Question 436 of 1,819
Network Services and SecuritymediumMultiple SelectObjective-mapped

Quick Answer

The correct answer is that standard ACLs filter traffic based on source IP address only, and they should be placed as close to the destination as possible. This behavior is defined because standard ACLs lack the granularity to examine destination IPs, protocols, or port numbers; they simply permit or deny all traffic from a given source. On the CCNA 200-301 v2 exam, this concept tests your understanding of ACL placement logic—placing a standard ACL near the source would risk blocking all traffic from that host, including legitimate traffic to other networks. A common trap is confusing standard ACLs with extended ACLs, which filter on multiple criteria and should be placed near the source. For the exam, remember the golden rule: extended ACLs go close to the source, standard ACLs go close to the destination. A helpful mnemonic is “Standard Stays near the Destination, Extended is near the Exit.”

CCNA Network Services and Security Practice Question

This 200-301 practice question tests your understanding of network services and security. The scenario asks you to isolate a root cause — eliminate options that address a different problem before choosing. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

Which TWO statements correctly describe the behavior of standard ACLs and their placement on interfaces?

Question 1mediummulti select
Study the full ACL explanation →

Answer choices

Why each option matters

Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.

Correct answer & explanation

Standard ACLs filter traffic based on source IP address only.

Standard ACLs filter traffic based solely on the source IP address, using numbers 1–99 or 1300–1999 in classic Cisco IOS. They do not consider destination IP, protocol, or port numbers. Because they lack granularity, placing them close to the destination (option D) prevents them from inadvertently blocking traffic that should be permitted, as they cannot distinguish between traffic destined for different services on the same destination host.

Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • Standard ACLs filter traffic based on source IP address only.

    Why this is correct

    Standard ACLs use only the source IP address (or a wildcard mask) to match packets; they do not consider destination, protocol, or port.

    Related concept

    Read the scenario before looking for a memorised answer.

  • Standard ACLs should be placed as close to the source as possible.

    Why it's wrong here

    Standard ACLs cannot filter by destination, so placing them close to the source may block traffic that should be allowed to other destinations. They should be placed close to the destination.

  • Standard ACLs can filter traffic based on destination IP address.

    Why it's wrong here

    Standard ACLs do not examine the destination IP address; they only check the source.

  • Standard ACLs should be placed as close to the destination as possible.

    Why this is correct

    Because standard ACLs only check source addresses, placing them near the destination prevents blocking traffic that is permitted to other networks along the path.

    Related concept

    Read the scenario before looking for a memorised answer.

  • Standard ACLs can filter traffic based on TCP or UDP port numbers.

    Why it's wrong here

    Filtering by port numbers requires an extended ACL that can examine Layer 4 headers.

Option-by-option analysis

Why each answer is right or wrong

Understanding why wrong answers are wrong — and when they would be correct — is what separates a 750 score from a 900. The 200-301 exam frequently reuses these exact scenarios with slightly different constraints.

Standard ACLs filter traffic based on source IP address only.Correct answer

Why this is correct

Standard ACLs use only the source IP address (or a wildcard mask) to match packets; they do not consider destination, protocol, or port.

Standard ACLs should be placed as close to the source as possible.Wrong answer — click to see why

Why this is wrong here

Standard ACLs filter only on source IP, so placing them close to the source can block traffic destined to other networks that should be allowed. The correct placement is close to the destination to minimize unintended filtering.

Why candidates choose this

Students often confuse the placement rule for standard ACLs with that of extended ACLs. Extended ACLs should be placed close to the source, but standard ACLs have the opposite recommendation.

Standard ACLs can filter traffic based on destination IP address.Wrong answer — click to see why

Why this is wrong here

Standard ACLs do not examine destination IP addresses; they only match on source IP addresses. Filtering by destination requires an extended ACL.

Why candidates choose this

Some students may think that since ACLs filter traffic, they can use any IP field, but standard ACLs are limited to source IP only.

