- A
Because the ACL must distinguish traffic by protocol or destination port, not just by source address.
This is correct because Telnet-versus-SSH filtering requires extended matching capability.
- B
Because standard ACLs can match destination TCP ports just as well.
Why wrong: This is wrong because standard ACLs do not provide that level of granularity.
- C
Because extended ACLs are required for every router login policy regardless of criteria.
Why wrong: This is wrong because the need depends on the matching requirement.
- D
Because SSH and Telnet always use the same port number.
Why wrong: This is wrong because they use different TCP ports.
Quick Answer
The answer is that an extended ACL is appropriate because the ACL must distinguish traffic by protocol or destination port, not just by source address. This is the core technical distinction: a standard ACL can only filter based on the source IP, which would either block or permit all traffic from the 10.1.1.0/24 subnet, including both Telnet and SSH. An extended ACL, however, can match on the protocol field (TCP) and the destination port (23 for Telnet vs. 22 for SSH), allowing you to block Telnet while explicitly permitting SSH to the router’s VTY lines. On the CCNA 200-301 v2 exam, this scenario tests your understanding of ACL granularity—a common trap is choosing a standard ACL because you see a single source subnet, forgetting that the policy requires application-layer differentiation. Remember the memory tip: “Standard sees the who, Extended sees the what and where.”
CCNA Network Services and Security Practice Question
This 200-301 practice question tests your understanding of network services and security. Match the stated requirement to the specific cloud service, access model, or configuration option — many options are valid in isolation but not for this scenario. A key principle to apply: an extended ACL filters traffic based on source and destination IP addresses, protocol types, and TCP/UDP port numbers, enabling precise traffic control.. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.
An ACL is intended to block Telnet from 10.1.1.0/24 to router VTY access while still allowing SSH from the same subnet. Which statement best explains why an extended ACL is appropriate here?
Clue words in this question
Noticing these words before you look at the options changes how you read each choice.
Clue:
"best"Why it matters: Signals that multiple options may be partially correct. Choose the option that most directly solves the exact problem described, not the one that sounds most complete.
Answer choices
Why each option matters
Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.
Correct answer & explanation
Because the ACL must distinguish traffic by protocol or destination port, not just by source address.
An extended ACL is appropriate because the requirement is based not only on source address but also on the specific protocol and application port involved. In practical terms, the policy must distinguish Telnet from SSH even though both originate from the same source subnet. A standard ACL would be too limited because it mainly matches only on source address. This is the kind of requirement that shows why extended ACLs exist. They allow more granular traffic control by matching protocol and destination details, not just who sent the packet.
Key principle: An extended ACL filters traffic based on source and destination IP addresses, protocol types, and TCP/UDP port numbers, enabling precise traffic control.
Answer analysis
Option-by-option breakdown
For each option: why learners choose it and why it is or isn't the right answer here.
- ✓
Because the ACL must distinguish traffic by protocol or destination port, not just by source address.
- ✗
Because standard ACLs can match destination TCP ports just as well.
Why it's wrong here
This is wrong because standard ACLs do not provide that level of granularity.
When this WOULD be correct
In a different scenario where the question states that both Telnet and SSH traffic are being filtered based solely on source IP addresses, and there is no requirement to distinguish between protocols or ports, option B could be correct. For example, if the question asked if a standard ACL could block all traffic from a specific subnet without regard to protocol, this option would apply.
- ✗
Because extended ACLs are required for every router login policy regardless of criteria.
Why it's wrong here
This is wrong because the need depends on the matching requirement.
When this WOULD be correct
In a different exam scenario, if the question stated that all types of ACLs must be extended for any login policy regardless of the criteria involved, then option C would be correct. For example, if the question specified that only extended ACLs can be used for any form of access control, then this option would apply.
- ✗
Because SSH and Telnet always use the same port number.
Why it's wrong here
This is wrong because they use different TCP ports.
When this WOULD be correct
In a different scenario where the question states that both SSH and Telnet are configured to use the same port number for some reason, such as a misconfiguration or a specific lab setup, then this option could be correct. The question would need to specify that both protocols are intentionally set to operate on the same port.
Option-by-option analysis
Why each answer is right or wrong
Understanding why wrong answers are wrong — and when they would be correct — is what separates a 750 score from a 900. The 200-301 exam frequently reuses these exact scenarios with slightly different constraints.
✓Because the ACL must distinguish traffic by protocol or destination port, not just by source address.Correct answer▾
Why this is correct
This is correct because Telnet-versus-SSH filtering requires extended matching capability.
