A router interface applies this ACL inbound:
10 deny tcp any any eq 80
20 permit ip any any
A user reports that web browsing to a server by IP address fails, but ping works. Which statement best explains the behavior?
Answer choices
Good practice is not just finding the correct option. The wrong answers often show the exact trap the exam wants you to fall into.
The ACL blocks all traffic because the first entry is a deny
The explicit deny affects only traffic that matches line 10, not all traffic.
The ACL blocks HTTP but allows ICMP
Correct. HTTP matches the deny, while ping is permitted by the later broad permit.
The ACL permits HTTP because line 20 overrides line 10
Later ACEs do not override earlier matches; first match wins.
The ACL blocks ping because ICMP is not explicitly permitted
ICMP is covered by the general permit ip any any statement on line 20.
Common exam trap
A frequent exam trap is believing that the permit statement on line 20 overrides the deny on line 10, allowing HTTP traffic through. Candidates may think that because the permit is broader and appears later, it cancels the earlier deny. However, Cisco ACLs process entries sequentially and stop at the first match. Since the HTTP traffic matches the deny on line 10, it is blocked immediately, and the permit on line 20 is never evaluated for that traffic. Misunderstanding this leads to incorrect conclusions about traffic flow and ACL behavior.
Technical deep dive
Access Control Lists (ACLs) are fundamental security tools in Cisco networking that filter traffic based on defined criteria. Each ACL consists of Access Control Entries (ACEs) that specify whether to permit or deny traffic matching certain protocols, IP addresses, or ports. When a packet arrives at an interface with an ACL applied inbound, the router evaluates the packet against each ACE in order, starting from the top. The first ACE that matches the packet determines the action taken, either permit or deny, and no further ACEs are checked.

In this scenario, the ACL has two entries: line 10 denies TCP traffic destined for port 80, which corresponds to HTTP traffic, and line 20 permits all other IP traffic. When a user attempts to browse a web server by IP address, the HTTP request matches the deny statement and is blocked. However, ping uses ICMP, which is not TCP port 80, so it does not match the deny entry. Instead, it matches the permit ip any any statement, allowing the ping packets through. This behavior explains why ping works but web browsing fails.

A common exam trap is misunderstanding how ACLs process entries and assuming later permit statements override earlier denies. In reality, the first matching ACE applies, so the deny on TCP port 80 effectively blocks HTTP traffic regardless of the permit that follows. Practically, this means network administrators must carefully order ACL entries to avoid unintentionally blocking desired traffic. This ACL behavior is critical for securing networks while maintaining legitimate communication paths.
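As an added illustration (constructed for this page, not part of the original question or of Cisco IOS), the following Python evaluator walks the two-line ACL top down exactly as described above, stops at the first match, and falls through to the implicit deny that ends every Cisco ACL. It also runs the mis-ordered version from the exam trap to show that order, not breadth, decides the outcome; the ACE and Packet classes and the parse_acl/evaluate functions are assumptions of this example.

```python
"""First-match evaluation of the ACL discussed above (constructed example, not Cisco code).
Supports only the extended-ACL subset on the page: <seq> permit|deny <proto> any any [eq <port>]
"""
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class ACE:
    seq: int
    action: str              # "permit" or "deny"
    proto: str               # "ip", "tcp", "udp" or "icmp"
    dst_port: Optional[int]  # set only for "eq <port>" on tcp/udp

@dataclass
class Packet:
    proto: str
    dst_port: Optional[int] = None

def parse_acl(text: str) -> List[ACE]:
    """Parse lines such as '10 deny tcp any any eq 80'; return ACEs ordered by sequence number."""
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        port = int(tok[6]) if len(tok) > 6 and tok[5] == "eq" else None
        aces.append(ACE(int(tok[0]), tok[1], tok[2], port))
    return sorted(aces, key=lambda a: a.seq)

def evaluate(acl: List[ACE], pkt: Packet) -> str:
    """Walk the ACEs top down: the first match decides and later lines are never consulted.
    A packet that matches nothing hits the implicit 'deny any' that ends every Cisco ACL."""
    for ace in acl:
        proto_ok = ace.proto == "ip" or ace.proto == pkt.proto
        port_ok = ace.dst_port is None or ace.dst_port == pkt.dst_port
        if proto_ok and port_ok:
            return f"{ace.action} (line {ace.seq})"
    return "deny (implicit)"

ACL_FROM_QUESTION = "10 deny tcp any any eq 80\n20 permit ip any any"
REVERSED_ORDER = "10 permit ip any any\n20 deny tcp any any eq 80"  # the exam trap, mis-ordered
HTTP, PING = Packet("tcp", 80), Packet("icmp")

if __name__ == "__main__":
    acl = parse_acl(ACL_FROM_QUESTION)
    print("HTTP:", evaluate(acl, HTTP), "| ping:", evaluate(acl, PING))
    print("HTTP with reversed order:", evaluate(parse_acl(REVERSED_ORDER), HTTP))
```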
FAQ
An ACL processes packets sequentially from the top down and applies the first matching ACE to the traffic.
The correct answer is: The ACL blocks HTTP but allows ICMP — ACLs are processed top down. Line 10 denies TCP destination port 80, which blocks HTTP. Line 20 then permits all remaining IP traffic, including ICMP echo packets used by ping.
Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.