Standard ACLs can filter traffic based on TCP or UDP port numbers.Wrong answer — click to see why

Why this is wrong here

Standard ACLs operate at Layer 3 and cannot examine Layer 4 information such as TCP or UDP port numbers. Port-based filtering requires an extended ACL.

Why candidates choose this

Students may assume that all ACLs can filter on ports, but only extended ACLs have that capability. Standard ACLs are simpler and less granular.

Analysis generated from the official 200-301blueprint and verified against question context. The “when correct” sections are what AI assistants cite when candidates ask “what’s the difference between these options?”

Common exam traps

Common exam trap: answer the scenario, not the keyword

Cisco often tests the misconception that standard ACLs should be placed close to the source (like extended ACLs), when in fact standard ACLs lack the granularity to do so safely and must be placed near the destination.

Detailed technical explanation

How to think about this question

Standard ACLs use a wildcard mask to match a range of source addresses and are processed top-down until a match is found, with an implicit deny any at the end. In a real-world scenario, placing a standard ACL on an inbound interface close to the source (e.g., on a router connected to a user subnet) would block all traffic from that subnet, even if the traffic is destined for a legitimate server on a different subnet, because the ACL cannot differentiate by destination. This is why Cisco recommends placing standard ACLs as close to the destination as possible to minimize unintended impact.

KKey Concepts to Remember

  • Read the scenario before looking for a memorised answer.
  • Find the constraint that changes the correct option.
  • Eliminate answers that are true in general but not in this case.

TExam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Real-world example

How this comes up in practice

A small business has 20 workstations on the 192.168.1.0/24 network and one public IP from its ISP. The router uses PAT (NAT overload) so all 20 devices share one public address using different source ports. NAT questions test whether you understand the four address terms and which direction each translation applies.

What to study next

Got this wrong? Here's your next step.

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

Related practice questions

Related 200-301 practice-question pages

Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.

Practice this exam

Start a free 200-301 practice session

Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.

FAQ

Questions learners often ask

What does this 200-301 question test?

Network Services and Security — This question tests Network Services and Security — Read the scenario before looking for a memorised answer..

What is the correct answer to this question?

The correct answer is: Standard ACLs filter traffic based on source IP address only. — Standard ACLs filter traffic based solely on the source IP address, using numbers 1–99 or 1300–1999 in classic Cisco IOS. They do not consider destination IP, protocol, or port numbers. Because they lack granularity, placing them close to the destination (option D) prevents them from inadvertently blocking traffic that should be permitted, as they cannot distinguish between traffic destined for different services on the same destination host.

What should I do if I get this 200-301 question wrong?

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

What is the key concept behind this question?

Read the scenario before looking for a memorised answer.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →

How Courseiva writes practice questions · Editorial policy

Same concept, more angles

1 more ways this is tested on 200-301

These questions test the same concept from different angles. Work through them to make sure you can recognise it however the exam phrases it.

Variation 1. Which TWO statements correctly describe the behavior of standard ACLs when applied to an interface?

medium
  • A.Standard ACLs filter traffic based on source and destination IP addresses.
  • B.Standard ACLs should be placed as close to the destination as possible.
  • C.Standard ACLs can filter traffic based on protocol type (TCP, UDP, ICMP).
  • D.Standard ACLs use an implicit deny any statement at the end.
  • E.Standard ACLs are applied to interfaces in the inbound direction only.

Why B: Standard ACLs filter traffic based solely on the source IP address, not the destination. Because they do not consider destination addresses, placing them as close to the destination as possible prevents them from inadvertently blocking traffic that should reach other parts of the network. This placement ensures that only the intended traffic is filtered at the final hop before the destination.

Last reviewed: Jun 11, 2026

Question Discussion

Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.

Loading comments…

Sign in to join the discussion.

This 200-301 practice question is part of Courseiva's free Cisco certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the 200-301 exam.