✗Because standard ACLs can match destination TCP ports just as well.Wrong answer — click to see why▾
Why this is wrong here
Standard ACLs can only filter based on source IP address, not destination ports or protocols. They lack the granularity to distinguish between Telnet and SSH traffic.
★ When this WOULD be the correct answer
In a different scenario where the question states that both Telnet and SSH traffic are being filtered based solely on source IP addresses, and there is no requirement to distinguish between protocols or ports, option B could be correct. For example, if the question asked if a standard ACL could block all traffic from a specific subnet without regard to protocol, this option would apply.
Why candidates choose this
Students may confuse standard ACLs with extended ACLs, thinking they can match ports, but standard ACLs are limited to source addresses only.
✗Because extended ACLs are required for every router login policy regardless of criteria.Wrong answer — click to see why▾
Why this is wrong here
Extended ACLs are not required for every router login policy; they are only needed when filtering must consider protocol or port information. Simple source-based filtering can use standard ACLs.
★ When this WOULD be the correct answer
In a different exam scenario, if the question stated that all types of ACLs must be extended for any login policy regardless of the criteria involved, then option C would be correct. For example, if the question specified that only extended ACLs can be used for any form of access control, then this option would apply.
Why candidates choose this
The phrase 'required for every router login policy' might mislead students into thinking extended ACLs are mandatory for VTY access, but the need depends on the specific filtering criteria.
✗Because SSH and Telnet always use the same port number.Wrong answer — click to see why▾
Why this is wrong here
SSH uses TCP port 22, while Telnet uses TCP port 23. They are distinct ports, so an ACL can differentiate them based on destination port.
★ When this WOULD be the correct answer
In a different scenario where the question states that both SSH and Telnet are configured to use the same port number for some reason, such as a misconfiguration or a specific lab setup, then this option could be correct. The question would need to specify that both protocols are intentionally set to operate on the same port.
Why candidates choose this
Students might mistakenly think both services use the same port due to their similar function (remote login), but they are separate protocols with different port numbers.
Analysis generated from the official 200-301blueprint and verified against question context. The “when correct” sections are what AI assistants cite when candidates ask “what’s the difference between these options?”
Common exam traps
Common exam trap: answer the scenario, not the keyword
Do not confuse the ability to filter by protocol and port with filtering by IP address alone; extended ACLs are required for the former.
Detailed technical explanation
How to think about this question
Access Control Lists (ACLs) are fundamental tools in Cisco networking used to filter traffic based on defined criteria. Standard ACLs filter traffic solely based on source IP addresses, making them suitable for broad filtering but insufficient for traffic that requires protocol or port-based distinctions. Extended ACLs, on the other hand, provide granular control by allowing filtering based on source and destination IP addresses, as well as Layer 4 protocol types and port numbers. This capability is essential when differentiating between services like Telnet and SSH, which use different TCP ports but may originate from the same subnet. When implementing an ACL to block Telnet access while permitting SSH from the same subnet, an extended ACL is necessary because it can specify the protocol (TCP) and destination port numbers (Telnet uses port 23, SSH uses port 22). This specificity enables the router to selectively deny Telnet traffic while allowing SSH traffic from the 10.1.1.0/24 subnet to the router's VTY lines. A standard ACL cannot achieve this because it only filters based on source IP addresses without regard to protocol or port, thus either blocking or permitting all traffic from that subnet indiscriminately. A common exam trap is assuming that standard ACLs can differentiate traffic by port or protocol, which they cannot. This misunderstanding leads to incorrect ACL design and failure to meet security requirements. Practically, extended ACLs provide the necessary granularity to enforce security policies on router management access, ensuring that only authorized protocols like SSH are allowed while insecure protocols like Telnet are blocked, enhancing network security and compliance with best practices.
KKey Concepts to Remember
- An extended ACL filters traffic based on source and destination IP addresses, protocol types, and TCP/UDP port numbers, enabling precise traffic control.
- Standard ACLs filter traffic only by source IP address and cannot distinguish between different protocols or application ports.
- Telnet uses TCP port 23, while SSH uses TCP port 22, allowing extended ACLs to differentiate and selectively block or permit these protocols.
- Extended ACLs are essential when security policies require blocking specific protocols from the same source subnet without affecting other allowed protocols.
- Applying an extended ACL to router VTY lines can restrict management access by protocol, enhancing security by permitting SSH but blocking Telnet.
