Courseiva
Knowledge + Practice
CertificationsVendorsCareer RoadmapsLabs & ToolsStudy GuidesGlossaryPractice Questions
C
Courseiva

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.

Certification Practice Questions

CCNA practice questionsSecurity+ SY0-701 practice questionsAWS SAA-C03 practice questionsAZ-104 practice questionsAZ-900 practice questionsCLF-C02 practice questionsA+ Core 1 practice questionsGoogle Cloud ACE practice questionsCySA+ CS0-003 practice questionsNetwork+ N10-009 practice questions
View all certifications →

Product

CertificationsCertification PathsExam TopicsPractice TestsExam Dumps vs Practice TestsStudy HubComparisons

Company

AboutContactEditorial PolicyQuestion Writing PolicyTrust Center

Legal

Privacy PolicyTerms of Service

Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

← IPv4 Access Control Lists practice sets

300-410 IPv4 Access Control Lists • Complete Question Bank

300-410 IPv4 Access Control Lists — All Questions With Answers

Complete 300-410 IPv4 Access Control Lists question bank — all 0 questions with answers and detailed explanations.

67
Questions
Free
No signup
Certifications/300-410/Practice Test/IPv4 Access Control Lists/All Questions
Question 1mediummultiple choice
Study the full ACL explanation →

A network engineer runs the following command on Router R1:

R1# show access-lists

Extended IP access list 101

10 permit tcp 192.168.1.0 0.0.0.255 any eq 80 (10 matches)
    
20 deny tcp any host 10.1.1.1 eq 22 (5 matches)
    
30 permit icmp any any (2 matches)
    
40 deny ip any any (1 match)

Based on this output, which statement is correct?

Question 2easymultiple choice
Study the full ACL explanation →

A network engineer runs the following command on Router R1:

R1# show ip interface GigabitEthernet0/1

GigabitEthernet0/1 is up, line protocol is up Internet address is 10.1.1.1/24 Broadcast address is 255.255.255.255 Address determined by non-volatile memory MTU is 1500 bytes Helper address is not set Directed broadcast forwarding is disabled Outgoing access list is 101 Inbound access list is not set

Based on this output, which statement is correct?

Question 3mediummultiple choice
Study the full ACL explanation →

A network engineer runs the following command on Router R1:

R1# show ip access-lists

Extended IP access list 120

10 permit tcp 10.0.0.0 0.255.255.255 any eq www (1000 matches)
    
20 permit udp any any eq dns (500 matches)
    
30 deny ip any any (200 matches)

Based on this output, what is the problem?

Question 4easymultiple choice
Study the full ACL explanation →

A network engineer runs the following command on Router R1:

R1# show ip access-lists

Extended IP access list 130

10 deny ip 192.168.1.0 0.0.0.255 any (0 matches)
    
20 permit ip any any (1000 matches)

Based on this output, which statement is correct?

Question 5mediummultiple choice
Study the full ACL explanation →

A network engineer runs the following command on Router R1:

R1# show ip access-lists

Extended IP access list 140

10 deny tcp any host 10.1.1.1 eq 23 (15 matches)
    
20 permit tcp any host 10.1.1.1 eq 22 (20 matches)
    
30 permit ip any any (5 matches)

Based on this output, what is the problem?

Question 6easymultiple choice
Study the full ACL explanation →

A network engineer runs the following command on Router R1:

R1# show ip access-lists

Extended IP access list 150

10 permit ip 10.0.0.0 0.255.255.255 any (500 matches)
    
20 deny ip any any (100 matches)

Based on this output, which statement is correct?

Question 7hardmultiple choice
Study the full ACL explanation →

A network engineer runs the following command on Router R1:

R1# show ip access-lists

Extended IP access list 160

10 permit tcp any any established (200 matches)
    
20 permit udp any any (100 matches)
    
30 deny ip any any (50 matches)

Based on this output, what is the problem?

Question 8mediummultiple choice
Study the full ACL explanation →

A network engineer runs the following command on Router R1:

R1# show ip access-lists

Extended IP access list 170

10 permit icmp any any echo (100 matches)
    
20 permit icmp any any echo-reply (80 matches)
    
30 deny ip any any (10 matches)

Based on this output, which statement is correct?

