
Quick Answer

The answer is that the first ACL entry, deny ip any host 10.10.10.10, blocks all traffic to the server before the Telnet-specific rule is ever reached. This happens because ACLs are processed top-down in sequential order, and the first matching rule is immediately applied. Since the first line denies all IP traffic from any source to the host 10.10.10.10, it catches every packet destined for that server (web, email, or ping included) before the second line can evaluate Telnet traffic specifically. On the CCNA 200-301 v2 exam, this question tests your understanding of ACL processing order and the critical importance of placing more specific entries before broader ones. A common trap is assuming a later permit or deny statement will override an earlier match, but ACL logic does not work that way. To avoid this mistake, remember the golden rule: specific before general, and always place host-specific denies ahead of any any statements. A useful memory tip is "First match wins, so order your pins."

CCNA IP Routing Practice Question

This 200-301 practice question tests your understanding of IP routing. The scenario asks you to isolate a root cause: eliminate options that address a different problem before choosing. A key principle to apply: an Access Control List (ACL) processes packets sequentially from top to bottom and stops at the first matching Access Control Entry (ACE). Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

Exhibit

ip access-list extended BLOCK-TELNET
 deny ip any host 10.10.10.10
 deny tcp any host 10.10.10.10 eq 23
 permit ip any any

Exhibit: Consider the following ACL applied inbound on interface G0/0:

access-list 100 deny ip any host 10.10.10.10
access-list 100 deny tcp any host 10.10.10.10 eq 23
access-list 100 permit ip any any

The intent is to block only Telnet (TCP port 23) to server 10.10.10.10 while permitting everything else. However, users cannot reach any service on that server. Why?


Correct answer & explanation

The deny ip statement blocks all traffic to the host before the Telnet-specific line is evaluated

ACLs are processed top-down, and the first match is applied. The first line denies all IP traffic to the host (any protocol, any port). This matches all packets destined for 10.10.10.10 before the Telnet-specific line is ever reached, effectively blocking every service, not just Telnet.

Key principle: An Access Control List (ACL) processes packets sequentially from top to bottom and stops at the first matching Access Control Entry (ACE).

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • The ACL must be applied outbound, not inbound

    Why it's wrong here

    That is not the core logic error shown here.

  • The deny ip statement blocks all traffic to the host before the Telnet-specific line is evaluated

    Why this is correct

    The first matching ACE wins.

    Related concept

    An Access Control List (ACL) processes packets sequentially from top to bottom and stops at the first matching Access Control Entry (ACE).

  • Extended ACLs cannot match TCP port 23

    Why it's wrong here

    They can.

  • Telnet uses UDP, so the ACE should reference udp

    Why it's wrong here

    Telnet uses TCP.

Option-by-option analysis

Why each answer is right or wrong

Understanding why wrong answers are wrong — and when they would be correct — is what separates a 750 score from a 900. The 200-301 exam frequently reuses these exact scenarios with slightly different constraints.

The deny ip statement blocks all traffic to the host before the Telnet-specific line is evaluated (correct answer)

Why this is correct

The first matching ACE wins.

The ACL must be applied outbound, not inbound (wrong answer)

Why this is wrong here

Applying the ACL outbound would not change the order of lines; the same logic applies—the first match still blocks all traffic.

Why candidates choose this

Students often confuse inbound and outbound ACL application, thinking that blocking Telnet requires outbound filtering, but the real problem is the implicit deny and ACE order.

Extended ACLs cannot match TCP port 23 (wrong answer)

Why this is wrong here

Extended ACLs can match TCP port 23 using the keyword 'eq telnet' or 'eq 23'; this is not a limitation.

Why candidates choose this

Students may confuse extended ACLs with standard ACLs, which cannot match port numbers, leading them to incorrectly believe extended ACLs also cannot match specific ports.

Telnet uses UDP, so the ACE should reference udp (wrong answer)

Why this is wrong here

Telnet uses TCP, not UDP; referencing udp would never match Telnet traffic.

Why candidates choose this

Students often confuse Telnet with other protocols like SNMP or DNS that use UDP, or they may mistakenly think all remote access protocols use UDP.


Common exam traps

Common exam trap: answer the scenario, not the keyword

A common mistake is assuming the ACL evaluates all lines before deciding to block or permit; in reality, it stops at the first match, so a broad deny earlier in the list overrides more specific denies later.

Trap categories for this question

  • Command / output trap

    That is not the core logic error shown here.

Detailed technical explanation

How to think about this question

Access Control Lists (ACLs) are fundamental tools in Cisco networking used to filter traffic based on defined criteria such as source/destination IP addresses, protocols, and ports. Extended ACLs allow granular control by matching specific Layer 4 protocols and port numbers, enabling administrators to permit or deny traffic like Telnet (TCP port 23) selectively. When an ACL is applied inbound on an interface, it evaluates packets as they arrive, filtering traffic before routing or switching decisions occur.

ACLs are processed sequentially from the top down, and the first matching ACE determines the fate of the packet. If a deny ACE matches, the packet is dropped immediately, and no further ACL entries are checked. This means that if a broad deny statement appears before a specific permit statement, the specific permit will never be reached, causing unintended traffic blocking. Therefore, the order of ACEs is crucial to ensure correct traffic filtering behavior.

In the given scenario, the ACL intended to block only Telnet traffic to 10.10.10.10 contains a deny ip statement that blocks all IP traffic to that host before the Telnet-specific deny line is evaluated. This causes all services to be blocked, not just Telnet. The exam trap lies in misunderstanding ACL processing order and the impact of broad deny statements placed before specific ones. Practically, network engineers must carefully order ACL entries to avoid inadvertently blocking legitimate traffic while achieving the desired filtering effect.
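The first-match behaviour described above can be checked mechanically. The following is an added example, not part of the original page or any Cisco tool: a small Python model that parses the exhibit's ACEs, evaluates packets top-down, and flags entries that can never be reached. It assumes only the any / host A.B.C.D / eq N forms used in the exhibit; the FIXED list is one assumed correction that meets the stated intent.

```python
from typing import NamedTuple, Optional

class ACE(NamedTuple):
    action: str
    proto: str            # "ip" matches every protocol
    src: Optional[str]    # None means "any"
    dst: Optional[str]
    port: Optional[int]   # destination port from "eq N", None if absent

def parse_ace(line: str) -> ACE:
    tok = line.split()
    action, proto, i = tok[0], tok[1], 2
    addrs = []
    for _ in range(2):                    # source first, then destination
        if tok[i] == "any":
            addrs.append(None)
            i += 1
        else:                             # "host A.B.C.D"
            addrs.append(tok[i + 1])
            i += 2
    port = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
    return ACE(action, proto, addrs[0], addrs[1], port)

def covers(a: ACE, b: ACE) -> bool:
    """True if everything matched by b (an ACE or a packet) is matched by a."""
    return (a.proto in ("ip", b.proto) and a.src in (None, b.src)
            and a.dst in (None, b.dst) and a.port in (None, b.port))

def evaluate(acl, proto, src, dst, dport):
    """Return (action, 1-based index of first matching ACE); index 0 = implicit deny."""
    pkt = ACE("", proto, src, dst, dport)
    for n, ace in enumerate(acl, 1):
        if covers(ace, pkt):
            return ace.action, n          # first match wins, later ACEs are skipped
    return "deny", 0

def shadowed(acl):
    """1-based indexes of ACEs fully covered by an earlier ACE (never evaluated)."""
    return [j + 1 for j, b in enumerate(acl) if any(covers(a, b) for a in acl[:j])]

# ACL from the exhibit, then an assumed correction: drop the broad deny
EXHIBIT = [parse_ace(l) for l in ("deny ip any host 10.10.10.10",
                                  "deny tcp any host 10.10.10.10 eq 23",
                                  "permit ip any any")]
FIXED = [parse_ace(l) for l in ("deny tcp any host 10.10.10.10 eq 23",
                                "permit ip any any")]

if __name__ == "__main__":
    client = "192.168.1.5"                # constructed sample source address
    print(evaluate(EXHIBIT, "tcp", client, "10.10.10.10", 80), shadowed(EXHIBIT))
    print(evaluate(FIXED, "tcp", client, "10.10.10.10", 80), shadowed(FIXED))
```

Running shadowed() over a candidate ACL before applying it catches this ordering mistake; note that it reports an ACE as unreachable regardless of whether its action agrees with the entry that covers it.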

Key Concepts to Remember

  • An Access Control List (ACL) processes packets sequentially from top to bottom and stops at the first matching Access Control Entry (ACE).
  • A deny ACE in an ACL immediately blocks matching traffic and prevents further ACL entries from being evaluated for that packet.
  • Extended ACLs can filter traffic based on Layer 3 IP addresses and Layer 4 protocols and ports, such as TCP port 23 for Telnet.
  • Applying an ACL inbound on an interface filters traffic as it enters the router or switch before routing decisions are made.
  • The order of ACEs in an ACL is critical; placing a broad deny statement before specific permit statements can block all traffic unintentionally.
  • Telnet uses TCP port 23, so ACLs must specify TCP protocol and port 23 to selectively block Telnet traffic.
  • Implicit deny at the end of every ACL blocks all traffic not explicitly permitted, so permit statements must be carefully ordered.
  • ACLs do not differentiate between services unless explicitly configured with protocol and port numbers in extended ACLs.

Exam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

An Access Control List (ACL) processes packets sequentially from top to bottom and stops at the first matching Access Control Entry (ACE).

Real-world example

How this comes up in practice

A security administrator must allow nursing staff to reach a patient records server while blocking access from the guest Wi-Fi VLAN. After applying an extended ACL, traffic is still blocked from nursing workstations. The ACL was applied outbound instead of inbound on the wrong interface. Questions like this test ACL direction and placement rules.

What to study next

Got this wrong? Here's your next step.

Review the principle that an Access Control List (ACL) processes packets sequentially from top to bottom and stops at the first matching Access Control Entry (ACE), then practise related 200-301 questions on the same topic to reinforce the concept.


FAQ

Questions learners often ask

What does this 200-301 question test?

IP Routing. This question tests the principle that an Access Control List (ACL) processes packets sequentially from top to bottom and stops at the first matching Access Control Entry (ACE).

What is the correct answer to this question?

The correct answer is: The deny ip statement blocks all traffic to the host before the Telnet-specific line is evaluated — ACLs are processed top-down, and the first match is applied. The first line denies all IP traffic to the host (any protocol, any port). This matches all packets destined for 10.10.10.10 before the Telnet-specific line is ever reached, effectively blocking every service, not just Telnet.

What should I do if I get this 200-301 question wrong?

Review the principle that an Access Control List (ACL) processes packets sequentially from top to bottom and stops at the first matching Access Control Entry (ACE), then practise related 200-301 questions on the same topic to reinforce the concept.

What is the key concept behind this question?

An Access Control List (ACL) processes packets sequentially from top to bottom and stops at the first matching Access Control Entry (ACE).

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content.

Last reviewed: May 17, 2026


This 200-301 practice question is part of Courseiva's free Cisco certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the 200-301 exam.