- Standard ACLs are insufficient for protocol-specific filtering and may inadvertently block all traffic from a source subnet if used incorrectly.
- Cisco routers process ACLs sequentially, so ordering extended ACL entries correctly is critical to allow SSH while denying Telnet.
- Using extended ACLs for router login policies prevents unauthorized access and aligns with Cisco best practices for secure device management.
TExam Day Tips
- Watch for words such as best, first, most likely and least administrative effort.
- Review why wrong options are wrong, not only why the correct option is correct.
Key takeaway
An extended ACL filters traffic based on source and destination IP addresses, protocol types, and TCP/UDP port numbers, enabling precise traffic control.
Real-world example
How this comes up in practice
A small business has 20 workstations on the 192.168.1.0/24 network and one public IP from its ISP. The router uses PAT (NAT overload) so all 20 devices share one public address using different source ports. NAT questions test whether you understand the four address terms and which direction each translation applies.
What to study next
Got this wrong? Here's your next step.
Review an extended ACL filters traffic based on source and destination IP addresses, protocol types, and TCP/UDP port numbers, enabling precise traffic control., then practise related 200-301 questions on the same topic to reinforce the concept.
- →
Network Services and Security — study guide chapter
Learn the concepts, then practise the questions
- →
Network Services and Security practice questions
Targeted practice on this topic area only
- →
All 200-301 questions
1,819 questions across all exam domains
- →
CCNA 200-301 v2 study guide
Full concept coverage aligned to exam objectives
- →
200-301 practice test guide
How to use practice tests most effectively before exam day
Related practice questions
Related 200-301 practice-question pages
Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.
Network Infrastructure and Connectivity practice questions
Practise 200-301 questions linked to Network Infrastructure and Connectivity.
Switching and Network Access practice questions
Practise 200-301 questions linked to Switching and Network Access.
IP Routing practice questions
Practise 200-301 questions linked to IP Routing.
Network Services and Security practice questions
Practise 200-301 questions linked to Network Services and Security.
AI and Network Operations practice questions
Practise 200-301 questions linked to AI and Network Operations.
CCNA subnetting practice questions
Practise IPv4 subnetting, CIDR, masks, host ranges and subnet selection.
CCNA OSPF practice questions
Practise OSPF neighbours, router IDs, metrics, areas and routing-table interpretation.
CCNA VLAN practice questions
Practise VLANs, access ports, trunks, allowed VLANs and switching scenarios.
CCNA STP practice questions
Practise spanning tree, root bridge election, port roles and STP troubleshooting.
CCNA EtherChannel practice questions
Practise LACP, PAgP, port-channel behaviour and bundle requirements.
CCNA ACL practice questions
Practise standard and extended ACLs, permit/deny logic and traffic filtering.
CCNA NAT practice questions
Practise static NAT, dynamic NAT, PAT and inside/outside address translation.
Practice this exam
Start a free 200-301 practice session
Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.
FAQ
Questions learners often ask
What does this 200-301 question test?
Network Services and Security — This question tests Network Services and Security — An extended ACL filters traffic based on source and destination IP addresses, protocol types, and TCP/UDP port numbers, enabling precise traffic control..
What is the correct answer to this question?
The correct answer is: Because the ACL must distinguish traffic by protocol or destination port, not just by source address. — An extended ACL is appropriate because the requirement is based not only on source address but also on the specific protocol and application port involved. In practical terms, the policy must distinguish Telnet from SSH even though both originate from the same source subnet. A standard ACL would be too limited because it mainly matches only on source address. This is the kind of requirement that shows why extended ACLs exist. They allow more granular traffic control by matching protocol and destination details, not just who sent the packet.
What should I do if I get this 200-301 question wrong?
Review an extended ACL filters traffic based on source and destination IP addresses, protocol types, and TCP/UDP port numbers, enabling precise traffic control., then practise related 200-301 questions on the same topic to reinforce the concept.
Are there clue words in this question I should notice?
Yes — watch for: "best". Signals that multiple options may be partially correct. Choose the option that most directly solves the exact problem described, not the one that sounds most complete.
What is the key concept behind this question?
An extended ACL filters traffic based on source and destination IP addresses, protocol types, and TCP/UDP port numbers, enabling precise traffic control.
About these practice questions
Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →
Last reviewed: May 17, 2026
This 200-301 practice question is part of Courseiva's free Cisco certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the 200-301 exam.
Question Discussion
Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.
Sign in to join the discussion.