Question 9mediummultiple choice
Study the full ACL explanation →

A network engineer runs the following command on Router R1:

R1# show ip access-lists

Extended IP access list 180

10 permit tcp 192.168.1.0 0.0.0.255 any eq 80 (50 matches)
    
20 permit tcp 192.168.2.0 0.0.0.255 any eq 443 (30 matches)
    
30 deny ip any any (5 matches)

Based on this output, what is the problem?

Question 10mediummultiple choice
Study the full ACL explanation →

Consider the following partial configuration on router R1: ```

interface GigabitEthernet0/1
 ip access-group MY_ACL in

!

ip access-list extended MY_ACL
 permit tcp 10.1.1.0 0.0.0.255 any eq 80
 permit icmp any any echo
 deny   ip any any

``` What is the effect of this ACL when applied inbound on GigabitEthernet0/1?

Question 11mediummultiple choice
Study the full ACL explanation →

Examine the following configuration snippet: ```

interface GigabitEthernet0/0
 ip access-group BLOCK_TELNET out

!

ip access-list extended BLOCK_TELNET
 deny tcp any any eq 23
 permit ip any any

``` What is the effect of applying this ACL outbound on GigabitEthernet0/0?

Question 12mediummultiple choice
Study the full ACL explanation →

Given the following configuration: ```

interface GigabitEthernet0/2
 ip access-group FILTER_SSH in

!

ip access-list extended FILTER_SSH
 permit tcp any host 192.168.1.10 eq 22
 permit udp any host 192.168.1.10 eq 22

``` What is the issue with this ACL?

Question 13mediummultiple choice
Study the full ACL explanation →

Consider this configuration on router R2: ```

interface GigabitEthernet0/0
 ip access-group RESTRICT_ACCESS in

!

ip access-list extended RESTRICT_ACCESS
 permit ip 10.0.0.0 0.255.255.255 any
 deny   ip any any

``` What traffic will be permitted inbound on GigabitEthernet0/0?

Question 14mediummultiple choice
Study the full ACL explanation →

Examine the following configuration: ```

interface GigabitEthernet0/3
 ip access-group WEB_ONLY out

!

ip access-list extended WEB_ONLY
 permit tcp any any eq 80
 permit tcp any any eq 443

``` What is the effect of this ACL when applied outbound on GigabitEthernet0/3?

Question 15mediummultiple choice
Study the full ACL explanation →

Given this configuration: ```

interface GigabitEthernet0/4
 ip access-group BLOCK_FTP in

!

ip access-list extended BLOCK_FTP
 deny tcp any any eq 21
 deny tcp any any eq

20

permit ip any any

``` What is the effect of this ACL when applied inbound on GigabitEthernet0/4?

Question 16easymultiple choice
Study the full ACL explanation →

What is the default behavior of an IPv4 access control list (ACL) when no explicit permit or deny statement matches a packet?

Question 17easymultiple choice
Study the full ACL explanation →

In a standard IPv4 ACL, what is the range of valid numbers for the access-list number?

Question 18mediummultiple choice
Study the full ACL explanation →

When using an extended ACL to filter traffic, which fields can be matched? (Choose the most complete answer.)

Question 19mediummulti select
Study the full ACL explanation →

Which TWO commands verify the application and content of an IPv4 access control list on a Cisco IOS router? (Choose TWO.)

Question 20mediummulti select
Study the full ACL explanation →

Which TWO statements about IPv4 extended access control lists are true? (Choose TWO.)

Question 21mediummulti select
Study the full ACL explanation →

Which TWO configuration steps are required to apply an IPv4 extended access list to an interface in Cisco IOS? (Choose TWO.)

Question 22hardmulti select
Study the full ACL explanation →

Which THREE symptoms indicate that an IPv4 access control list may be misconfigured or not applied correctly? (Choose THREE.)

Question 23hardmulti select
Study the full ACL explanation →

Which THREE statements about IPv4 access control list sequence numbers are true? (Choose THREE.)

