
ACL practice questions

Practise 200-301 ACL questions covering standard vs extended ACLs, top-down processing, implicit deny, inbound vs outbound placement, and troubleshooting traffic that is unexpectedly blocked or permitted.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security

What the exam tests

What to know about ACL

ACL questions usually test top-down rule processing, source and destination matching, protocol or port logic, and where the ACL should be applied.

Standard versus extended ACL behaviour.

Top-down processing and the implicit deny rule.

Source, destination, protocol and port matching.

Inbound versus outbound ACL placement.

Why learners struggle

Why ACL questions are commonly missed

ACL questions are missed when learners apply the wrong direction, overlook the implicit deny, or confuse standard ACL source-only matching with extended ACL protocol and destination matching. A single out-of-order rule or wrong interface direction makes an otherwise correct ACL fail.

  • Top-down, first-match processing: rule order matters, and the first matching entry ends evaluation, so a broad entry placed early shadows every narrower entry below it.
  • Implicit deny: any traffic not explicitly permitted is dropped by the unwritten deny at the end of every ACL, so an ACL that contains only deny statements blocks everything.
  • Standard ACLs match the source address only: destination, protocol, and port are not considered.
  • Extended ACLs match source, destination, protocol, and port, which gives finer control.
  • Inbound vs outbound: applying the ACL in the wrong direction filters the wrong traffic, or nothing at all.
  • Placement: standard ACLs go close to the destination, because they can only see the source and would otherwise block that source everywhere; extended ACLs go close to the source, so unwanted traffic is dropped before it crosses the network.

Watch out for

Common ACL exam traps

  • ACLs are processed from top to bottom; the first matching entry wins and no later entry is consulted.
  • There is an implicit deny at the end of every ACL, not just most of them.
  • Standard ACLs match source only, while extended ACLs can match protocol, source, destination and ports.
  • Applying an ACL in the wrong direction (or on the wrong interface) can make a correct ACL look broken.
  • Only one ACL per interface, per protocol, per direction can be applied; a second ip access-group in the same direction replaces the first.
  • An outbound ACL does not filter traffic the router itself generates, so a ping sourced from the router is not a valid test of an outbound filter.
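The first three traps are easiest to see by running them. The script below is an added example (it is not from this page and not Cisco code): a small Python model of Cisco-style numbered IPv4 ACLs that applies wildcard masks, walks the entries top-down with first-match semantics, falls through to the implicit deny, and treats numbered ACLs 1-99 and 1300-1999 as standard (source-only). The ACL entries and addresses are constructed for illustration (documentation ranges); only the `eq <port>` operator and the protocols ip/tcp/udp/icmp are parsed, and interface direction is not modelled.

```python
"""Toy model of Cisco-IOS-style numbered IPv4 ACLs.

Added example, not from the page or from Cisco. It covers only what the exam
tests: wildcard-mask matching, top-down first-match processing, the implicit
deny at the end of every ACL, and standard (source-only) versus extended
(protocol, source, destination, port) matching. Direction is not modelled.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

Addr = Tuple[str, str]                      # (base address, wildcard mask)
ANY: Addr = ("0.0.0.0", "255.255.255.255")
# A few IOS port keywords; IOS has no keyword for 443, so it is written numerically.
PORT_NAMES = {"ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25, "www": 80, "pop3": 110}


def _int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the mask means 'do not care'."""
    care = ~_int(wildcard) & 0xFFFFFFFF
    return (_int(addr) & care) == (_int(base) & care)


def wildcard_range(base: str, wildcard: str) -> Tuple[str, str]:
    """Lowest and highest address a 'base wildcard' pair matches."""
    care = ~_int(wildcard) & 0xFFFFFFFF
    lo = _int(base) & care
    hi = lo | _int(wildcard)
    return str(ipaddress.IPv4Address(lo)), str(ipaddress.IPv4Address(hi))


def _parse_addr(tok: List[str], i: int) -> Tuple[Addr, int]:
    """Consume one address spec at tok[i]: 'any', 'host X', 'X W', or bare 'X'."""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return (tok[i + 1], "0.0.0.0"), i + 2
    if i + 1 < len(tok) and tok[i + 1][0].isdigit():
        return (tok[i], tok[i + 1]), i + 2
    return (tok[i], "0.0.0.0"), i + 1      # IOS treats a bare address as a host match


@dataclass
class ACE:
    action: str            # "permit" or "deny"
    proto: str             # "ip" matches any protocol; also used for standard ACLs
    src: Addr
    dst: Addr
    dport: Optional[int]   # destination port from 'eq <port>', if present
    text: str              # original line, so a result can say which entry matched


def parse_ace(line: str) -> ACE:
    """Parse 'access-list <n> permit|deny ...' in standard or extended form."""
    tok = line.split()
    if tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        raise ValueError(f"not a numbered ACE: {line!r}")
    num, action = int(tok[1]), tok[2]
    if 1 <= num <= 99 or 1300 <= num <= 1999:
        # Standard ACL: source only; destination, protocol and port are ignored.
        src, _ = _parse_addr(tok, 3)
        return ACE(action, "ip", src, ANY, None, line)
    proto = tok[3]
    src, i = _parse_addr(tok, 4)
    dst, i = _parse_addr(tok, i)
    dport = None
    if i < len(tok) and tok[i] == "eq":
        p = tok[i + 1]
        dport = int(p) if p.isdigit() else PORT_NAMES[p]
    return ACE(action, proto, src, dst, dport, line)


def evaluate(acl: List[str], src: str, dst: str, proto: str = "ip",
             dport: Optional[int] = None) -> Tuple[str, str]:
    """Top-down, first match wins; falling off the end is the implicit deny."""
    for ace in map(parse_ace, acl):
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not (wildcard_match(src, *ace.src) and wildcard_match(dst, *ace.dst)):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, ace.text
    return "deny", "implicit deny (end of ACL)"


# Constructed sample ACLs (hypothetical addresses from documentation ranges).
WEB_ACL = [  # extended: permit HTTPS to one server, deny Telnet from the subnet to anywhere
    "access-list 110 permit tcp 10.1.50.0 0.0.0.255 host 203.0.113.10 eq 443",
    "access-list 110 deny tcp 10.1.50.0 0.0.0.255 any eq telnet",
]
SHADOWED = [  # standard: the broad deny is listed first and shadows the host permit
    "access-list 10 deny 192.168.1.0 0.0.0.255",
    "access-list 10 permit host 192.168.1.10",
]
STD_ONLY = ["access-list 20 permit 10.0.0.0 0.255.255.255"]  # standard: cannot see ports


def demo() -> dict:
    """Run the cases the trap list describes and return the verdicts."""
    return {
        "https to server":            evaluate(WEB_ACL, "10.1.50.7", "203.0.113.10", "tcp", 443),
        "telnet to anywhere":         evaluate(WEB_ACL, "10.1.50.7", "198.51.100.5", "tcp", 23),
        "http to server":             evaluate(WEB_ACL, "10.1.50.7", "203.0.113.10", "tcp", 80),
        "host, deny listed first":    evaluate(SHADOWED, "192.168.1.10", "198.51.100.5"),
        "host, permit listed first":  evaluate(list(reversed(SHADOWED)), "192.168.1.10", "198.51.100.5"),
        "telnet through standard ACL": evaluate(STD_ONLY, "10.9.9.9", "198.51.100.5", "tcp", 23),
        "range of 172.16.0.0 0.0.3.255": wildcard_range("172.16.0.0", "0.0.3.255"),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:32} -> {verdict}")
```

Note the third case: HTTP to the same server is denied although no entry mentions it, because evaluation ran off the end of the list. Reversing the two entries of the standard ACL flips the verdict for 192.168.1.10, which is the ordering trap in exam form, and the standard ACL lets Telnet through because it never looks at a port.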

Practice set

ACL questions

20 questions · select your answer, then reveal the explanation

Question 1 · hard · multiple choice

A switch shows a clock that is several minutes off from other devices even though an NTP server has been configured. Which issue is the most likely cause?

Exhibit

show ntp associations
 address         ref clock     st when poll reach delay offset disp
*~10.10.50.5     .INIT.        16   -   64    0  0.000  0.000 16000
Configured server: 10.10.50.5
Question 2 · hard · multiple choice

Users report no internet access after PAT was configured. The inside and outside interfaces are marked correctly. Which missing configuration is the most likely cause?

Exhibit

Configured:
interface G0/0
 ip nat inside
interface G0/1
 ip nat outside
No translations appear in 'show ip nat translations'.
Question 3 · medium · multiple choice

A network administrator wants to secure remote CLI access to a Cisco router, moving beyond simple username/password authentication. Which approach best achieves this goal?

Question 4

You are connected to R1 in a small office network. Configure PAT (NAT overload) so that hosts on the 192.168.1.0/24 LAN can access the Internet via the public IP 203.0.113.1 (the IP assigned to interface G0/0). Also configure a static NAT for the internal web server at 192.168.1.10 to the public IP 203.0.113.6. The current configuration has errors: the inside/outside interface assignments are swapped, the ACL for PAT does not match the inside subnet, and the PAT rule points to the wrong ACL. Fix all issues so that both PAT and static NAT work correctly.

Exhibit

R1# show running-config | section ip nat
ip nat inside source list 1 interface GigabitEthernet0/1 overload
ip nat inside source static tcp 192.168.1.10 80 203.0.113.6 80
!
ip nat inside source list 2 interface GigabitEthernet0/0 overload
!
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.248
 ip nat inside
!
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat outside
!
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 2 permit 192.168.1.0 0.0.0.255
Question 5 · hard · multiple choice

A network engineer configures an EtherChannel between two Cisco switches SW1 and SW2 using LACP. After configuration, hosts connected to SW1 report intermittent connectivity to hosts on SW2. The engineer checks the EtherChannel status and sees that the trunk is up but only allows VLAN 1, while the hosts communicate across VLANs 10 and 20. Which command should the engineer apply to both switches to resolve the issue?

Exhibit

SW1# show etherchannel summary
H - Hot-standby (LACP only)
u - unsuitable for bundling
d - default port
Number of aggregators: 1
Group  Port-channel  Protocol    Ports

Question 6

You are connected to R1 via the console. R1's GigabitEthernet0/0 (10.0.0.1/30) connects to an ISP router at 10.0.0.2/30. The internal network has a web server at 192.168.1.10 and a mail server at 192.168.1.20. You need to configure NAT so that internal hosts can access the internet (PAT overload) and external users can reach the web server via public IP 203.0.113.10 and the mail server via public IP 203.0.113.11. The inside interface is GigabitEthernet0/1 (192.168.1.1/24) and the outside interface is GigabitEthernet0/0.

Question 7 · medium · drag order

Drag and drop the following steps into the correct order to configure PAT (overload) on a Cisco router using a single public IP address on the outside interface.

Question 8 · hard · multiple choice

A branch router is configured for NAT overload. Refer to the exhibit: the outside interface Gi0/0 is correctly marked ip nat outside and the inside interface Gi0/1 is marked ip nat inside. The NAT statement uses access-list 1 permit 10.10.20.0 0.0.0.255 with ip nat inside source list 1 interface GigabitEthernet0/0 overload. Inside hosts are in the 10.10.10.0/24 subnet, and their traffic is forwarded toward the ISP with the private source addresses left untranslated. What is the most likely reason?

Exhibit

access-list 1 permit 10.10.20.0 0.0.0.255
ip nat inside source list 1 interface GigabitEthernet0/0 overload

interface GigabitEthernet0/0
 ip address 198.51.100.2 255.255.255.252
 ip nat outside

interface GigabitEthernet0/1
 ip address 10.10.10.1 255.255.255.0
 ip nat inside

Users are in 10.10.10.0/24.
Question 9 · medium · multi select

Which of the following statements about VLAN configuration and trunking on a Cisco switch are correct? (Choose all that apply.)

Question 10 · hard · multiple choice

Which prefix length corresponds to the subnet mask 255.255.255.192?

Question 11 · medium · multiple choice

Refer to the exhibit. Users on the inside network can browse the web, but return traffic is failing for some sessions. Based on the partial configuration shown, which change is required to make PAT work correctly?

Exhibit

interface GigabitEthernet0/0
 ip address 192.168.10.1 255.255.255.0
 ip nat outside
!
interface GigabitEthernet0/1
 ip address 203.0.113.10 255.255.255.252
 ip nat inside
!
access-list 1 permit 192.168.10.0 0.0.0.255
ip nat inside source list 1 interface GigabitEthernet0/1 overload
Question 12 · hard · multiple choice

A network administrator notices that hosts in VLAN 10 cannot ping the default gateway (192.168.10.1). The switch's SVI for VLAN 10 is configured and the output of the show ip interface brief command shows its status as up/up. An embedded packet capture is configured. The exhibit shows ARP requests from a host to 192.168.10.1 but no ARP reply. Based on the exhibit, what is the most likely cause of the connectivity issue?

Exhibit

R1# show monitor capture CAP1 buffer brief
   #   size   timestamp        source             destination        protocol   src port   dst port   flags
   1   64     00:01:23.456     192.168.10.10      192.168.10.1       ICMP       0x0800     0x0800     0x4000
   2   64     00:01:23.457     192.168.10.1       192.168.10.10      ICMP       0x0800     0x0800     0x4000
   3   64     00:01:24.456     192.168.10.10      192.168.10.1       ICMP       0x0800     0x0800     0x4000
   4   64     00:01:24.457     192.168.10.1       192.168.10.10      ICMP       0x0800     0x0800     0x4000
   5   64     00:01:25.456     192.168.10.10      192.168.10.1       ICMP       0x0800     0x0800     0x4000
   6   64     00:01:25.457     192.168.10.1       192.168.10.10      ICMP       0x0800     0x0800     0x4000

R1# show running-config | section interface Vlan10
interface Vlan10
 ip address 192.168.10.1 255.255.255.0
 no shutdown
!
Question 13 · medium · multi select

Which two statements accurately describe CAPWAP in a controller-based WLAN context?

Question 14 · hard · multiple choice

An administrator wants to permit SSH management access but block Telnet access to a device. Which statement best reflects that design goal?

Question 15 · hard · multiple choice

A security policy requires that only one management subnet be able to initiate SSH to a router. Which approach most directly supports that requirement?

Question 16 · hard · multiple choice

An administrator wants to prevent users from browsing to one specific web server while still allowing them to reach other web destinations. Which ACL design principle is most important here?

Question 17 · hard · multiple choice

A network administrator is troubleshooting an issue where hosts in the 192.168.20.0/24 subnet cannot reach the Internet, while hosts in 192.168.10.0/24 can. The router is configured for PAT overload using a dynamic pool on the outside interface. The administrator collects the configuration shown in the exhibit. What is the most likely cause of the connectivity problem for the 192.168.20.0/24 subnet?

Exhibit

R1#show running-config | section access-list|ip nat|interface GigabitEthernet0/1|interface GigabitEthernet0/2|interface GigabitEthernet0/0
access-list 10 permit 192.168.10.0 0.0.0.255
access-list 20 permit 192.168.20.0 0.0.0.0
ip nat pool NAT-POOL 200.1.1.1 200.1.1.2 netmask 255.255.255.252
ip nat inside source list 10 pool NAT-POOL overload
ip nat inside source list 20 pool NAT-POOL overload
interface GigabitEthernet0/0
 ip address 200.1.1.1 255.255.255.252
 ip nat outside
interface GigabitEthernet0/1
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
interface GigabitEthernet0/2
 ip address 192.168.20.1 255.255.255.0
 ip nat inside
Question 18 · medium · multi select

A network team wants an ACL that permits HTTPS from 10.1.50.0/24 to a web server at 203.0.113.10 and denies all Telnet traffic from that subnet to any destination. Which two ACEs are required?

Question 19 · hard · multiple choice

A standard ACL and an extended ACL are both available for a design. Which requirement most strongly indicates that an extended ACL is needed?

Question 20 · medium · multiple choice

An ACL entry reads:

access-list 25 permit 192.168.8.0 0.0.0.15

Which address range does this statement match?



Frequently asked questions

What does the 200-301 exam test about ACL?
ACL questions usually test top-down rule processing, source and destination matching, protocol or port logic, and where the ACL should be applied.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just ACL questions in a focused session?
Yes — the session launcher on this page draws every question from the ACL domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other 200-301 topics?
Use the topic links above to move to related areas, or go back to the 200-301 question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the 200-301 exam covers. They are not copied from any real exam or dump site.