CCNA ACL Questions

44 questions · ACL topic · All types, answers revealed

1
PBQhard

You are connected to R1 via the console. An extended ACL named BLOCK_SMTP has been applied inbound on interface GigabitEthernet0/1, but users on the 192.168.10.0/24 network cannot send email to the SMTP server at 203.0.113.10. Additionally, the ACL is blocking all other traffic that should be permitted. Examine the running configuration and fix the ACL so that SMTP traffic (TCP port 25) from the 192.168.10.0/24 network to the SMTP server is permitted, and all other IP traffic is allowed.

Hints

  • The ACL is applied inbound on G0/1, so the source is the internal network.
  • The current ACL denies all SMTP traffic; you need to permit SMTP from the specific source network to the SMTP server before the deny.
  • Remember to remove the old ACL and create a new one with the correct order of entries.
A.permit tcp 192.168.10.0 0.0.0.255 host 203.0.113.10 eq 25 deny tcp any any eq 25 permit ip any any
B.permit tcp any any eq 25 deny tcp 192.168.10.0 0.0.0.255 host 203.0.113.10 eq 25 permit ip any any
C.deny tcp any any eq 25 permit tcp 192.168.10.0 0.0.0.255 host 203.0.113.10 eq 25 permit ip any any
D.permit tcp 192.168.10.0 0.0.0.255 host 203.0.113.10 eq 25 permit ip any any deny tcp any any eq 25
AnswerA
solution
! R1
configure terminal
no ip access-list extended BLOCK_SMTP
ip access-list extended BLOCK_SMTP
permit tcp 192.168.10.0 0.0.0.255 host 203.0.113.10 eq 25
deny tcp any any eq 25
permit ip any any
end

Why this answer

The correct answer is A. It permits SMTP from 192.168.10.0/24 to the SMTP server, then denies all other SMTP traffic, and finally permits all other IP traffic. Option B is wrong because it places a general permit for any SMTP before the specific deny, meaning all SMTP is permitted regardless of source/destination.

Option C is wrong because it denies all SMTP first, so the subsequent specific permit for the user network is never reached. Option D is wrong because the order permits the specific SMTP, then permits all IP traffic (including other SMTP), then denies SMTP—the permit ip any any before the deny makes the deny unreachable for all traffic, allowing all SMTP.

Exam trap

Remember that ACLs are processed sequentially; the first match wins. A common mistake is to place a general permit or deny before a specific statement, causing the specific statement to never be evaluated. Always order ACL entries from most specific to most general.

Why the other options are wrong

B

The order of ACL entries is crucial; the first match is applied. Here, the permit any any matches all SMTP before the deny can block the specific traffic.

C

The deny any any matches all SMTP, so the subsequent permit for the specific source/destination is never reached.

D

The permit ip any any matches all traffic, so the subsequent deny for SMTP is never applied.

2
PBQhard

You are connected to R1. The network has two routers (R1, R2) and a switch (SW1) in between. R1's G0/0 connects to SW1 (192.168.1.1/24), SW1 connects to R2's G0/0 (192.168.1.2/24). R2 has a loopback (Lo0: 203.0.113.1/32) used as a management address. Configure an extended ACL on R1 so that only SSH (TCP/22) traffic from the 10.0.0.0/24 network is permitted to reach R2's loopback; all other traffic to that loopback must be denied. Then apply the ACL in the correct direction on the correct interface.

Hints

  • The source network is 10.0.0.0/24; use the correct wildcard mask.
  • The destination is a single host IP; use the 'host' keyword.
  • The ACL must be applied to the interface where traffic from 10.0.0.0/24 enters R1.
A.access-list 100 permit tcp 10.0.0.0 0.0.0.255 host 203.0.113.1 eq 22 access-list 100 deny ip any host 203.0.113.1 interface GigabitEthernet0/1 ip access-group 100 in
B.access-list 100 permit tcp 10.0.0.0 0.0.0.255 host 203.0.113.1 eq 22 access-list 100 deny ip any host 203.0.113.1 interface GigabitEthernet0/0 ip access-group 100 out
C.access-list 100 permit tcp 10.0.0.0 0.0.0.255 host 203.0.113.1 eq 22 interface GigabitEthernet0/1 ip access-group 100 in
D.access-list 100 permit tcp 10.0.0.0 0.0.0.255 host 203.0.113.1 eq 22 access-list 100 deny ip any any interface GigabitEthernet0/1 ip access-group 100 in
AnswerA
solution
! R1
access-list 100 permit tcp 10.0.0.0 0.0.0.255 host 203.0.113.1 eq 22
access-list 100 deny ip any host 203.0.113.1
 permit ip any any
interface gigabitEthernet 0/1
ip access-group 100 in

Why this answer

The current configuration has no ACL restricting traffic to R2's loopback. The candidate must create an extended ACL that permits TCP from 10.0.0.0/24 to host 203.0.113.1 eq 22, then deny all other IP traffic to that host. The ACL must be applied inbound on R1's G0/1 (facing the 10.0.0.0/24 network) to filter traffic before it enters R1.

Applying outbound on G0/0 would also work, but inbound on G0/1 is more efficient and typical. The implicit deny at the end of the ACL blocks all other traffic to the loopback.

Exam trap

Be careful with ACL placement: inbound on the source-facing interface is more efficient and standard. Also, remember that extended ACLs should be placed as close to the source as possible. Do not rely solely on the implicit deny; explicit denies are often required in exam answers.

Avoid using overly broad deny statements that affect more traffic than intended.

Why the other options are wrong

B

The ACL is applied outbound on G0/0 instead of inbound on G0/1. Although it may achieve the goal, it is not the most efficient placement and may not be the expected answer in a PBQ.

C

Missing the explicit deny statement. The implicit deny at the end of the ACL will block other traffic, but the question expects an explicit deny for clarity and completeness.

D

The deny statement is too broad; it denies all IP traffic, not just traffic to the loopback. The correct deny should be specific to the loopback host.

3
MCQmedium

Users in 10.20.30.0/24 should be allowed to browse the web but should not be able to open Telnet sessions to any remote device. Which access list entry best meets the requirement?

A.deny tcp 10.20.30.0 0.0.0.255 any eq 23
B.deny udp 10.20.30.0 0.0.0.255 any eq 23
C.deny tcp any 10.20.30.0 0.0.0.255 eq 23
D.permit tcp 10.20.30.0 0.0.0.255 any eq 80
AnswerA

This blocks Telnet from that subnet to any destination.

Why this answer

To block Telnet while still allowing web traffic, the ACL should deny TCP destination port 23 from that source subnet and then permit the rest of the needed traffic. Telnet uses TCP port 23, not UDP and not source port 23.

Exam trap

A frequent exam trap is selecting an ACL entry that denies UDP traffic on port 23 or denies traffic with the source port set to 23. Telnet exclusively uses TCP as its transport protocol and communicates over destination port 23, so denying UDP or source port 23 traffic will not block Telnet sessions. Another common mistake is denying inbound Telnet traffic to the subnet rather than outbound traffic from the subnet, which does not prevent users inside the subnet from initiating Telnet connections.

Misunderstanding these protocol and port details leads to ineffective ACLs that fail to meet the requirement.

Why the other options are wrong

B

This option denies UDP traffic on port 23, but Telnet uses TCP, not UDP. Therefore, this ACL entry will not block Telnet sessions and is incorrect.

C

This option denies TCP traffic destined to the 10.20.30.0/24 subnet on port 23, which blocks inbound Telnet sessions to the subnet but does not prevent users inside the subnet from initiating outbound Telnet sessions.

D

This option permits TCP traffic from the subnet to any destination on port 80 (HTTP), allowing web browsing but does not block Telnet traffic, so it does not meet the requirement.

4
Drag & Dropmedium

Drag and drop the following steps into the correct order to plan, configure, and apply an extended ACL that permits only HTTP traffic from the 192.168.1.0/24 network to the server 10.0.0.10, applied inbound on interface GigabitEthernet0/1.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4

Why this order

After entering config mode, create the ACL to allow HTTP from the specified network to the server. Apply it inbound on the correct interface. Then exit and verify.

Exam trap

A common trap is applying the ACL to an interface before creating it, or verifying before applying. Remember: create first, then apply, then verify. Also, ensure the ACL is applied in the correct direction (inbound) on the correct interface.

5
MCQhard

Why is an extended ACL usually placed close to the source of the traffic being filtered?

A.Because standard ACLs cannot be applied near the destination
B.To stop unwanted traffic earlier and conserve bandwidth
C.To make NAT translation easier on inside interfaces
D.Because extended ACLs only work inbound on access interfaces
AnswerB

Correct. Filtering near the source is the classic design guidance for extended ACLs.

Why this answer

Extended ACLs can filter by source, destination, and protocol. Placing them near the source drops unwanted traffic before it crosses more of the network.

Exam trap

Remember that ACLs are processed by network devices, not end devices, and their placement affects traffic flow, not the ACL's complexity or dynamic capabilities.

Why the other options are wrong

A

Standard ACLs can be applied near the destination or source, but the placement guidance for extended ACLs is based on their ability to filter on source and destination IP addresses and ports, not on limitations of standard ACLs. The reason for placing extended ACLs near the source is to filter traffic early, not because standard ACLs cannot be applied near the destination.

C

NAT translation is typically performed on routers or firewalls at network boundaries, and ACL placement for filtering is independent of NAT configuration. Placing an extended ACL near the source does not directly affect NAT translation; NAT uses its own rules and is not a factor in ACL placement decisions.

D

Extended ACLs can be applied inbound or outbound on any interface, not just inbound on access interfaces. The statement is factually incorrect; extended ACLs are versatile and can be placed in various locations depending on the filtering requirements.

6
PBQhard

You are connected to R1. The network consists of three routers: R1, R2, and R3. R1's G0/0 connects to R2 (10.0.0.0/30), and R1's G0/1 connects to R3 (10.0.1.0/30). A server at 203.0.113.100 on R2's LAN must be reachable from R3's LAN (203.0.113.0/24) via ICMP, but all other traffic from R3 to R2 must be blocked. The current ACL on R1 is too permissive, allowing all traffic. Configure and apply a standard ACL to permit only ICMP echo requests from R3 to the server, with the implicit deny blocking everything else.

