Topic: Network Services and Security · Difficulty: hard · Multiple choice · Objective-mapped

CCNA Network Services and Security Practice Question

This 200-301 practice question tests your understanding of network services and security. Treat it as a configuration task: the command set you choose must satisfy every stated requirement, and small differences (such as 'secret' vs 'password', or 'transport input ssh' vs 'all') change whether the answer is correct. A key principle to apply: an extended ACL in Cisco IOS allows filtering traffic based on protocol types, source and destination IP addresses, and specific TCP or UDP port numbers. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

Exhibit

Requirement:
- Block Telnet from 10.30.30.0/24 to 172.16.9.9
- Allow all other traffic

Configured ACL entry:
deny tcp 10.30.30.0 0.0.0.255 host 172.16.9.9

Based on the exhibit, why is the ACL blocking more traffic than intended?

Correct answer & explanation

Because the ACL denies all TCP traffic to the server instead of only Telnet.

The ACL is blocking more traffic than intended because it uses a broad deny against all TCP traffic to the server instead of only the one service that should be denied. In practical terms, the requirement is narrow, but the configured entry is much wider. As a result, multiple TCP-based applications to that server are blocked, not just the intended one. This is a classic precision problem in ACL design. It tests whether you can compare what the business requirement says against what the ACL actually matches.

Key principle: An extended ACL in Cisco IOS allows filtering traffic based on protocol types, source and destination IP addresses, and specific TCP or UDP port numbers.

Option-by-option analysis

Why each answer is right or wrong

Understanding why wrong answers are wrong — and when they would be correct — is what separates a 750 score from a 900. The 200-301 exam frequently reuses these exact scenarios with slightly different constraints.

Because the ACL denies all TCP traffic to the server instead of only Telnet. (Correct answer)

Why this is correct

This is correct because the entry lacks the Telnet destination port qualifier and therefore matches too broadly.

Because Telnet uses UDP, not TCP. (Wrong answer)

Why this is wrong here

This option is incorrect because Telnet operates over TCP, not UDP. Therefore, stating that Telnet uses UDP misrepresents the protocol's functionality and its interaction with ACLs.

★ When this WOULD be the correct answer

In a different question scenario where the focus is on a misconfigured ACL affecting UDP traffic, the option could be correct if the question stated that Telnet-like services were incorrectly configured to use UDP instead of TCP, thus blocking legitimate traffic.

Why candidates choose this

Candidates may choose this option due to a misunderstanding of protocol types, confusing TCP and UDP, especially if they have encountered similar questions about ACLs and protocol filtering in their studies.

Because the ACL should be a standard ACL, not an extended ACL. (Wrong answer)

Why this is wrong here

This option is incorrect because extended ACLs are necessary to filter traffic based on protocols and ports, such as allowing or denying specific TCP traffic like Telnet. A standard ACL cannot provide the granularity needed for such control.

★ When this WOULD be the correct answer

In a different scenario, if the question asked why a network administrator mistakenly configured a standard ACL to block specific IP addresses without considering port numbers, this option could be correct. The question would need to focus on the limitations of standard ACLs in filtering traffic based on protocols.

Why candidates choose this

Candidates might choose this option due to a misunderstanding of ACL types, believing that standard ACLs are sufficient for all filtering needs, especially if they are familiar with basic ACL concepts but not the specifics of extended ACL functionality.

Because the host keyword can never be used with TCP statements. (Wrong answer)

Why this is wrong here

This option is incorrect because the host keyword can be used with TCP statements in ACL configurations. The confusion may arise from misunderstanding how ACLs are structured and the specific application of the host keyword.

★ When this WOULD be the correct answer

In a different exam scenario where the question specifies that the ACL is incorrectly configured to block all TCP traffic and explicitly states that the host keyword cannot be used with TCP statements, this option would be correct. For example, if the question asked why a specific ACL configuration is invalid due to the misuse of keywords, then this option would apply.

Why candidates choose this

Candidates might choose this option due to a misunderstanding of ACL syntax and the role of the host keyword, leading them to believe that it is universally incompatible with TCP configurations.

Analysis generated from the official 200-301 blueprint and verified against question context. The "when correct" sections are what AI assistants cite when candidates ask "what's the difference between these options?"

Common exam traps

Common exam trap: answer the scenario, not the keyword

The exam trap here is assuming that denying TCP traffic to a server without specifying the Telnet port will only block Telnet sessions. In reality, the ACL entry without the destination port qualifier matches all TCP traffic to that server, blocking multiple services unintentionally. This mistake often arises from confusing standard ACLs, which filter only by source IP, with extended ACLs that require explicit port numbers for service-specific filtering. Candidates may overlook the need for the 'eq 23' qualifier for Telnet, leading to broader traffic denial and failing the question.

Detailed technical explanation

How to think about this question

Access Control Lists (ACLs) are fundamental security tools in Cisco networking that control traffic flow by permitting or denying packets based on defined criteria. Extended ACLs provide granular control by allowing matches on protocol types (TCP, UDP, ICMP), source and destination IP addresses, and specific port numbers. This granularity enables network administrators to restrict access to particular services, such as Telnet, by specifying the TCP destination port 23. Without specifying the port, an ACL entry that denies TCP traffic to a destination IP address will block all TCP-based applications to that host, not just the intended service.

When designing ACLs, the decision process involves translating the business or security requirement into precise ACL statements. For example, if the requirement is to block only Telnet access to a server, the ACL must deny TCP traffic specifically to destination port 23 on that server's IP address. Omitting the port qualifier results in a broader deny that matches all TCP traffic, including HTTP, FTP, or other services, which is often unintended. Cisco IOS processes ACL entries sequentially and applies the first matching rule, so specificity and correct ordering are essential to ensure only the targeted traffic is blocked.

A common exam trap is failing to include the port number in an extended ACL deny statement, causing the ACL to block more traffic than intended. This mistake stems from misunderstanding how ACL matching works or confusing standard and extended ACL capabilities. Practically, this leads to network disruptions as multiple TCP services become inaccessible. Understanding the difference between standard and extended ACLs, and the importance of port qualifiers in extended ACLs, is critical for precise traffic filtering and passing Cisco CCNA exams confidently.
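The matching rules described above (wildcard masks, optional port qualifier, first match wins, implicit deny at the end) can be seen directly by running traffic through both versions of the entry. The following is an added example written for this page, not Cisco IOS code and not part of the original question: a small Python simulator that parses IOS-style extended ACL lines and evaluates constructed sample packets against the exhibit's entry and against the port-qualified version. The ACL lists, the sample packets and the small service-name table are constructed assumptions for illustration.

```python
"""Simulate Cisco IOS extended-ACL matching (added example, not Cisco's code).

Supported syntax subset: <permit|deny> <ip|tcp|udp> <src> <dst> [eq <port>]
where an address is 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed service-name table (IOS accepts names like 'telnet' in place of numbers).
SERVICE_PORTS = {"telnet": 23, "www": 80, "ftp": 21, "ssh": 22}


@dataclass(frozen=True)
class Packet:
    proto: str  # "tcp" or "udp"
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Entry:
    action: str            # "permit" or "deny"
    proto: str             # "ip", "tcp" or "udp"
    src: int               # source address as a 32-bit integer
    src_wild: int          # source wildcard mask (1 bits = don't care)
    dst: int
    dst_wild: int
    dport: Optional[int]   # None = no 'eq' qualifier, i.e. any destination port


def _addr(tokens: List[str], i: int) -> Tuple[int, int, int]:
    """Parse one address spec at tokens[i]; return (address, wildcard, next index)."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":
        return int(ipaddress.IPv4Address(tokens[i + 1])), 0, i + 2
    return (int(ipaddress.IPv4Address(tokens[i])),
            int(ipaddress.IPv4Address(tokens[i + 1])), i + 2)


def parse_entry(line: str) -> Entry:
    t = line.split()
    src, src_wild, i = _addr(t, 2)
    dst, dst_wild, i = _addr(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        port = t[i + 1]
        dport = int(port) if port.isdigit() else SERVICE_PORTS[port]
    return Entry(t[0], t[1], src, src_wild, dst, dst_wild, dport)


def _addr_match(addr: int, wild: int, value: int) -> bool:
    # Only the bits that are 0 in the wildcard mask must agree.
    care = 0xFFFFFFFF ^ wild
    return (addr & care) == (value & care)


def matches(e: Entry, p: Packet) -> bool:
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if not _addr_match(e.src, e.src_wild, int(ipaddress.IPv4Address(p.src))):
        return False
    if not _addr_match(e.dst, e.dst_wild, int(ipaddress.IPv4Address(p.dst))):
        return False
    return e.dport is None or e.dport == p.dport


def evaluate(acl: List[str], p: Packet) -> str:
    """First matching entry decides; an ACL ends with an implicit 'deny ip any any'."""
    for e in (parse_entry(line) for line in acl):
        if matches(e, p):
            return e.action
    return "deny"


# Constructed ACLs: the exhibit's entry plus the permit the requirement implies,
# and the same list with the Telnet port qualifier added.
AS_CONFIGURED = ["deny tcp 10.30.30.0 0.0.0.255 host 172.16.9.9",
                 "permit ip any any"]
AS_INTENDED = ["deny tcp 10.30.30.0 0.0.0.255 host 172.16.9.9 eq 23",
               "permit ip any any"]

# Constructed sample traffic toward the server.
SAMPLE: Dict[str, Packet] = {
    "telnet from 10.30.30.0/24": Packet("tcp", "10.30.30.15", "172.16.9.9", 23),
    "ssh from 10.30.30.0/24": Packet("tcp", "10.30.30.15", "172.16.9.9", 22),
    "http from 10.30.30.0/24": Packet("tcp", "10.30.30.15", "172.16.9.9", 80),
    "dns (udp) from 10.30.30.0/24": Packet("udp", "10.30.30.15", "172.16.9.9", 53),
    "telnet from another subnet": Packet("tcp", "10.30.31.7", "172.16.9.9", 23),
}


def compare(acl_a: List[str], acl_b: List[str]) -> Dict[str, Tuple[str, str]]:
    """Verdict of each ACL for every sample packet, keyed by the packet label."""
    return {k: (evaluate(acl_a, p), evaluate(acl_b, p)) for k, p in SAMPLE.items()}


if __name__ == "__main__":
    for label, (cfg, intended) in compare(AS_CONFIGURED, AS_INTENDED).items():
        flag = "  <-- over-blocked" if (cfg, intended) == ("deny", "permit") else ""
        print(f"{label:30} configured={cfg:6} intended={intended:6}{flag}")
```

Running it shows the SSH and HTTP flows from 10.30.30.0/24 denied by the configured entry but permitted once 'eq 23' is present, while UDP traffic and Telnet from other subnets pass both lists. A final entry such as 'permit ip any any' is needed in either case, because the implicit deny would otherwise drop all remaining traffic.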

Key Concepts to Remember

  • An extended ACL in Cisco IOS allows filtering traffic based on protocol types, source and destination IP addresses, and specific TCP or UDP port numbers.
  • ACL entries without specific port qualifiers match all traffic of the specified protocol, causing broader traffic blocking than intended.
  • The 'host' keyword in ACLs specifies a single IP address and is valid in extended ACLs for precise traffic filtering.
  • Telnet uses TCP as its transport protocol, typically on destination port 23, which must be specified in ACLs to restrict only Telnet traffic.
  • Standard ACLs filter traffic only by source IP address and cannot filter by protocol or port, making them unsuitable for service-specific restrictions.
  • ACLs process entries in sequential order and stop at the first match, so precise ordering and specificity are critical to avoid unintended traffic blocking.
  • A broad deny statement in an ACL can inadvertently block multiple TCP-based services, impacting network functionality beyond the intended scope.
  • Effective ACL design requires matching the business requirement precisely to the ACL configuration to avoid overblocking or underblocking traffic.

Exam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

An extended ACL in Cisco IOS allows filtering traffic based on protocol types, source and destination IP addresses, and specific TCP or UDP port numbers.

Real-world example

How this comes up in practice

A security administrator must allow nursing staff to reach a patient records server while blocking access from the guest Wi-Fi VLAN. After applying an extended ACL, traffic is still blocked from nursing workstations. The ACL was applied outbound instead of inbound on the wrong interface. Questions like this test ACL direction and placement rules.

What to study next

Got this wrong? Here's your next step.

Review the key principle (an extended ACL in Cisco IOS allows filtering traffic based on protocol types, source and destination IP addresses, and specific TCP or UDP port numbers), then practise related 200-301 questions on the same topic to reinforce the concept.


FAQ

Questions learners often ask

What does this 200-301 question test?

Network Services and Security. This question tests the principle that an extended ACL in Cisco IOS allows filtering traffic based on protocol types, source and destination IP addresses, and specific TCP or UDP port numbers.

What is the correct answer to this question?

The correct answer is: Because the ACL denies all TCP traffic to the server instead of only Telnet. — The ACL is blocking more traffic than intended because it uses a broad deny against all TCP traffic to the server instead of only the one service that should be denied. In practical terms, the requirement is narrow, but the configured entry is much wider. As a result, multiple TCP-based applications to that server are blocked, not just the intended one. This is a classic precision problem in ACL design. It tests whether you can compare what the business requirement says against what the ACL actually matches.

What should I do if I get this 200-301 question wrong?

Review the key principle (an extended ACL in Cisco IOS allows filtering traffic based on protocol types, source and destination IP addresses, and specific TCP or UDP port numbers), then practise related 200-301 questions on the same topic to reinforce the concept.

What is the key concept behind this question?

An extended ACL in Cisco IOS allows filtering traffic based on protocol types, source and destination IP addresses, and specific TCP or UDP port numbers.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content.


Last reviewed: May 17, 2026

This 200-301 practice question is part of Courseiva's free Cisco certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the 200-301 exam.