ACL questions test your ability to read, write, and place access lists correctly. They appear as configuration tasks, troubleshooting scenarios, and exhibit-based questions showing ACL output. The CCNA covers standard and extended ACLs for both IPv4 and IPv6.
Drag and drop the steps to configure an extended access control list (ACL) on a Cisco router in the correct order.
Explanation: Extended ACLs filter based on source/destination IP, protocol, and port; must be applied to an interface.
Which TWO features are part of Cisco TrustSec for providing role-based access control?
Explanation: Security Group Access Control Lists (SGACLs) are a core component of Cisco TrustSec, enforcing role-based access control by applying policies based on Security Group Tags (SGTs). SGACLs replace traditional IP-based ACLs, allowing dynamic, identity-aware traffic filtering that scales across the network.
Based on the exhibit, which traffic will be permitted outbound on GigabitEthernet0/0?
Explanation: The exhibit shows an access control list (ACL) applied outbound on GigabitEthernet0/0. The ACL permits TCP traffic from source 192.168.1.0/24 to any destination with a destination port of 80 (HTTP) or 443 (HTTPS). Therefore, only HTTP and HTTPS traffic from the 192.168.1.0/24 network is permitted outbound.
router bgp 65000
 bgp router-id 10.0.0.1
 neighbor 10.0.0.2 remote-as 65001
 neighbor 10.0.0.2 route-map SET_ORIGIN in
!
route-map SET_ORIGIN permit 10
 set origin incomplete
!

What is the effect of this configuration?
Explanation: The route-map SET_ORIGIN is applied as an inbound filter to neighbor 10.0.0.2. When a route is received, the 'set origin incomplete' command changes the origin attribute to incomplete (value 2). In BGP path selection, origin incomplete is the least preferred origin type, making these routes less preferred than routes with IGP (value 0) or EGP (value 1) origin.
A company has deployed a Cisco ASA firewall in transparent mode. The internal network uses VLAN 10 and the external network uses VLAN 20. The ASA is configured with two bridge groups: BVI 10 for inside and BVI 20 for outside. The security policy must allow HTTPS traffic from inside to outside. Which access-list entry is correct?
Explanation: In transparent mode, the ASA acts as a Layer 2 bridge, so traffic must be permitted by a global access list applied to the bridge group virtual interface (BVI). Option D correctly uses the GLOBAL access list to permit TCP traffic from the inside subnet (192.168.1.0/24) to any destination on port 443 (HTTPS), which satisfies the security policy.
ACL scenario questions appear throughout the 350-401 and require you to apply your knowledge, not just recall facts.
Cisco doesn't publish an exact breakdown, but scenario-based questions (especially exhibit and command-output formats) make up a significant portion of the 350-401. Practicing each scenario type ensures you're ready for any format.
Yes. Courseiva provides free 350-401 scenario practice across all official exam domains. The platform includes scenario-based questions, command-output interpretation, topic-based practice, mock exams, and readiness tracking — no account required.