer checks:

```
R1# show ip access-lists 102
Extended IP access list 102
    10 deny tcp any any eq 23
    20 permit ip any any
```

What does this output indicate?
36. A network engineer runs the following command to troubleshoot an IPv4 Access Control Lists issue:

```
R1# debug ip packet 110
IP packet debugging is on for access list 110
*Mar 1 00:15:22.345: IP: s=10.1.1.1 (GigabitEthernet0/0), d=10.2.2.2, len 100, proto TCP, flags 0x2, sport 12345, dport 23, access list 110: matched line 10 deny tcp host 10.1.1.1 host 10.2.2.2 eq 23
*Mar 1 00:15:22.346: IP: s=10.1.1.1 (GigabitEthernet0/0), d=10.2.2.2, len 100, proto TCP, flags 0x10, sport 12345, dport 23, access list 110: matched line 10 deny tcp host 10.1.1.1 host 10.2.2.2 eq 23
```

What does this output indicate?
37. A network engineer runs the following command to troubleshoot an IPv4 Access Control Lists issue:

```
R1# show access-lists 120
Extended IP access list 120
    10 permit tcp 192.168.1.0 0.0.0.255 any eq 80
    20 permit tcp 192.168.2.0 0.0.0.255 any eq 443
    30 deny ip any any log
```

What does this output indicate?
38. A network engineer runs the following command to troubleshoot an IPv4 Access Control Lists issue:

```
R1# show ip access-lists 130
Extended IP access list 130
    10 deny ip host 10.1.1.1 host 10.2.2.2
    20 permit ip any any
```

Then the engineer runs:

```
R1# debug ip packet 130
IP packet debugging is on for access list 130
*Mar 1 00:20:10.123: IP: s=10.1.1.1 (GigabitEthernet0/0), d=10.2.2.2, len 100, proto ICMP, access list 130: matched line 10 deny ip host 10.1.1.1 host 10.2.2.2
```

What does this output indicate?
39. A network engineer runs the following command to troubleshoot an IPv4 Access Control Lists issue:

```
R1# show ip interface GigabitEthernet0/1 | include access list
  Outgoing access list is 140
  Inbound access list is not set
```

Then the engineer runs:

```
R1# show ip access-lists 140
Extended IP access list 140
    10 deny icmp any any
    20 permit ip any any
```

What does this output indicate?
40. A network engineer runs the following command to troubleshoot an IPv4 Access Control Lists issue:

```
R1# debug ip packet 150
IP packet debugging is on for access list 150
*Mar 1 00:25:45.678: IP: s=192.168.1.1 (GigabitEthernet0/0), d=10.1.1.1, len 100, proto UDP, flags 0x0, sport 12345, dport 53, access list 150: matched line 10 permit udp host 192.168.1.1 host 10.1.1.1 eq 53
*Mar 1 00:25:45.679: IP: s=192.168.1.1 (GigabitEthernet0/0), d=10.1.1.1, len 100, proto TCP, flags 0x2, sport 12346, dport 53, access list 150: matched line 20 permit tcp host 192.168.1.1 host 10.1.1.1 eq 53
```

What does this output indicate?
41. A network engineer runs the following command to troubleshoot an IPv4 Access Control Lists issue:

```
R1# show ip access-lists 160
Extended IP access list 160
    10 permit tcp 10.0.0.0 0.255.255.255 any eq 22
    20 permit tcp 172.16.0.0 0.15.255.255 any eq 22
    30 permit tcp 192.168.0.0 0.0.255.255 any eq 22
    40 deny ip any any
```