Question 24hardmultiple choice
Study the full EIGRP explanation →

A large enterprise network uses EIGRP with route summarization. Router R1 has the following configuration: interface GigabitEthernet0/0, ip summary-address eigrp 100 10.0.0.0 255.255.252.0. Router R2 shows: show ip route eigrp includes 10.0.0.0/22 but not 10.0.3.0/24. What is the root cause?

Question 25hardmultiple choice
Review the full OSPF breakdown →

A network redistributes OSPF into EIGRP. Router R1 has: redistribute ospf 1 metric 10000 100 255 1 1500. Router R2 shows: show ip route eigrp includes some OSPF routes but not 192.168.1.0/24. What is the root cause?

Question 26hardmultiple choice
Open the full BGP breakdown →

BGP is used between two ISPs. Router R1 has: neighbor 10.0.0.2 route-map SET-MED in, route-map SET-MED permit 10, set metric 50. Router R2 shows: show ip bgp 172.16.0.0 includes MED 50 but the path is not preferred. What is the root cause?

Question 27hardmultiple choice
Review the full OSPF breakdown →

OSPF is configured on a multi-access link between R1 and R2. R1 has: interface GigabitEthernet0/0, ip ospf network point-to-point. R2 has default broadcast network type. R1 shows: show ip ospf neighbor includes R2 in FULL state, but R2 shows: show ip ospf neighbor includes R1 in INIT state. What is the root cause?

Question 28hardmultiple choice
Study the full EIGRP explanation →

EIGRP network is experiencing stuck-in-active (SIA) routes. Router R1 shows: show ip eigrp topology active includes 10.0.0.0/24. Router R2 has: interface GigabitEthernet0/0, ip summary-address eigrp 100 10.0.0.0 255.255.255.0. What is the root cause?

Question 29hardmultiple choice
Study the full ACL explanation →

DMVPN phase 2 network: spoke-to-spoke tunnels fail. Router Spoke1 has: tunnel source GigabitEthernet0/0, tunnel mode gre multipoint, ip nhrp network-id 1, ip nhrp nhs 10.0.0.1. Router Spoke2 shows: show dmvpn includes Spoke1 in NHRP cache but no spoke-to-spoke tunnel. What is the root cause?

Question 30hardmultiple choice
Read the full MPLS explanation →

MPLS network: LDP neighbors are down between R1 and R2. R1 shows: show mpls ldp neighbor includes nothing. R2 has: interface GigabitEthernet0/0, mpls ip, but R1 has no mpls ip on its interface. What is the root cause?

Question 31hardmultiple choice
Study the full ACL explanation →

Management traffic is being dropped. Router R1 has: access-list 100 deny ip any any log, applied to VTY lines. Remote access via SSH fails, but console works. What is the root cause?

Question 32hardmultiple choice
Review the full OSPF breakdown →

CoPP is rate-limiting legitimate routing traffic. Router R1 has: class-map match-any ROUTING, match protocol bgp, match protocol ospf, policy-map COPP, class ROUTING, police 10000 conform-action transmit exceed-action drop. BGP sessions flap. What is the root cause?

Question 33mediummultiple choice
Study the full ACL explanation →

A network engineer runs the following command to troubleshoot an IPv4 Access Control Lists issue:

R1# debug ip packet 100 detail
IP packet debugging is on for access list 100
*Mar  1 00:12:34.567: IP: s=10.1.1.1 (GigabitEthernet0/0), d=10.2.2.2, len 100, proto UDP, flags 0x0, sport 12345, dport 80, access list 100: matched line 10 permit udp host 10.1.1.1 host 10.2.2.2 eq 80
*Mar  1 00:12:35.123: IP: s=10.1.1.1 (GigabitEthernet0/0), d=10.2.2.2, len 100, proto TCP, flags 0x2, sport 12346, dport 443, access list 100: matched line 
20 deny tcp host 10.1.1.1 host 10.2.2.2 eq 443
*Mar  1 00:12:35.124: IP: s=10.1.1.1 (GigabitEthernet0/0), d=10.2.2.2, len 100, proto TCP, flags 0x10, sport 12346, dport 443, access list 100: matched line 
20 deny tcp host 10.1.1.1 host 10.2.2.2 eq 443

What does this output indicate?

