Courseiva
200-301
Full test
hardmultiple choiceObjective-mapped

An ACL permits only tcp 10.10.10.0/24 host 192.0.2.10 eq 443 and has no other permit entries. What happens to an ICMP echo request from 10.10.10.5 to 192.0.2.10?

Question 1hardmultiple choice
Full question →

An ACL permits only tcp 10.10.10.0/24 host 192.0.2.10 eq 443 and has no other permit entries. What happens to an ICMP echo request from 10.10.10.5 to 192.0.2.10?

Full question →

Answer choices

Why each option matters

Good practice is not just finding the correct option. The wrong answers often show the exact trap the exam wants you to fall into.

A

Distractor review

It is permitted because the destination matches

The destination match alone is not enough when protocol and port do not match.

B

Best answer

It is denied by the implicit deny

Correct. Traffic not explicitly permitted is denied.

C

Distractor review

It is translated into TCP and then permitted

ACLs do not translate ICMP into TCP.

D

Distractor review

It is permitted only if the source port is 443

ICMP does not use TCP source port 443.

Common exam trap

Common exam trap: answer the scenario, not the keyword

A common exam trap is assuming that because the destination IP address matches the ACL permit statement, the ICMP echo request will be allowed. Candidates often overlook that ACLs require all specified criteria—protocol, source and destination IPs, and ports—to match exactly. Since the ACL permits only TCP traffic on port 443, ICMP packets do not meet the criteria and are denied by the implicit deny. Misunderstanding this leads to incorrect answers that ignore the importance of protocol and port matching in ACLs.

Technical deep dive

How to think about this question

Access Control Lists (ACLs) are fundamental security tools in Cisco networking that filter traffic based on defined criteria such as protocol type, source and destination IP addresses, and port numbers. ACLs process packets sequentially, matching each packet against the list entries until a permit or deny condition is met. If no explicit match is found, an implicit deny rule at the end of every ACL blocks the traffic by default. This implicit deny ensures that only traffic explicitly permitted by the ACL is allowed through the interface. In the context of this question, the ACL explicitly permits only TCP traffic from the 10.10.10.0/24 subnet to the host 192.0.2.10 on destination port 443 (HTTPS). Since ICMP echo requests do not use TCP or port 443, they do not match the permit condition. Consequently, the implicit deny at the end of the ACL blocks the ICMP packet. Cisco routers do not translate ICMP packets into TCP, so the ICMP echo request is not converted or permitted under the existing ACL rules. A common exam trap is assuming that matching the destination IP address alone is sufficient for permitting traffic. Candidates may incorrectly believe that because the destination host matches, the ICMP echo request should be allowed. However, ACLs evaluate all specified criteria, including protocol and port numbers, and only permit traffic that fully matches an explicit permit statement. Practically, this behavior enforces strict traffic filtering, ensuring that only authorized protocols and ports are accessible, which is critical for network security and compliance.

KKey Concepts to Remember

  • ACLs process packets sequentially and apply the first matching permit or deny rule to the traffic.
  • Every ACL ends with an implicit deny that blocks all traffic not explicitly permitted by earlier entries.
  • ACL permit statements must match all specified criteria, including protocol type, source and destination IPs, and port numbers.
  • ICMP traffic does not use TCP ports and cannot match ACL entries that specify TCP port numbers.
  • Cisco routers do not translate ICMP packets into TCP to bypass ACL restrictions.
  • An ACL permitting only TCP traffic on port 443 will deny all other protocols, including ICMP.
  • Implicit deny behavior enforces strict security by blocking any traffic not explicitly allowed.
  • Matching only the destination IP address in an ACL is insufficient to permit traffic if other criteria differ.

TExam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Related practice questions

Related 200-301 practice-question pages

Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.

CCNA subnetting practice questions

Practise IPv4 subnetting, CIDR, masks, host ranges and subnet selection.

CCNA OSPF practice questions

Practise OSPF neighbours, router IDs, metrics, areas and routing-table interpretation.

CCNA VLAN practice questions

Practise VLANs, access ports, trunks, allowed VLANs and switching scenarios.

CCNA STP practice questions

Practise spanning tree, root bridge election, port roles and STP troubleshooting.

CCNA EtherChannel practice questions

Practise LACP, PAgP, port-channel behaviour and bundle requirements.

CCNA ACL practice questions

Practise standard and extended ACLs, permit/deny logic and traffic filtering.

CCNA NAT practice questions

Practise static NAT, dynamic NAT, PAT and inside/outside address translation.

CCNA DHCP practice questions

Practise DHCP scopes, relay, leases and troubleshooting.

CCNA show ip route practice questions

Practise routing-table output, longest-prefix match, AD and route selection.

CCNA show interfaces trunk practice questions

Practise trunk verification and VLAN forwarding across switches.

CCNA wireless security practice questions

Practise WLAN security, authentication and wireless architecture concepts.

CCNA IPv6 practice questions

Practise IPv6 addressing, routes, neighbour discovery and common IPv6 exam traps.

More questions from this exam

Keep practising from the same exam bank, or move into a focused topic page if this question exposed a weak area.

Question 1

A router learns the same prefix from both OSPF and EIGRP. Which route is installed by default?

Question 2

A router shows this output: R1#show ip ospf neighbor Neighbor ID Pri State Dead Time Address Interface 10.1.1.2 1 FULL/DR 00:00:34 192.168.12.2 GigabitEthernet0/0 10.1.1.3 1 2WAY/DROTHER 00:00:39 192.168.12.3 GigabitEthernet0/0 Which statement is correct?

Question 3

What is the OSPF metric called?

Question 4

A non-root switch has two uplinks toward the root bridge. One path has a lower total STP cost than the other. What role will the lower-cost uplink have?

Question 5

A router interface applies this ACL inbound: 10 deny tcp any any eq 80 20 permit ip any any A user reports that web browsing to a server by IP address fails, but ping works. Which statement best explains the behavior?

Question 6

A router learns route 198.51.100.0/24 from OSPF with AD 110 and also has a static route to the same prefix configured with AD 150. Which route is installed?

FAQ

Questions learners often ask

What does this 200-301 question test?

ACLs process packets sequentially and apply the first matching permit or deny rule to the traffic.

What is the correct answer to this question?

The correct answer is: It is denied by the implicit deny — ACLs end with an implicit deny. Since the only explicit permit is for HTTPS traffic, the ICMP packet is denied.

What should I do if I get this 200-301 question wrong?

Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.

Discussion

Loading comments…

Sign in to join the discussion.