Courseiva
Knowledge + Practice
CertificationsVendorsCareer RoadmapsLabs & ToolsStudy GuidesGlossaryPractice Questions
C
Courseiva

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.

Certification Practice Questions

CCNA practice questionsSecurity+ SY0-701 practice questionsAWS SAA-C03 practice questionsAZ-104 practice questionsAZ-900 practice questionsCLF-C02 practice questionsA+ Core 1 practice questionsGoogle Cloud ACE practice questionsCySA+ CS0-003 practice questionsNetwork+ N10-009 practice questions
View all certifications →

Product

CertificationsCertification PathsExam TopicsPractice TestsExam Dumps vs Practice TestsStudy HubComparisons

Company

AboutContactEditorial PolicyQuestion Writing PolicyTrust Center

Legal

Privacy PolicyTerms of Service

Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

HomeCertifications350-401DomainsACLs and CoPP
350-401Free — No Signup

ACLs and CoPP

Practice 350-401 ACLs and CoPP questions with full explanations on every answer.

58questions

Start practicing

ACLs and CoPP — choose a session length

10 questions~10 min20 questions~20 min30 questions~30 min50 questions~50 min

Free · No account required

350-401 Domains

ArchitectureEnterprise Network DesignSD-Access ArchitectureSD-WAN ArchitectureQoS ArchitectureVirtualizationNetwork Function VirtualizationVirtual Machines and HypervisorsVRF and Path IsolationInfrastructureOSPFBGPEIGRPVLANs and TrunkingSpanning Tree ProtocolEtherChannelWireless InfrastructureMPLSWAN TechnologiesNAT and DHCPIP MulticastQoSNetwork AssuranceSNMP and SyslogNetFlow and TelemetrySPAN and RSPANIP SLASecurityAAA, RADIUS, and TACACS+ACLs and CoPP802.1X and TrustSecVPN TechnologiesInfrastructure SecurityAutomationPython for Network AutomationAnsible AutomationREST APIs and Data ModelsCisco DNA CenterModel-Driven Telemetry

Practice ACLs and CoPP questions

10Q20Q30Q50Q

All 350-401 ACLs and CoPP questions (58)

Start session

Click any question to see the full explanation and answer options, or start a focused practice session above.

1

A network engineer is troubleshooting an issue where SSH access to a Cisco router from a specific management subnet (10.10.10.0/24) is intermittently failing. The router has a CoPP policy applied to the control plane. The engineer checks the CoPP statistics and sees that packets from the management subnet are being dropped by the control-plane service-policy. Which configuration change should the engineer make to allow SSH from the management subnet while still protecting the control plane?

2

An enterprise network uses a Cisco Catalyst 9300 switch as a distribution layer device. The network team notices that ICMP echo requests from a monitoring server (192.168.1.100) to the switch's management IP are being dropped intermittently. The switch has a CoPP policy that includes a class-map matching ICMP traffic. The engineer checks the CoPP statistics and sees that ICMP packets from the monitoring server are being dropped by the policy. What is the most likely cause of this issue?

3

A network engineer is configuring CoPP on a Cisco ASR 1000 router to protect the control plane from excessive traffic. The engineer wants to allow BGP traffic from a specific peer (10.0.0.1) while rate-limiting all other BGP traffic. The engineer creates an ACL that permits TCP port 179 from host 10.0.0.1 and denies all other BGP traffic. The CoPP class-map matches this ACL. However, after applying the policy, BGP sessions from other peers are still being established. What is the most likely reason?

4

A network engineer is troubleshooting a connectivity issue between two VLANs on a Cisco Catalyst 3850 switch. The switch has an ACL applied to VLAN 10 that permits traffic from VLAN 20 to VLAN 10, but denies all other traffic. Hosts in VLAN 20 can ping hosts in VLAN 10, but not vice versa. The engineer checks the ACL and finds that it is applied inbound on VLAN 10. What is the most likely cause of the issue?

5

A network engineer is configuring CoPP on a Cisco Nexus 9000 switch to protect the control plane from a potential DoS attack. The engineer creates a class-map that matches traffic with a specific DSCP value (AF41) and applies a police rate of 10 Mbps. After applying the policy, the engineer notices that legitimate traffic with DSCP AF41 is being dropped even though the traffic rate is only 5 Mbps. What is the most likely cause?

6

A network engineer is troubleshooting an issue where a Cisco router is not responding to SNMP polls from a network management station (NMS) at 192.168.1.50. The router has a CoPP policy that includes a class-map matching SNMP traffic (UDP port 161). The engineer checks the CoPP statistics and sees that SNMP packets from the NMS are being dropped. The engineer wants to allow SNMP from the NMS while still protecting the control plane. Which configuration change should the engineer make?

