Courseiva
200-301
Full test
mediummultiple choiceObjective-mapped

Exhibit

access-list 110 ?

Users in 10.10.10.0/24 must be prevented from reaching the web server at 172.16.1.10 over HTTP, but all other traffic should be allowed. Which ACL entry should appear first in the ACL?

Question 1mediummultiple choice
Full question →

Users in 10.10.10.0/24 must be prevented from reaching the web server at 172.16.1.10 over HTTP, but all other traffic should be allowed. Which ACL entry should appear first in the ACL?

Full question →

Answer choices

Why each option matters

Good practice is not just finding the correct option. The wrong answers often show the exact trap the exam wants you to fall into.

A

Distractor review

permit tcp 10.10.10.0 0.0.0.255 host 172.16.1.10 eq 80

This is wrong because it permits the exact traffic that should be blocked.

B

Distractor review

deny ip 10.10.10.0 0.0.0.255 host 172.16.1.10

This is wrong because `deny ip` is too broad and would block all IP traffic from the source subnet to that server.

C

Best answer

deny tcp 10.10.10.0 0.0.0.255 host 172.16.1.10 eq 80

This is correct because HTTP uses TCP port 80, and the requirement is narrowly focused on blocking that traffic from one subnet to one host.

D

Distractor review

deny udp 10.10.10.0 0.0.0.255 host 172.16.1.10 eq 80

This is wrong because standard web traffic uses TCP, not UDP, for HTTP.

Common exam trap

Common exam trap: answer the scenario, not the keyword

A frequent exam trap is selecting a deny ip statement to block HTTP traffic, which seems simpler but actually blocks all IP traffic from the source subnet to the destination host. This overbroad denial disrupts legitimate communications such as DNS, SSH, or other TCP/UDP services, violating the requirement to allow all other traffic. Another trap is denying UDP port 80, which is incorrect because HTTP uses TCP, not UDP. Candidates may also mistakenly place a permit statement first, which would allow the HTTP traffic instead of blocking it. Recognizing the correct protocol and port and placing the deny statement first is critical to avoid these pitfalls.

Technical deep dive

How to think about this question

Access Control Lists (ACLs) are fundamental security tools in Cisco networking that filter traffic based on defined criteria such as source and destination IP addresses, protocols, and ports. ACLs are processed sequentially, and the first matching rule determines whether the packet is permitted or denied. This sequential processing means that the order of ACL entries is critical to achieving the desired traffic filtering behavior. In this scenario, the goal is to block HTTP traffic from the 10.10.10.0/24 subnet to a specific web server at 172.16.1.10, while allowing all other traffic. HTTP traffic uses TCP port 80, so the ACL must deny TCP packets destined for port 80 on that host. The correct ACL entry is a deny statement specifying TCP, the source subnet, the destination host, and destination port 80. This precise match ensures only HTTP traffic is blocked, and all other traffic, including other TCP ports and protocols, is allowed. A common exam trap is using a deny ip statement, which blocks all IP traffic from the source subnet to the destination host, not just HTTP. This is overly broad and can disrupt legitimate services like SSH or DNS. Another trap is denying UDP port 80, which is irrelevant since HTTP uses TCP. Understanding the specific protocol and port involved is essential. Practically, this ACL approach allows granular control over traffic, minimizing unintended service disruptions while enforcing security policies.

KKey Concepts to Remember

  • An ACL (Access Control List) in Cisco devices processes entries in sequential order, stopping at the first match to permit or deny traffic.
  • A deny statement in an ACL blocks matching traffic explicitly, while any traffic not matched by earlier entries is implicitly denied or permitted based on ACL type.
  • TCP port 80 is the standard destination port for HTTP traffic, so blocking TCP traffic to port 80 effectively blocks web traffic.
  • Using a deny statement that specifies TCP and port 80 prevents only HTTP traffic, allowing all other protocols and ports to pass through.
  • A deny ip statement blocks all IP traffic between specified source and destination addresses, which is broader than needed and can disrupt legitimate traffic.
  • ACLs applied inbound on an interface evaluate packets before routing decisions, making the order and specificity of ACL entries critical for correct filtering.
  • Cisco ACLs use wildcard masks to specify IP address ranges, where 0.0.0.255 matches any host in the 10.10.10.0/24 subnet.
  • The implicit deny at the end of every ACL means that any traffic not explicitly permitted or denied by prior entries is blocked by default.