What does this output indicate?
42. By default in Cisco IOS-XE, what is the behavior of an IPv4 ACL when no entries match and the ACL is applied to an inbound interface?
43. What is the default behavior of an IPv4 ACL regarding the order of evaluation when multiple entries match a packet?
44. In a standard IPv4 ACL, what is the default wildcard mask if none is explicitly configured?
45. Which statement is true about the implicit deny any at the end of an IPv4 ACL?
46. What is the maximum number of entries that can be configured in a single IPv4 ACL in Cisco IOS?
47. In an extended IPv4 ACL, what is the default action if only a source and destination are specified without a protocol?
48. Which of the following is true regarding the placement of an IPv4 ACL to filter traffic between two internal subnets?
49. What is the default behavior for an IPv4 ACL applied to an outbound interface when the packet is generated by the router itself (e.g., ping from the router)?
50. When using the 'access-group' command to apply an ACL to an interface, what is the default direction if none is specified?
51. Drag and drop the steps to apply and verify an extended IPv4 ACL on a router interface into the correct order, from first to last.
52. Drag and drop the steps to troubleshoot IPv4 ACL adjacency or connectivity failures into the correct order, from first to last.
53. Drag and drop the steps to verify and validate the operational state of IPv4 ACLs into the correct order, from first to last.
54. Which TWO statements about the behavior of IPv4 ACLs with the 'established' keyword are true? (Choose TWO.)
55. Which TWO statements about the 'ip access-group' command and its interaction with ACLs are correct? (Choose TWO.)
56. Which TWO statements about the 'ip access-list resequence' command are true? (Choose TWO.)
57. Which TWO statements about the 'log' keyword in IPv4 ACL entries are correct? (Choose TWO.)
58. Which TWO statements about the 'time-range' feature in IPv4 ACLs are correct? (Choose TWO.)
59. An engineer configures an IPv4 ACL with a deny statement for OSPF protocol (IP protocol 89) on a router's serial interface inbound. OSPF neighbors are established, but routes are not exchanged and the neighbor state remains in EXSTART. What is the most likely explanation?
60. An engineer configures an EIGRP named mode with an offset-list applied to the delay metric on a serial interface. The offset-list increases the delay by 1000 microseconds. However, the feasible distance (FD) updates correctly, but the advertised distance (AD) does not change. What is the most likely explanation?
61. A network engineer configures an inbound IPv4 ACL on a router's interface to filter BGP updates from an eBGP neighbor. The ACL permits only specific prefixes. After applying the ACL, the BGP session remains established, but the router does not install any routes from that neighbor. What is the most likely explanation?
62. An engineer configures mutual redistribution between OSPF and EIGRP on a router. Both protocols have routes for the same prefix. The engineer also applies an inbound ACL on the OSPF interface to deny certain routes from being learned via OSPF. After the ACL is applied, the router still has the prefix in the routing table, but it is learned via EIGRP instead of OSPF. What is the most likely explanation?
63. On a DMVPN Phase 2 hub-and-spoke network, an engineer applies an inbound IPv4 ACL on the tunnel interface of a spoke router to permit only traffic from specific spoke IPs. After the ACL is applied, the spoke cannot establish a direct spoke-to-spoke tunnel with another spoke, even though NHRP resolution succeeds. What is the most likely explanation?
64. An engineer configures an IPsec VPN between two routers using a transform-set with ESP encryption (AES 256) and ESP authentication (SHA-256). The engineer also applies an IPv4 ACL to define interesting traffic that matches all IP traffic. After configuration, the VPN tunnel comes up, but only ICMP traffic is encrypted; other traffic like HTTP is sent in clear text. What is the most likely explanation?
65. A network engineer configures Control Plane Policing (CoPP) on a router with a policy-map that applies a rate-limit of 10000 pps to the class-default class. After applying the policy, the router's CPU utilization spikes and OSPF neighbors go down. What is the most likely explanation?
66. An engineer configures unicast Reverse Path Forwarding (uRPF) in strict mode on an interface connected to a customer network. The customer has a default route pointing to the router. After enabling uRPF, the router drops traffic from the customer that has a source IP address that is not in the routing table as a directly connected or static route. What is the most likely explanation?
67. An engineer configures an IPv4 ACL on a router's interface to permit only HTTP traffic (TCP port 80) from a specific subnet. The ACL is applied inbound. After applying, the router's web interface (HTTPS) becomes unreachable from the same subnet. What is the most likely explanation?
The IPv4 Access Control Lists domain covers the key concepts tested in this area of the 300-410 exam blueprint published by Cisco. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all 300-410 domains — no account required.
The Courseiva 300-410 question bank contains 67 questions in the IPv4 Access Control Lists domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the IPv4 Access Control Lists domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.