
An ACL on R1 contains only these entries:

access-list 101 permit tcp 10.10.10.0 0.0.0.255 any eq 443
access-list 101 permit icmp any any

What happens to an HTTP packet sourced from 10.10.10.25 and destined for 198.51.100.10 if ACL 101 is applied in the traffic path?


Answer choices

Why each option matters

Good practice is not just finding the correct option. The wrong answers often show the exact trap the exam wants you to fall into.

A. It is permitted because the source subnet is allowed. (Distractor)

The ACL is not permitting the source subnet broadly; it is permitting only TCP 443 from that subnet.

B. It is denied by the implicit deny. (Best answer)

The packet does not match either permit entry, so the implicit deny drops it.

C. It is translated by NAT before the ACL is checked. (Distractor)

NAT behavior depends on placement and is not the point of this ACL question.

D. It is converted to HTTPS automatically. (Distractor)

Routers do not rewrite application protocols in that way.

Common exam trap

Common exam trap: answer the scenario, not the keyword

A common exam trap is assuming that permitting a source subnet in an ACL automatically allows all traffic from that subnet regardless of protocol or port. In this question, the ACL permits TCP traffic only on port 443 from the 10.10.10.0/24 subnet, so HTTP traffic on port 80 is not permitted and is dropped by the implicit deny. Another trap is ignoring the implicit deny rule at the end of ACLs, which silently blocks unmatched traffic. Candidates might incorrectly believe that the ICMP permit entry or the subnet permit implies broader access, but ACLs require explicit matches for each protocol and port combination.

Technical deep dive

How to think about this question

Access Control Lists (ACLs) are fundamental security tools in Cisco networking that filter traffic based on defined criteria such as source and destination IP addresses, protocols, and port numbers. ACLs are processed sequentially, and once a packet matches an entry, the corresponding permit or deny action is applied immediately. If no entries match, an implicit deny at the end of the ACL drops the packet by default. This behavior ensures that only explicitly permitted traffic passes through, enhancing network security and traffic control.

In this scenario, ACL 101 permits TCP traffic sourced from the 10.10.10.0/24 subnet only if it is destined for any address on port 443 (HTTPS). It also permits all ICMP traffic regardless of source or destination. Since HTTP traffic uses TCP port 80, a packet from 10.10.10.25 to 198.51.100.10 on port 80 does not match any permit statement. Consequently, the ACL's implicit deny rule blocks this HTTP packet. This demonstrates the importance of specifying correct protocols and ports in ACLs to avoid unintended traffic drops.

A common exam trap is assuming that permitting a subnet in an ACL automatically allows all traffic from that subnet. However, ACLs are explicit and require exact matches on protocol and port numbers. Another trap is misunderstanding the implicit deny rule, which silently drops unmatched packets without logging by default. Practically, this means network administrators must carefully design ACLs to include all necessary permit statements and understand that any traffic not explicitly permitted will be denied, ensuring predictable and secure network behavior.
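To make the top-down, first-match, implicit-deny logic concrete, here is a small evaluator for the two ACL 101 entries above. This is an added example written for this page, not code from the page or from Cisco; it implements Cisco wildcard-mask matching (a 1 bit means "don't care") and only the `any`, `host`, `network wildcard` and `eq port` forms that the question uses.

```python
import ipaddress
# Added example, not from the page or from Cisco: a minimal evaluator for
# Cisco numbered extended ACL entries showing top-down first-match processing,
# wildcard-mask matching and the implicit deny at the end of every ACL.
ACL_101 = [  # the two entries from the question, as written in IOS
    "access-list 101 permit tcp 10.10.10.0 0.0.0.255 any eq 443",
    "access-list 101 permit icmp any any",
]

def _addr(tokens, i):
    """Return ((network, wildcard) as ints, next index) for one address field."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.ip_address(tokens[i + 1])), 0), i + 2
    net = int(ipaddress.ip_address(tokens[i]))
    wildcard = int(ipaddress.ip_address(tokens[i + 1]))
    return (net, wildcard), i + 2

def parse_entry(line):
    """Parse 'access-list N permit|deny proto src [wc] dst [wc] [eq port]'."""
    t = line.split()
    action, proto = t[2], t[3]
    src, i = _addr(t, 4)
    dst, i = _addr(t, i)
    dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}

def _in_range(ip, net_wc):
    # Cisco wildcard semantics: a 1 bit in the wildcard means "don't care".
    net, wildcard = net_wc
    return ((int(ipaddress.ip_address(ip)) ^ net) & ~wildcard & 0xFFFFFFFF) == 0

def evaluate(acl_lines, proto, src, dst, dport=None):
    """Walk the ACL top-down; the first matching entry wins, else implicit deny."""
    for line in acl_lines:
        e = parse_entry(line)
        if e["proto"] != proto:
            continue
        if not (_in_range(src, e["src"]) and _in_range(dst, e["dst"])):
            continue
        if e["dport"] is not None and e["dport"] != dport:
            continue
        return f"{e['action']} (matched: {line})"
    return "deny (implicit deny at end of ACL)"

if __name__ == "__main__":
    # HTTP (TCP/80) from 10.10.10.25 matches neither entry, so it is dropped.
    print(evaluate(ACL_101, "tcp", "10.10.10.25", "198.51.100.10", 80))
    print(evaluate(ACL_101, "tcp", "10.10.10.25", "198.51.100.10", 443))
```

Changing the destination port from 80 to 443, or the protocol to icmp, flips the result to permit; a source outside 10.10.10.0/24 falls through to the implicit deny even on port 443.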

Key Concepts to Remember

  • ACLs process packets sequentially and apply the first matching permit or deny rule encountered in the list.
  • An implicit deny at the end of every ACL blocks any traffic that does not match a permit entry.
  • ACL entries must explicitly specify protocol types and port numbers to permit corresponding traffic.
  • Permitting a source subnet in an ACL does not automatically permit all protocols or ports from that subnet.
  • HTTP uses TCP port 80, while HTTPS uses TCP port 443; an ACL entry matching one does not match the other.
  • ICMP traffic is permitted by a separate ACL entry and does not affect TCP traffic filtering.
  • Cisco routers do not modify application layer protocols such as converting HTTP to HTTPS automatically.
  • Understanding implicit deny behavior is critical to designing effective ACLs that do not unintentionally block traffic.

Exam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.


FAQ

Questions learners often ask

What does this 200-301 question test?

ACLs process packets sequentially and apply the first matching permit or deny rule encountered in the list.

What is the correct answer to this question?

The correct answer is: It is denied by the implicit deny. — HTTP uses TCP port 80, not 443. Because the ACL does not include a permit for that traffic, it is dropped by the implicit deny at the end of the ACL. The ICMP entry is irrelevant because the packet is TCP.

What should I do if I get this 200-301 question wrong?

Try more questions from the same exam bank and focus on understanding why the wrong options are tempting.