TExam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Related practice questions

Related 200-301 practice-question pages

Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.

CCNA subnetting practice questions

Practise IPv4 subnetting, CIDR, masks, host ranges and subnet selection.

CCNA OSPF practice questions

Practise OSPF neighbours, router IDs, metrics, areas and routing-table interpretation.

CCNA VLAN practice questions

Practise VLANs, access ports, trunks, allowed VLANs and switching scenarios.

CCNA STP practice questions

Practise spanning tree, root bridge election, port roles and STP troubleshooting.

CCNA EtherChannel practice questions

Practise LACP, PAgP, port-channel behaviour and bundle requirements.

CCNA ACL practice questions

Practise standard and extended ACLs, permit/deny logic and traffic filtering.

CCNA NAT practice questions

Practise static NAT, dynamic NAT, PAT and inside/outside address translation.

CCNA DHCP practice questions

Practise DHCP scopes, relay, leases and troubleshooting.

CCNA show ip route practice questions

Practise routing-table output, longest-prefix match, AD and route selection.

CCNA show interfaces trunk practice questions

Practise trunk verification and VLAN forwarding across switches.

CCNA wireless security practice questions

Practise WLAN security, authentication and wireless architecture concepts.

CCNA IPv6 practice questions

Practise IPv6 addressing, routes, neighbour discovery and common IPv6 exam traps.

More questions from this exam

Keep practising from the same exam bank, or move into a focused topic page if this question exposed a weak area.

Question 1

A router learns the same prefix from both OSPF and EIGRP. Which route is installed by default?

Question 2

A router shows this output: R1#show ip ospf neighbor Neighbor ID Pri State Dead Time Address Interface 10.1.1.2 1 FULL/DR 00:00:34 192.168.12.2 GigabitEthernet0/0 10.1.1.3 1 2WAY/DROTHER 00:00:39 192.168.12.3 GigabitEthernet0/0 Which statement is correct?

Question 3

What is the OSPF metric called?

Question 4

A non-root switch has two uplinks toward the root bridge. One path has a lower total STP cost than the other. What role will the lower-cost uplink have?

Question 5

A router interface applies this ACL inbound: 10 deny tcp any any eq 80 20 permit ip any any A user reports that web browsing to a server by IP address fails, but ping works. Which statement best explains the behavior?

Question 6

A router learns route 198.51.100.0/24 from OSPF with AD 110 and also has a static route to the same prefix configured with AD 150. Which route is installed?

FAQ

Questions learners often ask

What does this 200-301 question test?

An ACL (Access Control List) in Cisco devices processes entries in sequential order, stopping at the first match to permit or deny traffic.

What is the correct answer to this question?

The correct answer is: deny tcp 10.10.10.0 0.0.0.255 host 172.16.1.10 eq 80 — The requirement is specific: block HTTP traffic from one source subnet to one server, but allow everything else. In plain terms, you do not want to shut off all communication to the server or all communication from the users. You only want to stop normal web traffic that uses TCP port 80. That means the ACL should start with a deny statement that matches TCP from 10.10.10.0/24 to host 172.16.1.10 on destination port 80. Using `deny ip` would block every IP-based protocol to that host, which is broader than the requirement. Using UDP port 80 does not match normal HTTP. And a permit statement would do the opposite of what is needed.

What should I do if I get this 200-301 question wrong?

Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.

Discussion

Loading comments…

Sign in to join the discussion.