Network Topology
G0/110.0.1.2/30G0/010.0.0.1/3010.0.1.0/30G0/010.0.0.1/30G0/010.0.0.2/3010.0.0.0/30G0/010.0.0.2/30R3R1 (G0/1 10.0.1.1/30)R2Server

Hints

  • Standard ACLs cannot filter by protocol; use an extended ACL number (100-199 or 2000-2699).
  • Apply the ACL inbound on the interface closest to the source (R3) to filter traffic early.
  • The current ACL is applied inbound on G0/0, which faces R2; it should be removed and replaced with a new ACL on G0/1.
A.Remove ACL 10 from G0/0, delete ACL 10, then configure extended ACL 100 with 'permit icmp 203.0.113.0 0.0.0.255 host 203.0.113.100 echo' and apply it inbound on G0/1.
B.Remove ACL 10 from G0/0, delete ACL 10, then configure standard ACL 10 with 'permit 203.0.113.0 0.0.0.255' and apply it inbound on G0/1.
C.Remove ACL 10 from G0/0, delete ACL 10, then configure extended ACL 100 with 'permit icmp host 203.0.113.100 203.0.113.0 0.0.0.255 echo' and apply it inbound on G0/0.
D.Keep the existing ACL 10 applied inbound on G0/0, but add an extended ACL 100 with 'permit icmp 203.0.113.0 0.0.0.255 host 203.0.113.100 echo' applied inbound on G0/1.
AnswerA
solution
! R1
configure terminal
interface GigabitEthernet0/0
no ip access-group 10 in
exit
no access-list 10
access-list 100 permit icmp 203.0.113.0 0.0.0.255 host 203.0.113.100 echo
interface GigabitEthernet0/1
ip access-group 100 in

Why this answer

The current ACL 10 permits all traffic inbound on G0/0, which is too permissive. The requirement is to allow only ICMP echo requests from R3's LAN (source 203.0.113.0/24) to the server at 203.0.113.100. A standard ACL uses source IP only.

First, remove the existing ACL from the interface with 'no ip access-group 10 in' on G0/0. Then delete ACL 10 with 'no access-list 10'. Create a new standard ACL that permits ICMP echo requests; since standard ACLs cannot filter by protocol, we must use an extended ACL.

So we configure an extended ACL (e.g., 100) with 'permit icmp 203.0.113.0 0.0.0.255 host 203.0.113.100 echo' and apply it inbound on G0/1 (the interface facing R3) to filter traffic before it enters R1. The implicit deny will block all other traffic from R3 to R2.

Exam trap

The key trap is that standard ACLs cannot filter by protocol; you must use an extended ACL for ICMP. Also, remember that ACLs are applied per interface and direction; removing the old permissive ACL is essential. Applying the ACL on the wrong interface or with reversed source/destination are common mistakes.

Why the other options are wrong

B

The specific factual error is that standard ACLs cannot filter by protocol (ICMP). They only match source IP addresses.

C

The specific factual error is that the ACL statement has the source and destination swapped, and it is applied on the wrong interface (G0/0 instead of G0/1).

D

The specific factual error is that the existing ACL 10 is too permissive and is applied on the wrong interface (G0/0 inbound) to filter traffic from R3 to R2. It must be removed to enforce the new restrictions.

7
PBQmedium

You are connected to R1 via the console. R1 connects two networks: GigabitEthernet0/0 (192.168.1.1/24) and GigabitEthernet0/1 (192.168.2.1/24). Create an extended ACL named BLOCK_HTTP that denies HTTP traffic (tcp port 80) from the 192.168.1.0/24 network to the 192.168.2.0/24 network, but permits all other IP traffic. Apply this ACL inbound on GigabitEthernet0/0.

Network Topology
G0/0192.168.1.1/24G0/1192.168.2.1/24HostsLAN AR1LAN BWeb servers

Hints

  • Use the 'ip access-list extended' command to create a named ACL.
  • The deny statement must specify source, destination, and protocol.
  • Apply the ACL to the interface where traffic enters.
A.ip access-list extended BLOCK_HTTP deny tcp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 eq 80 permit ip any any interface GigabitEthernet0/0 ip access-group BLOCK_HTTP in
B.ip access-list extended BLOCK_HTTP deny tcp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 eq 80 permit ip any any interface GigabitEthernet0/1 ip access-group BLOCK_HTTP in
C.ip access-list extended BLOCK_HTTP deny tcp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 eq 80 permit ip any any interface GigabitEthernet0/0 ip access-group BLOCK_HTTP out
D.ip access-list extended BLOCK_HTTP deny tcp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 eq 80 permit ip any any interface GigabitEthernet0/0 ip access-group BLOCK_HTTP in interface GigabitEthernet0/1 ip access-group BLOCK_HTTP in
AnswerA
solution
! R1
ip access-list extended BLOCK_HTTP
deny tcp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 eq 80
permit ip any any
interface GigabitEthernet0/0
ip access-group BLOCK_HTTP in

Why this answer

The named extended ACL BLOCK_HTTP denies TCP port 80 from 192.168.1.0/24 to 192.168.2.0/24, then permits all other traffic. Applying it inbound on G0/0 filters traffic from LAN A before routing.

Exam trap

Pay close attention to the interface and direction specified in the question. Inbound ACLs filter traffic entering the interface, while outbound ACLs filter traffic leaving. Also, ensure the ACL is applied only on the required interface.

Why the other options are wrong

B

The ACL is applied on the wrong interface; it should be applied inbound on G0/0, not G0/1.

C

The ACL is applied in the wrong direction; it should be inbound, not outbound.

D

The ACL is applied on an extra interface (G0/1) that is not required, which may block legitimate traffic.

8
MCQhard

A named standard ACL is configured to permit only the 192.168.30.0/24 subnet, but users from 192.168.31.0/24 are still passing traffic. What is the most likely reason?

A.Standard ACLs cannot match source addresses
B.The ACL is probably applied in the wrong place or direction for the traffic flow
C.Named ACLs ignore wildcard masks
D.The deny any line must appear before the permit
AnswerB

ACL placement matters a lot with standard ACLs.

Why this answer

Standard ACLs filter traffic based solely on the source IP address. If users from 192.168.31.0/24 are still passing traffic despite the ACL permitting only 192.168.30.0/24, the most likely reason is that the ACL is applied in the wrong place or direction. For example, if the ACL is applied inbound on an interface where traffic from 192.168.31.0/24 does not enter, or outbound on an interface where the traffic does not exit, the filter will not affect the intended flow.

The implicit deny statement denies all unmatched traffic, so if the ACL were correctly placed, traffic from 192.168.31.0/24 would be denied.

Exam trap

Remember that ACLs must be applied in the correct direction to affect traffic flow as intended.

Why the other options are wrong

A

Standard ACLs are specifically designed to match source IP addresses, so this statement is factually incorrect. They can match source addresses using wildcard masks.

C

Named ACLs use wildcard masks just like numbered ACLs; the naming does not affect the functionality of wildcard masks. The statement is technically incorrect.

D

The 'deny any' line at the end of an ACL is implicit, so placing it before the permit would block all traffic, including the intended 192.168.30.0/24 subnet. The order of entries matters, but the issue here is not about the order of deny any.

9
PBQhard

You are connected to R1. The network currently permits all HTTP traffic from hosts on the 192.168.1.0/24 LAN to reach the web server at 203.0.113.10, but SSH traffic (TCP port 22) from the same LAN is being blocked. Additionally, you must ensure that no other traffic from the LAN reaches the server. Configure an extended ACL on R1 to allow only HTTP and SSH from the LAN to the server, and apply it inbound on the correct interface. Verify your solution.

Network Topology
G0/0192.168.1.1/24G0/1203.0.113.1/30hostsLAN:R1WANServer

Hints

  • The current ACL is blocking SSH but allowing everything else; you need to reverse the logic.
  • Apply the new ACL inbound on the interface facing the LAN (GigabitEthernet0/0).
  • Remember that an implicit deny all exists at the end of every ACL; do not add a permit ip any any.
A.Remove the existing ACL from the interface, delete the ACL, create a new extended ACL that permits tcp from 192.168.1.0/24 to host 203.0.113.10 for ports 80 and 22, and apply it inbound on GigabitEthernet0/0.
B.Modify the existing ACL BLOCK_SSH by adding a permit statement for HTTP and changing the deny SSH to permit SSH, then reapply it inbound on GigabitEthernet0/0.
C.Create a new extended ACL that permits tcp from 192.168.1.0/24 to host 203.0.113.10 for ports 80 and 22, and apply it inbound on GigabitEthernet0/1 (the WAN interface).
D.Create a new extended ACL that permits tcp from 192.168.1.0/24 to host 203.0.113.10 for ports 80 and 22, and apply it outbound on GigabitEthernet0/0.
AnswerA
solution
! R1
interface GigabitEthernet0/0
no ip access-group BLOCK_SSH in
exit
no ip access-list extended BLOCK_SSH
ip access-list extended LAN_TO_SERVER
permit tcp 192.168.1.0 0.0.0.255 host 203.0.113.10 eq 80
permit tcp 192.168.1.0 0.0.0.255 host 203.0.113.10 eq 22
exit
interface GigabitEthernet0/0
ip access-group LAN_TO_SERVER in
end

Why this answer

The existing ACL BLOCK_SSH is applied inbound on GigabitEthernet0/0 and explicitly denies SSH from the LAN to the server, but permits all other IP traffic (including HTTP). The requirement is to allow only HTTP and SSH, blocking everything else. The solution is to remove the current ACL from the interface, delete the ACL, create a new extended ACL that permits tcp from the LAN to the server for ports 80 (HTTP) and 22 (SSH), and implicitly deny all other traffic, then reapply it inbound on GigabitEthernet0/0.

Exam trap

The trap is that candidates may try to modify the existing ACL without realizing it contains a permit ip any any statement that would still allow all traffic. Also, they may apply the ACL on the wrong interface or in the wrong direction. Always check the existing ACL entries and apply ACLs inbound on the interface closest to the source.

Why the other options are wrong

B

The specific factual error is that the existing ACL contains a permit ip any any statement that would override any specific denies, allowing all traffic.

C

The specific factual error is that ACLs should be applied inbound on the interface where the traffic enters the router, not on the outbound interface towards the destination.