Question 34easymultiple choice
Study the full ACL explanation →

A network engineer runs the following command to troubleshoot an IPv4 Access Control Lists issue:

R1# show ip access-lists 101

Extended IP access list 101

10 permit tcp 192.168.1.0 0.0.0.255 any eq 80 (12 matches)
    
20 deny tcp any any eq 443 (5 matches)
    
30 permit ip any any (100 matches)

What does this output indicate?

Question 35easymultiple choice
Study the full ACL explanation →

A network engineer runs the following command to troubleshoot an IPv4 Access Control Lists issue:

R1# show ip interface GigabitEthernet0/0 | include access list

Outgoing access list is 102 Inbound access list is not set

Then the engineer checks:

R1# show ip access-lists 102

Extended IP access list 102

10 deny tcp any any eq 23
    
20 permit ip any any

What does this output indicate?

Question 36mediummultiple choice
Study the full ACL explanation →

A network engineer runs the following command to troubleshoot an IPv4 Access Control Lists issue:

R1# debug ip packet 110
IP packet debugging is on for access list 110
*Mar  1 00:15:22.345: IP: s=10.1.1.1 (GigabitEthernet0/0), d=10.2.2.2, len 100, proto TCP, flags 0x2, sport 12345, dport 23, access list 110: matched line 10 deny tcp host 10.1.1.1 host 10.2.2.2 eq 23
*Mar  1 00:15:22.346: IP: s=10.1.1.1 (GigabitEthernet0/0), d=10.2.2.2, len 100, proto TCP, flags 0x10, sport 12345, dport 23, access list 110: matched line 
10 deny tcp host 10.1.1.1 host 10.2.2.2 eq 23

What does this output indicate?

Question 37easymultiple choice
Study the full ACL explanation →

A network engineer runs the following command to troubleshoot an IPv4 Access Control Lists issue:

R1# show access-lists 120

Extended IP access list 120

10 permit tcp 192.168.1.0 0.0.0.255 any eq 80
    
20 permit tcp 192.168.2.0 0.0.0.255 any eq 443
    
30 deny ip any any log

What does this output indicate?

Question 38mediummultiple choice
Study the full ACL explanation →

A network engineer runs the following command to troubleshoot an IPv4 Access Control Lists issue:

R1# show ip access-lists 130

Extended IP access list 130

10 deny ip host 10.1.1.1 host 10.2.2.2
    
20 permit ip any any

Then the engineer runs:

R1# debug ip packet 130
IP packet debugging is on for access list 130
*Mar  1 00:20:10.123: IP: s=10.1.1.1 (GigabitEthernet0/0), d=10.2.2.2, len 100, proto ICMP, access list 130: matched line 
10 deny ip host 10.1.1.1 host 10.2.2.2

What does this output indicate?

Question 39easymultiple choice
Study the full ACL explanation →

A network engineer runs the following command to troubleshoot an IPv4 Access Control Lists issue:

R1# show ip interface GigabitEthernet0/1 | include access list

Outgoing access list is 140 Inbound access list is not set

Then the engineer runs:

R1# show ip access-lists 140

Extended IP access list 140

10 deny icmp any any
    
20 permit ip any any

What does this output indicate?

Question 40mediummultiple choice
Study the full ACL explanation →

A network engineer runs the following command to troubleshoot an IPv4 Access Control Lists issue:

R1# debug ip packet 150
IP packet debugging is on for access list 150
*Mar  1 00:25:45.678: IP: s=192.168.1.1 (GigabitEthernet0/0), d=10.1.1.1, len 100, proto UDP, flags 0x0, sport 12345, dport 53, access list 150: matched line 10 permit udp host 192.168.1.1 host 10.1.1.1 eq 53
*Mar  1 00:25:45.679: IP: s=192.168.1.1 (GigabitEthernet0/0), d=10.1.1.1, len 100, proto TCP, flags 0x2, sport 12346, dport 53, access list 150: matched line 
20 permit tcp host 192.168.1.1 host 10.1.1.1 eq 53

What does this output indicate?

Question 41mediummultiple choice
Study the full ACL explanation →

A network engineer runs the following command to troubleshoot an IPv4 Access Control Lists issue:

R1# show ip access-lists 160

Extended IP access list 160

10 permit tcp 10.0.0.0 0.255.255.255 any eq 22
    
20 permit tcp 172.16.0.0 0.15.255.255 any eq 22
    
30 permit tcp 192.168.0.0 0.0.255.255 any eq 22
    
40 deny ip any any

What does this output indicate?

