Question 1hardmultiple choice
Full question →hardmultiple choiceObjective-mapped
Exhibit
Requirement: - Block HTTPS from 10.20.20.0/24 to 172.16.5.10 - Allow all other traffic Configured entry: deny ip 10.20.20.0 0.0.0.255 host 172.16.5.10
Based on the exhibit, why is the ACL not meeting the requirement to block only HTTPS traffic to the server?
Answer choices
Why each option matters
Good practice is not just finding the correct option. The wrong answers often show the exact trap the exam wants you to fall into.
A
Best answer
Because the ACL entry is too broad and blocks all IP traffic to the host.
This is correct because `deny ip` blocks far more than only HTTPS.
B
Distractor review
Because HTTPS uses UDP, not TCP.
This is wrong because normal HTTPS uses TCP.
C
Distractor review
Because standard ACLs are required for HTTPS filtering.
This is wrong because filtering by protocol and port requires extended ACL behavior.
D
Distractor review
Because the destination must always be a wildcarded subnet, not a host.
This is wrong because host-specific matches are valid and common.
Common exam trap
Common exam trap: answer the scenario, not the keyword
A frequent exam trap is selecting an ACL entry that uses 'deny ip' to block HTTPS traffic. This is tempting because it seems to block all IP traffic to the server, but it is overly broad and does not meet the requirement to block only HTTPS. Candidates may overlook the need to specify TCP and port 443, mistakenly thinking any deny IP statement suffices. This mistake causes all IP traffic, including non-HTTPS protocols, to be blocked, which is not the intended behavior and leads to failing the question.
Technical deep dive
How to think about this question
Access Control Lists (ACLs) are fundamental tools in Cisco networking used to filter traffic based on defined criteria such as protocol, source and destination IP addresses, and port numbers. Extended ACLs provide granular control by allowing filtering on Layer 3 and Layer 4 parameters, including TCP/UDP ports, which is essential for protocol-specific filtering like HTTPS. HTTPS traffic specifically uses TCP port 443, so an ACL intended to block only HTTPS must explicitly deny TCP traffic on port 443 while permitting other traffic. When designing an ACL to block only HTTPS traffic to a server, the rule must precisely match TCP protocol and destination port 443. Using a broad statement like "deny ip" blocks all IP traffic regardless of protocol or port, which is overly restrictive and does not meet the requirement. The decision process involves selecting an extended ACL with a deny statement for TCP destination port 443 followed by a permit statement for other traffic, ensuring only HTTPS is blocked and all other services remain accessible. A common exam trap is confusing broad IP denies with protocol-specific denies. Using "deny ip" in an ACL blocks all IP traffic, not just HTTPS, which can cause unintended network outages or service disruptions. Practically, this means legitimate traffic such as HTTP, DNS, or ICMP is also blocked. Understanding the difference between standard and extended ACLs and the importance of specifying protocol and port numbers is critical to avoid this mistake and to implement precise security policies in Cisco environments.
KKey Concepts to Remember
- Extended ACLs allow filtering based on Layer 3 IP addresses and Layer 4 protocol ports, enabling precise control over specific traffic types like HTTPS.
- A deny statement with protocol TCP and destination port 443 specifically blocks HTTPS traffic without affecting other IP traffic.
- Using a deny ip statement in an ACL blocks all IP traffic between specified endpoints, which is broader than just blocking HTTPS.
- Standard ACLs filter only by source IP address and cannot filter traffic based on protocol or port numbers, making them unsuitable for HTTPS filtering.
- Host-specific ACL entries using the 'host' keyword are valid and commonly used to target individual devices precisely.
- ACLs are processed top-down, and the first matching rule determines the action, so precise ordering and specificity are essential.
- Failing to specify the correct protocol and port in an ACL can lead to unintended traffic blocking, causing network connectivity issues.
- Cisco devices implicitly deny all traffic not explicitly permitted by ACL entries, so permit statements are necessary to allow desired traffic.
TExam Day Tips
- Watch for words such as best, first, most likely and least administrative effort.
- Review why wrong options are wrong, not only why the correct option is correct.
Related practice questions
Related 200-301 practice-question pages
Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.
CCNA subnetting practice questions
Practise IPv4 subnetting, CIDR, masks, host ranges and subnet selection.
CCNA OSPF practice questions
Practise OSPF neighbours, router IDs, metrics, areas and routing-table interpretation.
CCNA VLAN practice questions
Practise VLANs, access ports, trunks, allowed VLANs and switching scenarios.
CCNA STP practice questions
Practise spanning tree, root bridge election, port roles and STP troubleshooting.
CCNA EtherChannel practice questions
Practise LACP, PAgP, port-channel behaviour and bundle requirements.
CCNA ACL practice questions
Practise standard and extended ACLs, permit/deny logic and traffic filtering.
CCNA NAT practice questions
Practise static NAT, dynamic NAT, PAT and inside/outside address translation.
CCNA DHCP practice questions
Practise DHCP scopes, relay, leases and troubleshooting.
CCNA show ip route practice questions
Practise routing-table output, longest-prefix match, AD and route selection.
CCNA show interfaces trunk practice questions
Practise trunk verification and VLAN forwarding across switches.
CCNA wireless security practice questions
Practise WLAN security, authentication and wireless architecture concepts.
CCNA IPv6 practice questions
Practise IPv6 addressing, routes, neighbour discovery and common IPv6 exam traps.
More questions from this exam
Keep practising from the same exam bank, or move into a focused topic page if this question exposed a weak area.
Question 1
A router learns the same prefix from both OSPF and EIGRP. Which route is installed by default?
Question 2
A router shows this output: R1#show ip ospf neighbor Neighbor ID Pri State Dead Time Address Interface 10.1.1.2 1 FULL/DR 00:00:34 192.168.12.2 GigabitEthernet0/0 10.1.1.3 1 2WAY/DROTHER 00:00:39 192.168.12.3 GigabitEthernet0/0 Which statement is correct?
Question 3
What is the OSPF metric called?
Question 4
A non-root switch has two uplinks toward the root bridge. One path has a lower total STP cost than the other. What role will the lower-cost uplink have?
Question 5
A router interface applies this ACL inbound: 10 deny tcp any any eq 80 20 permit ip any any A user reports that web browsing to a server by IP address fails, but ping works. Which statement best explains the behavior?
Question 6
A router learns route 198.51.100.0/24 from OSPF with AD 110 and also has a static route to the same prefix configured with AD 150. Which route is installed?
FAQ
Questions learners often ask
What does this 200-301 question test?
Extended ACLs allow filtering based on Layer 3 IP addresses and Layer 4 protocol ports, enabling precise control over specific traffic types like HTTPS.
What is the correct answer to this question?
The correct answer is: Because the ACL entry is too broad and blocks all IP traffic to the host. — The ACL is not meeting the requirement because it blocks all IP traffic to the server instead of only HTTPS. In practical terms, the requirement is narrow: deny TCP port 443 and allow everything else. A broad `deny ip` statement goes far beyond that by dropping all IP protocols between the specified endpoints. This is an exam-style ACL precision question. The challenge is not just knowing ACL syntax, but knowing how narrow the match must be.
What should I do if I get this 200-301 question wrong?
Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.
Discussion
Loading comments…
Sign in to join the discussion.