D

The specific factual error is that outbound ACLs filter traffic exiting the interface, but the traffic from LAN to server enters the router via GigabitEthernet0/0 and exits via another interface (e.g., WAN). An outbound ACL on GigabitEthernet0/0 would not affect traffic going to the server.

10
MCQmedium

A router is configured with an access list intended to block Telnet from 192.168.10.0/24 to 10.1.1.10, but Telnet still works. What is the most likely reason?

A.The ACL must use wildcard mask 255.255.255.0 instead of 0.0.0.255
B.The ACL is applied in the wrong place or direction
C.Standard ACLs should always be used for Telnet filtering
D.The router must run PAT before ACLs can filter Telnet
AnswerB

The configuration logic points to an attachment problem rather than a syntax problem.

Why this answer

Option B is correct because the most common reason an ACL fails to block traffic is incorrect application—either it is applied to the wrong interface or in the wrong direction. For Telnet traffic from 192.168.10.0/24 to 10.1.1.10, the ACL must be applied inbound on the interface closest to the source or outbound on the interface closest to the destination. Option A is incorrect because the wildcard mask 0.0.0.255 is correct for matching the 192.168.10.0/24 network; 255.255.255.0 is a subnet mask, not a wildcard mask.

Option C is false—standard ACLs can only filter by source IP and cannot match the destination port (Telnet), so an extended ACL is actually required. Option D is unrelated; PAT (Port Address Translation) has no bearing on whether an ACL can filter Telnet traffic.

Exam trap

Cisco often tests the concept that an ACL's effectiveness depends on its placement and direction, not just its content, and the trap here is that candidates focus on the wildcard mask or ACL type while overlooking the fundamental requirement of correct application.

Why the other options are wrong

A

The wildcard mask 255.255.255.0 would match only the exact host 192.168.10.0, not the entire /24 subnet. Cisco ACLs use wildcard masks where 0 means match and 1 means ignore; for a /24, the correct mask is 0.0.0.255.

C

Standard ACLs can only filter based on source IP address and cannot match specific protocols like Telnet (TCP port 23) or destination addresses. Extended ACLs are required to filter Telnet traffic from a specific source to a specific destination.

D

PAT (Port Address Translation) is unrelated to ACL filtering. ACLs operate independently of NAT/PAT; they filter traffic based on Layer 3 and Layer 4 information regardless of whether translation is configured.

11
Drag & Dropmedium

Drag and drop the following steps into the correct order to plan, configure, and apply an extended ACL that blocks Telnet traffic from the 192.168.1.0/24 network to the 10.0.0.0/24 network, applied inbound on the interface facing the source.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4

Why this order

First, global config, then create ACL with deny and permit statements (order matters: deny first), then enter the source-facing interface and apply inbound; applying before creating ACL would fail.

Exam trap

Watch out for the order of ACL statements: deny must come before permit. Also, remember that ACLs must be created before they can be applied to an interface. Do not forget the implicit deny at the end of every ACL.

12
Multi-Selectmedium

Which TWO statements correctly describe the behavior of standard ACLs and their placement on interfaces?

Select 2 answers
A.Standard ACLs filter traffic based on source IP address only.
B.Standard ACLs should be placed as close to the source as possible.
C.Standard ACLs can filter traffic based on destination IP address.
D.Standard ACLs should be placed as close to the destination as possible.
E.Standard ACLs can filter traffic based on TCP or UDP port numbers.
AnswersA, D

Standard ACLs use only the source IP address (or a wildcard mask) to match packets; they do not consider destination, protocol, or port.

Why this answer

Standard ACLs filter traffic based solely on the source IP address, using numbers 1–99 or 1300–1999 in classic Cisco IOS. They do not consider destination IP, protocol, or port numbers. Because they lack granularity, placing them close to the destination (option D) prevents them from inadvertently blocking traffic that should be permitted, as they cannot distinguish between traffic destined for different services on the same destination host.

Exam trap

Cisco often tests the misconception that standard ACLs should be placed close to the source (like extended ACLs), when in fact standard ACLs lack the granularity to do so safely and must be placed near the destination.

Why the other options are wrong

B

Standard ACLs filter only on source IP, so placing them close to the source can block traffic destined to other networks that should be allowed. The correct placement is close to the destination to minimize unintended filtering.

C

Standard ACLs do not examine destination IP addresses; they only match on source IP addresses. Filtering by destination requires an extended ACL.

E

Standard ACLs operate at Layer 3 and cannot examine Layer 4 information such as TCP or UDP port numbers. Port-based filtering requires an extended ACL.

13
Multi-Selectmedium

Which TWO statements are true regarding the configuration and placement of standard and extended ACLs on a router?

Select 2 answers
A.Standard ACLs are typically placed closest to the source of the traffic.
B.Extended ACLs are typically placed closest to the source of the traffic.
C.A wildcard mask of 0.0.0.0 in an ACL matches all bits of the IP address.
D.A wildcard mask of 255.255.255.255 in an ACL matches all bits of the IP address.
E.Extended ACLs should be placed on the interface closest to the destination to filter traffic before it reaches the final segment.
AnswersB, C

Extended ACLs can filter on source and destination IP addresses, ports, and protocols, so placing them near the source allows early filtering and conserves bandwidth.

Why this answer

Option B is correct because extended ACLs evaluate multiple criteria (source/destination IP, port, protocol), so placing them closest to the source prevents unwanted traffic from consuming bandwidth across the network. Option C is correct because a wildcard mask of 0.0.0.0 means all 32 bits must match, matching a single host. Option A is incorrect—standard ACLs are placed closest to the destination, not the source.

Option D is incorrect—a wildcard mask of 255.255.255.255 matches any address (ignores all bits), not all bits. Option E is incorrect—extended ACLs placed near the destination would not conserve bandwidth; they should be near the source.

Exam trap

Cisco often tests the misconception that standard ACLs should be placed close to the source, when in fact extended ACLs are placed close to the source and standard ACLs close to the destination.

Why the other options are wrong

A

Standard ACLs filter only on source IP address, so placing them close to the source can block traffic that should be allowed to other destinations, causing unnecessary denial of service.

D

A wildcard mask of 255.255.255.255 means 'ignore all bits,' so it matches any IP address, equivalent to the 'any' keyword. It does not match all bits.

E

Extended ACLs are more effective when placed near the source to filter unwanted traffic early, not near the destination. Placing them near the destination allows unwanted traffic to traverse the network unnecessarily.

14
MCQhard

An ACL is intended to block Telnet from 10.1.1.0/24 to router VTY access while still allowing SSH from the same subnet. Which statement best explains why an extended ACL is appropriate here?

A.Because the ACL must distinguish traffic by protocol or destination port, not just by source address.
B.Because standard ACLs can match destination TCP ports just as well.
C.Because extended ACLs are required for every router login policy regardless of criteria.
D.Because SSH and Telnet always use the same port number.
AnswerA

This is correct because Telnet-versus-SSH filtering requires extended matching capability.

Why this answer

An extended ACL is appropriate because the requirement is based not only on source address but also on the specific protocol and application port involved. In practical terms, the policy must distinguish Telnet from SSH even though both originate from the same source subnet. A standard ACL would be too limited because it mainly matches only on source address.

This is the kind of requirement that shows why extended ACLs exist. They allow more granular traffic control by matching protocol and destination details, not just who sent the packet.

Exam trap

Do not confuse the ability to filter by protocol and port with filtering by IP address alone; extended ACLs are required for the former.

Why the other options are wrong

B

Standard ACLs can only filter based on source IP address, not destination ports or protocols. They lack the granularity to distinguish between Telnet and SSH traffic.

C

Extended ACLs are not required for every router login policy; they are only needed when filtering must consider protocol or port information. Simple source-based filtering can use standard ACLs.

D

SSH uses TCP port 22, while Telnet uses TCP port 23. They are distinct ports, so an ACL can differentiate them based on destination port.

15
PBQhard

You are connected to R1. The network has a web server at 203.0.113.10 and a DNS server at 203.0.113.20. Hosts in the 192.168.1.0/24 subnet should be able to access HTTP to the web server and DNS queries to the DNS server, but all other traffic from that subnet to the servers must be blocked. Configure an extended ACL on R1 to achieve this, and apply it inbound on the correct interface. The current configuration is shown below.

Hints

  • The ACL must filter traffic as it enters R1 from the 192.168.1.0/24 hosts.
  • Use an extended named or numbered ACL; the order of permit statements matters.
  • Remember that the implicit deny will block all other traffic, but adding an explicit deny ip any any can help with troubleshooting.
A.access-list 100 permit tcp 192.168.1.0 0.0.0.255 host 203.0.113.10 eq 80 access-list 100 permit udp 192.168.1.0 0.0.0.255 host 203.0.113.20 eq 53 access-list 100 deny ip 192.168.1.0 0.0.0.255 203.0.113.0 0.0.0.255 interface GigabitEthernet0/0 ip access-group 100 in
B.access-list 100 permit tcp 192.168.1.0 0.0.0.255 host 203.0.113.10 eq 80 access-list 100 permit udp 192.168.1.0 0.0.0.255 host 203.0.113.20 eq 53 access-list 100 deny ip any any interface GigabitEthernet0/1 ip access-group 100 in
C.access-list 100 permit tcp 192.168.1.0 0.0.0.255 host 203.0.113.10 eq 80 access-list 100 permit udp 192.168.1.0 0.0.0.255 host 203.0.113.20 eq 53 access-list 100 deny ip 192.168.1.0 0.0.0.255 203.0.113.0 0.0.0.255 interface GigabitEthernet0/0 ip access-group 100 out
D.access-list 100 permit tcp 192.168.1.0 0.0.0.255 host 203.0.113.10 eq 80 access-list 100 permit udp 192.168.1.0 0.0.0.255 host 203.0.113.20 eq 53 access-list 100 deny ip 192.168.1.0 0.0.0.255 203.0.113.0 0.0.0.255 interface GigabitEthernet0/1 ip access-group 100 in
AnswerA
solution
! R1
access-list 100 permit tcp 192.168.1.0 0.0.0.255 host 203.0.113.10 eq 80
access-list 100 permit udp 192.168.1.0 0.0.0.255 host 203.0.113.20 eq 53
access-list 100 deny ip 192.168.1.0 0.0.0.255 any
interface GigabitEthernet0/0
ip access-group 100 in

Why this answer

The required ACL must permit HTTP (tcp dst eq 80) and DNS (udp dst eq 53) from 192.168.1.0/24 to the servers, then deny all other IP traffic from that subnet. The ACL is applied inbound on GigabitEthernet0/0 to filter traffic as it enters R1 from the 192.168.1.0/24 subnet. The commands sequence creates the ACL with the correct permit statements, an explicit deny ip any any (optional but shown for clarity), and applies it to the interface.

