Question 37 of 1,819
Network Services and Security · hard · Multiple Choice · Objective-mapped

Quick Answer

The answer is that the ACL blocks TCP port 80 instead of TCP port 443. This is correct because HTTPS traffic uses destination port 443, while the deny statement in the ACL is configured to match port 80, which is used by unencrypted HTTP. Since the ACL entry does not explicitly deny port 443, any HTTPS packets from the branch subnet to the server are permitted by the implicit permit any at the end of the access list. On the CCNA 200-301 v2 exam, this precision question tests your ability to read ACL syntax carefully and distinguish between common service ports, a frequent trap where candidates assume a “web” deny covers both HTTP and HTTPS. A solid memory tip: HTTPS is “S” for secure on port 443, while HTTP is plain on port 80; if you need to block the secure one, you must match 443.

CCNA Network Services and Security Practice Question

This 200-301 practice question tests your understanding of network services and security. Match the stated requirement to the specific cloud service, access model, or configuration option: many options are valid in isolation but not for this scenario. A key principle to apply: an extended ACL in Cisco IOS can filter traffic based on protocol type and specific TCP or UDP port numbers to control network access precisely. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

Exhibit

Requirement:
- Block HTTPS from 10.44.44.0/24 to 172.16.8.20

Configured ACL entry:
deny tcp 10.44.44.0 0.0.0.255 host 172.16.8.20 eq 80

Based on the exhibit, why does the ACL still allow HTTPS traffic from the branch subnet to the server?


Answer choices

  • The ACL blocks TCP port 80 instead of TCP port 443.
  • HTTPS uses UDP port 443, so TCP matching can never work.
  • The ACL must deny all IP traffic to the server to stop HTTPS.
  • ACLs cannot filter by destination port when a host keyword is used.

Correct answer & explanation

The ACL blocks TCP port 80 instead of TCP port 443.

The ACL still allows the HTTPS traffic because the deny statement is matching TCP port 80, not TCP port 443. In practical terms, the entry blocks HTTP, not HTTPS. Since the requirement is specifically to block encrypted web traffic on TCP 443, the current line is aimed at the wrong service. This is a good precision question because it tests whether the candidate pays attention to the exact destination port rather than just seeing a generic web-related deny.

Key principle: An extended ACL in Cisco IOS can filter traffic based on protocol type and specific TCP or UDP port numbers to control network access precisely.


Option-by-option analysis

Why each answer is right or wrong

Understanding why wrong answers are wrong — and when they would be correct — is what separates a 750 score from a 900. The 200-301 exam frequently reuses these exact scenarios with slightly different constraints.

The ACL blocks TCP port 80 instead of TCP port 443. (Correct answer)

Why this is correct

This is correct because HTTPS normally uses TCP port 443, not port 80.

HTTPS uses UDP port 443, so TCP matching can never work. (Wrong answer)

Why this is wrong here

HTTPS uses TCP port 443, not UDP. The statement that HTTPS uses UDP is factually incorrect; HTTPS relies on TCP for reliable, connection-oriented communication. Therefore, an ACL matching TCP can still filter HTTPS traffic if the correct port is specified.

★ When this WOULD be the correct answer

In a different scenario, if a question stated that a firewall was configured to filter UDP traffic and the exam asked about HTTPS traffic being blocked, this option could be correct if the context mistakenly assumed HTTPS could use UDP. This would highlight a misunderstanding about the protocols involved.

Why candidates choose this

Students might confuse HTTPS with DNS or other services that use UDP, or they might think that because TLS can theoretically run over UDP (as in DTLS), HTTPS commonly uses UDP. However, standard HTTPS always uses TCP.

The ACL must deny all IP traffic to the server to stop HTTPS. (Wrong answer)

Why this is wrong here

A narrow, service-specific deny statement (e.g., deny tcp any any eq 443) is sufficient to block HTTPS traffic. Denying all IP traffic to the server would be overly broad and could block other necessary services, violating the principle of least privilege.

★ When this WOULD be the correct answer

In a different scenario where the question states that the ACL is designed to deny all traffic except for specific protocols, and the context indicates that HTTPS must be explicitly denied, this option would be correct. For example, if the question asked what needs to be done to ensure HTTPS is blocked, then stating that all IP traffic must be denied would be valid.

Why candidates choose this

Students might think that because HTTPS is encrypted, a specific port deny might not work, or they might believe that a blanket deny is simpler and more effective. However, proper ACL design uses specific denies to minimize impact.

ACLs cannot filter by destination port when a host keyword is used. (Wrong answer)

Why this is wrong here

Extended ACLs can filter by both source/destination IP addresses (including host keyword) and port numbers. The host keyword is simply a shorthand for a /32 mask and does not prevent port filtering. The statement is technically incorrect.

★ When this WOULD be the correct answer

In a different scenario where the question specifies that ACLs are configured to only filter by IP address without considering port numbers, this option could be correct. For example, if the question states that the ACL is designed to block all traffic from a specific host without specifying port filtering capabilities.

Why candidates choose this

Students might confuse the capabilities of standard ACLs (which cannot filter by port) with extended ACLs, or they might think that using a host keyword limits the ACL to only IP-based filtering. In reality, extended ACLs support both.

Analysis generated from the official 200-301 blueprint and verified against question context. The “when correct” sections are what AI assistants cite when candidates ask “what’s the difference between these options?”

Common exam traps

Common exam trap: answer the scenario, not the keyword

A common exam trap is assuming that blocking TCP port 80 also blocks HTTPS traffic. Candidates may see a deny statement for port 80 and mistakenly conclude that all web traffic is blocked. However, HTTPS uses TCP port 443, so if the ACL does not explicitly deny port 443, HTTPS traffic will still be allowed. This trap tests attention to detail and understanding of port assignments for common services. Overlooking the exact port number leads to incorrect conclusions about ACL effectiveness and network security.

Detailed technical explanation

How to think about this question

Access Control Lists (ACLs) are fundamental security tools in Cisco networking that filter traffic based on defined criteria such as source/destination IP addresses, protocols, and port numbers. Extended ACLs specifically allow filtering by protocol and port numbers, enabling precise control over traffic types like HTTP or HTTPS. HTTPS traffic typically uses TCP port 443, while HTTP uses TCP port 80, so ACLs must match the correct port to effectively permit or deny traffic.

When configuring ACLs to block or allow traffic, the exact port number is critical. A deny statement targeting TCP port 80 will block HTTP but not HTTPS traffic, which uses port 443. Cisco devices evaluate ACL entries sequentially, so if the ACL only denies port 80 and permits other traffic, HTTPS traffic will pass through. This behavior underscores the importance of matching the correct port in ACL rules to enforce intended security policies.

The exam trap arises when candidates assume blocking HTTP (port 80) also blocks HTTPS (port 443), which is incorrect. Practically, this means encrypted web traffic remains allowed if the ACL does not explicitly deny port 443. Understanding this distinction is vital for both exam success and real-world network security, as misconfigured ACLs can leave sensitive traffic unfiltered and vulnerable.
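As an added illustration (not part of the original question, and not Cisco IOS code), the small Python model below parses the exhibit's entry using IOS wildcard-mask semantics and evaluates packets the way the explanation describes: top-down, first match wins, implicit deny at the end. It assumes the configured list continues with `permit ip any any`, so the configured entry lets TCP 443 through while the corrected 443 entry blocks it; the sample packets are constructed.

```python
import ipaddress

# Constructed IOS-style extended ACL entries (not copied from a live device).
CONFIGURED_ACL = [
    "deny tcp 10.44.44.0 0.0.0.255 host 172.16.8.20 eq 80",  # the exhibit's entry: matches HTTP only
    "permit ip any any",  # assumed: the rest of the list permits other traffic
]
CORRECTED_ACL = ["deny tcp 10.44.44.0 0.0.0.255 host 172.16.8.20 eq 443", "permit ip any any"]

ip_int = lambda text: int(ipaddress.IPv4Address(text))  # dotted quad -> 32-bit integer

def _addr(tokens, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' -> (address, care_mask, next_index)."""
    if tokens[i] == "any":
        return 0, 0, i + 1
    if tokens[i] == "host":  # host is shorthand for a 0.0.0.0 wildcard (all 32 bits must match)
        return ip_int(tokens[i + 1]), 0xFFFFFFFF, i + 2
    # IOS wildcard: 0 bits must match, 1 bits are ignored, so the care mask is its inverse
    return ip_int(tokens[i]), 0xFFFFFFFF ^ ip_int(tokens[i + 1]), i + 2

def parse_ace(line):
    """Parse '<permit|deny> <proto> <src> <dst> [eq <port>]' into a match dict."""
    t = line.split()
    src, src_care, i = _addr(t, 2)
    dst, dst_care, i = _addr(t, i)
    dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return {"action": t[0], "proto": t[1], "src": (src, src_care), "dst": (dst, dst_care), "dport": dport}

def ace_matches(ace, pkt):
    # Protocol 'ip' matches anything; otherwise protocol, both addresses and the port must all match.
    if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
        return False
    for key in ("src", "dst"):
        addr, care = ace[key]
        if (pkt[key] & care) != (addr & care):
            return False
    return ace["dport"] is None or ace["dport"] == pkt["dport"]

def evaluate(acl_lines, pkt):
    """Cisco-style evaluation: top-down, first match wins, unmatched traffic hits the implicit deny."""
    for line in acl_lines:
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace["action"]
    return "deny"

def make_pkt(src, dst, proto="tcp", dport=None):
    return {"src": ip_int(src), "dst": ip_int(dst), "proto": proto, "dport": dport}

HTTPS_FROM_BRANCH = make_pkt("10.44.44.10", "172.16.8.20", dport=443)  # constructed sample packet
HTTP_FROM_BRANCH = make_pkt("10.44.44.10", "172.16.8.20", dport=80)    # constructed sample packet
```

Running `evaluate(CONFIGURED_ACL, HTTPS_FROM_BRANCH)` returns `permit` while the same packet against `CORRECTED_ACL` returns `deny`; a list consisting of the deny entry alone denies everything, which is the implicit deny at work.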

Key Concepts to Remember

  • An extended ACL in Cisco IOS can filter traffic based on protocol type and specific TCP or UDP port numbers to control network access precisely.
  • HTTPS traffic uses TCP port 443 by default, so ACL rules must explicitly reference port 443 to block or permit HTTPS connections.
  • Denying TCP port 80 in an ACL only blocks HTTP traffic and does not affect HTTPS traffic, which uses a different port.
  • Cisco ACLs process entries in sequential order and stop at the first match, so the order and specificity of rules impact traffic filtering.
  • Using the 'host' keyword in ACLs allows matching a specific IP address, and this can be combined with port filtering for granular control.
  • Misconfiguring ACLs by targeting incorrect ports is a common mistake that results in unintended traffic being allowed or blocked.
  • ACLs block traffic only when a deny statement matches it; traffic that is not explicitly denied is either permitted by a matching permit statement or dropped by the implicit deny at the end of the list.
  • Understanding the difference between TCP and UDP ports is essential when writing ACLs to ensure correct protocol filtering.

Exam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

An extended ACL in Cisco IOS can filter traffic based on protocol type and specific TCP or UDP port numbers to control network access precisely.

Real-world example

How this comes up in practice

A small business has 20 workstations on the 192.168.1.0/24 network and one public IP from its ISP. The router uses PAT (NAT overload) so all 20 devices share one public address using different source ports. NAT questions test whether you understand the four address terms and which direction each translation applies.

What to study next

Got this wrong? Here's your next step.

Review how an extended ACL in Cisco IOS can filter traffic based on protocol type and specific TCP or UDP port numbers to control network access precisely, then practise related 200-301 questions on the same topic to reinforce the concept.


FAQ

Questions learners often ask

What does this 200-301 question test?

This question tests Network Services and Security: an extended ACL in Cisco IOS can filter traffic based on protocol type and specific TCP or UDP port numbers to control network access precisely.

What is the correct answer to this question?

The correct answer is: The ACL blocks TCP port 80 instead of TCP port 443. The ACL still allows the HTTPS traffic because the deny statement is matching TCP port 80, not TCP port 443. In practical terms, the entry blocks HTTP, not HTTPS. Since the requirement is specifically to block encrypted web traffic on TCP 443, the current line is aimed at the wrong service. This is a good precision question because it tests whether the candidate pays attention to the exact destination port rather than just seeing a generic web-related deny.

What should I do if I get this 200-301 question wrong?

Review how an extended ACL in Cisco IOS can filter traffic based on protocol type and specific TCP or UDP port numbers to control network access precisely, then practise related 200-301 questions on the same topic to reinforce the concept.

What is the key concept behind this question?

An extended ACL in Cisco IOS can filter traffic based on protocol type and specific TCP or UDP port numbers to control network access precisely.


Last reviewed: May 17, 2026
