CCNA Network Services and Security Practice Question
This 200-301 practice question tests your understanding of network services and security. Match the stated requirement to the specific configuration option; several of the options are valid in isolation but not for this scenario. A key principle to apply: an ACL (Access Control List) in Cisco devices processes entries in sequential order, stopping at the first match to permit or deny traffic. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.
Exhibit
access-list 110 ?
Users in 10.10.10.0/24 must be prevented from reaching the web server at 172.16.1.10 over HTTP, but all other traffic should be allowed. Which ACL entry should appear first in the ACL?
Clue words in this question
Noticing these words before you look at the options changes how you read each choice.
Clue: "first"
Why it matters: Order matters here. You are being tested on which action comes before the others — not which action is generally useful.
The requirement is specific: block HTTP traffic from one source subnet to one server, but allow everything else. In plain terms, you do not want to shut off all communication to the server or all communication from the users. You only want to stop normal web traffic, which uses TCP port 80. That means the ACL should start with a deny statement that matches TCP from 10.10.10.0/24 to host 172.16.1.10 on destination port 80. Because every Cisco ACL ends with an implicit deny, that first entry must then be followed by a `permit ip any any`; otherwise the "all other traffic" part of the requirement is not met.
Using `deny ip` would block every IP-based protocol to that host, which is broader than the requirement. Using UDP port 80 does not match normal HTTP. And a permit statement would do the opposite of what is needed.
Key principle: An ACL (Access Control List) in Cisco devices processes entries in sequential order, stopping at the first match to permit or deny traffic.
Answer analysis
Option-by-option analysis
Why each answer is right or wrong
Understanding why wrong answers are wrong — and when they would be correct — is what separates a 750 score from a 900. The 200-301 exam frequently reuses these exact scenarios with slightly different constraints.
✓ deny tcp 10.10.10.0 0.0.0.255 host 172.16.1.10 eq 80
This is correct because HTTP uses TCP port 80, and the requirement is narrowly focused on blocking that traffic from one subnet to one host. Placed first, it is matched before any permit entry can allow the same flow.
✗ permit tcp 10.10.10.0 0.0.0.255 host 172.16.1.10 eq 80
Why this is wrong here
Option A is wrong because it permits TCP traffic on port 80 from the specified subnet to the web server, which contradicts the requirement to prevent HTTP access to that server.
★ When this WOULD be the correct answer
In a different scenario where the requirement is to allow HTTP traffic from 10.10.10.0/24 to 172.16.1.10 while denying all other traffic, option A would be correct. For example, if the question stated that users should be allowed to access the web server but not other services, this entry would fit.
Why candidates choose this
Candidates may find option A tempting because it names the right protocol, port, source subnet and destination host; only the action is wrong, and a reader scanning for the matching fields can miss that the entry permits instead of denies.
✗ deny ip 10.10.10.0 0.0.0.255 host 172.16.1.10
Why this is wrong here
This option is wrong because it denies all IP traffic from the 10.10.10.0/24 subnet to the web server, which is too broad and would block all types of traffic, not just HTTP. The requirement is to specifically block only HTTP traffic.
★ When this WOULD be the correct answer
In a scenario where the objective is to block all traffic from the 10.10.10.0/24 subnet to the web server at 172.16.1.10, regardless of the protocol, this option would be correct. For example, if the question asked to prevent any communication to the server, not just HTTP, this would be the right choice.
Why candidates choose this
Candidates may choose this option because it seems to address the requirement of blocking traffic, and they might misinterpret the question as needing to block all access to the server rather than just HTTP.
✗ deny udp 10.10.10.0 0.0.0.255 host 172.16.1.10 eq 80
Why this is wrong here
Option D is incorrect because it attempts to deny UDP traffic to the web server, while the question specifically requires blocking HTTP traffic, which uses TCP. Thus, this ACL entry does not meet the requirement of preventing access over HTTP.
★ When this WOULD be the correct answer
In a scenario where the question specifies that users should be prevented from accessing a service that uses UDP on port 80 (hypothetically, if a web service were using UDP), then option D would be the correct answer. For example, if the question stated that UDP traffic from 10.10.10.0/24 to 172.16.1.10 on port 80 should be denied, this option would apply.
Why candidates choose this
Candidates may choose this option due to a misunderstanding of the protocols involved, mistakenly believing that blocking UDP traffic could also impact HTTP traffic, or because they see 'deny' and assume it aligns with the goal of restricting access.
Analysis generated from the official 200-301 blueprint and verified against question context. The "when correct" sections are what AI assistants cite when candidates ask "what's the difference between these options?"
Common exam traps
Common exam trap: answer the scenario, not the keyword
A frequent exam trap is selecting a deny ip statement to block HTTP traffic, which seems simpler but actually blocks all IP traffic from the source subnet to the destination host. This overbroad denial disrupts legitimate communications such as DNS, SSH, or other TCP/UDP services, violating the requirement to allow all other traffic. Another trap is denying UDP port 80, which is incorrect because HTTP uses TCP, not UDP. Candidates may also mistakenly place a permit statement first, which would allow the HTTP traffic instead of blocking it; because processing stops at the first match, a deny for the same flow placed after it would never be reached. Recognizing the correct protocol and port and placing the deny statement first is critical to avoid these pitfalls.
Detailed technical explanation
How to think about this question
Access Control Lists (ACLs) are fundamental security tools in Cisco networking that filter traffic based on defined criteria such as source and destination IP addresses, protocols, and ports. ACLs are processed sequentially, and the first matching rule determines whether the packet is permitted or denied. This sequential processing means that the order of ACL entries is critical to achieving the desired traffic filtering behavior.
In this scenario, the goal is to block HTTP traffic from the 10.10.10.0/24 subnet to a specific web server at 172.16.1.10, while allowing all other traffic. HTTP traffic uses TCP port 80, so the ACL must deny TCP packets destined for port 80 on that host. The correct first entry is a deny statement specifying TCP, the source subnet, the destination host, and destination port 80. This precise match ensures only HTTP traffic is blocked. Because every ACL ends with an implicit deny, the entry must be followed by `permit ip any any` so that all other traffic, including other TCP ports and protocols, is allowed; and the list filters nothing until it is applied to an interface with `ip access-group 110 in` (or `out`).
A common exam trap is using a deny ip statement, which blocks all IP traffic from the source subnet to the destination host, not just HTTP. This is overly broad and can disrupt legitimate services like SSH or DNS. Another trap is denying UDP port 80, which is irrelevant since HTTP uses TCP. Understanding the specific protocol and port involved is essential. Practically, this ACL approach allows granular control over traffic, minimizing unintended service disruptions while enforcing security policies.
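The first-match rule, the implicit deny and the difference between the four candidate entries can be seen by running the ACLs against a few packets. The following Python evaluator is an added example for this page: it is not Cisco software and not from the original question. It parses only the subset of IOS extended-ACL syntax the question uses (permit/deny, ip/tcp/udp, source and destination as `A.B.C.D wildcard`, `host X` or `any`, and an optional `eq <port>` on the destination), and the sample packets and candidate ACLs are constructed for the demonstration.

```python
"""First-match ACL evaluator modelled on Cisco IOS extended-ACL syntax.

Added example for this page, not Cisco software and not from the original
question. It supports only the subset of IOS syntax used here (permit/deny;
ip/tcp/udp; 'A.B.C.D wildcard', 'host X' or 'any'; optional 'eq <port>' on
the destination) and applies the implicit deny that ends every Cisco ACL.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"www": 80, "ssh": 22, "domain": 53}  # IOS port keywords

# Constructed sample packets: (label, protocol, src, dst, destination port).
SAMPLE_PACKETS = [
    ("HTTP, user subnet -> web server", "tcp", "10.10.10.25", "172.16.1.10", 80),
    ("SSH, user subnet -> web server", "tcp", "10.10.10.25", "172.16.1.10", 22),
    ("DNS/UDP, user subnet -> web server", "udp", "10.10.10.25", "172.16.1.10", 53),
    ("HTTP, other subnet -> web server", "tcp", "10.10.20.7", "172.16.1.10", 80),
    ("HTTP, user subnet -> other host", "tcp", "10.10.10.25", "172.16.1.11", 80),
]

# Candidate ACLs in IOS syntax (constructed). 'permit ip any any' is what lets
# "all other traffic" past the implicit deny. On a router the list filters
# nothing until applied, e.g. 'ip access-group 110 in' on the users' interface.
DENY_HTTP = "access-list 110 deny tcp 10.10.10.0 0.0.0.255 host 172.16.1.10 eq 80"
PERMIT_REST = "access-list 110 permit ip any any"
CORRECT_ACL = [DENY_HTTP, PERMIT_REST]
TOO_BROAD_ACL = ["access-list 110 deny ip 10.10.10.0 0.0.0.255 host 172.16.1.10", PERMIT_REST]
PERMIT_FIRST_ACL = [DENY_HTTP.replace("deny", "permit"), DENY_HTTP, PERMIT_REST]  # deny unreachable
WRONG_PROTO_ACL = [DENY_HTTP.replace("tcp", "udp"), PERMIT_REST]
MISSING_PERMIT_ACL = [DENY_HTTP]  # no explicit permit, so implicit deny eats the rest


@dataclass
class Entry:
    action: str
    proto: str  # "ip" matches every protocol
    src_net: int
    src_wild: int
    dst_net: int
    dst_wild: int
    dst_port: Optional[int]


def _addr_spec(tokens, i):
    """Consume one address specifier; return (network, wildcard, next index).
    A wildcard bit of 1 means 'do not care', so 0.0.0.255 covers a /24."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":
        return int(ipaddress.IPv4Address(tokens[i + 1])), 0, i + 2
    return int(ipaddress.IPv4Address(tokens[i])), int(ipaddress.IPv4Address(tokens[i + 1])), i + 2


def parse_entry(line):
    tokens = line.split()
    if tokens[:1] != ["access-list"] or tokens[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported ACL line: {line!r}")
    action, proto = tokens[2], tokens[3]
    src_net, src_wild, i = _addr_spec(tokens, 4)
    dst_net, dst_wild, i = _addr_spec(tokens, i)
    dst_port = None
    if i < len(tokens) and tokens[i] == "eq":
        dst_port = PORT_NAMES.get(tokens[i + 1]) or int(tokens[i + 1])
    return Entry(action, proto, src_net, src_wild, dst_net, dst_wild, dst_port)


def _addr_match(addr, net, wild):
    care = ~wild & 0xFFFFFFFF  # bits the wildcard mask says must be equal
    return (addr & care) == (net & care)


def evaluate(acl, proto, src, dst, dst_port):
    """Walk the ACL top to bottom; the first matching entry decides."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for e in map(parse_entry, acl):
        if e.proto not in ("ip", proto):
            continue
        if e.dst_port is not None and e.dst_port != dst_port:
            continue
        if _addr_match(s, e.src_net, e.src_wild) and _addr_match(d, e.dst_net, e.dst_wild):
            return e.action
    return "deny"  # implicit deny: nothing matched


def verdicts(acl):
    """Verdict for each packet in SAMPLE_PACKETS, in order."""
    return [evaluate(acl, p, s, d, port) for _, p, s, d, port in SAMPLE_PACKETS]


if __name__ == "__main__":
    for name, acl in [("correct", CORRECT_ACL), ("deny ip", TOO_BROAD_ACL),
                      ("permit first", PERMIT_FIRST_ACL), ("deny udp", WRONG_PROTO_ACL)]:
        print(f"{name:13s}", verdicts(acl))
```

Running it shows the contrast the question is built around: the correct list denies only the first packet (HTTP from the user subnet to the server) and permits the other four; `deny ip` also drops SSH and DNS to the server; the permit-first list permits everything because its deny is never reached; `deny udp ... eq 80` matches none of the sample traffic; and the list with no `permit ip any any` drops all five packets through the implicit deny.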
Key Concepts to Remember
An ACL (Access Control List) in Cisco devices processes entries in sequential order, stopping at the first match to permit or deny traffic.
A deny statement in an ACL blocks matching traffic explicitly; traffic that matches no entry at all is dropped by the implicit deny at the end of every ACL, so a list that only denies HTTP must also contain an explicit permit for everything else.
TCP port 80 is the standard destination port for HTTP traffic, so blocking TCP traffic to port 80 effectively blocks web traffic.
Using a deny statement that specifies TCP and port 80 prevents only HTTP traffic, allowing all other protocols and ports to pass through.
A deny ip statement blocks all IP traffic between specified source and destination addresses, which is broader than needed and can disrupt legitimate traffic.
ACLs applied inbound on an interface evaluate packets before routing decisions, making the order and specificity of ACL entries critical for correct filtering.
Cisco ACLs use wildcard masks to specify IP address ranges, where 0.0.0.255 matches any host in the 10.10.10.0/24 subnet.
The implicit deny at the end of every ACL means that any traffic not explicitly permitted or denied by prior entries is blocked by default.
Exam Day Tips
→ Watch for words such as best, first, most likely and least administrative effort.
→ Review why wrong options are wrong, not only why the correct option is correct.
Key takeaway
An ACL (Access Control List) in Cisco devices processes entries in sequential order, stopping at the first match to permit or deny traffic.
Real-world example
How this comes up in practice
An internal web server at 172.16.1.10 is also reached over SSH by administrators, and a change request asks that workstations on 10.10.10.0/24 no longer be able to browse to it. An entry such as `deny ip 10.10.10.0 0.0.0.255 host 172.16.1.10` satisfies the wording of the ticket but also cuts off SSH and every other service those workstations use on that host. The narrow entry, `deny tcp 10.10.10.0 0.0.0.255 host 172.16.1.10 eq 80`, followed by `permit ip any any`, blocks only the web traffic. ACL questions test whether you can translate a requirement into the least disruptive matching entry and place it where first-match processing will actually reach it.
Related glossary terms
Concepts from this question explained
These glossary pages explain the core terms tested in this 200-301 question in full detail.
Review the key principle (an ACL in Cisco devices processes entries in sequential order, stopping at the first match to permit or deny traffic), then practise related 200-301 questions on the same topic to reinforce the concept.
Network Services and Security: the 200-301 topic this question tests. The principle behind it is that an ACL (Access Control List) in Cisco devices processes entries in sequential order, stopping at the first match to permit or deny traffic.
What is the correct answer to this question?
The correct answer is: deny tcp 10.10.10.0 0.0.0.255 host 172.16.1.10 eq 80 — The requirement is specific: block HTTP traffic from one source subnet to one server, but allow everything else. In plain terms, you do not want to shut off all communication to the server or all communication from the users. You only want to stop normal web traffic that uses TCP port 80. That means the ACL should start with a deny statement that matches TCP from 10.10.10.0/24 to host 172.16.1.10 on destination port 80.
Using `deny ip` would block every IP-based protocol to that host, which is broader than the requirement. Using UDP port 80 does not match normal HTTP. And a permit statement would do the opposite of what is needed.
What should I do if I get this 200-301 question wrong?
Review the key principle (an ACL in Cisco devices processes entries in sequential order, stopping at the first match to permit or deny traffic), then practise related 200-301 questions on the same topic to reinforce the concept.
Are there clue words in this question I should notice?
Yes — watch for: "first". Order matters here. You are being tested on which action comes before the others — not which action is generally useful.
What is the key concept behind this question?
An ACL (Access Control List) in Cisco devices processes entries in sequential order, stopping at the first match to permit or deny traffic.
About these practice questions
Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →
This 200-301 practice question is part of Courseiva's free Cisco certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the 200-301 exam.
Question Discussion
Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.