Exam trap

The key trap is that candidates often apply ACLs on the wrong interface or in the wrong direction. Remember: inbound ACLs filter traffic entering the interface, outbound ACLs filter traffic leaving the interface. Place the ACL as close to the source as possible.

Also, the implicit deny any at the end of an ACL means you do not need an explicit deny ip any any unless you want to log or override a previous permit.

Why the other options are wrong

B

The deny ip any any statement overrides the permit statements because ACLs are processed sequentially; any packet matching the deny is dropped. Also, applying the ACL inbound on the server-facing interface would filter traffic coming from the servers, not from the 192.168.1.0/24 subnet.

C

The ACL should be applied inbound on the interface receiving traffic from the 192.168.1.0/24 subnet (GigabitEthernet0/0) to filter before routing. Applying it outbound on the same interface would only filter traffic leaving that interface, which is not the traffic path from the subnet to the servers.

D

The ACL must be applied on the interface closest to the source of the traffic to be filtered. Since the traffic originates from the 192.168.1.0/24 subnet, the ACL should be applied inbound on GigabitEthernet0/0, not on the server-facing interface.

16
MCQhard

Refer to the exhibit. A network administrator is troubleshooting connectivity issues. Hosts on the 192.168.10.0/24 network cannot reach servers on the 192.168.20.0/24 network, but they can successfully reach other networks, including the Internet. The administrator runs the show ip access-lists command on the router (output shown). What is the most likely cause?

A.The ACL is applied in the wrong direction on the interface.
B.The ACL is missing a permit statement for the 192.168.20.0/24 destination.
C.The order of the ACL entries causes the deny statement to match first.
D.The implicit deny at the end is blocking the traffic to 192.168.20.0/24.
AnswerC

Extended IP access list 110 processes entries sequentially. Entry 10 denies traffic from 192.168.10.0/24 to 192.168.20.0/24, and entry 20 permits the same source to any destination. Because the deny is listed first, it is matched before the permit, causing the traffic to be dropped.

Why this answer

The exhibit shows Extended IP access list 110 with a deny statement for traffic from 192.168.10.0/24 to 192.168.20.0/24 (entry 10) placed before a permit ip any statement (entry 20). Because ACLs are processed in sequential order, the first matching entry is used. Traffic from 192.168.10.0/24 to 192.168.20.0/24 matches the deny statement and is dropped, even though a subsequent permit entry would allow it.

The counters (145 matches for deny, 95 matches for permit) confirm that the deny is being hit first.

Exam trap

Candidates often choose option B, thinking the ACL lacks a permit statement for the 192.168.20.0/24 destination, but the permit ip any statement (entry 20) would allow that traffic if the deny were not placed before it. They overlook the critical fact that order of ACL entries determines processing.

Why the other options are wrong

A

Candidates may assume any ACL misbehavior is due to wrong interface direction, ignoring that the specific symptom (only 192.168.20.0 is unreachable) points to the deny rule itself.

B

Candidates often focus on what an ACL ‘lacks’ rather than the sequence, missing that the existing permit any covers the destination but is shadowed by the earlier deny.

D

Candidates might recall that all ACLs have an implicit deny, but they fail to realize that a packet matching an earlier deny is already discarded, and the implicit deny only applies to unmatched traffic.

17
PBQhard

You are connected to R1, a branch router. Configure an extended ACL named BRANCH_IN that permits only HTTP (TCP port 80) traffic from the internal network 192.168.1.0/24 to the web server at 203.0.113.10, and permits ICMP echo-reply from any source to any destination. Apply the ACL inbound on the interface facing the internal network. Then verify that only the specified traffic is allowed.

Network Topology
G0/0192.168.1.1/24G0/1203.0.113.2/30HostsInternal LANR1ISPWeb Server

Hints

  • The ACL is defined but not yet applied to an interface.
  • Consider which direction traffic from the internal network flows relative to the interface.
  • Use 'ip access-group' under the correct interface configuration mode.
A.ip access-list extended BRANCH_IN permit tcp 192.168.1.0 0.0.0.255 host 203.0.113.10 eq 80 permit icmp any any echo-reply ! interface GigabitEthernet0/0 ip access-group BRANCH_IN in
B.ip access-list extended BRANCH_IN permit tcp 192.168.1.0 0.0.0.255 host 203.0.113.10 eq 80 permit icmp any any echo-reply ! interface GigabitEthernet0/0 ip access-group BRANCH_IN out
C.ip access-list extended BRANCH_IN permit tcp 192.168.1.0 0.0.0.255 host 203.0.113.10 eq 80 permit icmp any any ! interface GigabitEthernet0/0 ip access-group BRANCH_IN in
D.ip access-list extended BRANCH_IN permit tcp 192.168.1.0 0.0.0.255 host 203.0.113.10 eq 80 permit icmp any any echo-reply ! interface GigabitEthernet0/0 ip access-group BRANCH_IN in ! interface GigabitEthernet0/1 ip access-group BRANCH_IN in
AnswerA
solution
! R1
interface GigabitEthernet0/0
ip access-group BRANCH_IN in

Why this answer

Option A is correct because it creates an extended ACL that permits TCP port 80 from the internal 192.168.1.0/24 to the web server 203.0.113.10 and permits only ICMP echo-reply, then applies it inbound on the internal interface G0/0, matching the requirement. Option B is wrong because the ACL is applied outbound on G0/0, but traffic from internal hosts to the web server exits via the WAN interface (G0/1), not G0/0. Option C is wrong because it permits all ICMP (any any) instead of only echo-reply, allowing unnecessary ICMP traffic.

Option D is wrong because it applies the ACL inbound on both G0/0 and G0/1; applying it on G0/1 would incorrectly filter inbound traffic from the ISP, potentially blocking the web server's responses.

Exam trap

Pay close attention to the direction of traffic flow. The ACL must be applied inbound on the interface that receives traffic from the internal network. Also, be precise with ICMP types: 'echo-reply' is the response to a ping, not the initial echo request.

Why the other options are wrong

B

The ACL is applied in the wrong direction. Applying it outbound would filter traffic leaving the interface, not entering it.

C

The ACL permits all ICMP traffic instead of only echo-reply. This violates the requirement to permit only ICMP echo-reply.

D

Applying the ACL to an additional interface (G0/1) is unnecessary and may cause unintended filtering. The requirement specifies only one interface.

18
PBQhard

You are connected to R1. The network uses OSPF between R1 and R2. Configure an extended ACL on R1 so that hosts in VLAN 10 (192.168.10.0/24) can reach the web server at 203.0.113.100 only via HTTP/HTTPS, and hosts in VLAN 20 (192.168.20.0/24) can reach it via any TCP service except HTTP/HTTPS. All other traffic to the server must be denied. Apply the ACL outbound on the interface facing the server. Currently, the ACL is missing the permit for VLAN 20 traffic, causing connectivity loss.

Network Topology
G0/0192.0.2.1/30G0/0192.0.2.2/30linkG0/1203.0.113.1/24203.0.113.100/24linkR2R1Web Server

Hints

  • The current ACL blocks HTTP/HTTPS from all sources, but VLAN 20 should be allowed to use those ports.
  • Use the 'range' keyword to permit a contiguous set of ports for VLAN 20, excluding ports 80 and 443.
  • Remember to deny all other traffic to the server after the permits.
A.Remove the two deny statements and add: permit tcp 192.168.20.0 0.0.0.255 host 203.0.113.100 range 1 79, permit tcp 192.168.20.0 0.0.0.255 host 203.0.113.100 range 81 442, permit tcp 192.168.20.0 0.0.0.255 host 203.0.113.100 range 444 65535, then deny ip any any
B.Add a permit statement for VLAN 20 before the deny statements: permit tcp 192.168.20.0 0.0.0.255 host 203.0.113.100 range 1 65535
C.Remove the two deny statements and add: permit tcp 192.168.20.0 0.0.0.255 host 203.0.113.100 eq www, permit tcp 192.168.20.0 0.0.0.255 host 203.0.113.100 eq 443
D.Add a deny statement for VLAN 20 HTTP/HTTPS before the existing permit statements: deny tcp 192.168.20.0 0.0.0.255 host 203.0.113.100 eq www, deny tcp 192.168.20.0 0.0.0.255 host 203.0.113.100 eq 443, then add a permit tcp 192.168.20.0 0.0.0.255 host 203.0.113.100 range 1 65535
AnswerA
solution
! R1
configure terminal
no ip access-list extended BLOCK_HTTP
ip access-list extended BLOCK_HTTP
permit tcp 192.168.10.0 0.0.0.255 203.0.113.100 0.0.0.0 eq 80
permit tcp 192.168.10.0 0.0.0.255 203.0.113.100 0.0.0.0 eq 443
permit tcp 192.168.20.0 0.0.0.255 203.0.113.100 0.0.0.0 range 1 79
permit tcp 192.168.20.0 0.0.0.255 203.0.113.100 0.0.0.0 range 81 442
permit tcp 192.168.20.0 0.0.0.255 203.0.113.100 0.0.0.0 range 444 65535
deny ip any 203.0.113.100 0.0.0.0
end
clear access-list counters BLOCK_HTTP

Why this answer

The ACL BLOCK_HTTP is applied inbound on G0/0, which is the interface toward the server. The first two deny statements incorrectly block HTTP/HTTPS from any source, including VLAN 20 which should be allowed. The correct approach is to permit HTTP/HTTPS only for VLAN 10, and permit all other TCP services (except HTTP/HTTPS) for VLAN 20, then deny all other traffic.

The solution removes the overly broad deny statements and adds specific permits for VLAN 20 to reach the server on any TCP port except 80 and 443, followed by an explicit deny ip any any to enforce the implicit deny.

