The correct configuration is an extended ACL that permits TCP from 10.0.0.0/24 to host 203.0.113.1 eq 22, followed by a deny statement for all other IP traffic to that same host, applied inbound on R1’s GigabitEthernet0/1. This works because extended ACLs evaluate source and destination addresses along with protocol and port numbers, allowing you to restrict SSH access specifically to the loopback management address while blocking everything else via the explicit deny. On the CCNA 200-301 v2 exam, this scenario tests your ability to match traffic precisely and choose the correct interface direction—applying the ACL inbound on the interface closest to the source (10.0.0.0/24) is more efficient than outbound on the serial link, though both would technically work. A common trap is forgetting the explicit deny statement after the permit, relying solely on the implicit deny; however, the explicit deny makes the intent clear and prevents accidental misconfiguration. Remember the mnemonic “Permit SSH, deny the rest, apply inbound on the source’s nest.”
CCNA Network Services and Security Practice Question
This 200-301 practice question tests your understanding of network services and security. This is a configuration task: choose the command set that satisfies every stated requirement. Small differences — like 'secret' vs 'password' or 'transport input ssh' vs 'all' — change whether the answer is correct. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.
Exhibit
R1# show running-config | section interface
interface GigabitEthernet0/0
ip address 192.168.1.1 255.255.255.0
no shutdown
!
interface GigabitEthernet0/1
ip address 10.0.0.1 255.255.255.0
no shutdown
!
R1# show ip route
Codes: L - local, C - connected, S - static
10.0.0.0/24 is subnetted, 1 subnets
C 10.0.0.0/24 is directly connected, GigabitEthernet0/1
192.168.1.0/24 is subnetted, 1 subnets
C 192.168.1.0/24 is directly connected, GigabitEthernet0/0
203.0.113.1/32 [1/0] via 192.168.1.2
You are connected to R1. The network has two routers (R1, R2) and a switch (SW1) in between. R1's G0/0 connects to SW1 (192.168.1.1/24), SW1 connects to R2's G0/0 (192.168.1.2/24). R2 has a loopback (Lo0: 203.0.113.1/32) used as a management address. Configure an extended ACL on R1 so that only SSH (TCP/22) traffic from the 10.0.0.0/24 network is permitted to reach R2's loopback; all other traffic to that loopback must be denied. Then apply the ACL in the correct direction on the correct interface.
A
access-list 100 permit tcp 10.0.0.0 0.0.0.255 host 203.0.113.1 eq 22
access-list 100 deny ip any host 203.0.113.1
interface GigabitEthernet0/1
ip access-group 100 in
This ACL permits SSH (TCP/22) from the 10.0.0.0/24 network to the loopback address 203.0.113.1, then denies all other IP traffic to that host. Applying it inbound on G0/1 (facing the 10.0.0.0/24 network) filters traffic before it enters R1, which is efficient and standard practice.
B
access-list 100 permit tcp 10.0.0.0 0.0.0.255 host 203.0.113.1 eq 22
access-list 100 deny ip any host 203.0.113.1
interface GigabitEthernet0/0
ip access-group 100 out
Why wrong: This is incorrect because applying the ACL outbound on G0/0 (facing SW1) would filter traffic leaving R1 toward R2. While it could work, it is less efficient because the traffic has already been routed through R1. Additionally, the implicit deny at the end of the ACL would block all other traffic to the loopback, but the outbound application is not the recommended direction.
C
access-list 100 permit tcp 10.0.0.0 0.0.0.255 host 203.0.113.1 eq 22
interface GigabitEthernet0/1
ip access-group 100 in
Why wrong: This is incorrect because it lacks the explicit deny statement for all other IP traffic to the loopback. Without the deny, the implicit deny at the end of the ACL will block all other traffic, but the explicit deny is necessary to clearly show the requirement is met. More importantly, the ACL does not deny traffic from other sources to the loopback; the implicit deny only applies to the ACL itself, but the question requires explicit denial.
D
access-list 100 permit tcp 10.0.0.0 0.0.0.255 host 203.0.113.1 eq 22
access-list 100 deny ip any any
interface GigabitEthernet0/1
ip access-group 100 in
Why wrong: This is incorrect because the deny statement 'deny ip any any' blocks all IP traffic, including traffic to other destinations, not just the loopback. The requirement is to deny only traffic to the loopback, not all traffic. This would break connectivity for other traffic.
Correct answer & explanation
✓
access-list 100 permit tcp 10.0.0.0 0.0.0.255 host 203.0.113.1 eq 22
access-list 100 deny ip any host 203.0.113.1
interface GigabitEthernet0/1
ip access-group 100 in
The current configuration has no ACL restricting traffic to R2's loopback. The candidate must create an extended ACL that permits TCP from 10.0.0.0/24 to host 203.0.113.1 eq 22, then deny all other IP traffic to that host. The ACL must be applied inbound on R1's G0/1 (facing the 10.0.0.0/24 network) to filter traffic before it enters R1. Applying outbound on G0/0 would also work, but inbound on G0/1 is more efficient and typical. The implicit deny at the end of the ACL blocks all other traffic to the loopback.
Option-by-option analysis
Why each answer is right or wrong
Understanding why wrong answers are wrong — and when they would be correct — is what separates a 750 score from a 900. The 200-301 exam frequently reuses these exact scenarios with slightly different constraints.
✓ Correct answer
access-list 100 permit tcp 10.0.0.0 0.0.0.255 host 203.0.113.1 eq 22
access-list 100 deny ip any host 203.0.113.1
interface GigabitEthernet0/1
ip access-group 100 in
Why this is correct
This ACL permits SSH (TCP/22) from the 10.0.0.0/24 network to the loopback address 203.0.113.1, then denies all other IP traffic to that host. Applying it inbound on G0/1 (facing the 10.0.0.0/24 network) filters traffic before it enters R1, which is efficient and standard practice.
✗ Wrong answer
access-list 100 permit tcp 10.0.0.0 0.0.0.255 host 203.0.113.1 eq 22
access-list 100 deny ip any host 203.0.113.1
interface GigabitEthernet0/0
ip access-group 100 out
Why this is wrong here
The ACL is applied outbound on G0/0 instead of inbound on G0/1. Although it may achieve the goal, it is not the most efficient placement and may not be the expected answer in a PBQ.
Why candidates choose this
Candidates might think that applying the ACL outbound on the interface closest to the destination (R2) is correct, but standard practice is to filter inbound on the source-facing interface.
✗ Wrong answer
access-list 100 permit tcp 10.0.0.0 0.0.0.255 host 203.0.113.1 eq 22
interface GigabitEthernet0/1
ip access-group 100 in
Why this is wrong here
Missing the explicit deny statement. The implicit deny at the end of the ACL will block other traffic, but the question expects an explicit deny for clarity and completeness.
Why candidates choose this
Candidates may rely on the implicit deny and omit the explicit deny, thinking it is unnecessary. However, in exam scenarios, explicit denies are often required to demonstrate understanding.
✗ Wrong answer
access-list 100 permit tcp 10.0.0.0 0.0.0.255 host 203.0.113.1 eq 22
access-list 100 deny ip any any
interface GigabitEthernet0/1
ip access-group 100 in
Why this is wrong here
The deny statement is too broad; it denies all IP traffic, not just traffic to the loopback. The correct deny should be specific to the loopback host.
Why candidates choose this
Candidates might think that a broad deny is acceptable because the permit statement allows SSH, but they overlook that other traffic (e.g., to other networks) would be blocked, causing unintended denial of service.
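To make the first-match and implicit-deny behaviour that the explanations above rely on concrete, here is an added Python model of how IOS evaluates an extended numbered ACL (example code written for this page, not IOS and not from the question bank). The ACL lines are the ones from options A and D and the packets are constructed; the PERMIT_ALL entry is an assumption added to show how the host-specific deny and deny ip any any behave differently once a trailing permit ip any any is present.

```python
import ipaddress
def wildcard_match(addr, network, wildcard):
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    care = ~w & 0xFFFFFFFF  # 0 bits in the wildcard must match, 1 bits are ignored
    return a & care == n & care

def _addr(tok, pos):
    # "any", "host A.B.C.D" or "A.B.C.D WILDCARD" -> (network, wildcard), next index
    if tok[pos] == "any":
        return ("0.0.0.0", "255.255.255.255"), pos + 1
    if tok[pos] == "host":
        return (tok[pos + 1], "0.0.0.0"), pos + 2
    return (tok[pos], tok[pos + 1]), pos + 2

def parse_ace(line):
    # e.g. "access-list 100 permit tcp 10.0.0.0 0.0.0.255 host 203.0.113.1 eq 22"
    tok = line.split()
    src, pos = _addr(tok, 4)
    dst, pos = _addr(tok, pos)
    dport = int(tok[pos + 1]) if pos < len(tok) and tok[pos] == "eq" else None
    return tok[2], tok[3], src, dst, dport  # action, protocol, src, dst, port

def evaluate(acl, proto, src, dst, dport):
    # top-down, first match wins; returns (action, line), line None => implicit deny
    for line in acl:
        action, p, (sn, sw), (dn, dw), port = parse_ace(line)
        if p != "ip" and p != proto:
            continue
        if not (wildcard_match(src, sn, sw) and wildcard_match(dst, dn, dw)):
            continue
        if port is not None and port != dport:
            continue
        return action, line
    return "deny", None  # the implicit "deny ip any any" at the end of every ACL
PERMIT_SSH = "access-list 100 permit tcp 10.0.0.0 0.0.0.255 host 203.0.113.1 eq 22"
DENY_LO0 = "access-list 100 deny ip any host 203.0.113.1"
DENY_ALL = "access-list 100 deny ip any any"
PERMIT_ALL = "access-list 100 permit ip any any"  # assumed extra line, not in the question
OPTIONS = {  # ACL bodies of options A and D, plus each with the assumed trailing permit
    "A": [PERMIT_SSH, DENY_LO0], "A+permit": [PERMIT_SSH, DENY_LO0, PERMIT_ALL],
    "D": [PERMIT_SSH, DENY_ALL], "D+permit": [PERMIT_SSH, DENY_ALL, PERMIT_ALL],
}
PACKETS = {  # constructed packets arriving inbound on R1 G0/1 from 10.0.0.0/24
    "ssh_to_lo0": ("tcp", "10.0.0.50", "203.0.113.1", 22),
    "https_to_lo0": ("tcp", "10.0.0.50", "203.0.113.1", 443),
    "http_to_r2_g00": ("tcp", "10.0.0.50", "192.168.1.2", 80),
}
def verdicts(option):
    return {n: evaluate(OPTIONS[option], *pkt)[0] for n, pkt in PACKETS.items()}
```

With no trailing permit, the implicit deny also drops traffic from 10.0.0.0/24 to every other destination entering G0/1, which is the first thing to check with show ip access-lists when a lab behaves unexpectedly.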
Real-world example
How this comes up in practice
A security administrator must allow nursing staff to reach a patient records server while blocking access from the guest Wi-Fi VLAN. After an extended ACL is applied, traffic from the nursing workstations is still blocked. The cause turns out to be placement: the ACL was applied outbound, and on the wrong interface, rather than inbound on the source-facing interface. Questions like this test ACL direction and placement rules.
About these practice questions
Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content.
This 200-301 practice question is part of Courseiva's free Cisco certification practice question bank.