Exhibit
Requirement: Allow 10.1.10.0/24 to reach 198.51.100.20 on TCP ports 80 and 443 only. Block all other traffic from 10.1.10.0/24.
Exhibit: An administrator wants to permit HTTP and HTTPS from 10.1.10.0/24 to a web server at 198.51.100.20 and deny everything else from that subnet. Which ACL type is required?
Answer choices
Why each option matters
Good practice is not just finding the correct option. The wrong answers often show the exact trap the exam wants you to fall into.
- Named standard ACL: distractor.
- Extended ACL: best answer (correct choice).
- Prefix list: distractor.
- MAC access-list: distractor.
Common exam trap
Common exam trap: answer the scenario, not the keyword
A frequent exam trap is selecting a standard ACL when the question requires filtering by both source and destination IP addresses plus specific protocols or ports. Standard ACLs only filter by source IP, so they cannot distinguish HTTP or HTTPS traffic to a particular destination. Another trap is confusing prefix lists or MAC access-lists as suitable options; prefix lists filter routes, not traffic by port, and MAC access-lists filter Layer 2 addresses, not Layer 3 or 4 information. Misunderstanding these differences leads to incorrect ACL type selection and exam failure.
Technical deep dive
How to think about this question
Access Control Lists (ACLs) are fundamental tools in Cisco networking used to filter traffic based on defined criteria. Standard ACLs filter traffic solely by the source IP address, making them suitable for broad filtering but insufficient for granular control. Extended ACLs, however, allow filtering by source and destination IP addresses, protocol types (such as TCP or UDP), and specific port numbers, enabling precise control over which traffic is permitted or denied.

In this scenario, the administrator needs to permit HTTP (TCP port 80) and HTTPS (TCP port 443) traffic from the subnet 10.1.10.0/24 to a specific web server at 198.51.100.20, while denying all other traffic from that subnet. This requirement demands filtering based on both source and destination IP addresses and specific TCP ports, which only an extended ACL can provide. The ACL must explicitly permit TCP traffic to ports 80 and 443 on the destination IP and then deny all other traffic from the source subnet.

A common exam trap is confusing standard ACLs with extended ACLs, assuming standard ACLs can filter by destination or port. Additionally, prefix lists and MAC access-lists serve different purposes and cannot filter by TCP ports or specific IP destinations. Practically, applying an extended ACL closest to the traffic source optimizes network security and performance by blocking unwanted traffic early. Understanding these distinctions is critical for correct ACL implementation and passing the CCNA exam.
Key Concepts to Remember
- An extended ACL permits filtering based on source and destination IP addresses, as well as protocol types and port numbers, enabling precise traffic control.
- A standard ACL filters traffic only by source IP address, lacking the ability to specify destination addresses or protocols like TCP ports 80 and 443.
- Cisco routers process ACLs sequentially, stopping at the first matching rule, so rule order is critical to correctly permit or deny traffic.
- Extended ACLs are typically applied closest to the source of the traffic to reduce unnecessary traffic on the network and improve security.
- ACLs implicitly deny all traffic that does not match any permit statement, so an explicit deny is often unnecessary but can improve clarity.
- Named ACLs provide easier management and editing but do not change the fundamental filtering capabilities compared to numbered ACLs.
- Prefix lists filter based on IP address prefixes and are primarily used in routing policy control, not for protocol or port-based filtering.
- MAC access-lists filter traffic based on Layer 2 MAC addresses and are not suitable for IP protocol or port filtering required in this scenario.
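To make the deep dive and the key concepts concrete, here is an added example (not from the page, and not Cisco code) that models how IOS evaluates an ACL: top-down, first match wins, implicit deny at the end. It parses the extended ACL the question calls for, written in IOS syntax, and a source-only standard ACL, and shows that only the extended ACL can confine 10.1.10.0/24 to TCP 80/443 on 198.51.100.20. The sample ACL lines and packets are constructed for the example.

```python
import ipaddress

# Constructed sample: the extended ACL the question calls for, in Cisco IOS
# syntax (wildcard masks, the 'host' keyword, 'eq' for a destination port).
WEB_ACL = [
    "permit tcp 10.1.10.0 0.0.0.255 host 198.51.100.20 eq 80",
    "permit tcp 10.1.10.0 0.0.0.255 host 198.51.100.20 eq 443",
]  # no explicit deny needed: every IOS ACL ends with an implicit 'deny ip any any'

# Constructed sample: the closest a standard ACL can get (source address only).
STANDARD_ACL = ["permit 10.1.10.0 0.0.0.255"]

PROTOCOLS = ("ip", "tcp", "udp", "icmp")

def _parse_addr(tokens, i):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # A wildcard mask is the bit-inverse of a subnet mask: 0.0.0.255 -> 255.255.255.0
    mask = 0xFFFFFFFF ^ int(ipaddress.ip_address(tokens[i + 1]))
    net = ipaddress.ip_network(f"{tokens[i]}/{ipaddress.ip_address(mask)}", strict=False)
    return net, i + 2

def parse_ace(line):
    """Parse one access control entry (standard or extended) into its match fields."""
    t = line.split()
    if t[1] in PROTOCOLS:                       # extended: action proto src dst [eq port]
        src, i = _parse_addr(t, 2)
        dst, i = _parse_addr(t, i)
        port = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        return {"action": t[0], "proto": t[1], "src": src, "dst": dst, "dport": port}
    src, _ = _parse_addr(t, 1)                  # standard: action src only
    return {"action": t[0], "proto": "ip", "src": src,
            "dst": ipaddress.ip_network("0.0.0.0/0"), "dport": None}

def evaluate(acl_lines, proto, src_ip, dst_ip, dport=None):
    """Evaluate a packet the way IOS does: top-down, first match wins, implicit deny at the end."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in map(parse_ace, acl_lines):
        if ace["proto"] not in ("ip", proto):
            continue                             # 'ip' entries match every protocol
        if src not in ace["src"] or dst not in ace["dst"]:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"]
    return "deny"                                # implicit 'deny ip any any'
```

Running `evaluate(STANDARD_ACL, "tcp", "10.1.10.25", "198.51.100.20", 22)` returns "permit", which is exactly why the standard ACL fails the requirement, while the same packet against `WEB_ACL` hits the implicit deny.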
Exam Day Tips
- Watch for words such as best, first, most likely and least administrative effort.
- Review why wrong options are wrong, not only why the correct option is correct.
More questions from this exam
Keep practising from the same exam bank, or move into a focused topic page if this question exposed a weak area.
Question 1
A router learns the same prefix from both OSPF and EIGRP. Which route is installed by default?
Question 2
A router shows this output:

    R1#show ip ospf neighbor
    Neighbor ID     Pri   State           Dead Time   Address         Interface
    10.1.1.2          1   FULL/DR         00:00:34    192.168.12.2    GigabitEthernet0/0
    10.1.1.3          1   2WAY/DROTHER    00:00:39    192.168.12.3    GigabitEthernet0/0

Which statement is correct?
Question 3
What is the OSPF metric called?
Question 4
A non-root switch has two uplinks toward the root bridge. One path has a lower total STP cost than the other. What role will the lower-cost uplink have?
Question 5
A router interface applies this ACL inbound:

    10 deny tcp any any eq 80
    20 permit ip any any

A user reports that web browsing to a server by IP address fails, but ping works. Which statement best explains the behavior?
Question 6
A router learns route 198.51.100.0/24 from OSPF with AD 110 and also has a static route to the same prefix configured with AD 150. Which route is installed?
FAQ
Questions learners often ask
What does this 200-301 question test?
An extended ACL permits filtering based on source and destination IP addresses, as well as protocol types and port numbers, enabling precise traffic control.
What is the correct answer to this question?
The correct answer is: Extended ACL — A standard ACL can match only the source address. To permit specific protocols and ports such as TCP 80 and 443 to a specific destination, the administrator must use an extended ACL.
What should I do if I get this 200-301 question wrong?
Try more questions from the same exam bank and focus on understanding why the wrong options are tempting.