Exam trap

The trap is that the existing deny statements for HTTP/HTTPS are too broad; they block VLAN 20's required access. Candidates might think they need to add permits before the denies, but they must also ensure the permits for VLAN 20 exclude HTTP/HTTPS. Another trap is forgetting to add an explicit deny at the end, though the implicit deny exists, the question explicitly states 'All other traffic to the server must be denied' so an explicit deny is good practice.

Why the other options are wrong

B

The specific factual error is that the permit statement does not exclude ports 80 and 443. It allows all TCP ports, which is too permissive.

C

The specific factual error is that the permit statements allow the very ports that should be denied for VLAN 20. This misinterprets the requirement.

D

The specific factual error is that the permit statement is too broad and overrides the deny statements. The correct approach is to permit only non-HTTP/HTTPS ports, not all ports.

19
Drag & Dropmedium

Which of the following sequences correctly orders the steps to plan, configure, and apply an extended ACL that permits HTTP traffic from the 192.168.1.0/24 subnet to the server at 10.0.0.1, and deny all other IP traffic, applied inbound on interface GigabitEthernet0/1?

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4

Why this order

First enter global config, then create ACL with permit statement, then deny all, then enter interface, then apply ACL inbound.

Exam trap

Be careful with the order of ACL entries: always place more specific permits before general denies. Also, remember that ACLs must be created before they can be applied, and the direction (inbound/outbound) must match the requirement.

20
MCQhard

A network engineer notices that hosts in the 192.168.2.0/24 network connected to router R1's GigabitEthernet0/1 interface cannot reach the Internet. R1 has a standard ACL 10 configured as 'access-list 10 permit 192.168.1.0 0.0.0.255' and applied inbound on interface GigabitEthernet0/0, which connects to the 192.168.1.0/24 LAN. What is the most likely cause?

A.The implicit deny at the end of ACL 10 is blocking all outbound traffic from the 192.168.2.0/24 network.
B.The ACL is filtering return traffic from the Internet that enters G0/0, because it is applied inbound on that interface instead of outbound.
C.The router is not performing inter-VLAN routing between the 192.168.1.0 and 192.168.2.0 networks.
D.The ACL is missing a permit statement for the 192.168.2.0/24 network to allow traffic from that subnet.
AnswerB

Inbound ACLs on G0/0 inspect packets arriving from the Internet. The ACL permits only source 192.168.1.0/24, so return packets from Internet hosts with random source IPs are denied by the implicit deny, breaking connectivity for 192.168.2.0/24 hosts.

Why this answer

The ACL 10 is applied inbound on the G0/0 interface that faces the 192.168.1.0/24 LAN and the Internet. Inbound ACLs on that interface examine packets entering the router on G0/0, such as return traffic from the Internet. Since the ACL permits only source IPs from 192.168.1.0/24, all return traffic from the Internet destined for 192.168.2.0/24 hosts is denied by the implicit deny.

This blocks replies, preventing connectivity. The ACL direction is incorrect for filtering egress traffic; an outbound ACL would be needed to filter packets leaving G0/0, and even then the source would still be denied unless explicitly permitted.

Exam trap

Many candidates assume that adding a permit statement for the 192.168.2.0/24 source subnet would fix the issue, overlooking that the ACL direction determines which traffic is inspected. The ACL is applied inbound on the LAN-facing interface, which filters packets entering the router from that interface, not packets exiting it.

Why the other options are wrong

A

Misunderstanding of ACL direction leads candidates to think that the implicit deny blocks any traffic leaving the interface.

C

Confusing ACL filtering with routing functionality; ACLs do not prevent the router from routing between connected subnets unless they explicitly deny the traffic on the appropriate interface and direction.

D

Candidates often try to add a permit for the source subnet of the initiating traffic, neglecting the direction of the ACL. Because the ACL is inbound on the egress interface, outbound traffic is not filtered.

21
MCQmedium

Exhibit: Consider the following ACL applied inbound on interface G0/0: access-list 100 deny ip host 10.10.10.10 any access-list 100 deny tcp any host 10.10.10.10 eq 23 access-list 100 permit ip any any The intent is to block only Telnet (TCP port 23) to server 10.10.10.10 while permitting everything else. However, users cannot reach any service on that server. Why?

A.The ACL must be applied outbound, not inbound
B.The deny ip statement blocks all traffic to the host before the Telnet-specific line is evaluated
C.Extended ACLs cannot match TCP port 23
D.Telnet uses UDP, so the ACE should reference udp
AnswerB

The first matching ACE wins.

Why this answer

ACLs are processed top-down, and the first match is applied. The first line denies all IP traffic to the host (any protocol, any port). This matches all packets destined for 10.10.10.10 before the Telnet-specific line is ever reached, effectively blocking every service, not just Telnet.

Exam trap

A common mistake is assuming the ACL evaluates all lines before deciding to block or permit; in reality, it stops at the first match, so a broad deny earlier in the list overrides more specific denies later.

Why the other options are wrong

A

Applying the ACL outbound would not change the order of lines; the same logic applies—the first match still blocks all traffic.

C

Extended ACLs can match TCP port 23 using the keyword 'eq telnet' or 'eq 23'; this is not a limitation.

D

Telnet uses TCP, not UDP; referencing udp would never match Telnet traffic.

22
MCQmedium

An ACL entry reads: access-list 25 permit 192.168.8.0 0.0.0.15 Which address range does this statement match?

A.192.168.8.0 through 192.168.8.15
B.192.168.8.0 through 192.168.8.31
C.192.168.8.0 through 192.168.8.7
D.Only host 192.168.8.15
AnswerA

That is the correct range for a wildcard of 0.0.0.15.

Why this answer

A wildcard of 0.0.0.15 means the last 4 bits can vary, which corresponds to a block size of 16 addresses. Starting at 192.168.8.0, the range is 192.168.8.0 through 192.168.8.15.

Exam trap

Be careful not to confuse the block size determined by the wildcard mask with a full subnet or miscalculate the starting address.

Why the other options are wrong

C

This range uses a wildcard mask of 0.0.0.7, not 0.0.0.15.

23
MCQhard

A branch router is configured for NAT overload. The inside interface Gi0/0 is correctly marked ip nat inside, and the outside interface Gi0/1 is ip nat outside. The NAT statement uses access-list 1 permit 10.1.1.0 0.0.0.255 with ip nat inside source list 1 interface Gi0/1 overload. Inside hosts are in the 192.168.1.0/24 subnet and still reach the ISP with their private addresses. What is the most likely reason?

A.The ACL used for NAT does not match the inside client subnet.
B.GigabitEthernet0/0 should be configured as ip nat inside.
C.PAT cannot use an interface address as the translated source.
D.The router must run OSPF before NAT overload can function.
AnswerA

The overload statement references ACL 1, but ACL 1 permits 10.10.20.0/24 instead of 10.10.10.0/24.

Why this answer

The ACL matches the wrong inside subnet. NAT overload will only translate traffic that matches the source list or route map tied to the NAT statement. The interfaces are marked inside and outside correctly, so the bad match criteria is the most likely failure point.

Exam trap

A frequent exam trap is assuming that NAT overload requires routing protocols such as OSPF to function or that the outside interface cannot be used as the source address for translation. Some candidates also mistakenly believe that misconfigured interface NAT designations cause the problem when the real issue is the ACL mismatch. The trap lies in overlooking the ACL's role in defining which inside addresses are translated.

If the ACL does not include the correct inside subnet, NAT will not translate those packets, causing inside hosts to leak private IPs to the ISP. This subtle misconfiguration is often missed under exam pressure.

Why the other options are wrong

B

This option is incorrect because the ISP-facing interface is correctly configured as ip nat outside. The problem is not with the interface NAT designation but with the ACL mismatch. Changing the inside interface designation would not fix the translation issue.

C

This option is incorrect because NAT overload commonly uses the IP address of the outside interface as the translated source address. This is standard Cisco NAT behavior and not a cause of failure in this scenario.

D

This option is incorrect because NAT does not depend on routing protocols like OSPF to function. NAT translation is independent of routing protocols, so running OSPF is not required for NAT overload to work.

24
MCQhard

Refer to the exhibit. An administrator is trying to access a web server in the DMZ at 192.168.1.10 using HTTPS, but the connection times out. The web server is confirmed to be running and listening on both port 80 and port 443. The administrator examines the access list configuration on the perimeter router. Based on the output of the show access-lists command, what is the most likely cause of the failure?

A.The access list does not include a permit statement for TCP port 443.
B.The access list is applied in the wrong direction on the interface.
C.The web server is not actually listening on TCP port 443, despite the configuration.
D.The 'deny ip any any log' statement at the end of the access list is blocking the HTTPS traffic, so it must be removed.
AnswerA

The only permit entry for the 192.168.1.0/24 network is for 'eq www' (TCP port 80). No entry exists for port 443, so HTTPS traffic is denied by the explicit or implicit deny.

Why this answer

Line 10 of ACL 100 explicitly permits only TCP traffic with destination port 80 ('eq www'). HTTPS relies on TCP port 443, which is not matched by any permit entry. Consequently, HTTPS traffic from any source to any host in 192.168.1.0/24 hits the explicit deny at line 20 (or the implicit deny) and is dropped.

The high match count on the deny statement (1356) confirms that traffic other than HTTP is being blocked, including HTTPS.

Exam trap

Many candidates incorrectly select option D because they see the explicit deny at the end of the ACL and think removing it will solve the problem. However, even without that explicit deny, the implicit deny-all at the end of any ACL would still drop the HTTPS traffic. The real fix is to add a permit statement for TCP port 443 before the deny.

Why the other options are wrong

B

Candidates may assume the ACL is not applied correctly, but without interface details this conclusion cannot be drawn from the given output.

C

Candidates might blame the server configuration rather than the network ACL, but the question stem provides the server state to rule this out.

D

This is a common misconception: the explicit deny is not the root cause; the missing permit is the real issue. Removing the deny without adding a permit for HTTPS would still result in the traffic being blocked by the implicit deny.

25
MCQhard

Exhibit: A standard ACL meant to block host 10.10.10.50 from reaching any remote network was applied inbound on the branch router's LAN interface, but users report that all local traffic from that host is now blocked. What is the better placement?

A.Leave it inbound on the LAN because standard ACLs belong near the source
B.Move it outbound on the WAN-facing interface closer to the destination
C.Convert it to a VTY access-class
D.Apply it inbound on all switch access ports
AnswerB

Correct choice.