Question 42easymultiple choice
Study the full ACL explanation →

By default in Cisco IOS-XE, what is the behavior of an IPv4 ACL when no entries match and the ACL is applied to an inbound interface?

Question 43mediummultiple choice
Study the full ACL explanation →

What is the default behavior of an IPv4 ACL regarding the order of evaluation when multiple entries match a packet?

Question 44mediummultiple choice
Study the full ACL explanation →

In a standard IPv4 ACL, what is the default wildcard mask if none is explicitly configured?

Question 45easymultiple choice
Study the full ACL explanation →

Which statement is true about the implicit deny any at the end of an IPv4 ACL?

Question 46hardmultiple choice
Study the full ACL explanation →

What is the maximum number of entries that can be configured in a single IPv4 ACL in Cisco IOS?

Question 47mediummultiple choice
Study the full ACL explanation →

In an extended IPv4 ACL, what is the default action if only a source and destination are specified without a protocol?

Question 48easymultiple choice
Study the full ACL explanation →

Which of the following is true regarding the placement of an IPv4 ACL to filter traffic between two internal subnets?

Question 49hardmultiple choice
Study the full ACL explanation →

What is the default behavior for an IPv4 ACL applied to an outbound interface when the packet is generated by the router itself (e.g., ping from the router)?

Question 50hardmultiple choice
Study the full ACL explanation →

When using the 'access-group' command to apply an ACL to an interface, what is the default direction if none is specified?

Question 51mediumdrag order
Study the full ACL explanation →

Drag and drop the steps to apply and verify an extended IPv4 ACL on a router interface into the correct order, from first to last.

Question 52harddrag order
Study the full ACL explanation →

Drag and drop the steps to troubleshoot IPv4 ACL adjacency or connectivity failures into the correct order, from first to last.

Question 53mediumdrag order
Study the full ACL explanation →

Drag and drop the steps to verify and validate the operational state of IPv4 ACLs into the correct order, from first to last.

Question 54hardmulti select
Study the full ACL explanation →

Which TWO statements about the behavior of IPv4 ACLs with the 'established' keyword are true? (Choose TWO.)

Question 55hardmulti select
Study the full ACL explanation →

Which TWO statements about the 'ip access-group' command and its interaction with ACLs are correct? (Choose TWO.)

Question 56hardmulti select
Study the full ACL explanation →

Which TWO statements about the 'ip access-list resequence' command are true? (Choose TWO.)

Question 57hardmulti select
Study the full ACL explanation →

Which TWO statements about the 'log' keyword in IPv4 ACL entries are correct? (Choose TWO.)

Question 58hardmulti select
Study the full ACL explanation →

Which TWO statements about the 'time-range' feature in IPv4 ACLs are correct? (Choose TWO.)

Question 59hardmultiple choice
Review the full OSPF breakdown →

An engineer configures an IPv4 ACL with a deny statement for OSPF protocol (IP protocol 89) on a router's serial interface inbound. OSPF neighbors are established, but routes are not exchanged and the neighbor state remains in EXSTART. What is the most likely explanation?

Question 60hardmultiple choice
Study the full EIGRP explanation →

An engineer configures an EIGRP named mode with an offset-list applied to the delay metric on a serial interface. The offset-list increases the delay by 1000 microseconds. However, the feasible distance (FD) updates correctly, but the advertised distance (AD) does not change. What is the most likely explanation?

Question 61hardmultiple choice
Open the full BGP breakdown →

A network engineer configures an inbound IPv4 ACL on a router's interface to filter BGP updates from an eBGP neighbor. The ACL permits only specific prefixes. After applying the ACL, the BGP session remains established, but the router does not install any routes from that neighbor. What is the most likely explanation?

Question 62hardmultiple choice
Review the full OSPF breakdown →

An engineer configures mutual redistribution between OSPF and EIGRP on a router. Both protocols have routes for the same prefix. The engineer also applies an inbound ACL on the OSPF interface to deny certain routes from being learned via OSPF. After the ACL is applied, the router still has the prefix in the routing table, but it is learned via EIGRP instead of OSPF. What is the most likely explanation?

