CCNA Network Services and Security Practice Question
This 200-301 practice question tests your understanding of network services and security. This is a configuration task: choose the command set that satisfies every stated requirement. Small differences — like 'secret' vs 'password' or 'transport input ssh' vs 'all' — change whether the answer is correct. A key principle to apply: an ACL entry that denies TCP traffic to port 80 from a specific subnet blocks only HTTP traffic while allowing other protocols and ports. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.
Exhibit
Requirement:
- Block HTTP from 10.10.10.0/24 to 172.16.1.10
- Permit all other traffic
access-list 110 ?
An administrator needs to configure an ACL to block HTTP traffic from subnet 10.10.10.0/24 to the web server at 172.16.1.10 while permitting all other traffic. Which ACL entry should be placed first?
Clue words in this question
Noticing these words before you look at the options changes how you read each choice.
Clue: "first"
Why it matters: Order matters here. You are being tested on which action comes before the others — not which action is generally useful.
The ACL needs a narrow deny statement that matches only TCP port 80 from the specified source subnet to the specific server. In practical terms, the requirement is not to block all IP traffic or all access to the host. It is to stop normal HTTP while allowing everything else. That means the entry must be precise.
This is the kind of ACL question the CCNA exam likes because it forces you to distinguish protocol, destination, and service rather than relying on vague source-only logic.
Key principle: An ACL entry that denies TCP traffic to port 80 from a specific subnet blocks only HTTP traffic while allowing other protocols and ports.
Answer analysis
Option-by-option breakdown
For each option: why learners choose it and why it is or isn't the right answer here.
✓ deny tcp 10.10.10.0 0.0.0.255 host 172.16.1.10 eq 80
This is correct because it blocks only HTTP traffic from the specified subnet to the specific server.
Clue confirmation
The clue word "first" in the question points toward this answer.
Related concept
An ACL entry that denies TCP traffic to port 80 from a specific subnet blocks only HTTP traffic while allowing other protocols and ports.
✗ deny ip 10.10.10.0 0.0.0.255 host 172.16.1.10
Why it's wrong here
This is wrong because it blocks all IP traffic to that host, not just HTTP.
✗ permit tcp 10.10.10.0 0.0.0.255 host 172.16.1.10 eq 80
This is wrong because it would allow the traffic that the requirement says to block.
✗ deny udp 10.10.10.0 0.0.0.255 host 172.16.1.10 eq 80
This is wrong because normal HTTP uses TCP, not UDP.
Option-by-option analysis
Why each answer is right or wrong
Understanding why wrong answers are wrong — and when they would be correct — is what separates a 750 score from a 900. The 200-301 exam frequently reuses these exact scenarios with slightly different constraints.
✓ deny tcp 10.10.10.0 0.0.0.255 host 172.16.1.10 eq 80
This is correct because it blocks only HTTP traffic from the specified subnet to the specific server.
✗ deny ip 10.10.10.0 0.0.0.255 host 172.16.1.10
Why this is wrong here
Option B is incorrect because it denies all IP traffic from the specified source to the destination, which is broader than required and does not specifically target HTTP traffic on port 80.
★ When this WOULD be the correct answer
If the exam question asked for a rule to block all traffic from 10.10.10.0/24 to the web server at 172.16.1.10, regardless of the protocol, then option B would be the correct answer as it effectively blocks all IP traffic.
Why candidates choose this
Candidates may choose this option because it appears to address the requirement of blocking traffic, but they overlook that it does not specify the HTTP protocol, leading to a broader and unintended denial of service.
✗ permit tcp 10.10.10.0 0.0.0.255 host 172.16.1.10 eq 80
Why this is wrong here
Option C is incorrect because it permits HTTP traffic from the specified source to the web server, which is contrary to the requirement to block this traffic. The question specifically asks for a rule that denies HTTP access.
★ When this WOULD be the correct answer
In a different scenario where the question asks for an ACL entry to allow HTTP traffic from a specific subnet to a web server while blocking all other traffic, option C would be correct. For example, if the question stated to permit only HTTP traffic from 10.10.10.0/24 to 172.16.1.10, option C would fit.
Why candidates choose this
Candidates may choose this option because it includes the correct source and destination addresses and specifies the correct protocol (TCP) and port (80), leading them to mistakenly believe it aligns with the intent of the question.
✗ deny udp 10.10.10.0 0.0.0.255 host 172.16.1.10 eq 80
Why this is wrong here
Option D is incorrect because it specifies 'deny udp', which does not block HTTP traffic, as HTTP uses TCP, not UDP. Therefore, it fails to meet the requirement of blocking HTTP from the specified source to the web server.
★ When this WOULD be the correct answer
In a different scenario where the question asks to block UDP traffic specifically from 10.10.10.0/24 to a service running on port 80 of the web server, option D would be the correct choice. For example, if the web server was configured to use a UDP-based protocol on port 80, this entry would be valid.
Why candidates choose this
Candidates might choose this option due to a misunderstanding of the protocols involved, confusing HTTP (TCP) with potential UDP traffic, or they may incorrectly assume that blocking any traffic to the web server is sufficient.
Analysis generated from the official 200-301 blueprint and verified against question context. The “when correct” sections are what AI assistants cite when candidates ask “what’s the difference between these options?”
Common exam traps
Common exam trap: answer the scenario, not the keyword
Be careful to distinguish between blocking all traffic and blocking specific services. Ensure you understand the requirement to block only HTTP traffic, not all IP traffic.
Detailed technical explanation
How to think about this question
Access Control Lists (ACLs) are fundamental security tools in Cisco networking that filter traffic based on defined criteria such as source IP, destination IP, protocol, and port numbers. In the CCNA context, ACLs are used to control which packets are permitted or denied through a router or switch interface, enabling granular traffic management and security enforcement. Understanding how to craft ACL entries precisely is critical for effective network security and traffic flow control.
When creating an ACL to block HTTP traffic from a specific subnet to a web server, the rule must be narrowly defined to deny only TCP traffic destined for port 80 on the target host. This specificity ensures that only HTTP traffic is blocked while all other traffic types and services remain unaffected. The ACL entry "deny tcp 10.10.10.0 0.0.0.255 host 172.16.1.10 eq 80" correctly matches TCP packets from the 10.10.10.0/24 subnet to the web server's IP on port 80, effectively blocking HTTP without disrupting other protocols or ports.
A common exam trap is to use overly broad deny statements, such as denying all IP traffic to the host, which inadvertently blocks all communication, not just HTTP. Another pitfall is confusing TCP and UDP protocols; since HTTP uses TCP, denying UDP traffic on port 80 has no effect. The practical behavior of ACLs in Cisco devices requires precise matching criteria to avoid unintended network disruptions, making it essential to understand protocol and port specificity when designing ACLs for security and traffic control.
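To make the matching and ordering rules in the explanation above concrete, here is a small ACL evaluator written for this page as an added example; it is not Cisco code and not part of the original question. It supports only the subset of extended-ACL syntax used by the four options (`permit`/`deny`, `ip`/`tcp`/`udp`, wildcard masks, `host`, `any`, `eq <port>`), evaluates entries sequentially with first-match-wins and an implicit deny at the end, and then checks each candidate first entry (followed by `permit ip any any`) against a constructed set of sample packets. The packet list, the `Packet`/`Entry` classes and all function names are assumptions made for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed data types for this example (not Cisco's representation).
@dataclass
class Packet:
    src: str
    dst: str
    proto: str                 # "tcp", "udp" or "icmp"
    dport: Optional[int] = None  # destination port; None for protocols without ports

@dataclass
class Entry:
    action: str                # "permit" or "deny"
    proto: str                 # "ip" (any protocol), "tcp", "udp", ...
    src: Tuple[str, str]       # (address, wildcard mask)
    dst: Tuple[str, str]       # (address, wildcard mask)
    port: Optional[int]        # destination port from "eq <port>", else None

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

def _parse_addr(tokens: List[str], i: int) -> Tuple[Tuple[str, str], int]:
    if tokens[i] == "host":                      # host X  == X 0.0.0.0
        return (tokens[i + 1], "0.0.0.0"), i + 2
    if tokens[i] == "any":                       # any     == 0.0.0.0 255.255.255.255
        return ("0.0.0.0", "255.255.255.255"), i + 1
    return (tokens[i], tokens[i + 1]), i + 2     # address wildcard

def parse_entry(line: str) -> Entry:
    """Parse '<action> <proto> <src> <dst> [eq <port>]' (subset of extended ACL syntax)."""
    t = line.split()
    action, proto = t[0], t[1]
    src, i = _parse_addr(t, 2)
    dst, i = _parse_addr(t, i)
    port = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return Entry(action, proto, src, dst, port)

def entry_matches(e: Entry, p: Packet) -> bool:
    if e.proto != "ip" and e.proto != p.proto:   # "ip" matches every protocol
        return False
    if not wildcard_match(p.src, *e.src) or not wildcard_match(p.dst, *e.dst):
        return False
    return e.port is None or p.dport == e.port   # port is only checked when "eq" was given

def evaluate(acl: List[Entry], p: Packet) -> str:
    """Sequential evaluation: the first matching entry decides; no match means implicit deny."""
    for e in acl:
        if entry_matches(e, p):
            return e.action
    return "deny"

# Constructed sample traffic that exercises the requirement.
TRAFFIC = [
    Packet("10.10.10.25", "172.16.1.10", "tcp", 80),    # HTTP from the subnet: must be denied
    Packet("10.10.10.25", "172.16.1.10", "tcp", 443),   # HTTPS from the subnet: must be permitted
    Packet("10.10.10.25", "172.16.1.10", "icmp"),       # ping from the subnet: must be permitted
    Packet("192.168.5.7", "172.16.1.10", "tcp", 80),    # HTTP from another network: must be permitted
]
EXPECTED = ["deny", "permit", "permit", "permit"]

def satisfies_requirement(first_entry: str) -> bool:
    """True if '<first_entry>' followed by 'permit ip any any' treats every sample packet correctly."""
    acl = [parse_entry(first_entry), parse_entry("permit ip any any")]
    return [evaluate(acl, p) for p in TRAFFIC] == EXPECTED

def action_with_permit_first() -> str:
    """Same two entries in the wrong order: the broad permit matches first and the deny never runs."""
    acl = [parse_entry("permit ip any any"),
           parse_entry("deny tcp 10.10.10.0 0.0.0.255 host 172.16.1.10 eq 80")]
    return evaluate(acl, TRAFFIC[0])

if __name__ == "__main__":
    for opt in ["deny tcp 10.10.10.0 0.0.0.255 host 172.16.1.10 eq 80",
                "deny ip 10.10.10.0 0.0.0.255 host 172.16.1.10",
                "permit tcp 10.10.10.0 0.0.0.255 host 172.16.1.10 eq 80",
                "deny udp 10.10.10.0 0.0.0.255 host 172.16.1.10 eq 80"]:
        print(f"{opt:60s} -> {'OK' if satisfies_requirement(opt) else 'fails requirement'}")
    print("deny placed after permit ip any any ->", action_with_permit_first())
```

Running the script shows only the `deny tcp ... eq 80` entry meeting all four expectations: the `deny ip` option also drops the HTTPS and ICMP packets, the `permit tcp` option lets the HTTP packet through, and the `deny udp` option never matches a TCP packet. The last line demonstrates the ordering rule from the question: with `permit ip any any` ahead of the deny, the HTTP packet is permitted because evaluation stops at the first match.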
Key Concepts to Remember
An ACL entry that denies TCP traffic to port 80 from a specific subnet blocks only HTTP traffic while allowing other protocols and ports.
Cisco ACLs evaluate entries in sequential order and stop processing once a match is found, so the deny statement must be placed first to be effective.
Denying all IP traffic to a host blocks all communication, which is broader than needed when only HTTP traffic should be blocked.
HTTP traffic uses TCP protocol on port 80, so ACLs must specify TCP and port 80 to accurately block HTTP.
Permit statements in ACLs allow traffic that matches the criteria, so a permit for HTTP traffic contradicts the goal of blocking it.
Cisco ACLs use wildcard masks to specify source or destination IP ranges, enabling precise subnet matching in access rules.
The implicit deny at the end of an ACL blocks all traffic not explicitly permitted, so careful ordering of deny and permit statements is critical.
Understanding protocol and port specificity in ACLs prevents unintended network access issues and aligns with CCNA security fundamentals.
Exam Day Tips
→ Watch for words such as best, first, most likely and least administrative effort.
→ Review why wrong options are wrong, not only why the correct option is correct.
Key takeaway
An ACL entry that denies TCP traffic to port 80 from a specific subnet blocks only HTTP traffic while allowing other protocols and ports.
Real-world example
How this comes up in practice
A small business has 20 workstations on the 192.168.1.0/24 network and one public IP from its ISP. The router uses PAT (NAT overload) so all 20 devices share one public address using different source ports. NAT questions test whether you understand the four address terms and which direction each translation applies.
Related glossary terms
Concepts from this question explained
These glossary pages explain the core terms tested in this 200-301 question in full detail.
Network Services and Security: this question tests the principle that an ACL entry that denies TCP traffic to port 80 from a specific subnet blocks only HTTP traffic while allowing other protocols and ports.
What is the correct answer to this question?
The correct answer is: deny tcp 10.10.10.0 0.0.0.255 host 172.16.1.10 eq 80 — The ACL needs a narrow deny statement that matches only TCP port 80 from the specified source subnet to the specific server. In practical terms, the requirement is not to block all IP traffic or all access to the host. It is to stop normal HTTP while allowing everything else. That means the entry must be precise.
What should I do if I get this 200-301 question wrong?
Review the key principle (an ACL entry that denies TCP traffic to port 80 from a specific subnet blocks only HTTP traffic while allowing other protocols and ports), then practise related 200-301 questions on the same topic to reinforce the concept.
Are there clue words in this question I should notice?
Yes — watch for: "first". Order matters here. You are being tested on which action comes before the others — not which action is generally useful.
What is the key concept behind this question?
An ACL entry that denies TCP traffic to port 80 from a specific subnet blocks only HTTP traffic while allowing other protocols and ports.
About these practice questions
Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →
This 200-301 practice question is part of Courseiva's free Cisco certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the 200-301 exam.