Why this answer

A standard ACL matches only the source address. If it is placed near the source, it can block that host from reaching destinations you did not intend to affect. Standard ACLs are best placed close to the destination.

Exam trap

A frequent exam trap is believing that standard ACLs should always be applied inbound near the source to block unwanted traffic early. Since standard ACLs filter only by source IP, placing them inbound on a LAN interface can block all traffic from that host, including local communications within the LAN. This leads to unintended network outages and user complaints.

The trap is confusing the ACL placement rule for extended ACLs, which are placed near the source, with the rule for standard ACLs, which should be placed near the destination to avoid over-blocking.

Why the other options are wrong

A

Leaving the standard ACL inbound on the LAN interface is incorrect because standard ACLs filter only by source IP, which causes all traffic from that host, including local LAN traffic, to be blocked. This disrupts local communications and is not best practice.

C

Converting the ACL to a VTY access-class is irrelevant to the question because VTY access-classes control remote management access to the router, not general traffic filtering from a host to remote networks.

D

Applying the ACL inbound on all switch access ports is impractical and inefficient. It would block traffic at multiple points unnecessarily and does not address the specific need to filter traffic from the host to remote networks.

26
PBQhard

You are connected to R1. The network has two routers (R1 and R2) connected via a serial link (S0/0/0). R1's GigabitEthernet0/0 connects to the 192.168.1.0/24 LAN. An extended ACL must be configured on R1 to permit only HTTPS traffic (TCP port 443) from host 192.168.1.10 to server 203.0.113.5 (reachable via R2), and deny all other traffic from the LAN to the server. Currently, the ACL is applied inbound on G0/0 but valid HTTPS traffic is being blocked. Troubleshoot and fix the configuration.

Hints

  • The current ACL uses 'any' source, but the requirement is to restrict to a specific host.
  • The order of ACL entries matters; the first match is applied.
  • The implicit deny at the end blocks all traffic that does not match a permit statement.
A.The ACL is missing an explicit permit statement for HTTPS traffic from host 192.168.1.10 to server 203.0.113.5, and the current permit ip any any allows all traffic, including HTTP, which violates the requirement to deny HTTP.
B.The ACL is applied inbound on G0/0, but it should be applied outbound on G0/0 to filter traffic leaving the LAN.
C.The ACL should be applied to the serial interface S0/0/0 instead of G0/0 to filter traffic going to R2.
D.The ACL is missing a deny statement for all other traffic from the LAN to the server, and the permit ip any any allows everything, including unwanted traffic.
AnswerA
solution
! R1
configure terminal
no ip access-list extended BLOCK_SERVER
ip access-list extended BLOCK_SERVER
permit tcp host 192.168.1.10 host 203.0.113.5 eq 443
deny tcp host 192.168.1.10 host 203.0.113.5 eq 80
deny ip any host 203.0.113.5
permit ip any any
end

Why this answer

The ACL BLOCK_SERVER is intended to block HTTP (port 80) to the server but permit HTTPS (port 443). However, the ACL denies TCP traffic to port 80 from any source, but the permit ip any any statement permits all IP traffic, including HTTPS. The implicit deny at the end would block HTTPS only if the permit were removed.

The actual fault is that the ACL is applied inbound on G0/0, but the source address for traffic from the LAN is 192.168.1.10 (not any), and the destination port is 443 (not 80). The current ACL permits all traffic, including HTTPS, so the problem must be that the ACL is too permissive (allowing HTTP) or that the implicit deny is blocking HTTPS due to a misordering. In this case, the ACL is actually permitting everything (including HTTP) because of permit ip any any.

To fix, the ACL should explicitly permit HTTPS from host 192.168.1.10, deny HTTP from that host, and deny all other traffic to the server, with a permit ip any any only for other destinations. The correct sequence: permit tcp host 192.168.1.10 host 203.0.113.5 eq 443, deny tcp host 192.168.1.10 host 203.0.113.5 eq 80, permit ip any any.

Exam trap

Be careful not to assume that an ACL with a permit ip any any will automatically block specific traffic; it actually permits everything. The implicit deny only applies if there is no matching permit statement. Also, pay attention to the specific requirements: the ACL must deny HTTP but permit HTTPS from the host.

Why the other options are wrong

B

The direction of ACL application is correct; inbound on the interface where traffic enters the router is standard for filtering traffic from the LAN.

C

ACLs should be applied as close to the source as possible to deny traffic early. Applying on the serial interface would still work but is less efficient and not the best practice.

D

The permit ip any any allows all traffic, so HTTPS should be allowed. The problem says HTTPS is blocked, so the issue must be something else, like a missing explicit permit or a misordering.

27
PBQhard

You are connected to R1. Configure an extended ACL on R1 to permit HTTP traffic from the 192.168.1.0/24 network to the 10.0.0.0/30 network, and deny all other IP traffic. Apply the ACL inbound on the interface facing the 192.168.1.0/24 network. The current configuration has an ACL that is too permissive; you must explicitly remove the existing ACL before applying the new one. Correct the configuration.

Network Topology
G0/0192.168.1.1/24192.168.1.0/24G0/110.0.0.1/3010.0.0.0/30R1HostsR2

Hints

  • The existing ACL allows all IP traffic; you need to restrict it to HTTP only.
  • Use a wildcard mask of 0.0.0.255 for the source network and 0.0.0.3 for the destination /30 network.
  • Apply the ACL inbound on the interface that receives traffic from the 192.168.1.0/24 network.
A.ip access-list extended HTTP_ONLY permit tcp 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.3 eq 80 interface gigabitEthernet0/0 no ip access-group PERMIT_ALL in ip access-group HTTP_ONLY in
B.ip access-list extended HTTP_ONLY permit tcp 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.3 eq 80 deny ip any any interface gigabitEthernet0/0 no ip access-group PERMIT_ALL in ip access-group HTTP_ONLY in
C.ip access-list extended HTTP_ONLY permit tcp 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.3 eq 80 interface gigabitEthernet0/0 ip access-group HTTP_ONLY in
D.ip access-list extended HTTP_ONLY permit tcp 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.3 eq 80 permit ip any any interface gigabitEthernet0/0 no ip access-group PERMIT_ALL in ip access-group HTTP_ONLY in
AnswerA
solution
! R1
configure terminal
ip access-list extended HTTP_ONLY
permit tcp 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.3 eq 80
exit
interface gigabitEthernet0/0
no ip access-group PERMIT_ALL in
ip access-group HTTP_ONLY in
end

Why this answer

The existing ACL PERMIT_ALL allows all IP traffic, which must be replaced by a new ACL that permits only TCP port 80 (HTTP) from 192.168.1.0/24 to 10.0.0.0/30 and denies everything else. Because the requirement specifies explicit removal of the old ACL, you must first issue 'no ip access-group PERMIT_ALL in' under the interface before applying the new ACL. The extended ACL has an implicit deny at the end, so no separate deny statement is needed.

Therefore, the correct sequence is: create the ACL HTTP_ONLY with the permit statement, enter the interface, remove the old ACL, and apply the new one inbound.

Exam trap

Many learners forget that an explicit 'no ip access-group' command is required if the task demands explicit removal. Simply applying a new ACL over an existing one replaces it, but that does not fulfill a requirement to explicitly remove the old ACL.

Why the other options are wrong

C

Option C applies the new ACL without explicitly removing the old one, which violates the explicit removal requirement.

28
Drag & Dropmedium

Drag and drop the following steps into the correct order to plan, configure, and apply an extended ACL that permits web traffic from the 10.1.1.0/24 network to the server 192.168.2.10 while blocking all other traffic inbound on GigabitEthernet0/1.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4

Why this order

ACL configuration requires defining permit/deny statements first, then applying to the interface inbound, and finally verification.

Exam trap

A common trap is to think that you can apply an ACL to an interface before defining it, or that verification should be done before application. Always remember: define, apply, then verify.

29
MCQhard

A network technician applies an extended ACL outbound on the WAN interface Gi0/0 to block traffic from the 10.0.0.0/8 network to internet hosts. After applying the ACL, internal users report they cannot access any web pages because return traffic from internet hosts is being dropped. The technician verifies the ACL entries and finds only statements controlling outbound traffic. What is the most appropriate next action?

A.Add the established keyword to the ACL to permit return traffic for existing sessions.
B.Add a new access-list entry permitting all traffic from internet hosts to the 10.0.0.0/8 network.
C.Remove the outbound ACL and apply a new inbound ACL on the same interface.
D.Replace the ACL with a stateful firewall rule set.
AnswerA

The established keyword allows TCP return traffic that matches sessions originated from the internal network. It is the standard method to handle stateful return traffic with a stateless ACL.

Why this answer

Extended ACLs are stateless; they inspect each packet individually without tracking session state. When an outbound ACL permits outbound traffic from the inside network to the internet, the return traffic is not automatically allowed. The established keyword in a TCP access-list entry matches packets that have the ACK or RST bits set, indicating they belong to an established session.

Adding this keyword to a permit statement for return traffic allows the router to dynamically permit responses to internally initiated connections without opening the network to all inbound traffic. This addresses the transport layer (Layer 4) state required for bidirectional communication.

Exam trap

Many candidates choose to add a specific permit ACE for return traffic (e.g., permitting all traffic from any internet host to the 10.0.0.0/8 network). This option is a trap because it opens a blanket inbound rule that is administratively unscalable and insecure, whereas the established keyword granularly allows only return flows for sessions initiated from the trusted side.

Why the other options are wrong

B

Candidates assume that any missing traffic must be explicitly permitted, but this ignores the need for stateful inspection and leads to an overly permissive rule.

C

Candidates mistakenly think that moving the ACL to inbound direction will inherently permit return traffic because it inspects packets entering the interface, but the ACL still processes each packet individually without keeping state.

D

Candidates may think that only a stateful firewall can handle return traffic, overlooking the established keyword's capability to emulate stateful behavior for TCP traffic on an ACL.

30
Multi-Selectmedium

Which TWO statements correctly describe the behavior of standard ACLs when applied to an interface?

