CCNA Network Services and Security Practice Question
This 200-301 practice question tests your understanding of network services and security. This is a configuration task: choose the command set that satisfies every stated requirement. Small differences — like 'secret' vs 'password' or 'transport input ssh' vs 'all' — change whether the answer is correct. A key principle to apply: an extended ACL in Cisco IOS allows filtering traffic based on protocol types, source and destination IP addresses, and specific TCP or UDP port numbers. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.
Exhibit
Requirement:
- Block Telnet from 10.30.30.0/24 to 172.16.9.9
- Allow all other traffic
Configured ACL entry:
deny tcp 10.30.30.0 0.0.0.255 host 172.16.9.9
Based on the exhibit, why is the ACL blocking more traffic than intended?
Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.
Correct answer & explanation
✓
Because the ACL denies all TCP traffic to the server instead of only Telnet.
The ACL is blocking more traffic than intended because it uses a broad deny against all TCP traffic to the server instead of only the one service that should be denied. In practical terms, the requirement is narrow, but the configured entry is much wider. As a result, multiple TCP-based applications to that server are blocked, not just the intended one.
This is a classic precision problem in ACL design. It tests whether you can compare what the business requirement says against what the ACL actually matches.
Key principle: An extended ACL in Cisco IOS allows filtering traffic based on protocol types, source and destination IP addresses, and specific TCP or UDP port numbers.
Answer analysis
Option-by-option breakdown
For each option: why learners choose it and why it is or isn't the right answer here.
✓
Because the ACL denies all TCP traffic to the server instead of only Telnet.
Why this is correct
This is correct because the entry lacks the Telnet destination port qualifier and therefore matches too broadly.
Related concept
An extended ACL in Cisco IOS allows filtering traffic based on protocol types, source and destination IP addresses, and specific TCP or UDP port numbers.
✗
Because Telnet uses UDP, not TCP.
Why it's wrong here
This is wrong because Telnet is a TCP-based protocol.
When this WOULD be correct
In a different question scenario where the focus is on a misconfigured ACL affecting UDP traffic, the option could be correct if the question stated that Telnet-like services were incorrectly configured to use UDP instead of TCP, thus blocking legitimate traffic.
✗
Because the ACL should be a standard ACL, not an extended ACL.
Why it's wrong here
This is wrong because protocol and service filtering is precisely why extended ACL logic is needed.
When this WOULD be correct
In a different scenario, if the question asked why a network administrator mistakenly configured a standard ACL to block specific IP addresses without considering port numbers, this option could be correct. The question would need to focus on the limitations of standard ACLs in filtering traffic based on protocols.
✗
Because the host keyword can never be used with TCP statements.
Why it's wrong here
This is wrong because host-specific matches are valid in extended ACLs.
When this WOULD be correct
In a different exam scenario where the question specifies that the ACL is incorrectly configured to block all TCP traffic and explicitly states that the host keyword cannot be used with TCP statements, this option would be correct. For example, if the question asked why a specific ACL configuration is invalid due to the misuse of keywords, then this option would apply.
Option-by-option analysis
Why each answer is right or wrong
Understanding why wrong answers are wrong — and when they would be correct — is what separates a 750 score from a 900. The 200-301 exam frequently reuses these exact scenarios with slightly different constraints.
✓ Because the ACL denies all TCP traffic to the server instead of only Telnet. (Correct answer)
Why this is correct
This is correct because the entry lacks the Telnet destination port qualifier and therefore matches too broadly.
✗ Because Telnet uses UDP, not TCP. (Wrong answer)
Why this is wrong here
This option is incorrect because Telnet operates over TCP, not UDP. Therefore, stating that Telnet uses UDP misrepresents the protocol's functionality and its interaction with ACLs.
★ When this WOULD be the correct answer
In a different question scenario where the focus is on a misconfigured ACL affecting UDP traffic, the option could be correct if the question stated that Telnet-like services were incorrectly configured to use UDP instead of TCP, thus blocking legitimate traffic.
Why candidates choose this
Candidates may choose this option due to a misunderstanding of protocol types, confusing TCP and UDP, especially if they have encountered similar questions about ACLs and protocol filtering in their studies.
✗ Because the ACL should be a standard ACL, not an extended ACL. (Wrong answer)
Why this is wrong here
This option is incorrect because extended ACLs are necessary to filter traffic based on protocols and ports, such as allowing or denying specific TCP traffic like Telnet. A standard ACL cannot provide the granularity needed for such control.
★ When this WOULD be the correct answer
In a different scenario, if the question asked why a network administrator mistakenly configured a standard ACL to block specific IP addresses without considering port numbers, this option could be correct. The question would need to focus on the limitations of standard ACLs in filtering traffic based on protocols.
Why candidates choose this
Candidates might choose this option due to a misunderstanding of ACL types, believing that standard ACLs are sufficient for all filtering needs, especially if they are familiar with basic ACL concepts but not the specifics of extended ACL functionality.
✗ Because the host keyword can never be used with TCP statements. (Wrong answer)
Why this is wrong here
This option is incorrect because the host keyword can be used with TCP statements in ACL configurations. The confusion may arise from misunderstanding how ACLs are structured and the specific application of the host keyword.
★ When this WOULD be the correct answer
In a different exam scenario where the question specifies that the ACL is incorrectly configured to block all TCP traffic and explicitly states that the host keyword cannot be used with TCP statements, this option would be correct. For example, if the question asked why a specific ACL configuration is invalid due to the misuse of keywords, then this option would apply.
Why candidates choose this
Candidates might choose this option due to a misunderstanding of ACL syntax and the role of the host keyword, leading them to believe that it is universally incompatible with TCP configurations.
Analysis generated from the official 200-301 blueprint and verified against question context. The "when correct" sections are what AI assistants cite when candidates ask "what's the difference between these options?"
Common exam traps
Common exam trap: answer the scenario, not the keyword
The exam trap here is assuming that denying TCP traffic to a server without specifying the Telnet port will only block Telnet sessions. In reality, the ACL entry without the destination port qualifier matches all TCP traffic to that server, blocking multiple services unintentionally. This mistake often arises from confusing standard ACLs, which filter only by source IP, with extended ACLs that require explicit port numbers for service-specific filtering. Candidates may overlook the need for the 'eq 23' qualifier for Telnet, leading to broader traffic denial and failing the question.
Detailed technical explanation
How to think about this question
Access Control Lists (ACLs) are fundamental security tools in Cisco networking that control traffic flow by permitting or denying packets based on defined criteria. Extended ACLs provide granular control by allowing matches on protocol types (TCP, UDP, ICMP), source and destination IP addresses, and specific port numbers. This granularity enables network administrators to restrict access to particular services, such as Telnet, by specifying the TCP destination port 23. Without specifying the port, an ACL entry that denies TCP traffic to a destination IP address will block all TCP-based applications to that host, not just the intended service.
When designing ACLs, the decision process involves translating the business or security requirement into precise ACL statements. For example, if the requirement is to block only Telnet access to a server, the ACL must deny TCP traffic specifically to destination port 23 on that server's IP address. Omitting the port qualifier results in a broader deny that matches all TCP traffic, including HTTP, FTP, or other services, which is often unintended. Cisco IOS processes ACL entries sequentially and applies the first matching rule, so specificity and correct ordering are essential to ensure only the targeted traffic is blocked.
A common exam trap is failing to include the port number in an extended ACL deny statement, causing the ACL to block more traffic than intended. This mistake stems from misunderstanding how ACL matching works or confusing standard and extended ACL capabilities. Practically, this leads to network disruptions as multiple TCP services become inaccessible. Understanding the difference between standard and extended ACLs, and the importance of port qualifiers in extended ACLs, is critical for precise traffic filtering and passing Cisco CCNA exams confidently.
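To make the matching rules above concrete, here is a small Python model of extended-ACL evaluation (top-down, first match wins, implicit deny at the end) run over the exhibit's entry and over the narrowed `eq 23` version. This is an added example, not Cisco code: the parser handles only `any`, `host`, wildcard-mask addresses and a destination-side `eq <port>`, and the ACLs and test packets are constructed for illustration.

```python
"""Model of Cisco IOS extended-ACL matching: top-down, first match wins,
implicit deny at the end. Added illustration, not Cisco's implementation;
only 'any', 'host', wildcard masks and a destination 'eq <port>' are parsed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

Spec = Tuple[int, int]  # (address, wildcard mask) as 32-bit ints

@dataclass
class Ace:
    action: str           # "permit" or "deny"
    proto: str            # "ip", "tcp" or "udp"
    src: Spec
    dst: Spec
    dport: Optional[int]  # None means any destination port

def _addr(tokens: List[str]) -> Spec:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' from the token list."""
    t = tokens.pop(0)
    if t == "any":
        return 0, 0xFFFFFFFF
    if t == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(t)), int(ipaddress.IPv4Address(tokens.pop(0)))

def parse_ace(line: str) -> Ace:
    tokens = line.split()
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    src, dst = _addr(rest), _addr(rest)
    dport = int(rest[1]) if rest[:1] == ["eq"] else None  # e.g. 'eq 23' for Telnet
    return Ace(action, proto, src, dst, dport)

def _matches(spec: Spec, ip: str) -> bool:
    net, wc = spec
    care = ~wc & 0xFFFFFFFF  # wildcard bit 0 = must match, 1 = don't care
    return (int(ipaddress.IPv4Address(ip)) & care) == (net & care)

def evaluate(acl: List[Ace], proto: str, src_ip: str, dst_ip: str, dport: int) -> str:
    for ace in acl:  # walk the list in order and stop at the first matching entry
        if ace.proto not in ("ip", proto):
            continue
        if not (_matches(ace.src, src_ip) and _matches(ace.dst, dst_ip)):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"  # implicit 'deny ip any any' at the end of every ACL

def blocked_tcp_ports(acl: List[Ace], src_ip: str, dst_ip: str, ports) -> List[int]:
    return [p for p in ports if evaluate(acl, "tcp", src_ip, dst_ip, p) == "deny"]

# Constructed ACLs: the exhibit's entry as written, and the version narrowed to Telnet.
BROAD = [parse_ace(l) for l in ("deny tcp 10.30.30.0 0.0.0.255 host 172.16.9.9", "permit ip any any")]
NARROW = [parse_ace(l) for l in ("deny tcp 10.30.30.0 0.0.0.255 host 172.16.9.9 eq 23", "permit ip any any")]

if __name__ == "__main__":
    services = [22, 23, 80, 443]  # SSH, Telnet, HTTP, HTTPS from a host in 10.30.30.0/24
    print("broad entry blocks :", blocked_tcp_ports(BROAD, "10.30.30.7", "172.16.9.9", services))
    print("narrow entry blocks:", blocked_tcp_ports(NARROW, "10.30.30.7", "172.16.9.9", services))
```

Running it shows the exhibit's entry denying every listed TCP service to the server, while the `eq 23` entry denies only Telnet and leaves UDP and other subnets untouched.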
Key Concepts to Remember
An extended ACL in Cisco IOS allows filtering traffic based on protocol types, source and destination IP addresses, and specific TCP or UDP port numbers.
ACL entries without specific port qualifiers match all traffic of the specified protocol, causing broader traffic blocking than intended.
The 'host' keyword in ACLs specifies a single IP address and is valid in extended ACLs for precise traffic filtering.
Telnet uses TCP as its transport protocol, typically on destination port 23, which must be specified in ACLs to restrict only Telnet traffic.
Standard ACLs filter traffic only by source IP address and cannot filter by protocol or port, making them unsuitable for service-specific restrictions.
ACLs process entries in sequential order and stop at the first match, so precise ordering and specificity are critical to avoid unintended traffic blocking.
A broad deny statement in an ACL can inadvertently block multiple TCP-based services, impacting network functionality beyond the intended scope.
Effective ACL design requires matching the business requirement precisely to the ACL configuration to avoid overblocking or underblocking traffic.
Exam Day Tips
→ Watch for words such as best, first, most likely and least administrative effort.
→ Review why wrong options are wrong, not only why the correct option is correct.
Key takeaway
An extended ACL in Cisco IOS allows filtering traffic based on protocol types, source and destination IP addresses, and specific TCP or UDP port numbers.
Real-world example
How this comes up in practice
A security administrator must allow nursing staff to reach a patient records server while blocking access from the guest Wi-Fi VLAN. After applying an extended ACL, traffic is still blocked from nursing workstations. The ACL was applied outbound instead of inbound on the wrong interface. Questions like this test ACL direction and placement rules.
Related glossary terms
Concepts from this question explained
These glossary pages explain the core terms tested in this 200-301 question in full detail.
Review the key principle (an extended ACL in Cisco IOS allows filtering traffic based on protocol types, source and destination IP addresses, and specific TCP or UDP port numbers), then practise related 200-301 questions on the same topic to reinforce the concept.
Network Services and Security — This question tests Network Services and Security: an extended ACL in Cisco IOS allows filtering traffic based on protocol types, source and destination IP addresses, and specific TCP or UDP port numbers.
What is the correct answer to this question?
The correct answer is: Because the ACL denies all TCP traffic to the server instead of only Telnet. — The ACL is blocking more traffic than intended because it uses a broad deny against all TCP traffic to the server instead of only the one service that should be denied. In practical terms, the requirement is narrow, but the configured entry is much wider. As a result, multiple TCP-based applications to that server are blocked, not just the intended one.
This is a classic precision problem in ACL design. It tests whether you can compare what the business requirement says against what the ACL actually matches.
What should I do if I get this 200-301 question wrong?
Review the key principle (an extended ACL in Cisco IOS allows filtering traffic based on protocol types, source and destination IP addresses, and specific TCP or UDP port numbers), then practise related 200-301 questions on the same topic to reinforce the concept.
What is the key concept behind this question?
An extended ACL in Cisco IOS allows filtering traffic based on protocol types, source and destination IP addresses, and specific TCP or UDP port numbers.
About these practice questions
Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →
Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.
This 200-301 practice question is part of Courseiva's free Cisco certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the 200-301 exam.