© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

350-401 Access Control List (ACL) Scenarios

ACL questions test your ability to read, write, and place access lists correctly. They appear as configuration tasks, troubleshooting scenarios, and exhibit-based questions showing ACL output. The CCNA covers standard and extended ACLs for both IPv4 and IPv6.

Common Traps on Access Control List (ACL) Scenarios

  • Placing an extended ACL near the destination: this wastes bandwidth routing traffic that will be dropped.
  • Forgetting the implicit deny all: if you only permit specific traffic, everything else is silently dropped.
  • Writing the wildcard mask incorrectly: for /24 the wildcard is 0.0.0.255, NOT 255.255.255.0.
  • Applying the ACL in the wrong direction: 'in' blocks traffic AS IT ENTERS the interface from the outside.
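
An added example (not part of the Courseiva question set) that models first-match ACL evaluation to show two of the traps above: the implicit deny and an inverted wildcard mask. The entry layout, function names and destination addresses are constructed for illustration; the 192.168.1.0/24 source and ports 80/443 mirror the sample questions below.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 0 bit must match, a 1 bit is ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF          # bits that are actually compared
    return (a & care) == (b & care)

def ace(action, proto, src, dst, dport=None):
    """Build one access control entry (constructed layout, not IOS syntax)."""
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}

def evaluate(acl, src, dst, proto, dport=None):
    """Return (action, index of matching entry); first match wins."""
    for i, e in enumerate(acl):
        if e["proto"] not in ("ip", proto):
            continue
        if not wildcard_match(src, *e["src"]):
            continue
        if not wildcard_match(dst, *e["dst"]):
            continue
        if e["dport"] is not None and e["dport"] != dport:
            continue
        return e["action"], i
    return "deny", None             # implicit deny: no entry matched

ANY = ("0.0.0.0", "255.255.255.255")

# permit tcp 192.168.1.0 0.0.0.255 any eq 80 / eq 443
WEB_ONLY = [
    ace("permit", "tcp", ("192.168.1.0", "0.0.0.255"), ANY, 80),
    ace("permit", "tcp", ("192.168.1.0", "0.0.0.255"), ANY, 443),
]

# Same intent, but a subnet mask was typed where the wildcard belongs.
WRONG_MASK = [
    ace("permit", "tcp", ("192.168.1.0", "255.255.255.0"), ANY, 443),
]

if __name__ == "__main__":
    dst = "203.0.113.5"  # constructed destination (documentation range)
    print(evaluate(WEB_ONLY, "192.168.1.10", dst, "tcp", 443))   # permitted by entry 1
    print(evaluate(WEB_ONLY, "192.168.1.10", dst, "tcp", 22))    # implicit deny
    print(evaluate(WRONG_MASK, "192.168.1.10", dst, "tcp", 443)) # intended host denied
    print(evaluate(WRONG_MASK, "10.9.8.0", dst, "tcp", 443))     # unrelated host permitted
```

With the inverted mask only the last octet is compared, so the entry misses every intended host except .0 and instead matches any source address ending in .0.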

Sample Questions

1. Drag and drop the steps to configure an extended access control list (ACL) on a Cisco router in the correct order.

Explanation: Extended ACLs filter based on source/destination IP, protocol, and port; must be applied to an interface.

2. Which TWO features are part of Cisco TrustSec for providing role-based access control?

A. Security Group Access Control Lists (SGACLs)
B. Change of Authorization (CoA)
C. 802.1X authentication
D. Security Group Tags (SGTs)

Explanation: Security Group Access Control Lists (SGACLs) are a core component of Cisco TrustSec, enforcing role-based access control by applying policies based on Security Group Tags (SGTs). SGACLs replace traditional IP-based ACLs, allowing dynamic, identity-aware traffic filtering that scales across the network.

3. Based on the exhibit, which traffic will be permitted outbound on GigabitEthernet0/0?

A. HTTP and HTTPS traffic from 192.168.1.0/24
B. ICMP traffic from any source
C. FTP traffic from 192.168.1.0/24
D. SSH traffic from 192.168.1.0/24

Explanation: The exhibit shows an access control list (ACL) applied outbound on GigabitEthernet0/0. The ACL permits TCP traffic from source 192.168.1.0/24 to any destination with a destination port of 80 (HTTP) or 443 (HTTPS). Therefore, only HTTP and HTTPS traffic from the 192.168.1.0/24 network is permitted outbound.

4. What is the effect of this configuration?

    router bgp 65000
     bgp router-id 10.0.0.1
     neighbor 10.0.0.2 remote-as 65001
     neighbor 10.0.0.2 route-map SET_ORIGIN in
    !
    route-map SET_ORIGIN permit 10
     set origin incomplete
    !

A. Routes received from 10.0.0.2 will have their origin set to incomplete, making them less preferred compared to IGP origin.
B. Routes sent to 10.0.0.2 will have their origin set to incomplete.
C. The router will not advertise any routes with origin incomplete to other peers.
D. The configuration is invalid because origin cannot be changed with a route-map.

Explanation: The route-map SET_ORIGIN is applied as an inbound filter to neighbor 10.0.0.2. When a route is received, the 'set origin incomplete' command changes the origin attribute to incomplete (value 2). In BGP path selection, origin incomplete is the least preferred origin type, making these routes less preferred than routes with IGP (value 0) or EGP (value 1) origin.

5. A company has deployed a Cisco ASA firewall in transparent mode. The internal network uses VLAN 10 and the external network uses VLAN 20. The ASA is configured with two bridge groups: BVI 10 for inside and BVI 20 for outside. The security policy must allow HTTPS traffic from inside to outside. Which access-list entry is correct?

A. access-list INSIDE extended permit tcp 192.168.1.0 255.255.255.0 any eq 443 access-group INSIDE in interface inside
B. access-list GLOBAL extended permit ip 192.168.1.0 255.255.255.0 any
C. access-list GLOBAL extended permit tcp any any eq 443
D. access-list GLOBAL extended permit tcp 192.168.1.0 255.255.255.0 any eq 443

Explanation: In transparent mode, the ASA acts as a Layer 2 bridge, so traffic must be permitted by a global access list applied to the bridge group virtual interface (BVI). Option D correctly uses the GLOBAL access list to permit TCP traffic from the inside subnet (192.168.1.0/24) to any destination on port 443 (HTTPS), which satisfies the security policy.


Frequently asked questions

How do "Access Control List (ACL) Scenarios" appear on the real 350-401?

ACL questions test your ability to read, write, and place access lists correctly. They appear as configuration tasks, troubleshooting scenarios, and exhibit-based questions showing ACL output. The CCNA covers standard and extended ACLs for both IPv4 and IPv6. These appear throughout the 350-401 and require you to apply your knowledge, not just recall facts.

How many scenario questions are on the 350-401 exam?

Cisco doesn't publish an exact breakdown, but scenario-based questions (especially exhibit and command-output formats) make up a significant portion of the 350-401. Practicing each scenario type ensures you're ready for any format.

Are these 350-401 scenario practice questions free?

Yes. Courseiva provides free 350-401 scenario practice across all official exam domains. The platform includes scenario-based questions, command-output interpretation, topic-based practice, mock exams, and readiness tracking — no account required.