Select 2 answers
A.Standard ACLs filter traffic based on source and destination IP addresses.
B.Standard ACLs should be placed as close to the destination as possible.
C.Standard ACLs can filter traffic based on protocol type (TCP, UDP, ICMP).
D.Standard ACLs use an implicit deny any statement at the end.
E.Standard ACLs are applied to interfaces in the inbound direction only.
AnswersB, D

Because standard ACLs only filter by source IP, placing them near the destination minimizes the risk of blocking legitimate traffic that should only be filtered near the target.

Why this answer

Standard ACLs filter traffic based solely on the source IP address, not the destination. Because they do not consider destination addresses, placing them as close to the destination as possible prevents them from inadvertently blocking traffic that should reach other parts of the network. This placement ensures that only the intended traffic is filtered at the final hop before the destination.

Exam trap

Cisco often tests the misconception that standard ACLs can filter on destination addresses or protocols, leading candidates to choose option A or C, when in fact standard ACLs only match source IP addresses and always end with an implicit deny any.

Why the other options are wrong

A

This describes the capability of extended ACLs, not standard ACLs.

C

Protocol filtering is a feature of extended ACLs, not standard ACLs.

E

Both inbound and outbound application are possible, though placement depends on the filtering strategy.

31
MCQhard

A technician is troubleshooting an issue where internal hosts can successfully ping internet addresses but cannot establish HTTP sessions. The router is configured with PAT (overload) and uses an access list to define the inside local addresses. Recently, the internal network was renumbered from 192.168.0.0/24 to 10.0.0.0/24. What is the most likely cause?

A.The router's HTTP inspection rule is blocking outbound TCP port 80.
B.The NAT access list still permits 192.168.0.0/24 and does not match the new 10.0.0.0/24 addresses.
C.The outside interface access list is blocking TCP packets from the new 10.0.0.0/24 subnet.
D.The default route has been changed to point to the wrong next-hop address, causing only HTTP packets to be dropped.
AnswerB

Because the ACL that defines inside local addresses for PAT was never updated after renumbering, no dynamic translations are created for HTTP sourced from 10.0.0.0/24.

Why this answer

PAT translates private addresses to a single public IP by matching the source against a NAT access list. The ACL permits only 192.168.0.0/24, so packets from the new 10.0.0.0/24 addresses are not translated. ICMP may still succeed due to an existing static NAT entry for ICMP echo or a separate rule, but HTTP requires new dynamic translations that the ACL blocks.

The other options are plausible but do not align as directly with the recent renumbering and the configured NAT ACL.

Exam trap

Option C (outside interface access list blocking TCP port 80) is tempting because many candidates first suspect ACL-based filtering when one protocol fails and another succeeds. However, the explicit mention of the renumbering and the PAT ACL mismatch makes B the more direct cause.

Why the other options are wrong

A

Candidates may confuse security inspection with NAT translation, assuming that a protocol‑specific inspection is needed for HTTP.

C

Tempting because an ACL could selectively block TCP; however, the question provides context about the renumbering, which directly points to the NAT configuration.

D

Candidates may assume that different protocols might take different paths, but a single default route applies uniformly to all IP traffic.

32
Drag & Dropmedium

Drag and drop the following steps into the correct order to plan, configure, and apply an extended ACL that permits only HTTP traffic from the 192.168.1.0/24 network to the server at 10.0.0.100, and then verify the configuration.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4

Why this order

First, enter config mode. Then create the ACL allowing HTTP from the source network to the destination host. Apply it inbound on the appropriate interface.

Save and verify the configuration.

Exam trap

Remember that ACLs are created in global configuration mode, not interface mode. Also, apply ACLs inbound on the interface closest to the source for efficiency. Pay attention to whether the requirement is to permit or deny traffic.

33
MCQeasy

An ACL on R1 contains only these entries: access-list 101 permit tcp 10.10.10.0 0.0.0.255 any eq 443 access-list 101 permit icmp any any What happens to an HTTP packet sourced from 10.10.10.25 and destined for 198.51.100.10 if ACL 101 is applied in the traffic path?

A.It is permitted because the source subnet is allowed.
B.It is denied by the implicit deny.
C.It is translated by NAT before the ACL is checked.
D.It is converted to HTTPS automatically.
AnswerB

The packet does not match either permit entry, so the implicit deny drops it.

Why this answer

HTTP uses TCP port 80, not 443. Because the ACL does not include a permit for that traffic, it is dropped by the implicit deny at the end of the ACL. The ICMP entry is irrelevant because the packet is TCP.

Exam trap

Be careful not to confuse TCP with ICMP or overlook the specific port numbers in ACL entries.

Why the other options are wrong

A

This option is wrong because the ACL only permits TCP traffic on port 443 and ICMP traffic, so an HTTP packet (port 80) from the specified source would be denied by the implicit deny rule at the end of the ACL.

C

This option is wrong because NAT does not occur before ACL evaluation; the ACL is applied directly to the packet as it arrives at the interface. Therefore, the HTTP packet is evaluated against the ACL without any translation taking place.

D

This option is wrong because the ACL does not automatically convert HTTP traffic to HTTPS; it only permits or denies traffic based on the defined rules. The packet from 10.10.10.25 is not permitted by the ACL since it is not targeting port 443.

34
MCQhard

Refer to the exhibit. A network engineer is troubleshooting an ACL that is not filtering traffic as expected. The engineer runs the show access-lists 110 command and notices that all access control entries (ACEs) show zero matches, even though traffic that should match the permit or deny statements is traversing the network. The engineer then checks the interface configuration. What is the most likely cause?

A.The ACL is applied to the interface in the wrong direction (inbound instead of outbound).
B.The access-list 110 syntax has incorrect subnet masks causing no matches.
C.The ACL 110 is not applied to any interface.
D.The interface GigabitEthernet0/0 is administratively down, preventing ACL processing.
AnswerC

The 'Inbound access list is not set' and 'Outgoing access list is not set' lines in the exhibit directly prove that no ACL has been applied to GigabitEthernet0/0. Since ACL 110 exists but isn't attached to any interface, it never processes traffic and shows zero hit counts.

Why this answer

The exhibit shows 'Inbound access list is not set' and 'Outgoing access list is not set' under GigabitEthernet0/0. This confirms that no access list has been applied to this interface, so access list 110, though defined, is not filtering any traffic. Zero matches are observed because the ACL is never consulted.

Exam trap

Candidates often assume the ACL must be applied somewhere on the router, so they choose 'wrong direction' (inbound vs outbound), but the output clearly shows no ACL is assigned at all.

Why the other options are wrong

A

A common mistake is to try to explain zero matches by directional misapplication without first checking whether an ACL is actually present. The exhibit explicitly shows no ACL is bound.

B

Some candidates fixate on ACL configuration details instead of verifying interface assignment. The output confirms the interface has no ACL, not that an ACL is configured incorrectly.

D

Candidates sometimes misread interface status. This output clearly shows the interface is enabled and up, so a down state is not the issue.

35
Multi-Selectmedium

A standard numbered ACL is applied close to the destination, but it is blocking traffic from one host while still allowing all other users on the subnet. Which two facts about standard ACLs are relevant in this design?

Select 2 answers
A.They filter based on source address only
B.They are best placed near the source in most cases
C.They can match TCP and UDP port numbers
D.They automatically create a permit any at the end
AnswersA, B

Standard ACLs do not inspect destination addresses or ports.

Why this answer

Standard ACLs only match the source IP address. For that reason, they are usually placed near the source so they do not block more traffic than intended.

Exam trap

A common exam trap is assuming that standard ACLs can filter traffic based on destination IP addresses or port numbers. Candidates may incorrectly place standard ACLs near the destination to control traffic more granularly, but since standard ACLs only match source IPs, this placement can block unintended hosts. This misunderstanding leads to unexpected network outages or partial connectivity, especially when trying to block a single host but inadvertently affecting others in the subnet.

Recognizing the source-only filtering nature of standard ACLs is essential to avoid this pitfall.

Why the other options are wrong

C

Incorrect. Standard ACLs cannot match TCP or UDP port numbers; this capability belongs to extended ACLs, which provide more granular filtering.

D

Incorrect. ACLs do not automatically create a 'permit any' at the end; instead, they have an implicit deny all statement that blocks any traffic not explicitly permitted.

36
MCQmedium

Refer to the exhibit. Users on the inside network can browse the web, but return traffic is failing for some sessions. A partial configuration shows: interface GigabitEthernet0/0 ip address 192.168.10.1 255.255.255.0 ip nat outside ! interface GigabitEthernet0/1 ip address 203.0.113.10 255.255.255.0 ip nat inside ! ip nat inside source list 1 interface GigabitEthernet0/1 overload access-list 1 permit 192.168.10.0 0.0.0.255 Based on this configuration, which change is required to make PAT work correctly?

A.Apply ip nat enable on both interfaces.
B.Replace overload with pool.
C.Swap the inside and outside NAT roles on the two interfaces.
D.Change access-list 1 to a standard ACL numbered 100.
AnswerC

This is correct because NAT depends on the router knowing which side is private and which side is public. The current configuration labels them the wrong way round. PAT with overload on the WAN interface is fine, but the interface roles must match the traffic direction.

Why this answer

The problem is that the router has the NAT directions backwards. In simple terms, the interface facing the private LAN should be marked as inside, and the interface facing the public or WAN side should be marked as outside. Here, GigabitEthernet0/0 uses the private address 192.168.10.1, but it is configured as outside. GigabitEthernet0/1 uses the public address 203.0.113.10, but it is configured as inside. That reverses the translation logic and breaks normal PAT behavior.

Technically, the command `ip nat inside source list 1 interface GigabitEthernet0/1 overload` is otherwise reasonable for dynamic PAT using the WAN interface address. The ACL also correctly identifies the inside local subnet. The essential fix is to mark G0/0 as `ip nat inside` and G0/1 as `ip nat outside`. Once the directions are corrected, PAT can create and track translations properly for outbound traffic and returning sessions.

Exam trap

A frequent exam trap is confusing the NAT inside and outside interface roles. Candidates may see the private IP on an interface and mistakenly assign it as 'ip nat outside' or vice versa. This reverses the translation direction, causing return traffic to fail despite correct ACLs and overload commands.

The trap exploits the assumption that the public IP must be inside or that the interface with the ACL is always inside. Understanding that NAT roles depend on network topology, not just IP addresses, is crucial to avoid this error.