7

A network engineer is configuring ACLs on a Cisco router to filter traffic between two subnets. The engineer wants to allow HTTP traffic from subnet 10.1.1.0/24 to subnet 10.2.2.0/24, but deny all other traffic. The engineer applies an ACL inbound on the interface connected to subnet 10.1.1.0/24. The ACL has a permit statement for TCP port 80 from 10.1.1.0/24 to 10.2.2.0/24, followed by a deny ip any any. However, hosts in subnet 10.1.1.0/24 can still ping hosts in subnet 10.2.2.0/24. What is the most likely reason?

8

A network engineer is configuring CoPP on a Cisco router to protect the control plane from excessive traffic. The engineer creates a class-map that matches traffic with a specific ACL that permits TCP port 22 (SSH) from a management subnet (192.168.1.0/24) and denies all other traffic. The CoPP policy applies a police rate of 1 Mbps to this class. After applying the policy, the engineer notices that SSH sessions from the management subnet are being dropped intermittently. The engineer checks the CoPP statistics and sees that the traffic rate is 500 kbps. What is the most likely cause?

9

A network engineer is troubleshooting an issue where a Cisco router is not forwarding traffic between two VLANs. The router has an ACL applied to the subinterface for VLAN 100 that permits traffic from VLAN 200 to VLAN 100, but denies all other traffic. Hosts in VLAN 200 can ping hosts in VLAN 100, but hosts in VLAN 100 cannot ping hosts in VLAN 200. The engineer checks the ACL and finds that it is applied inbound on the subinterface for VLAN 100. What is the most likely cause of the issue?

10

A network engineer runs the following command on Router R1: R1# show access-lists Extended IP access list 101 10 permit tcp host 10.1.1.1 host 192.168.1.100 eq 80 (4 matches) 20 deny tcp any host 192.168.1.100 eq 80 (12 matches) 30 permit ip any any (8 matches) Based on this output, what can be concluded?

11

A network engineer runs the following command on Router R1: R1# show policy-map control-plane Control Plane Service-policy input: CoPP-POLICY Class-map: ICMP-CLASS (match-all) 10 packets, 1000 bytes 5 minute offered rate 0 bps Match: access-group name ICMP-ACL police: cir 8000 bps, bc 1500 bytes, be 1500 bytes conformed 10 packets, 1000 bytes; actions: transmit exceeded 0 packets, 0 bytes; actions: drop violated 0 packets, 0 bytes; actions: drop Class-map: SSH-CLASS (match-all) 5 packets, 500 bytes 5 minute offered rate 0 bps Match: access-group name SSH-ACL police: cir 16000 bps, bc 3000 bytes, be 3000 bytes conformed 5 packets, 500 bytes; actions: transmit exceeded 0 packets, 0 bytes; actions: drop violated 0 packets, 0 bytes; actions: drop Class-map: class-default (match-any) 20 packets, 2000 bytes 5 minute offered rate 0 bps Match: any police: cir 64000 bps, bc 8000 bytes, be 8000 bytes conformed 20 packets, 2000 bytes; actions: transmit exceeded 0 packets, 0 bytes; actions: drop violated 0 packets, 0 bytes; actions: drop Based on this output, what can be concluded?

12

A network engineer runs the following command on Router R1: R1# show ip interface GigabitEthernet0/0 | include access list Inbound access list is 101 Outbound access list is not set R1# show access-lists 101 Extended IP access list 101 10 permit tcp 192.168.1.0 0.0.0.255 any eq 80 (100 matches) 20 deny tcp any any eq 80 (50 matches) 30 permit ip any any (200 matches) Based on this output, what can be concluded?

13

A network engineer runs the following command on Router R1: R1# show ip access-lists Extended IP access list 120 10 permit tcp 10.0.0.0 0.255.255.255 any eq 22 (5 matches) 20 permit tcp 172.16.0.0 0.0.255.255 any eq 22 (3 matches) 30 deny tcp any any eq 22 (2 matches) 40 permit ip any any (10 matches) Based on this output, what can be concluded?

14

A network engineer runs the following command on Router R1: R1# show access-lists 130 Extended IP access list 130 10 permit icmp host 10.1.1.1 any echo (8 matches) 20 permit icmp host 10.1.1.1 any echo-reply (5 matches) 30 deny icmp any any (3 matches) 40 permit ip any any (12 matches) Based on this output, what can be concluded?

