Question 1 (medium, multi select, objective-mapped)

A network team wants an ACL that permits HTTPS from 10.1.50.0/24 to a web server at 203.0.113.10 and denies all Telnet traffic from that subnet to any destination. Which two ACEs are required?

Answer choices

Why each option matters

Good practice is not just finding the correct option. The wrong answers often show the exact trap the exam wants you to fall into.

A

Best answer

permit tcp 10.1.50.0 0.0.0.255 host 203.0.113.10 eq 443

This permits HTTPS from that subnet to the specific web server.

B

Best answer

deny tcp 10.1.50.0 0.0.0.255 any eq 23

This blocks Telnet from that subnet to any destination.

C

Distractor review

permit udp 10.1.50.0 0.0.0.255 host 203.0.113.10 eq 443

HTTPS uses TCP, not UDP.

D

Distractor review

deny tcp any 10.1.50.0 0.0.0.255 eq 23

That blocks inbound Telnet toward the subnet, not outbound sessions from it.

E

Distractor review

permit ip any any

That is far too broad for the stated requirement: it permits every protocol from every source, Telnet included, instead of the two specific flows the scenario asks for.

Common exam trap: answer the scenario, not the keyword

A frequent exam trap is swapping the source and destination IP addresses or ports in ACL statements. For example, denying TCP traffic with the destination set to the subnet 10.1.50.0/24 instead of the source blocks inbound Telnet traffic to that subnet, not outbound Telnet traffic originating from it. Another trap is specifying UDP instead of TCP for HTTPS, so the permit ACE never matches because HTTPS runs over TCP port 443. Either mistake produces an ACL that blocks legitimate traffic or fails to block the unwanted traffic, and so does not meet the question's requirements.

Technical deep dive

How to think about this question

Access Control Lists (ACLs) are fundamental security tools in Cisco networking that filter traffic based on defined criteria such as source and destination IP addresses, protocols, and port numbers. In this scenario, the ACL must permit HTTPS traffic (TCP port 443) from the 10.1.50.0/24 subnet to a specific web server at 203.0.113.10, while simultaneously denying all Telnet traffic (TCP port 23) originating from that subnet to any destination.

ACLs process Access Control Entries (ACEs) sequentially, so the order and specificity of these ACEs directly affect traffic filtering behavior. The correct ACEs are a permit statement that explicitly allows TCP traffic from the 10.1.50.0/24 subnet to the host 203.0.113.10 on port 443, ensuring HTTPS sessions are allowed, and a deny statement that blocks any TCP traffic from the same subnet to any destination on port 23, preventing Telnet sessions. The wildcard mask 0.0.0.255 matches the entire /24 subnet. The ACL implicitly denies all traffic that is not explicitly permitted, so no further deny statements are needed for other protocols.

A common exam trap is confusing source and destination fields or misplacing port numbers in ACL statements. For example, denying TCP traffic with the destination set to the subnet instead of the source blocks inbound Telnet traffic rather than outbound, which does not meet the requirement. Likewise, using UDP instead of TCP for HTTPS is incorrect because HTTPS operates over TCP. Understanding the exact direction of traffic and the role of source/destination IPs and ports in ACLs is critical to avoid such mistakes and to implement precise security policies in Cisco environments.

Key Concepts to Remember

  • ACLs filter network traffic by matching source and destination IP addresses, protocols, and port numbers in sequential Access Control Entries (ACEs).
  • An ACE that permits TCP traffic to a specific host and port is matched before the implicit deny at the end of the list, so that flow is allowed.
  • Deny ACEs targeting a source subnet and destination port block unwanted traffic such as Telnet from that subnet to any destination.
  • The wildcard mask in ACLs specifies which bits of the IP address to match, with 0.0.0.255 matching all hosts in a /24 subnet.
  • ACLs implicitly deny all traffic not explicitly permitted, so careful ordering of permit and deny statements is essential.
  • Port numbers in ACLs must correspond to the correct transport protocol; HTTPS uses TCP port 443, not UDP.
  • Source and destination IP addresses in ACLs must be correctly identified to control traffic direction accurately.
  • Misplacing source and destination fields or using incorrect protocols or ports leads to ACLs that do not enforce the intended security policy.
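The sequential first-match evaluation, wildcard-mask matching and implicit deny described in the deep dive and the key concepts above can be checked mechanically. The following small evaluator is an added example written for this page, not Cisco code or any vendor tool: it parses the ACE strings from the answer choices (only the `permit`/`deny`, `ip`/`tcp`/`udp`, `any`/`host`/wildcard and `eq` forms used on this page) and runs constructed sample packets through them, showing why options A and B satisfy the requirement while C never matches HTTPS and D only matches Telnet arriving at the subnet.

```python
"""Toy evaluator for Cisco-style extended ACEs (added illustration, not vendor code)."""
import ipaddress

# The ACEs below are copied from the question's answer choices.
CORRECT_ACL = [
    "permit tcp 10.1.50.0 0.0.0.255 host 203.0.113.10 eq 443",  # option A
    "deny tcp 10.1.50.0 0.0.0.255 any eq 23",                   # option B
]
DISTRACTOR_UDP = "permit udp 10.1.50.0 0.0.0.255 host 203.0.113.10 eq 443"  # option C
DISTRACTOR_REVERSED = "deny tcp any 10.1.50.0 0.0.0.255 eq 23"              # option D

# Constructed sample packets: src/dst and ports are made up for this example.
PACKETS = {
    "https_to_web":     {"proto": "tcp", "src": "10.1.50.7",    "dst": "203.0.113.10", "sport": 51000, "dport": 443},
    "telnet_outbound":  {"proto": "tcp", "src": "10.1.50.7",    "dst": "198.51.100.5", "sport": 51001, "dport": 23},
    "telnet_inbound":   {"proto": "tcp", "src": "198.51.100.5", "dst": "10.1.50.7",    "sport": 40000, "dport": 23},
    "https_other_host": {"proto": "tcp", "src": "10.1.50.7",    "dst": "203.0.113.11", "sport": 51002, "dport": 443},
}


def _parse_addr(tokens, i):
    """Return ((ip_int, wildcard_int), next_index) for 'any', 'host X' or 'X W'."""
    tok = tokens[i]
    if tok == "any":
        return (0, 0xFFFFFFFF), i + 1                      # every bit is "don't care"
    if tok == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2  # exact match
    ip = int(ipaddress.IPv4Address(tok))
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))   # 1 bits are ignored
    return (ip, wildcard), i + 2


def _parse_port(tokens, i):
    """Consume an optional 'eq N'; other port operators are not modelled here."""
    if i < len(tokens) and tokens[i] == "eq":
        return int(tokens[i + 1]), i + 2
    return None, i


def parse_ace(text):
    """Parse one extended ACE into a dict of match fields."""
    tokens = text.split()
    action, proto = tokens[0], tokens[1]
    if action not in ("permit", "deny") or proto not in ("ip", "tcp", "udp"):
        raise ValueError(f"unsupported ACE: {text}")
    src, i = _parse_addr(tokens, 2)
    sport, i = _parse_port(tokens, i)   # source port operator, if present
    dst, i = _parse_addr(tokens, i)
    dport, i = _parse_port(tokens, i)   # destination port operator, if present
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "text": text}


def _addr_matches(spec, addr):
    """Wildcard comparison: bits set in the wildcard are ignored, the rest must be equal."""
    ip, wildcard = spec
    return (int(ipaddress.IPv4Address(addr)) | wildcard) == (ip | wildcard)


def ace_matches(ace, pkt):
    """True when every field the ACE specifies agrees with the packet."""
    if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
        return False
    if not _addr_matches(ace["src"], pkt["src"]) or not _addr_matches(ace["dst"], pkt["dst"]):
        return False
    if ace["sport"] is not None and pkt.get("sport") != ace["sport"]:
        return False
    if ace["dport"] is not None and pkt.get("dport") != ace["dport"]:
        return False
    return True


def evaluate(acl_lines, pkt):
    """First matching ACE wins; if nothing matches, the implicit deny applies (index None)."""
    for idx, line in enumerate(acl_lines):
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace["action"], idx
    return "deny", None


if __name__ == "__main__":
    for name, pkt in PACKETS.items():
        action, idx = evaluate(CORRECT_ACL, pkt)
        where = f"ACE {idx + 1}" if idx is not None else "implicit deny"
        print(f"{name:16s} -> {action:6s} ({where})")
    print("option D matches outbound Telnet?",
          ace_matches(parse_ace(DISTRACTOR_REVERSED), PACKETS["telnet_outbound"]))
    print("option D matches inbound Telnet? ",
          ace_matches(parse_ace(DISTRACTOR_REVERSED), PACKETS["telnet_inbound"]))
    print("option C matches real HTTPS?     ",
          ace_matches(parse_ace(DISTRACTOR_UDP), PACKETS["https_to_web"]))
```

The interface and direction on which the ACL is applied are outside the question, so the evaluator simply takes a packet and returns the verdict and the index of the ACE that produced it. Note that HTTPS to a host other than 203.0.113.10 falls through both ACEs to the implicit deny, which is what the deep dive means by "no further deny statements are needed".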

Exam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.


FAQ

Questions learners often ask

What does this 200-301 question test?

ACLs filter network traffic by matching source and destination IP addresses, protocols, and port numbers in sequential Access Control Entries (ACEs).

What is the correct answer to this question?

The correct answers are: permit tcp 10.1.50.0 0.0.0.255 host 203.0.113.10 eq 443 and deny tcp 10.1.50.0 0.0.0.255 any eq 23. To meet the requirement, one ACE must explicitly permit TCP destination port 443 to the web server, and another must deny TCP destination port 23 to any destination. CCNA multi-select questions often test whether you understand source, destination, and well-known port placement.

What should I do if I get this 200-301 question wrong?

Try more questions from the same exam bank and focus on understanding why the wrong options are tempting.
