Exhibit
Requirement:
- Block HTTP from 10.10.10.0/24 to 172.16.1.10
- Permit all other traffic
access-list 110 ?
Based on the exhibit, which ACL entry should be placed first to block HTTP from 10.10.10.0/24 to the web server while allowing all other traffic?
Why each option matters
Good practice is not just finding the correct option. The wrong answers often show the exact trap the exam wants you to fall into.
Best answer
deny tcp 10.10.10.0 0.0.0.255 host 172.16.1.10 eq 80
This is correct because it blocks only HTTP traffic from the specified subnet to the specific server.
Distractor review
deny ip 10.10.10.0 0.0.0.255 host 172.16.1.10
This is wrong because it blocks all IP traffic to that host, not just HTTP.
Distractor review
permit tcp 10.10.10.0 0.0.0.255 host 172.16.1.10 eq 80
This is wrong because it would allow the traffic that the requirement says to block.
Distractor review
deny udp 10.10.10.0 0.0.0.255 host 172.16.1.10 eq 80
This is wrong because normal HTTP uses TCP, not UDP.
Common exam trap: answer the scenario, not the keyword
A common exam trap is selecting a deny statement that blocks all IP traffic to the web server instead of just HTTP. This mistake causes unintended denial of all services, not just web traffic, which contradicts the requirement to allow all other traffic. Another trap is denying UDP traffic on port 80, which is ineffective because HTTP uses TCP. Candidates may also mistakenly permit HTTP traffic, which defeats the purpose of blocking it. The exam tests your ability to precisely match protocol and port to avoid overbroad or ineffective ACL entries.
Technical deep dive
How to think about this question
Access Control Lists (ACLs) are fundamental security tools in Cisco networking that filter traffic based on defined criteria such as source IP, destination IP, protocol, and port numbers. In the CCNA context, ACLs are used to control which packets are permitted or denied through a router or switch interface, enabling granular traffic management and security enforcement. Understanding how to craft ACL entries precisely is critical for effective network security and traffic flow control.

When creating an ACL to block HTTP traffic from a specific subnet to a web server, the rule must be narrowly defined to deny only TCP traffic destined for port 80 on the target host. This specificity ensures that only HTTP traffic is blocked while all other traffic types and services remain unaffected. The ACL entry "deny tcp 10.10.10.0 0.0.0.255 host 172.16.1.10 eq 80" correctly matches TCP packets from the 10.10.10.0/24 subnet to the web server's IP on port 80, effectively blocking HTTP without disrupting other protocols or ports.

A common exam trap is to use overly broad deny statements, such as denying all IP traffic to the host, which inadvertently blocks all communication, not just HTTP. Another pitfall is confusing TCP and UDP protocols; since HTTP uses TCP, denying UDP traffic on port 80 has no effect. The practical behavior of ACLs in Cisco devices requires precise matching criteria to avoid unintended network disruptions, making it essential to understand protocol and port specificity when designing ACLs for security and traffic control.
Key Concepts to Remember
- An ACL entry that denies TCP traffic to port 80 from a specific subnet blocks only HTTP traffic while allowing other protocols and ports.
- Cisco ACLs evaluate entries in sequential order and stop processing once a match is found, so the deny statement must be placed first to be effective.
- Denying all IP traffic to a host blocks all communication, which is broader than needed when only HTTP traffic should be blocked.
- HTTP traffic uses TCP protocol on port 80, so ACLs must specify TCP and port 80 to accurately block HTTP.
- Permit statements in ACLs allow traffic that matches the criteria, so a permit for HTTP traffic contradicts the goal of blocking it.
- Cisco ACLs use wildcard masks to specify source or destination IP ranges, enabling precise subnet matching in access rules.
- The implicit deny at the end of an ACL blocks all traffic not explicitly permitted, so careful ordering of deny and permit statements is critical.
- Understanding protocol and port specificity in ACLs prevents unintended network access issues and aligns with CCNA security fundamentals.
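To make the matching rules above concrete, here is a small Python evaluator for Cisco-style extended ACL entries. It is an added example written for this page, not code from Cisco or from the exam; it implements first-match evaluation, wildcard-mask comparison, protocol and destination-port matching, and the implicit deny at the end of the list. The packets and the alternative ACLs (the "deny ip" distractor, the "deny udp" distractor, and the deny placed after a permit ip any any) are constructed here so the behaviour of each option can be checked offline.

```python
"""Constructed example: evaluate IOS-style extended ACL entries against sample packets."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# A few well-known service names IOS accepts after "eq"; numeric ports also work.
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "telnet": 23, "ssh": 22, "domain": 53}


@dataclass(frozen=True)
class Packet:
    proto: str                   # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None  # destination port for tcp/udp, None for icmp


@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches any protocol; otherwise exact match
    src: int
    src_wild: int
    dst: int
    dst_wild: int
    dport: Optional[int]         # None means "any destination port"
    text: str


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def _wild_match(addr: int, base: int, wildcard: int) -> bool:
    # Wildcard bit 1 = "don't care", 0 = must match; 0.0.0.255 therefore matches a /24.
    return ((addr ^ base) & ~wildcard & 0xFFFFFFFF) == 0


def _parse_addr(tok: List[str], i: int):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' starting at tok[i]."""
    if tok[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tok[i] == "host":
        return _ip(tok[i + 1]), 0, i + 2
    return _ip(tok[i]), _ip(tok[i + 1]), i + 2


def parse_ace(line: str) -> Ace:
    tok = line.split()
    if tok[0].isdigit():          # drop an IOS sequence number such as "10"
        tok = tok[1:]
    if tok[0] == "access-list":   # drop an "access-list 110" prefix
        tok = tok[2:]
    action, proto = tok[0], tok[1]
    src, src_wild, i = _parse_addr(tok, 2)
    dst, dst_wild, i = _parse_addr(tok, i)
    dport = None
    if i < len(tok) and tok[i] == "eq":
        p = tok[i + 1]
        dport = int(p) if p.isdigit() else PORT_NAMES[p]
    return Ace(action, proto, src, src_wild, dst, dst_wild, dport, line.strip())


def parse_acl(text: str) -> List[Ace]:
    return [parse_ace(l) for l in text.strip().splitlines() if l.strip()]


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not _wild_match(_ip(pkt.src), ace.src, ace.src_wild):
        return False
    if not _wild_match(_ip(pkt.dst), ace.dst, ace.dst_wild):
        return False
    if ace.dport is not None and pkt.dport != ace.dport:
        return False
    return True


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """Sequential first-match; a packet matching no entry hits the implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


# The ACL the question asks for, plus the distractors and an ordering mistake (all constructed).
CORRECT_ACL = parse_acl("""
access-list 110 deny tcp 10.10.10.0 0.0.0.255 host 172.16.1.10 eq 80
access-list 110 permit ip any any
""")
DENY_IP_DISTRACTOR = parse_acl("""
access-list 110 deny ip 10.10.10.0 0.0.0.255 host 172.16.1.10
access-list 110 permit ip any any
""")
DENY_UDP_DISTRACTOR = parse_acl("""
access-list 110 deny udp 10.10.10.0 0.0.0.255 host 172.16.1.10 eq 80
access-list 110 permit ip any any
""")
WRONG_ORDER = parse_acl("""
access-list 110 permit ip any any
access-list 110 deny tcp 10.10.10.0 0.0.0.255 host 172.16.1.10 eq 80
""")
DENY_ONLY = parse_acl("access-list 110 deny tcp 10.10.10.0 0.0.0.255 host 172.16.1.10 eq 80")

# Constructed sample packets.
HTTP_FROM_LAN = Packet("tcp", "10.10.10.25", "172.16.1.10", 80)
HTTPS_FROM_LAN = Packet("tcp", "10.10.10.25", "172.16.1.10", 443)
PING_FROM_LAN = Packet("icmp", "10.10.10.25", "172.16.1.10")
HTTP_FROM_OTHER = Packet("tcp", "10.10.20.25", "172.16.1.10", 80)

if __name__ == "__main__":
    for name, acl in [("correct", CORRECT_ACL), ("deny ip", DENY_IP_DISTRACTOR),
                      ("deny udp", DENY_UDP_DISTRACTOR), ("wrong order", WRONG_ORDER),
                      ("deny only", DENY_ONLY)]:
        for pkt in (HTTP_FROM_LAN, HTTPS_FROM_LAN, PING_FROM_LAN, HTTP_FROM_OTHER):
            print(f"{name:12} {pkt.proto:4} {pkt.src:>12} -> {pkt.dst}:{pkt.dport} => {evaluate(acl, pkt)}")
```

Running the script shows the exam's point directly: only the correct list denies HTTP from the LAN while permitting HTTPS, ping and HTTP from other subnets; the "deny ip" distractor also drops the ping, the "deny udp" distractor never matches TCP at all, the reversed order permits everything because the first match wins, and a list with no permit statement drops everything through the implicit deny.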
Exam Day Tips
- Watch for words such as best, first, most likely and least administrative effort.
- Review why wrong options are wrong, not only why the correct option is correct.
Related practice questions
Related 200-301 practice-question pages
Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.
CCNA subnetting practice questions
Practise IPv4 subnetting, CIDR, masks, host ranges and subnet selection.
CCNA OSPF practice questions
Practise OSPF neighbours, router IDs, metrics, areas and routing-table interpretation.
CCNA VLAN practice questions
Practise VLANs, access ports, trunks, allowed VLANs and switching scenarios.
CCNA STP practice questions
Practise spanning tree, root bridge election, port roles and STP troubleshooting.
CCNA EtherChannel practice questions
Practise LACP, PAgP, port-channel behaviour and bundle requirements.
CCNA ACL practice questions
Practise standard and extended ACLs, permit/deny logic and traffic filtering.
CCNA NAT practice questions
Practise static NAT, dynamic NAT, PAT and inside/outside address translation.
CCNA DHCP practice questions
Practise DHCP scopes, relay, leases and troubleshooting.
CCNA show ip route practice questions
Practise routing-table output, longest-prefix match, AD and route selection.
CCNA show interfaces trunk practice questions
Practise trunk verification and VLAN forwarding across switches.
CCNA wireless security practice questions
Practise WLAN security, authentication and wireless architecture concepts.
CCNA IPv6 practice questions
Practise IPv6 addressing, routes, neighbour discovery and common IPv6 exam traps.
More questions from this exam
Keep practising from the same exam bank, or move into a focused topic page if this question exposed a weak area.
Question 1
A router learns the same prefix from both OSPF and EIGRP. Which route is installed by default?
Question 2
A router shows this output:
R1#show ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
10.1.1.2          1   FULL/DR         00:00:34    192.168.12.2    GigabitEthernet0/0
10.1.1.3          1   2WAY/DROTHER    00:00:39    192.168.12.3    GigabitEthernet0/0
Which statement is correct?
Question 3
What is the OSPF metric called?
Question 4
A non-root switch has two uplinks toward the root bridge. One path has a lower total STP cost than the other. What role will the lower-cost uplink have?
Question 5
A router interface applies this ACL inbound:
10 deny tcp any any eq 80
20 permit ip any any
A user reports that web browsing to a server by IP address fails, but ping works. Which statement best explains the behavior?
Question 6
A router learns route 198.51.100.0/24 from OSPF with AD 110 and also has a static route to the same prefix configured with AD 150. Which route is installed?
FAQ
Questions learners often ask
What does this 200-301 question test?
An ACL entry that denies TCP traffic to port 80 from a specific subnet blocks only HTTP traffic while allowing other protocols and ports.
What is the correct answer to this question?
The correct answer is: deny tcp 10.10.10.0 0.0.0.255 host 172.16.1.10 eq 80 — The ACL needs a narrow deny statement that matches only TCP port 80 from the specified source subnet to the specific server. In practical terms, the requirement is not to block all IP traffic or all access to the host. It is to stop normal HTTP while allowing everything else. That means the entry must be precise. This is the kind of ACL question the CCNA exam likes because it forces you to distinguish protocol, destination, and service rather than relying on vague source-only logic.
What should I do if I get this 200-301 question wrong?
Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.