15

A network engineer runs the following command on Router R1: R1# show policy-map control-plane Control Plane Service-policy input: CoPP-POLICY Class-map: MGMT-CLASS (match-all) 100 packets, 5000 bytes 5 minute offered rate 1000 bps Match: access-group name MGMT-ACL police: cir 32000 bps, bc 4000 bytes, be 4000 bytes conformed 80 packets, 4000 bytes; actions: transmit exceeded 15 packets, 750 bytes; actions: drop violated 5 packets, 250 bytes; actions: drop Class-map: class-default (match-any) 200 packets, 10000 bytes 5 minute offered rate 2000 bps Match: any police: cir 64000 bps, bc 8000 bytes, be 8000 bytes conformed 200 packets, 10000 bytes; actions: transmit exceeded 0 packets, 0 bytes; actions: drop violated 0 packets, 0 bytes; actions: drop Based on this output, what can be concluded?

16

A network engineer runs the following command on Router R1: R1# show ip interface GigabitEthernet0/1 | include access list Inbound access list is not set Outbound access list is 140 R1# show access-lists 140 Extended IP access list 140 10 permit tcp 192.168.1.0 0.0.0.255 any eq 443 (25 matches) 20 deny tcp any any eq 443 (10 matches) 30 permit ip any any (50 matches) Based on this output, what can be concluded?

17

A network engineer runs the following command on Router R1: R1# show ip access-lists Extended IP access list 150 10 permit tcp 10.0.0.0 0.255.255.255 any eq 23 (2 matches) 20 deny tcp any any eq 23 (8 matches) 30 permit tcp 172.16.0.0 0.0.255.255 any eq 22 (4 matches) 40 deny tcp any any eq 22 (1 match) 50 permit ip any any (15 matches) Based on this output, what can be concluded?

18

A network engineer runs the following command on Router R1: R1# show policy-map control-plane Control Plane Service-policy input: CoPP-POLICY Class-map: BGP-CLASS (match-all) 50 packets, 2500 bytes 5 minute offered rate 500 bps Match: access-group name BGP-ACL police: cir 64000 bps, bc 8000 bytes, be 8000 bytes conformed 50 packets, 2500 bytes; actions: transmit exceeded 0 packets, 0 bytes; actions: drop violated 0 packets, 0 bytes; actions: drop Class-map: SNMP-CLASS (match-all) 200 packets, 10000 bytes 5 minute offered rate 2000 bps Match: access-group name SNMP-ACL police: cir 16000 bps, bc 2000 bytes, be 2000 bytes conformed 150 packets, 7500 bytes; actions: transmit exceeded 40 packets, 2000 bytes; actions: drop violated 10 packets, 500 bytes; actions: drop Class-map: class-default (match-any) 100 packets, 5000 bytes 5 minute offered rate 1000 bps Match: any police: cir 32000 bps, bc 4000 bytes, be 4000 bytes conformed 100 packets, 5000 bytes; actions: transmit exceeded 0 packets, 0 bytes; actions: drop violated 0 packets, 0 bytes; actions: drop Based on this output, what can be concluded?

19

Examine the following configuration snippet: interface GigabitEthernet0/1 ip access-group FILTER_IN in ! ip access-list extended FILTER_IN deny icmp any any echo permit ip any any What is the effect of this configuration?

20

Consider the following configuration: ip access-list extended BLOCK_TELNET deny tcp any any eq 23 permit ip any any ! interface GigabitEthernet0/2 ip access-group BLOCK_TELNET out Which statement is true?

21

Given the following CoPP configuration: class-map match-all COPP_ICMP match access-group name ICMP_ACL ! policy-map COPP_POLICY class COPP_ICMP police 8000 conform-action transmit exceed-action drop ! control-plane service-policy input COPP_POLICY What is the effect?

22

Review the ACL configuration: ip access-list extended TEST permit tcp 192.168.1.0 0.0.0.255 any eq 80 permit tcp 192.168.1.0 0.0.0.255 any eq 443 deny ip any any ! interface GigabitEthernet0/3 ip access-group TEST in What is missing or incorrect?

23

Examine the CoPP configuration: class-map match-any COPP_SSH match access-group name SSH_ACL ! policy-map COPP_POLICY class COPP_SSH police 10000 conform-action transmit exceed-action drop class class-default police 5000 conform-action transmit exceed-action drop ! control-plane service-policy input COPP_POLICY Which statement is true?

24

Given the following configuration: ip access-list extended FILTER permit tcp any host 10.1.1.1 eq 22 permit icmp any any echo-reply ! interface GigabitEthernet0/4 ip access-group FILTER in What traffic is permitted?

25

What is the default OSPF hello interval on a broadcast multi-access network (e.g., Ethernet)?

26

Which BGP attribute is preferred when it has the lowest value?

