20+ practice questions focused on IPv4 Access Control Lists — one of the most tested topics on the Cisco CCNP ENARSI 300-410 exam. Each question includes a detailed explanation so you learn why the right answer is correct.
A network engineer runs the following command on Router R1:

    R1# show access-lists
    Extended IP access list 101
        10 permit tcp 192.168.1.0 0.0.0.255 any eq 80 (10 matches)
        20 deny tcp any host 10.1.1.1 eq 22 (5 matches)
        30 permit icmp any any (2 matches)
        40 deny ip any any (1 match)

Based on this output, which statement is correct?
Explanation: Option A is correct because the ACL shows 10 matches for line 10, which permits TCP traffic from the 192.168.1.0/24 network to any destination on port 80 (HTTP). The match counter accurately reflects the number of packets that have matched this specific entry, confirming that permitted traffic is being counted correctly.
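The top-down, first-match evaluation behind these per-entry counters can be reproduced offline. This is an added example, not part of the original question set and not Cisco's implementation; the test packets are constructed, and the parser assumes only a numeric destination `eq PORT` qualifier.

```python
import ipaddress

# ACL 101 from the question above, without the counters (constructed input).
ACL_101 = """\
10 permit tcp 192.168.1.0 0.0.0.255 any eq 80
20 deny tcp any host 10.1.1.1 eq 22
30 permit icmp any any
40 deny ip any any
"""

def _addr(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (base, wildcard) as ints."""
    first = tokens.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(tokens.pop(0)))

def parse_acl(text):
    entries = []
    for line in filter(None, map(str.split, text.splitlines())):
        rest = line[3:]
        src, dst = _addr(rest), _addr(rest)
        # Assumption: only a numeric destination 'eq PORT' is supported.
        port = int(rest[1]) if rest[:1] == ["eq"] else None
        entries.append({"seq": int(line[0]), "action": line[1], "proto": line[2],
                        "src": src, "dst": dst, "port": port, "hits": 0})
    return entries

def _covers(spec, ip):
    base, wild = spec
    # Wildcard bits set to 1 are ignored; all other bits must equal the base.
    return (int(ipaddress.IPv4Address(ip)) | wild) == (base | wild)

def evaluate(entries, proto, src, dst, dport=None):
    """Return (seq, action) of the first matching entry and bump its counter."""
    for e in entries:
        if e["proto"] not in ("ip", proto):
            continue
        if not (_covers(e["src"], src) and _covers(e["dst"], dst)):
            continue
        if e["port"] is not None and e["port"] != dport:
            continue
        e["hits"] += 1
        return e["seq"], e["action"]
    return None, "deny"  # implicit deny that ends every ACL
```

An SSH packet from 192.168.1.25 to 10.1.1.1 skips entry 10 because the port differs, so it is counted on entry 20 and on no other entry.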
A network engineer runs the following command on Router R1:

    R1# show ip interface GigabitEthernet0/1
    GigabitEthernet0/1 is up, line protocol is up
      Internet address is 10.1.1.1/24
      Broadcast address is 255.255.255.255
      Address determined by non-volatile memory
      MTU is 1500 bytes
      Helper address is not set
      Directed broadcast forwarding is disabled
      Outgoing access list is 101
      Inbound access list is not set

Based on this output, which statement is correct?
Explanation: The command output shows 'Outgoing access list is 101', which indicates that ACL 101 is applied to filter traffic leaving the GigabitEthernet0/1 interface. The line 'Inbound access list is not set' shows that no ACL is applied to incoming traffic. Therefore, ACL 101 filters only traffic leaving the interface.
A network engineer runs the following command on Router R1:

    R1# show ip access-lists
    Extended IP access list 120
        10 permit tcp 10.0.0.0 0.255.255.255 any eq www (1000 matches)
        20 permit udp any any eq dns (500 matches)
        30 deny ip any any (200 matches)

Based on this output, what is the problem?
Explanation: Option B is correct because the ACL explicitly permits only TCP port 80 (www) and UDP port 53 (dns) traffic, while the final deny ip any any statement blocks all other traffic. With only 1000 matches for web and 500 for DNS, the ACL is likely too restrictive for a production network, as it would drop essential traffic such as routing protocols, management traffic (e.g., SSH, SNMP), or other application flows. The output shows the ACL is present and has hit counts, but its restrictive nature is the problem.
A network engineer runs the following command on Router R1:

    R1# show ip access-lists
    Extended IP access list 130
        10 deny ip 192.168.1.0 0.0.0.255 any (0 matches)
        20 permit ip any any (1000 matches)

Based on this output, which statement is correct?
Explanation: Option B is correct because the ACL processes packets sequentially: line 10 denies traffic from 192.168.1.0/24 but has 0 matches, meaning no packets from that source have been evaluated. Line 20 permits all other traffic and has 1000 matches, so traffic from 192.168.1.0/24 is implicitly permitted by the permit any any statement since it is never denied.
A network engineer runs the following command on Router R1:

    R1# show ip access-lists
    Extended IP access list 140
        10 deny tcp any host 10.1.1.1 eq 23 (15 matches)
        20 permit tcp any host 10.1.1.1 eq 22 (20 matches)
        30 permit ip any any (5 matches)

Based on this output, what is the problem?
Explanation: Option B is correct because the ACL explicitly denies TCP traffic to host 10.1.1.1 on port 23 (Telnet) with line 10, and the match count of 15 confirms that Telnet attempts are being blocked. While this may be intentional to enforce secure management via SSH (permitted on port 22), the question asks for the problem, and the output shows Telnet is being denied. The ACL does not block SSH (line 20 permits it), so the issue is specifically that Telnet access is denied.
1. Baseline your knowledge
Start with 10 questions to gauge your current understanding of IPv4 Access Control Lists. This tells you whether you need a concept refresher or just practice.
2. Review every explanation
For each question — right or wrong — read the full explanation. Understanding why an answer is correct is more valuable than knowing the answer itself.
3. Focus on exam traps
IPv4 Access Control Lists questions on the 300-410 frequently use trap wording. Look for subtle differences in answers that test your precision, not just general knowledge.
4. Reach 80% consistently
Do repeated sessions until you score 80%+ three times in a row. Then move to mixed-mode practice to test cross-topic recall under realistic conditions.
The exact number varies per candidate. IPv4 Access Control Lists is tested as part of the Cisco CCNP ENARSI 300-410 blueprint. Practicing with targeted IPv4 Access Control Lists questions ensures you can handle any format or difficulty that appears.
Yes. Courseiva provides free 300-410 practice questions across all exam topics and domains. The platform includes topic-based practice, mock exams, missed-question review, bookmarked questions, and readiness tracking — no account required.
Difficulty is subjective, but IPv4 Access Control Lists is a high-priority exam concept tested in multiple ways — direct recall, scenario analysis, and command-output interpretation. Consistent practice is the best way to build confidence.