- A
It is permitted because the source subnet is allowed.
Why wrong: The ACL is not permitting the source subnet broadly; it is permitting only TCP 443 from that subnet.
- B
It is denied by the implicit deny.
The packet does not match either permit entry, so the implicit deny drops it.
- C
It is translated by NAT before the ACL is checked.
Why wrong: NAT behavior depends on placement and is not the point of this ACL question.
- D
It is converted to HTTPS automatically.
Why wrong: Routers do not rewrite application protocols in that way.
Quick Answer
The answer is that the HTTP packet is denied by the implicit deny rule at the end of the ACL. This occurs because the ACL only permits TCP traffic on port 443 (HTTPS) and ICMP packets, while HTTP uses TCP port 80, which is not explicitly permitted. The implicit deny is a fundamental security feature of all standard and extended ACLs, acting as a catch-all rule that drops any traffic not matched by a preceding permit statement. On the CCNA 200-301 v2 exam, this concept tests your understanding of how ACLs process packets sequentially and the critical role of the invisible final entry. A common trap is assuming that permitting ICMP or a similar protocol will allow unrelated TCP traffic, or forgetting that the implicit deny applies even when no explicit deny statement is written. Remember the mnemonic: "If it's not permitted, it's submitted to the bit bucket."
CCNA Network Services and Security Practice Question
This 200-301 practice question tests your understanding of network services and security. Read the scenario carefully and evaluate each option against the stated constraints before committing to an answer. A key principle to apply: ACLs process packets sequentially and apply the first matching permit or deny rule encountered in the list. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.
An ACL on R1 contains only these entries:
access-list 101 permit tcp 10.10.10.0 0.0.0.255 any eq 443
access-list 101 permit icmp any any
What happens to an HTTP packet sourced from 10.10.10.25 and destined for 198.51.100.10 if ACL 101 is applied in the traffic path?
Correct answer & explanation
It is denied by the implicit deny.
HTTP uses TCP port 80, not 443. Because the ACL does not include a permit for that traffic, it is dropped by the implicit deny at the end of the ACL. The ICMP entry is irrelevant because the packet is TCP.
Key principle: ACLs process packets sequentially and apply the first matching permit or deny rule encountered in the list.
Option-by-option analysis
Why each answer is right or wrong
Understanding why wrong answers are wrong — and when they would be correct — is what separates a 750 score from a 900. The 200-301 exam frequently reuses these exact scenarios with slightly different constraints.
✓ It is denied by the implicit deny. (Correct answer)
Why this is correct
The packet does not match either permit entry, so the implicit deny drops it.
✗ It is permitted because the source subnet is allowed. (Wrong answer)
Why this is wrong here
This option is wrong because the ACL only permits TCP traffic on port 443 and ICMP traffic, so an HTTP packet (port 80) from the specified source would be denied by the implicit deny rule at the end of the ACL.
★ When this WOULD be the correct answer
In a different scenario where the ACL allowed all traffic from the source subnet (e.g., 'access-list 101 permit ip 10.10.10.0 0.0.0.255 any'), then an HTTP packet from 10.10.10.25 would be permitted, making this option correct.
Why candidates choose this
Candidates may choose this option because they might misinterpret the ACL's source address as sufficient for permitting all types of traffic, overlooking the specific port restrictions.
✗ It is translated by NAT before the ACL is checked. (Wrong answer)
Why this is wrong here
This option is wrong because NAT does not occur before ACL evaluation; the ACL is applied directly to the packet as it arrives at the interface. Therefore, the HTTP packet is evaluated against the ACL without any translation taking place.
★ When this WOULD be the correct answer
In a different scenario where the question specifies that NAT is configured on the router and the ACL is applied after NAT processing, an HTTP packet could be translated to a different address before being evaluated by the ACL. In this case, the packet might be permitted or denied based on the translated address.
Why candidates choose this
Candidates may find this option tempting because they might confuse the order of operations in packet processing, thinking that NAT would modify the packet before ACL evaluation, which is a common misconception in networking.
✗ It is converted to HTTPS automatically. (Wrong answer)
Why this is wrong here
This option is wrong because the ACL does not automatically convert HTTP traffic to HTTPS; it only permits or denies traffic based on the defined rules. The packet from 10.10.10.25 is not permitted by the ACL since it is not targeting port 443.
★ When this WOULD be the correct answer
In a different scenario, if the question stated that the network device has a feature that automatically upgrades HTTP traffic to HTTPS based on specific configurations, then this option could be correct. For example, if the device was configured to enforce secure connections for all HTTP traffic, the packet could be converted to HTTPS before being processed.
Why candidates choose this
Candidates may choose this option due to a common understanding that many modern networks implement security features that automatically upgrade HTTP to HTTPS, leading to confusion about the capabilities of ACLs in this context.
Analysis generated from the official 200-301 blueprint and verified against question context. The “when correct” sections are what AI assistants cite when candidates ask “what’s the difference between these options?”
Common exam traps
Common exam trap: answer the scenario, not the keyword
Be careful not to confuse TCP with ICMP or overlook the specific port numbers in ACL entries.
Detailed technical explanation
How to think about this question
Access Control Lists (ACLs) are fundamental security tools in Cisco networking that filter traffic based on defined criteria such as source and destination IP addresses, protocols, and port numbers. ACLs are processed sequentially, and once a packet matches an entry, the corresponding permit or deny action is applied immediately. If no entries match, an implicit deny at the end of the ACL drops the packet by default. This behavior ensures that only explicitly permitted traffic passes through, enhancing network security and traffic control.
In this scenario, ACL 101 permits TCP traffic sourced from the 10.10.10.0/24 subnet only if it is destined for any address on port 443 (HTTPS). It also permits all ICMP traffic regardless of source or destination. Since HTTP traffic uses TCP port 80, a packet from 10.10.10.25 to 198.51.100.10 on port 80 does not match any permit statement. Consequently, the ACL's implicit deny rule blocks this HTTP packet. This demonstrates the importance of specifying correct protocols and ports in ACLs to avoid unintended traffic drops.
A common exam trap is assuming that permitting a subnet in an ACL automatically allows all traffic from that subnet. However, ACLs are explicit and require exact matches on protocol and port numbers. Another trap is misunderstanding the implicit deny rule, which silently drops unmatched packets without logging by default. Practically, this means network administrators must carefully design ACLs to include all necessary permit statements and understand that any traffic not explicitly permitted will be denied, ensuring predictable and secure network behavior.
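The evaluation order described above can be traced with a small Python model of ACL 101. This is an added example, not part of the original page and not Cisco code; the function names `parse` and `evaluate` are hypothetical, and the parser handles only the syntax subset used in this question (numeric `eq` destination ports, `any`, `host`, and address/wildcard pairs).

```python
import ipaddress

# The two entries from the question, verbatim.
ACL_101 = [
    "access-list 101 permit tcp 10.10.10.0 0.0.0.255 any eq 443",
    "access-list 101 permit icmp any any",
]

def _addr(tokens):
    """Consume one address spec: 'any', 'host A', or 'A WILDCARD'."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (int(ipaddress.IPv4Address(tokens[1])), 0), tokens[2:]
    base = int(ipaddress.IPv4Address(tokens[0]))
    wild = int(ipaddress.IPv4Address(tokens[1]))
    return (base, wild), tokens[2:]

def parse(line):
    """Parse the subset of extended-ACL syntax used on this page."""
    t = line.split()[2:]                      # drop 'access-list 101'
    action, proto, t = t[0], t[1], t[2:]
    src, t = _addr(t)
    dst, t = _addr(t)
    port = int(t[1]) if t[:1] == ["eq"] else None   # destination port
    return action, proto, src, dst, port

def _ip_match(ip, spec):
    base, wild = spec
    # Wildcard bits set to 1 are "don't care"; compare only the 0 bits.
    care = ~wild & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (base & care)

def evaluate(acl, proto, src, dst, dport=None):
    """Return (action, reason): first matching entry wins, else implicit deny."""
    for position, line in enumerate(acl, 1):
        action, p, s, d, port = parse(line)
        if p not in ("ip", proto):            # protocol must match
            continue
        if not (_ip_match(src, s) and _ip_match(dst, d)):
            continue
        if port is not None and port != dport:
            continue
        return action, f"entry {position}"
    return "deny", "implicit deny"            # the invisible final entry
```

Calling `evaluate(ACL_101, "tcp", "10.10.10.25", "198.51.100.10", 80)` reproduces the question's packet: the protocol and source match entry 1 but the port does not, entry 2 fails on protocol, and the packet falls through to the implicit deny.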
Key Concepts to Remember
- ACLs process packets sequentially and apply the first matching permit or deny rule encountered in the list.
- An implicit deny at the end of every ACL blocks any traffic that does not match a permit entry.
- ACL entries must explicitly specify protocol types and port numbers to permit corresponding traffic.
- Permitting a source subnet in an ACL does not automatically permit all protocols or ports from that subnet.
- TCP port 80 is used for HTTP traffic, while TCP port 443 is used for HTTPS traffic in ACL filtering.
- ICMP traffic is permitted by a separate ACL entry and does not affect TCP traffic filtering.
- Cisco routers do not modify application layer protocols such as converting HTTP to HTTPS automatically.
- Understanding implicit deny behavior is critical to designing effective ACLs that do not unintentionally block traffic.
Exam Day Tips
- Watch for words such as best, first, most likely and least administrative effort.
- Review why wrong options are wrong, not only why the correct option is correct.
Key takeaway
ACLs process packets sequentially and apply the first matching permit or deny rule encountered in the list.
Real-world example
How this comes up in practice
A small business has 20 workstations on the 192.168.1.0/24 network and one public IP from its ISP. The router uses PAT (NAT overload) so all 20 devices share one public address using different source ports. NAT questions test whether you understand the four address terms and which direction each translation applies.
What to study next
Got this wrong? Here's your next step.
Review the principle that ACLs process packets sequentially and apply the first matching permit or deny rule encountered in the list, then practise related 200-301 questions on the same topic to reinforce the concept.
FAQ
Questions learners often ask
What does this 200-301 question test?
This question tests Network Services and Security: ACLs process packets sequentially and apply the first matching permit or deny rule encountered in the list.
What is the correct answer to this question?
The correct answer is: It is denied by the implicit deny. — HTTP uses TCP port 80, not 443. Because the ACL does not include a permit for that traffic, it is dropped by the implicit deny at the end of the ACL. The ICMP entry is irrelevant because the packet is TCP.
What should I do if I get this 200-301 question wrong?
Review the principle that ACLs process packets sequentially and apply the first matching permit or deny rule encountered in the list, then practise related 200-301 questions on the same topic to reinforce the concept.
What is the key concept behind this question?
ACLs process packets sequentially and apply the first matching permit or deny rule encountered in the list.
About these practice questions
Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content.
Last reviewed: May 17, 2026
This 200-301 practice question is part of Courseiva's free Cisco certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the 200-301 exam.