Question 63hardmultiple choice
Study the full ACL explanation →

On a DMVPN Phase 2 hub-and-spoke network, an engineer applies an inbound IPv4 ACL on the tunnel interface of a spoke router to permit only traffic from specific spoke IPs. After the ACL is applied, the spoke cannot establish a direct spoke-to-spoke tunnel with another spoke, even though NHRP resolution succeeds. What is the most likely explanation?

Question 64hardmultiple choice
Study the full ACL explanation →

An engineer configures an IPsec VPN between two routers using a transform-set with ESP encryption (AES 256) and ESP authentication (SHA-256). The engineer also applies an IPv4 ACL to define interesting traffic that matches all IP traffic. After configuration, the VPN tunnel comes up, but only ICMP traffic is encrypted; other traffic like HTTP is sent in clear text. What is the most likely explanation?

Question 65hardmultiple choice
Review the full OSPF breakdown →

A network engineer configures Control Plane Policing (CoPP) on a router with a policy-map that applies a rate-limit of 10000 pps to the class-default class. After applying the policy, the router's CPU utilization spikes and OSPF neighbors go down. What is the most likely explanation?

Question 66hardmultiple choice
Study the full ACL explanation →

An engineer configures unicast Reverse Path Forwarding (uRPF) in strict mode on an interface connected to a customer network. The customer has a default route pointing to the router. After enabling uRPF, the router drops traffic from the customer that has a source IP address that is not in the routing table as a directly connected or static route. What is the most likely explanation?

Question 67hardmultiple choice
Study the full ACL explanation →

An engineer configures an IPv4 ACL on a router's interface to permit only HTTP traffic (TCP port 80) from a specific subnet. The ACL is applied inbound. After applying, the router's web interface (HTTPS) becomes unreachable from the same subnet. What is the most likely explanation?

Practice tests

Scored 10-question sessions with instant feedback and explanations.

300-410 Practice Test 1 — 10 Questions→300-410 Practice Test 2 — 10 Questions→300-410 Practice Test 3 — 10 Questions→300-410 Practice Test 4 — 10 Questions→300-410 Practice Test 5 — 10 Questions→300-410 Practice Exam 1 — 20 Questions→300-410 Practice Exam 2 — 20 Questions→300-410 Practice Exam 3 — 20 Questions→300-410 Practice Exam 4 — 20 Questions→Free 300-410 Practice Test 1 — 30 Questions→Free 300-410 Practice Test 2 — 30 Questions→Free 300-410 Practice Test 3 — 30 Questions→300-410 Practice Questions 1 — 50 Questions→300-410 Practice Questions 2 — 50 Questions→300-410 Exam Simulation 1 — 100 Questions→

Practice by domain

Each domain maps to a weighted exam section. Focus on the domain where you are weakest.

Layer 3 TechnologiesEIGRP TroubleshootingOSPF Troubleshooting (v2/v3)BGP TroubleshootingRoute RedistributionPolicy-Based Routing (PBR)VRF-LiteRoute Maps and Route FilteringAdministrative DistanceRoute SummarizationBidirectional Forwarding Detection (BFD)VPN TechnologiesMPLS OperationsMPLS L3VPNDMVPNIPsec Site-to-Site VPNIPv6 Tunneling TechniquesInfrastructure SecurityDevice Access ControlIPv4 Access Control ListsIPv6 Traffic Filtering and uRPFControl Plane Policing (CoPP)IPv6 First Hop SecurityInfrastructure ServicesDevice ManagementSNMP TroubleshootingNetwork Logging and SyslogEmbedded Event Manager (EEM)IP SLANetFlow and Flexible NetFlowSPAN, RSPAN, and ERSPANDHCP (IPv4 and IPv6)NAT and PAT

Practice by scenario

Filter questions by type — troubleshooting, exhibit, drag-and-drop, PBQ, ACLs, OSPF, and more.

Browse scenarios→

Continue studying

All IPv4 Access Control Lists setsAll IPv4 Access Control Lists questions300-410 Practice Hub