Network Services and Security · hard · Multiple Choice · Objective-mapped

Quick Answer

The answer is that the ACL blocks HTTP but allows ping because ACLs are processed sequentially from top to bottom. Line 10 explicitly denies TCP traffic destined for port 80, which blocks all HTTP web browsing, while line 20 then permits all other IP traffic, including ICMP packets used by ping. This tests your understanding of ACL sequential processing and implicit deny—a core concept on the CCNA 200-301 v2 exam. A common trap is forgetting that even though line 20 permits “ip any any,” it only applies to traffic not already matched by earlier lines; ICMP is not TCP port 80, so it passes. To remember this, think of ACLs like a bouncer checking IDs in order: once a rule matches, the action is taken and no further rules are evaluated. A helpful memory tip: “First match wins—deny HTTP, then allow the rest, so ping gets through.”

CCNA Network Services and Security Practice Question

This 200-301 practice question tests your understanding of network services and security. The scenario asks you to isolate a root cause — eliminate options that address a different problem before choosing. A key principle to apply: an ACL processes packets sequentially from the top down and applies the first matching ACE to the traffic. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

A router interface applies this ACL inbound:

10 deny tcp any any eq 80

20 permit ip any any

A user reports that web browsing to a server by IP address fails, but ping works. Which statement best explains the behavior?

Clue words in this question

Noticing these words before you look at the options changes how you read each choice.

  • Clue: "best"

    Why it matters: Signals that multiple options may be partially correct. Choose the option that most directly solves the exact problem described, not the one that sounds most complete.

Correct answer & explanation

The ACL blocks HTTP but allows ICMP

ACLs are processed top down. Line 10 denies TCP destination port 80, which blocks HTTP. Line 20 then permits all remaining IP traffic, including ICMP echo packets used by ping.

Key principle: An ACL processes packets sequentially from the top down and applies the first matching ACE to the traffic.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • The ACL blocks all traffic because the first entry is a deny

    Why it's wrong here

    The explicit deny affects only traffic that matches line 10, not all traffic.

    When this WOULD be correct

    In a different scenario where an ACL has a single entry that denies all traffic, followed by a permit statement for a specific protocol, the first deny would indeed block all traffic, making this option correct. For example, if the ACL were structured as '10 deny ip any any' followed by '20 permit tcp any any', then the first entry would block all traffic.

  • The ACL blocks HTTP but allows ICMP

    Why this is correct

    Correct. HTTP matches the deny, while ping is permitted by the later broad permit.

    Clue confirmation

    The clue word "best" in the question points toward this answer.

    Related concept

    An ACL processes packets sequentially from the top down and applies the first matching ACE to the traffic.

  • The ACL permits HTTP because line 20 overrides line 10

    Why it's wrong here

    Later ACEs do not override earlier matches; first match wins.

    When this WOULD be correct

    In a different scenario where the ACL had the entries reversed (20 permit ip any any followed by 10 deny tcp any any eq 80), option C would be correct, as the permit rule would allow HTTP traffic before the deny rule is evaluated.

  • The ACL blocks ping because ICMP is not explicitly permitted

    Why it's wrong here

    ICMP is covered by the general permit ip any any statement on line 20.

    When this WOULD be correct

    In a different scenario where an ACL explicitly denies all ICMP traffic, such as '10 deny icmp any any', the statement would be correct if the question asked why ping fails while other traffic is allowed. Here, the ACL would block ping requests while allowing other protocols.

Option-by-option analysis

Why each answer is right or wrong

Understanding why wrong answers are wrong — and when they would be correct — is what separates a 750 score from a 900. The 200-301 exam frequently reuses these exact scenarios with slightly different constraints.

The ACL blocks HTTP but allows ICMP (correct answer)

Why this is correct

Correct. HTTP matches the deny, while ping is permitted by the later broad permit.

The ACL blocks all traffic because the first entry is a deny (wrong answer)

Why this is wrong here

The ACL does not block all traffic; it only denies TCP traffic destined for port 80 (HTTP). Other traffic, including ICMP, is permitted by the subsequent 'permit ip any any' statement.

Why candidates choose this

Students might think that the first deny entry blocks all traffic because they overlook the permit entry that follows, or they may misunderstand that ACLs process entries sequentially and stop at the first match.

The ACL permits HTTP because line 20 overrides line 10 (wrong answer)

Why this is wrong here

Line 20 does not override line 10 because ACLs use first-match logic. Once a packet matches line 10 (TCP port 80), it is denied and no further processing occurs. Line 20 only applies to packets that do not match earlier entries.

Why candidates choose this

Students may confuse ACL processing with other rules where later entries override earlier ones, or they may think that a permit statement always overrides a deny statement.

The ACL blocks ping because ICMP is not explicitly permitted (wrong answer)

Why this is wrong here

ICMP is not explicitly blocked; it is permitted by the 'permit ip any any' statement on line 20, which covers all IP protocols including ICMP. The user's ping works, confirming this.

Why candidates choose this

Students might think that only explicitly permitted protocols are allowed, forgetting that 'permit ip any any' permits all IP traffic, including ICMP.

Analysis generated from the official 200-301 blueprint and verified against question context. The “when correct” sections are what AI assistants cite when candidates ask “what’s the difference between these options?”

Common exam traps

Common exam trap: answer the scenario, not the keyword

Remember that ACLs are processed sequentially; the first match dictates the action, not subsequent lines.

Detailed technical explanation

How to think about this question

Access Control Lists (ACLs) are fundamental security tools in Cisco networking that filter traffic based on defined criteria. Each ACL consists of Access Control Entries (ACEs) that specify whether to permit or deny traffic matching certain protocols, IP addresses, or ports. When a packet arrives at an interface with an ACL applied inbound, the router evaluates the packet against each ACE in order, starting from the top. The first ACE that matches the packet determines the action taken, either permit or deny, and no further ACEs are checked.

In this scenario, the ACL has two entries: line 10 denies TCP traffic destined for port 80, which corresponds to HTTP traffic, and line 20 permits all other IP traffic. When a user attempts to browse a web server by IP address, the HTTP request matches the deny statement and is blocked. However, ping uses ICMP, which is not TCP port 80, so it does not match the deny entry. Instead, it matches the permit ip any any statement, allowing the ping packets through. This behavior explains why ping works but web browsing fails.

A common exam trap is misunderstanding how ACLs process entries and assuming later permit statements override earlier denies. In reality, the first matching ACE applies, so the deny on TCP port 80 effectively blocks HTTP traffic regardless of the permit that follows. Practically, this means network administrators must carefully order ACL entries to avoid unintentionally blocking desired traffic. This ACL behavior is critical for securing networks while maintaining legitimate communication paths.
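
The first-match evaluation described above, as an added example (not code from Courseiva or Cisco): a small Python evaluator for the simplified ACE syntax used on this page. The function names, the restriction to "any any" addresses, and the two sample ACLs other than the page's own are assumptions made for illustration; entries are evaluated in sequence-number order.

```python
# Added example: first-match evaluator for the simplified ACE syntax used on
# this page: "<seq> <permit|deny> <proto> any any [eq <port>]".
# Assumptions: only "any any" addresses, optional destination port on tcp/udp.

def parse_ace(line):
    """Parse one ACE line into a dict."""
    tok = line.split()
    if len(tok) not in (5, 7) or tok[1] not in ("permit", "deny") \
            or tok[3:5] != ["any", "any"]:
        raise ValueError(f"unsupported ACE: {line!r}")
    port = None
    if len(tok) == 7:
        if tok[5] != "eq" or tok[2] not in ("tcp", "udp"):
            raise ValueError(f"unsupported ACE: {line!r}")
        port = int(tok[6])
    return {"seq": int(tok[0]), "action": tok[1], "proto": tok[2], "port": port}

def ace_matches(ace, proto, dport):
    """'ip' matches every IP protocol; a port test must match exactly."""
    if ace["proto"] not in ("ip", proto):
        return False
    return ace["port"] is None or ace["port"] == dport

def evaluate(acl_lines, proto, dport=None):
    """Return (action, seq) of the first matching ACE, in sequence order."""
    aces = sorted(map(parse_ace, acl_lines), key=lambda a: a["seq"])
    for ace in aces:
        if ace_matches(ace, proto, dport):
            return ace["action"], ace["seq"]   # first match wins, stop here
    return "deny", None                        # implicit deny: nothing matched

# The ACL from the question on this page.
PAGE_ACL = ["10 deny tcp any any eq 80", "20 permit ip any any"]
# Constructed variants for comparison, not part of the page's scenario:
PERMIT_FIRST = ["5 permit ip any any", "10 deny tcp any any eq 80"]
HTTP_ONLY = ["10 permit tcp any any eq 80"]

if __name__ == "__main__":
    for name, acl in [("page ACL", PAGE_ACL), ("permit first", PERMIT_FIRST),
                      ("HTTP only", HTTP_ONLY)]:
        for proto, dport in [("tcp", 80), ("tcp", 443), ("icmp", None)]:
            print(f"{name:13} {proto:4} {dport!s:5} ->", evaluate(acl, proto, dport))
```

A result of ("deny", None) means no ACE matched and the implicit deny applied, which is how the HTTP-only variant drops ping even though it contains no deny line.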

Key Concepts to Remember

  • An ACL processes packets sequentially from the top down and applies the first matching ACE to the traffic.
  • A deny ACE in an ACL blocks only the specific traffic that matches its criteria and does not block all traffic.
  • A permit ACE in an ACL allows traffic that matches its criteria to pass through the interface.
  • The ACL entry 'deny tcp any any eq 80' blocks all TCP traffic destined for port 80, which is standard HTTP traffic.
  • The ACL entry 'permit ip any any' permits all remaining IP traffic, including ICMP packets used by ping.
  • ICMP traffic is allowed by the general permit IP statement, so ping requests and replies are not blocked by this ACL.
  • In Cisco ACLs, once a packet matches an ACE, no further ACEs are evaluated for that packet.
  • The implicit deny at the end of every ACL blocks any traffic not explicitly permitted by earlier ACEs.

Exam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

An ACL processes packets sequentially from the top down and applies the first matching ACE to the traffic.

Real-world example

How this comes up in practice

A small business has 20 workstations on the 192.168.1.0/24 network and one public IP from its ISP. The router uses PAT (NAT overload) so all 20 devices share one public address using different source ports. NAT questions test whether you understand the four address terms and which direction each translation applies.

What to study next

Got this wrong? Here's your next step.

Review the principle that an ACL processes packets sequentially from the top down and applies the first matching ACE to the traffic, then practise related 200-301 questions on the same topic to reinforce the concept.

FAQ

Questions learners often ask

What does this 200-301 question test?

This question tests Network Services and Security: an ACL processes packets sequentially from the top down and applies the first matching ACE to the traffic.

What is the correct answer to this question?

The correct answer is: The ACL blocks HTTP but allows ICMP — ACLs are processed top down. Line 10 denies TCP destination port 80, which blocks HTTP. Line 20 then permits all remaining IP traffic, including ICMP echo packets used by ping.

What should I do if I get this 200-301 question wrong?

Review the principle that an ACL processes packets sequentially from the top down and applies the first matching ACE to the traffic, then practise related 200-301 questions on the same topic to reinforce the concept.

Are there clue words in this question I should notice?

Yes — watch for: "best". Signals that multiple options may be partially correct. Choose the option that most directly solves the exact problem described, not the one that sounds most complete.

What is the key concept behind this question?

An ACL processes packets sequentially from the top down and applies the first matching ACE to the traffic.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content.

Last reviewed: May 17, 2026