Why the other options are wrong

A

Applying 'ip nat enable' on both interfaces is incorrect because Cisco IOS uses 'ip nat inside' and 'ip nat outside' to define NAT roles. The problem is not enabling NAT but assigning the correct directional roles to interfaces.

B

Replacing 'overload' with a pool is unnecessary since PAT uses 'overload' to allow multiple inside hosts to share one outside IP. The issue is not the translation method but the reversed inside/outside interface roles.

D

Changing access-list 1 to a standard ACL numbered 100 does not address the core problem. ACL 1 is valid for identifying inside local addresses, and the failure is due to reversed NAT interface roles, not the ACL number.

37
Drag & Dropmedium

Drag and drop the following steps into the correct order to plan, configure, and apply an extended ACL that blocks Telnet traffic from the 192.168.1.0/24 network to the 10.0.0.0/24 network, applied inbound on the router's G0/0 interface.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4

Why this order

First enter global config, then create ACL with deny tcp 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255 eq telnet, then permit ip any any, then enter interface G0/0, then apply ACL inbound. This order ensures the ACL is created before being applied, and the specific source/destination networks match the requirement.

Exam trap

Be careful with the order of operations: ACLs must be created before they can be applied, and the order of entries within the ACL matters. Also, remember that 'ip access-group' is an interface command, not global.

38
MCQhard

A network engineer notices that after removing a standard ACL that was applied inbound on the internet-facing interface, the router is now receiving IP packets from the internet with source IP addresses in the 10.0.0.0/8 range, which were previously blocked. What is the most likely cause?

A.The original standard ACL only had a permit statement, so after removal the permit still takes effect because the ACL remains in the running configuration.
B.The ip access-group command on the interface remains but is missing the referenced ACL, causing the router to default to denying all ingress traffic except the previously permitted 10.0.0.0/8.
C.Removing the ACL from the interface eliminates the implicit deny at the end and restores the default permit all behavior, allowing all incoming traffic.
D.The ACL was reapplied in the outbound direction instead of inbound, so it now blocks traffic leaving the interface but not entering it.
AnswerC

Before removal, the applied ACL permitted only 10.0.0.0/8 and denied everything else (implicit deny all), which correctly blocked spoofed RFC 1918 traffic. Once the ACL is de-applied, the interface has no access list, so all traffic is permitted, including the previously blocked spoofed packets.

Why this answer

When an ACL is removed from an interface using 'no ip access-group', the interface reverts to its default behavior of permitting all traffic. The previous ACL's implicit deny all no longer applies, so spoofed RFC 1918 source addresses that were once blocked are now allowed to enter.

Exam trap

Many candidates assume that removing an ACL from an interface still leaves some residual filtering based on the ACL's permit statements, but in reality the interface returns to a wide-open permit-all state.

Why the other options are wrong

A

Candidates may think that the ACL itself, if still configured, continues to filter traffic even when not applied to an interface.

B

A common misunderstanding is that the access-group line can persist without a valid ACL and cause some default behavior; in fact the entire command is removed.

D

Some candidates may confuse direction changes with removal and assume the ACL is still filtering traffic in some way, but the symptom clearly indicates no filtering at all.

39
Drag & Dropmedium

Drag and drop the following steps into the correct order to configure and apply an extended ACL that permits only HTTP traffic from the 192.168.1.0/24 network to the server at 10.0.0.1, with the ACL applied inbound on the router's GigabitEthernet0/0 interface, and then verify the configuration.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4

Why this order

First, enter config mode. Create the ACL permitting HTTP from the source network to the destination host. Apply it inbound on the correct interface.

Then exit and verify.

Exam trap

Pay attention to the direction of ACL application (inbound vs outbound) and the specific verification command. Also, ensure you exit configuration mode before verifying, as some show commands are available in config mode but the standard workflow is to exit first.

40
MCQhard

A standard ACL and an extended ACL are both available for a design. Which requirement most strongly indicates that an extended ACL is needed?

A.The policy must distinguish traffic by destination, protocol, or port.
B.The policy needs to match only one source subnet.
C.The ACL must be placed near the destination.
D.The network uses IPv6 instead of IPv4.
AnswerA

This is correct because those requirements need extended ACL granularity.

Why this answer

An extended ACL is most strongly indicated when the policy must match not just on source address, but also on destination, protocol, or port information. In practical terms, if the requirement is something like “block HTTP but allow SSH” or “deny traffic to one server but not another,” a standard ACL is too limited because it mainly matches only the source. Option B (matching only one source subnet) can be done with a standard ACL, so it does not demand an extended ACL.

Option C (placement near destination) is a guideline for standard ACLs, not a reason to choose an extended ACL. Option D (IPv6) is irrelevant because the scenario explicitly states both ACL types are available and standard ACLs do not exist for IPv6—this question is about IPv4 ACLs.

Exam trap

Remember that standard ACLs can only filter based on source IP addresses. If the requirement involves protocols or ports, think extended ACL.

Why the other options are wrong

B

Matching only one source subnet can be accomplished with a standard ACL, so this does not strongly indicate a need for an extended ACL.

C

Placing an ACL near the destination is a characteristic of standard ACLs, not a criterion that selects an extended ACL.

D

The scenario assumes both standard and extended ACLs are available; standard ACLs do not exist for IPv6, so this requirement does not apply to the IPv4 ACL choice.

41
MCQhard

An administrator wants to prevent a specific subnet from using Telnet to reach network devices, while still allowing SSH from that same subnet. What is the strongest reason a standard ACL is not enough by itself?

A.Because the policy must distinguish Telnet from SSH, which requires protocol or port-level matching.
B.Because standard ACLs are valid only on wireless networks.
C.Because Telnet and SSH always use the same destination port.
D.Because SSH can never be filtered with ACLs.
AnswerA

This is correct because source-only matching cannot separate those two protocols.

Why this answer

A standard ACL is not enough by itself because the policy depends on distinguishing different protocols or destination ports, not just source address. In practical terms, the source subnet is the same for both Telnet and SSH. The ACL therefore needs to tell those two management protocols apart, which requires more granular matching than source-only logic.

This is one of the clearest examples of why extended ACL capability matters.

Exam trap

Do not confuse the capabilities of standard ACLs with those of extended ACLs. Remember, standard ACLs filter only by source IP.

Why the other options are wrong

B

Standard ACLs are not limited to wireless networks; they can be applied to any interface on a router, including wired connections. This option misrepresents the applicability of standard ACLs.

C

This option is incorrect because Telnet and SSH use different destination ports; Telnet typically uses port 23, while SSH uses port 22, allowing for distinct filtering in ACLs.

D

This option is incorrect because SSH can indeed be filtered using ACLs, as they can match traffic based on IP addresses and protocols. Standard ACLs can be applied to control SSH traffic just like any other traffic type.

42
MCQhard

A network administrator configures PAT on a router to allow internal hosts in the 10.10.10.0/24 subnet to access the Internet. Afterward, users report that they can ping public IP addresses but cannot access any websites. The administrator verifies that the access list for NAT matches the correct subnet, and the 'ip nat inside source list 1 interface GigabitEthernet0/1 overload' command is applied. What is the most likely cause of this issue?

A.The router's DNS proxy is misconfigured, preventing resolution of website names.
B.The PAT translation table is full, causing new TCP connection requests to be dropped.
C.The 'overload' keyword was omitted, causing the router to use dynamic NAT with a single-address pool.
D.A static NAT entry for a web server is using the same public IP address as the PAT overload.
AnswerB

PAT uses source port translation to map many internal addresses to a single public IP. ICMP (ping) does not consume a port mapping and can still be translated even when the table is exhausted. New TCP connections, required for web traffic, will fail when no free source port is available.

Why this answer

The ability to ping public IP addresses confirms that IP routing and PAT translation are working for ICMP traffic. However, the failure to access websites (HTTP/HTTPS) while ping succeeds indicates that the PAT translation table is likely exhausted, preventing the router from creating new translations for TCP connections. The 'overload' keyword is correctly configured, so the issue is not a missing keyword but rather resource exhaustion in the NAT table.

Exam trap

Cisco often tests the distinction between ICMP and TCP behavior under PAT exhaustion—candidates assume that if ping works, all IP connectivity is fine, but the trap is that PAT table exhaustion selectively drops new TCP sessions while allowing existing or low-volume ICMP traffic.

Why the other options are wrong

A

The scenario explicitly mentions successful pings to IP addresses, so name resolution is not the cause.

C

The command output explicitly shows 'overload', and the symptom (ping works, TCP fails) is inconsistent with a missing overload keyword.

D

A static NAT conflict would affect all traffic (including ICMP), not just web traffic.

43
MCQmedium

As a general rule, where should an extended ACL be placed?

A.As close to the source as practical
B.As close to the destination as possible in all cases
C.Only on the default gateway
D.Only on WAN interfaces
AnswerA

Correct. This is the common placement guideline.

Why this answer

Extended ACLs are commonly placed near the source to stop unwanted traffic earlier and conserve bandwidth and device resources.

Exam trap

Remember that extended ACLs should be placed near the source, not the destination or core, to effectively manage traffic.

Why the other options are wrong

B

Placing an extended ACL as close to the destination can lead to unnecessary traffic being processed by intermediate devices, which is inefficient. Extended ACLs are designed to filter traffic based on source and destination, so positioning them closer to the source enhances performance and security.

C

This option is incorrect because placing an extended ACL only on the default gateway limits its effectiveness in controlling traffic originating from various sources across the network. Extended ACLs should be strategically placed closer to the source to filter traffic before it reaches the destination.

D

Placing an extended ACL only on WAN interfaces can lead to inefficient traffic filtering, as it may not adequately control traffic originating from internal sources. Extended ACLs should ideally be positioned close to the source to effectively manage traffic before it reaches the destination.

44
Drag & Dropmedium

Drag and drop the following steps into the correct order to plan, configure, and apply an extended ACL that denies Telnet from a specific host to a server subnet, then verify the configuration.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4

Why this order

The correct sequence is: create the ACL (A), apply it to the interface (B), verify it works (D), then save the configuration (C). This prevents saving a faulty ACL. Verifying after saving (C before D) risks persisting errors and is not the Cisco recommended workflow.

Exam trap

Do not confuse the order of creation and application: you must create the ACL before applying it. Also, always verify before saving to avoid locking in errors.

Ready to test yourself?

Try a timed practice session using only ACL questions.