CCNA Network Services and Security Practice Question
This 200-301 practice question tests your understanding of network services and security. Match the stated requirement to the specific cloud service, access model, or configuration option; many options are valid in isolation but not for this scenario. A key principle to apply: an access control list (ACL) filters traffic based on specified criteria such as source IP, destination IP, protocol, and port numbers to control network access. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.
Exhibit
Source subnet: 10.20.30.0/24
Requirement: block Telnet, allow HTTP and HTTPS
Users in 10.20.30.0/24 should be allowed to browse the web but should not be able to open Telnet sessions to any remote device. Which access list entry best meets the requirement?
Clue words in this question
Noticing these words before you look at the options changes how you read each choice.
Clue: "best"
Why it matters: Signals that multiple options may be partially correct. Choose the option that most directly solves the exact problem described, not the one that sounds most complete.
Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.
Correct answer & explanation
✓ deny tcp 10.20.30.0 0.0.0.255 any eq 23
To block Telnet while still allowing web traffic, the ACL should deny TCP destination port 23 from that source subnet and then permit the rest of the needed traffic. Telnet uses TCP port 23, not UDP and not source port 23.
Key principle: An access control list (ACL) filters traffic based on specified criteria such as source IP, destination IP, protocol, and port numbers to control network access.
Answer analysis
Option-by-option breakdown
For each option: why learners choose it and why it is or isn't the right answer here.
✓ deny tcp 10.20.30.0 0.0.0.255 any eq 23
Why this is correct
This blocks Telnet from that subnet to any destination.
Clue confirmation
The clue word "best" in the question points toward this answer.
Related concept
An access control list (ACL) filters traffic based on specified criteria such as source IP, destination IP, protocol, and port numbers to control network access.
✗ deny tcp any 10.20.30.0 0.0.0.255 eq 23
Why it's wrong here
That blocks inbound Telnet to the subnet, not outbound sessions from the users.
When this WOULD be correct
In a different scenario where the question specifies that any device trying to initiate a Telnet session to the 10.20.30.0/24 subnet should be denied, option C would be correct as it would effectively block all Telnet attempts from any source to that subnet.
Option-by-option analysis
Why each answer is right or wrong
Understanding why wrong answers are wrong — and when they would be correct — is what separates a 750 score from a 900. The 200-301 exam frequently reuses these exact scenarios with slightly different constraints.
✓ deny tcp 10.20.30.0 0.0.0.255 any eq 23 (correct answer)
Why this is correct
This blocks Telnet from that subnet to any destination.
✗ deny udp 10.20.30.0 0.0.0.255 any eq 23 (wrong answer)
Why this is wrong here
Telnet uses TCP as its transport protocol, not UDP. Denying UDP port 23 would have no effect on Telnet traffic, as Telnet does not use UDP.
★ When this WOULD be the correct answer
In a scenario where the question specifies that UDP traffic on port 23 should be blocked due to a specific application requirement or security policy, option B would be the correct answer. For example, if the question stated that UDP-based services on port 23 were being exploited and needed to be restricted, this option would apply.
Why candidates choose this
Students may confuse Telnet with other protocols that use UDP, or mistakenly think that port 23 can be used with either TCP or UDP.
✗ deny tcp any 10.20.30.0 0.0.0.255 eq 23 (wrong answer)
Why this is wrong here
This entry denies inbound Telnet sessions to the subnet (from any source to 10.20.30.0/24), but the requirement is to block outbound Telnet sessions initiated by users in that subnet.
★ When this WOULD be the correct answer
In a different scenario where the question specifies that any device trying to initiate a Telnet session to the 10.20.30.0/24 subnet should be denied, option C would be correct as it would effectively block all Telnet attempts from any source to that subnet.
Why candidates choose this
Students may misinterpret the direction of traffic, confusing 'from the subnet' with 'to the subnet', or think that blocking inbound Telnet also blocks outbound.
✗ permit tcp 10.20.30.0 0.0.0.255 any eq 80 (wrong answer)
Why this is wrong here
This entry permits HTTP traffic (TCP port 80) but does not deny Telnet. Without a deny statement for Telnet, Telnet sessions would still be allowed by default (if no other deny exists).
★ When this WOULD be the correct answer
In a different scenario where the question asks for an access list entry to allow web browsing while explicitly permitting HTTP traffic from the 10.20.30.0/24 subnet, option D would be correct. For example, if the question required allowing users to access web services while not mentioning any restrictions on Telnet, this option would fit.
Why candidates choose this
Students might think that permitting web traffic implicitly blocks other traffic, but ACLs require explicit deny statements to block unwanted traffic.
Common exam traps
Common exam trap: answer the scenario, not the keyword
A frequent exam trap is selecting an ACL entry that denies UDP traffic on port 23 or denies traffic with the source port set to 23. Telnet exclusively uses TCP as its transport protocol and communicates over destination port 23, so denying UDP or source port 23 traffic will not block Telnet sessions. Another common mistake is denying inbound Telnet traffic to the subnet rather than outbound traffic from the subnet, which does not prevent users inside the subnet from initiating Telnet connections. Misunderstanding these protocol and port details leads to ineffective ACLs that fail to meet the requirement.
Detailed technical explanation
How to think about this question
Access control lists (ACLs) are fundamental security tools in Cisco networking that control traffic flow by filtering packets based on criteria such as source and destination IP addresses, protocols, and port numbers. In the context of the CCNA exam, understanding how to write ACL entries to permit or deny specific traffic types is essential. Telnet, a legacy remote access protocol, uses TCP as its transport layer protocol and communicates over destination port 23. Therefore, to block Telnet sessions from a specific subnet, an ACL must deny TCP traffic destined for port 23 originating from that subnet.
The correct ACL entry in this scenario is "deny tcp 10.20.30.0 0.0.0.255 any eq 23". This statement blocks any TCP traffic from the 10.20.30.0/24 subnet to any destination where the destination port equals 23, effectively preventing outbound Telnet sessions. The wildcard mask 0.0.0.255 matches all hosts in the subnet. It is important to place this deny statement before any permit statements to ensure Telnet traffic is blocked before other traffic is allowed. For example, permitting TCP traffic to port 80 (HTTP) allows web browsing while still blocking Telnet.
A common exam trap is confusing the protocol or port number used by Telnet. Telnet uses TCP, not UDP, and specifically port 23 as the destination port, not the source port. Another trap is misunderstanding the direction of traffic filtering; denying inbound Telnet to the subnet does not stop users inside the subnet from initiating outbound Telnet sessions. Practically, ACLs must be carefully ordered and correctly specified to enforce security policies effectively, ensuring unwanted protocols like Telnet are blocked without disrupting legitimate traffic such as HTTP web browsing.
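The wildcard-mask matching and top-down, first-match evaluation described above can be checked with a small model. This is an added example, not part of the original page and not Cisco code; the letter A for the correct entry, the trailing "permit ip any any" line, and the sample host addresses are assumptions made for the illustration.

```python
import ipaddress

def wild_match(addr, base, wildcard):
    """IOS wildcard match: bits set to 1 in the wildcard are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def parse_addr(tok, i):
    """Read 'any' or 'ADDRESS WILDCARD' starting at tok[i]."""
    if tok[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    return (tok[i], tok[i + 1]), i + 2

def parse_entry(line):
    """Parse '<action> <proto> <src> <dst> [eq <port>]' (a subset of IOS syntax)."""
    tok = line.split()
    src, i = parse_addr(tok, 2)
    dst, i = parse_addr(tok, i)
    port = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
    return {"action": tok[0], "proto": tok[1], "src": src, "dst": dst, "dport": port}

def evaluate(acl_lines, proto, src, dst, dport):
    """Return the action of the first matching entry (entries are checked in order)."""
    for e in map(parse_entry, acl_lines):
        if e["proto"] not in ("ip", proto):
            continue
        if not (wild_match(src, *e["src"]) and wild_match(dst, *e["dst"])):
            continue
        if e["dport"] is not None and e["dport"] != dport:
            continue
        return e["action"]
    return "deny"  # IOS ends every ACL with an implicit deny

OPTIONS = {  # A is the page's correct answer; B-D as the page labels them
    "A": "deny tcp 10.20.30.0 0.0.0.255 any eq 23",
    "B": "deny udp 10.20.30.0 0.0.0.255 any eq 23",
    "C": "deny tcp any 10.20.30.0 0.0.0.255 eq 23",
    "D": "permit tcp 10.20.30.0 0.0.0.255 any eq 80",
}

def outbound_verdicts(candidate):
    """Telnet/HTTP/HTTPS verdicts for a constructed host in 10.20.30.0/24, with the
    candidate placed ahead of an assumed trailing 'permit ip any any'."""
    acl = [candidate, "permit ip any any"]
    host, remote = "10.20.30.15", "203.0.113.10"  # constructed sample addresses
    return tuple(evaluate(acl, "tcp", host, remote, port) for port in (23, 80, 443))

if __name__ == "__main__":
    for name, entry in OPTIONS.items():
        print(name, entry, "->", outbound_verdicts(entry))
```

Only entry A yields a deny for Telnet while HTTP and HTTPS stay permitted; moving the deny below the permit line lets Telnet through, which is why entry order matters.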
Key Concepts to Remember
An access control list (ACL) filters traffic based on specified criteria such as source IP, destination IP, protocol, and port numbers to control network access.
Telnet uses TCP as its transport protocol and specifically communicates over destination port 23, which ACLs can target to block Telnet sessions.
Denying TCP traffic from a source subnet to any destination on port 23 effectively blocks outbound Telnet sessions from that subnet.
Permitting HTTP traffic typically involves allowing TCP traffic to destination port 80, which is distinct from Telnet’s port 23.
ACLs process entries in sequential order, so placing a deny statement for Telnet before permit statements ensures Telnet traffic is blocked first.
Using incorrect protocols or ports in ACL entries, such as denying UDP port 23, will fail to block Telnet because Telnet uses TCP port 23.
Inbound and outbound ACLs differ; blocking inbound Telnet to a subnet does not prevent users in that subnet from initiating outbound Telnet sessions.
Cisco IOS ACLs use wildcard masks to specify IP ranges, where 0.0.0.255 matches all hosts in a /24 subnet like 10.20.30.0/24.
Exam Day Tips
→ Watch for words such as best, first, most likely and least administrative effort.
→ Review why wrong options are wrong, not only why the correct option is correct.
Key takeaway
An access control list (ACL) filters traffic based on specified criteria such as source IP, destination IP, protocol, and port numbers to control network access.
Real-world example
How this comes up in practice
A small business has 20 workstations on the 192.168.1.0/24 network and one public IP from its ISP. The router uses PAT (NAT overload) so all 20 devices share one public address using different source ports. NAT questions test whether you understand the four address terms and which direction each translation applies.
What is the correct answer to this question?
The correct answer is: deny tcp 10.20.30.0 0.0.0.255 any eq 23 — To block Telnet while still allowing web traffic, the ACL should deny TCP destination port 23 from that source subnet and then permit the rest of the needed traffic. Telnet uses TCP port 23, not UDP and not source port 23.
What should I do if I get this 200-301 question wrong?
Review how an access control list (ACL) filters traffic based on specified criteria such as source IP, destination IP, protocol, and port numbers to control network access, then practise related 200-301 questions on the same topic to reinforce the concept.
Are there clue words in this question I should notice?
Yes — watch for: "best". Signals that multiple options may be partially correct. Choose the option that most directly solves the exact problem described, not the one that sounds most complete.
What is the key concept behind this question?
An access control list (ACL) filters traffic based on specified criteria such as source IP, destination IP, protocol, and port numbers to control network access.
About these practice questions
Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content.
This 200-301 practice question is part of Courseiva's free Cisco certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the 200-301 exam.