The answer is that the first ACL entry, deny ip host 10.10.10.10 any, blocks all traffic to the server before the Telnet-specific rule is ever reached. This happens because ACLs are processed top-down in sequential order, and the first matching rule is immediately applied. Since the first line denies all IP traffic from any source to the host 10.10.10.10, it catches every packet destined for that server—including web, email, or ping—before the second line can evaluate Telnet traffic specifically. On the CCNA 200-301 v2 exam, this question tests your understanding of ACL processing order and the critical importance of placing more specific entries before broader ones. A common trap is assuming a later permit or deny statement will override an earlier match, but ACL logic does not work that way. To avoid this mistake, remember the golden rule: specific before general, and always place host-specific denies ahead of "any any" statements. A useful memory tip is "First match wins, so order your pins."
CCNA IP Routing Practice Question
This 200-301 practice question tests your understanding of IP routing. The scenario asks you to isolate a root cause: eliminate options that address a different problem before choosing. A key principle to apply: an Access Control List (ACL) processes packets sequentially from top to bottom and stops at the first matching Access Control Entry (ACE). Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.
Exhibit
ip access-list extended BLOCK-TELNET
deny ip any host 10.10.10.10
deny tcp any host 10.10.10.10 eq 23
permit ip any any
Exhibit: Consider the following ACL applied inbound on interface G0/0:
access-list 100 deny ip host 10.10.10.10 any
access-list 100 deny tcp any host 10.10.10.10 eq 23
access-list 100 permit ip any any
The intent is to block only Telnet (TCP port 23) to server 10.10.10.10 while permitting everything else. However, users cannot reach any service on that server. Why?
Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.
Correct answer & explanation
✓
The deny ip statement blocks all traffic to the host before the Telnet-specific line is evaluated
ACLs are processed top-down, and the first match is applied. The first line denies all IP traffic to the host (any protocol, any port). This matches all packets destined for 10.10.10.10 before the Telnet-specific line is ever reached, effectively blocking every service, not just Telnet.
Key principle: An Access Control List (ACL) processes packets sequentially from top to bottom and stops at the first matching Access Control Entry (ACE).
Answer analysis
Option-by-option breakdown
For each option: why learners choose it and why it is or isn't the right answer here.
✗
The ACL must be applied outbound, not inbound
Why it's wrong here
That is not the core logic error shown here.
✓
The deny ip statement blocks all traffic to the host before the Telnet-specific line is evaluated
Why this is correct
The first matching ACE wins.
Related concept
An Access Control List (ACL) processes packets sequentially from top to bottom and stops at the first matching Access Control Entry (ACE).
Understanding why wrong answers are wrong — and when they would be correct — is what separates a 750 score from a 900. The 200-301 exam frequently reuses these exact scenarios with slightly different constraints.
✗ The ACL must be applied outbound, not inbound
Why this is wrong here
Applying the ACL outbound would not change the order of lines; the same logic applies—the first match still blocks all traffic.
Why candidates choose this
Students often confuse inbound and outbound ACL application, thinking that blocking Telnet requires outbound filtering, but the real problem is the implicit deny and ACE order.
✗ Extended ACLs cannot match TCP port 23
Why this is wrong here
Extended ACLs can match TCP port 23 using the keyword 'eq telnet' or 'eq 23'; this is not a limitation.
Why candidates choose this
Students may confuse extended ACLs with standard ACLs, which cannot match port numbers, leading them to incorrectly believe extended ACLs also cannot match specific ports.
✗ Telnet uses UDP, so the ACE should reference udp
Why this is wrong here
Telnet uses TCP, not UDP; referencing udp would never match Telnet traffic.
Why candidates choose this
Students often confuse Telnet with other protocols like SNMP or DNS that use UDP, or they may mistakenly think all remote access protocols use UDP.
Analysis generated from the official 200-301 blueprint and verified against question context. The "when correct" sections are what AI assistants cite when candidates ask "what's the difference between these options?"
Common exam traps
Common exam trap: answer the scenario, not the keyword
A common mistake is assuming the ACL evaluates all lines before deciding to block or permit; in reality, it stops at the first match, so a broad deny earlier in the list overrides more specific denies later.
Trap categories for this question
Command / output trap
That is not the core logic error shown here.
Detailed technical explanation
How to think about this question
Access Control Lists (ACLs) are fundamental tools in Cisco networking used to filter traffic based on defined criteria such as source/destination IP addresses, protocols, and ports. Extended ACLs allow granular control by matching specific Layer 4 protocols and port numbers, enabling administrators to permit or deny traffic like Telnet (TCP port 23) selectively. When an ACL is applied inbound on an interface, it evaluates packets as they arrive, filtering traffic before routing or switching decisions occur.
ACLs are processed sequentially from the top down, and the first matching ACE determines the fate of the packet. If a deny ACE matches, the packet is dropped immediately, and no further ACL entries are checked. This means that if a broad deny statement appears before a specific permit statement, the specific permit will never be reached, causing unintended traffic blocking. Therefore, the order of ACEs is crucial to ensure correct traffic filtering behavior.
In the given scenario, the ACL intended to block only Telnet traffic to 10.10.10.10 contains a deny ip statement that blocks all IP traffic to that host before the Telnet-specific deny line is evaluated. This causes all services to be blocked, not just Telnet. The exam trap lies in misunderstanding ACL processing order and the impact of broad deny statements placed before specific ones. Practically, network engineers must carefully order ACL entries to avoid inadvertently blocking legitimate traffic while achieving the desired filtering effect.
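To make the first-match rule concrete, here is an added example (not code from the original page) that replays the named-ACL exhibit, where the broad deny names the server as destination host, against constructed sample packets; the client address 192.0.2.50 and the packet and ACE classes are assumptions for the simulation. It also evaluates a reordered ACL that achieves the stated intent, so the two results can be compared line by line.

```python
# Added example (not part of the original page): a minimal first-match ACL evaluator.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol; else "tcp", "udp", "icmp"
    src: str                     # "any" or a host address
    dst: str                     # "any" or a host address
    dport: Optional[int] = None  # destination port, only for "eq <port>" ACEs

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None

def matches(ace: Ace, pkt: Packet) -> bool:
    """An ACE matches when every field it constrains agrees with the packet."""
    return (ace.proto in ("ip", pkt.proto) and ace.src in ("any", pkt.src)
            and ace.dst in ("any", pkt.dst) and ace.dport in (None, pkt.dport))

def evaluate(acl: list, pkt: Packet) -> tuple:
    """Top-down, first match wins; the implicit deny at the end reports line 0."""
    for line, ace in enumerate(acl, start=1):
        if matches(ace, pkt):
            return ace.action, line
    return "deny", 0

# The exhibit's ACL as written: the broad deny sits ahead of the Telnet deny.
AS_WRITTEN = [
    Ace("deny", "ip", "any", "10.10.10.10"),
    Ace("deny", "tcp", "any", "10.10.10.10", 23),
    Ace("permit", "ip", "any", "any"),
]
# Ordering that achieves the stated intent: only Telnet to the server is denied.
INTENDED = [
    Ace("deny", "tcp", "any", "10.10.10.10", 23),
    Ace("permit", "ip", "any", "any"),
]
# Constructed sample packets from a client (192.0.2.50 is a documentation address).
SAMPLES = {
    "telnet": Packet("tcp", "192.0.2.50", "10.10.10.10", 23),
    "http": Packet("tcp", "192.0.2.50", "10.10.10.10", 80),
    "ping": Packet("icmp", "192.0.2.50", "10.10.10.10"),
}
def classify(acl: list) -> dict:
    # Map each sample packet name to (action, matching line) under the given ACL.
    return {name: evaluate(acl, pkt) for name, pkt in SAMPLES.items()}
```

Under AS_WRITTEN every sample packet, including HTTP and ping, is denied by line 1; under INTENDED only the Telnet packet is denied and the rest reach line 2's permit.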
Key Concepts to Remember
An Access Control List (ACL) processes packets sequentially from top to bottom and stops at the first matching Access Control Entry (ACE).
A deny ACE in an ACL immediately blocks matching traffic and prevents further ACL entries from being evaluated for that packet.
Extended ACLs can filter traffic based on Layer 3 IP addresses and Layer 4 protocols and ports, such as TCP port 23 for Telnet.
Applying an ACL inbound on an interface filters traffic as it enters the router or switch before routing decisions are made.
The order of ACEs in an ACL is critical; placing a broad deny statement before specific permit statements can block all traffic unintentionally.
Telnet uses TCP port 23, so ACLs must specify TCP protocol and port 23 to selectively block Telnet traffic.
Implicit deny at the end of every ACL blocks all traffic not explicitly permitted, so permit statements must be carefully ordered.
ACLs do not differentiate between services unless explicitly configured with protocol and port numbers in extended ACLs.
Exam Day Tips
→ Watch for words such as best, first, most likely and least administrative effort.
→ Review why wrong options are wrong, not only why the correct option is correct.
Key takeaway
An Access Control List (ACL) processes packets sequentially from top to bottom and stops at the first matching Access Control Entry (ACE).
Real-world example
How this comes up in practice
A security administrator must allow nursing staff to reach a patient records server while blocking access from the guest Wi-Fi VLAN. After applying an extended ACL, traffic is still blocked from nursing workstations. The ACL was applied outbound instead of inbound on the wrong interface. Questions like this test ACL direction and placement rules.
Related glossary terms
Concepts from this question explained
These glossary pages explain the core terms tested in this 200-301 question in full detail.
Review how an Access Control List (ACL) processes packets (sequentially from top to bottom, stopping at the first matching Access Control Entry (ACE)), then practise related 200-301 questions on the same topic to reinforce the concept.
IP Routing: this question tests IP routing and the principle that an Access Control List (ACL) processes packets sequentially from top to bottom and stops at the first matching Access Control Entry (ACE).
What is the correct answer to this question?
The correct answer is: The deny ip statement blocks all traffic to the host before the Telnet-specific line is evaluated — ACLs are processed top-down, and the first match is applied. The first line denies all IP traffic to the host (any protocol, any port). This matches all packets destined for 10.10.10.10 before the Telnet-specific line is ever reached, effectively blocking every service, not just Telnet.
What should I do if I get this 200-301 question wrong?
Review how an Access Control List (ACL) processes packets (sequentially from top to bottom, stopping at the first matching Access Control Entry (ACE)), then practise related 200-301 questions on the same topic to reinforce the concept.
What is the key concept behind this question?
An Access Control List (ACL) processes packets sequentially from top to bottom and stops at the first matching Access Control Entry (ACE).
About these practice questions
Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content.
This 200-301 practice question is part of Courseiva's free Cisco certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the 200-301 exam.
Question Discussion
Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.