Question 1hardmultiple choice
Full question →hardmultiple choiceObjective-mapped
An ACL is intended to block Telnet from 10.1.1.0/24 to router VTY access while still allowing SSH from the same subnet. Which statement best explains why an extended ACL is appropriate here?
Answer choices
Why each option matters
Good practice is not just finding the correct option. The wrong answers often show the exact trap the exam wants you to fall into.
A
Best answer
Because the ACL must distinguish traffic by protocol or destination port, not just by source address.
This is correct because Telnet-versus-SSH filtering requires extended matching capability.
B
Distractor review
Because standard ACLs can match destination TCP ports just as well.
This is wrong because standard ACLs do not provide that level of granularity.
C
Distractor review
Because extended ACLs are required for every router login policy regardless of criteria.
This is wrong because the need depends on the matching requirement.
D
Distractor review
Because SSH and Telnet always use the same port number.
This is wrong because they use different TCP ports.
Common exam trap
Common exam trap: answer the scenario, not the keyword
A common exam trap is selecting a standard ACL to block Telnet while allowing SSH from the same subnet. Standard ACLs only filter by source IP address and cannot differentiate between protocols or ports. This leads to either blocking all traffic from the subnet or permitting both Telnet and SSH, failing the requirement. Candidates may mistakenly believe that standard ACLs can match TCP port numbers, but this is incorrect. Understanding the limitations of standard ACLs and the capabilities of extended ACLs is crucial to avoid this mistake.
Technical deep dive
How to think about this question
Access Control Lists (ACLs) are fundamental tools in Cisco networking used to filter traffic based on defined criteria. Standard ACLs filter traffic solely based on source IP addresses, making them suitable for broad filtering but insufficient for traffic that requires protocol or port-based distinctions. Extended ACLs, on the other hand, provide granular control by allowing filtering based on source and destination IP addresses, as well as Layer 4 protocol types and port numbers. This capability is essential when differentiating between services like Telnet and SSH, which use different TCP ports but may originate from the same subnet. When implementing an ACL to block Telnet access while permitting SSH from the same subnet, an extended ACL is necessary because it can specify the protocol (TCP) and destination port numbers (Telnet uses port 23, SSH uses port 22). This specificity enables the router to selectively deny Telnet traffic while allowing SSH traffic from the 10.1.1.0/24 subnet to the router's VTY lines. A standard ACL cannot achieve this because it only filters based on source IP addresses without regard to protocol or port, thus either blocking or permitting all traffic from that subnet indiscriminately. A common exam trap is assuming that standard ACLs can differentiate traffic by port or protocol, which they cannot. This misunderstanding leads to incorrect ACL design and failure to meet security requirements. Practically, extended ACLs provide the necessary granularity to enforce security policies on router management access, ensuring that only authorized protocols like SSH are allowed while insecure protocols like Telnet are blocked, enhancing network security and compliance with best practices.
KKey Concepts to Remember
- An extended ACL filters traffic based on source and destination IP addresses, protocol types, and TCP/UDP port numbers, enabling precise traffic control.
- Standard ACLs filter traffic only by source IP address and cannot distinguish between different protocols or application ports.
- Telnet uses TCP port 23, while SSH uses TCP port 22, allowing extended ACLs to differentiate and selectively block or permit these protocols.
- Extended ACLs are essential when security policies require blocking specific protocols from the same source subnet without affecting other allowed protocols.
- Applying an extended ACL to router VTY lines can restrict management access by protocol, enhancing security by permitting SSH but blocking Telnet.
- Standard ACLs are insufficient for protocol-specific filtering and may inadvertently block all traffic from a source subnet if used incorrectly.
- Cisco routers process ACLs sequentially, so ordering extended ACL entries correctly is critical to allow SSH while denying Telnet.
- Using extended ACLs for router login policies prevents unauthorized access and aligns with Cisco best practices for secure device management.
TExam Day Tips
- Watch for words such as best, first, most likely and least administrative effort.
- Review why wrong options are wrong, not only why the correct option is correct.
Related practice questions
Related 200-301 practice-question pages
Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.
CCNA subnetting practice questions
Practise IPv4 subnetting, CIDR, masks, host ranges and subnet selection.
CCNA OSPF practice questions
Practise OSPF neighbours, router IDs, metrics, areas and routing-table interpretation.
CCNA VLAN practice questions
Practise VLANs, access ports, trunks, allowed VLANs and switching scenarios.
CCNA STP practice questions
Practise spanning tree, root bridge election, port roles and STP troubleshooting.
CCNA EtherChannel practice questions
Practise LACP, PAgP, port-channel behaviour and bundle requirements.
CCNA ACL practice questions
Practise standard and extended ACLs, permit/deny logic and traffic filtering.
CCNA NAT practice questions
Practise static NAT, dynamic NAT, PAT and inside/outside address translation.
CCNA DHCP practice questions
Practise DHCP scopes, relay, leases and troubleshooting.
CCNA show ip route practice questions
Practise routing-table output, longest-prefix match, AD and route selection.
CCNA show interfaces trunk practice questions
Practise trunk verification and VLAN forwarding across switches.
CCNA wireless security practice questions
Practise WLAN security, authentication and wireless architecture concepts.
CCNA IPv6 practice questions
Practise IPv6 addressing, routes, neighbour discovery and common IPv6 exam traps.
More questions from this exam
Keep practising from the same exam bank, or move into a focused topic page if this question exposed a weak area.
Question 1
A router learns the same prefix from both OSPF and EIGRP. Which route is installed by default?
Question 2
A router shows this output: R1#show ip ospf neighbor Neighbor ID Pri State Dead Time Address Interface 10.1.1.2 1 FULL/DR 00:00:34 192.168.12.2 GigabitEthernet0/0 10.1.1.3 1 2WAY/DROTHER 00:00:39 192.168.12.3 GigabitEthernet0/0 Which statement is correct?
Question 3
What is the OSPF metric called?
Question 4
A non-root switch has two uplinks toward the root bridge. One path has a lower total STP cost than the other. What role will the lower-cost uplink have?
Question 5
A router interface applies this ACL inbound: 10 deny tcp any any eq 80 20 permit ip any any A user reports that web browsing to a server by IP address fails, but ping works. Which statement best explains the behavior?
Question 6
A router learns route 198.51.100.0/24 from OSPF with AD 110 and also has a static route to the same prefix configured with AD 150. Which route is installed?
FAQ
Questions learners often ask
What does this 200-301 question test?
An extended ACL filters traffic based on source and destination IP addresses, protocol types, and TCP/UDP port numbers, enabling precise traffic control.
What is the correct answer to this question?
The correct answer is: Because the ACL must distinguish traffic by protocol or destination port, not just by source address. — An extended ACL is appropriate because the requirement is based not only on source address but also on the specific protocol and application port involved. In practical terms, the policy must distinguish Telnet from SSH even though both originate from the same source subnet. A standard ACL would be too limited because it mainly matches only on source address. This is the kind of requirement that shows why extended ACLs exist. They allow more granular traffic control by matching protocol and destination details, not just who sent the packet.
What should I do if I get this 200-301 question wrong?
Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.
Discussion
Loading comments…
Sign in to join the discussion.