27

What is the maximum hop count for EIGRP?

28

Drag and drop the steps of CoPP policy evaluation order into the correct order, from first to last.

29

Drag and drop the steps of deploying a CoPP policy on a Cisco IOS-XE router into the correct order, from first to last.

30

Drag and drop the steps of configuring a standard ACL for traffic filtering on a Cisco IOS router into the correct order, from first to last.

31

Drag and drop the steps of IPv6 ACL configuration and application into the correct order, from first to last.

32

Drag and drop the steps of ACL reflexive access list (dynamic inspection) flow into the correct order, from first to last.

33

Drag and drop the steps of named ACL modification using sequence numbers into the correct order, from first to last.

34

Drag and drop the steps of uRPF (Unicast Reverse Path Forwarding) verification into the correct order, from first to last.

35

Drag and drop the steps of CoPP class-map match criteria and rate-limit application into the correct order, from first to last.

36

Drag and drop the steps of IPv6 ACL configuration and application into the correct order, from first to last.

37

Drag and drop the steps of ACL reflexive access list (dynamic inspection) flow into the correct order, from first to last.

38

Drag and drop the steps of named ACL modification using sequence numbers into the correct order, from first to last.

39

Drag and drop the steps of uRPF (Unicast Reverse Path Forwarding) verification into the correct order, from first to last.

40

Drag and drop the steps of CoPP class-map match criteria and rate-limit application into the correct order, from first to last.

41

Drag and drop each ACL type on the left to its matching capability on the right.

42

Drag and drop each protocol number on the left to its matching protocol on the right.

43

Drag and drop each CoPP class on the left to its matching traffic type on the right.

44

Drag and drop each ACL action on the left to its matching result on the right.

45

Drag and drop each IPv6 ACL feature on the left to its matching IPv4 equivalent on the right.

46

Drag and drop each ACL type on the left to its matching capability on the right.

47

Drag and drop each protocol number on the left to its matching protocol on the right.

48

Drag and drop each CoPP class on the left to its matching traffic type on the right.

49

Drag and drop each ACL action on the left to its matching result on the right.

50

Drag and drop each IPv6 ACL feature on the left to its matching IPv4 ACL equivalent on the right.

51

Which two statements about Control Plane Policing (CoPP) are true? (Choose two.)

52

Which three statements about extended ACLs on Cisco IOS are true? (Choose three.)

53

Which two statements about the 'ip access-group' command are true? (Choose two.)

54

Which three statements about CoPP configuration and operation are true? (Choose three.)

55

Which two statements about Control Plane Policing (CoPP) are true? (Choose two.)

56

Which three statements about IPv4 ACLs on Cisco IOS are true? (Choose three.)

57

Which two statements about the interaction between ACLs and CoPP are true? (Choose two.)

58

Which three statements about named ACLs and their configuration are true? (Choose three.)

Practice all 58 ACLs and CoPP questions

Other 350-401 exam domains

ArchitectureEnterprise Network DesignSD-Access ArchitectureSD-WAN ArchitectureQoS ArchitectureVirtualizationNetwork Function VirtualizationVirtual Machines and HypervisorsVRF and Path IsolationInfrastructureOSPFBGPEIGRPVLANs and TrunkingSpanning Tree ProtocolEtherChannelWireless InfrastructureMPLSWAN TechnologiesNAT and DHCPIP MulticastQoSNetwork AssuranceSNMP and SyslogNetFlow and TelemetrySPAN and RSPANIP SLASecurityAAA, RADIUS, and TACACS+802.1X and TrustSecVPN TechnologiesInfrastructure SecurityAutomationPython for Network AutomationAnsible AutomationREST APIs and Data ModelsCisco DNA CenterModel-Driven Telemetry

Frequently asked questions

What does the ACLs and CoPP domain cover on the 350-401 exam?

The ACLs and CoPP domain covers the key concepts tested in this area of the 350-401 exam blueprint published by Cisco. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all 350-401 domains — no account required.

How many ACLs and CoPP questions are in the 350-401 question bank?

The Courseiva 350-401 question bank contains 58 questions in the ACLs and CoPP domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice ACLs and CoPP for 350-401?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only ACLs and CoPP questions for 350-401?

Yes — the session launcher on this page draws questions exclusively from the ACLs and CoPP domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.

Free forever · No credit card required

Track your 350-401 domain progress

Save your results, see per-domain analytics, and get readiness scores — free, for every certification.

Sign Up Free

Free forever · Every certification included

Practice Session

10 questions20 questions30 questions50 questions

Study Resources

All DomainsPractice TestMock ExamFlashcardsStudy Guide