Question 1,000 of 1,819
Network Services and Security · hard · Multiple Choice · Objective-mapped

CCNA Network Services and Security Practice Question

This 200-301 practice question tests your understanding of network services and security. Match the stated requirement to the specific ACL entry or configuration option; many options are valid in isolation but not for this scenario. A key principle to apply: an extended ACL can filter traffic based on source IP, destination IP, protocol, and Layer 4 port numbers for precise traffic control. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

Users in 10.10.10.0/24 must be prevented from reaching the web server at 172.16.1.10 over HTTP, but all other traffic should be allowed. Which ACL entry best matches the requirement?

Clue words in this question

Noticing these words before you look at the options changes how you read each choice.

  • Clue: "best"

    Why it matters: Signals that multiple options may be partially correct. Choose the option that most directly solves the exact problem described, not the one that sounds most complete.

Answer choices

  • A. deny tcp 10.10.10.0 0.0.0.255 host 172.16.1.10 eq 80
  • B. deny ip 10.10.10.0 0.0.0.255 host 172.16.1.10
  • C. deny udp 10.10.10.0 0.0.0.255 host 172.16.1.10 eq 80
  • D. permit tcp 10.10.10.0 0.0.0.255 host 172.16.1.10 eq 80

Answer the question first, then read the full breakdown to understand why each option is right or wrong.

Correct answer & explanation

deny tcp 10.10.10.0 0.0.0.255 host 172.16.1.10 eq 80

The correct ACL entry is an extended ACL deny statement that matches TCP from the source subnet to the destination host on port 80. In practical terms, the requirement is narrow: block HTTP only, from one source network to one server, while allowing everything else. That means using `deny tcp` with the right source, destination, and port is more accurate than using a broad `deny ip`. This is a classic ACL precision question: the exam is testing whether you can match the requirement exactly rather than overblocking. Keep in mind that on a real router this single entry does not satisfy "all other traffic should be allowed" by itself. Every IOS ACL ends with an implicit deny, so the line must be followed by `permit ip any any`, and the list does nothing until it is applied to an interface with `ip access-group`.

Key principle: An extended ACL can filter traffic based on source IP, destination IP, protocol, and Layer 4 port numbers for precise traffic control.

Option-by-option analysis

Why each answer is right or wrong

Understanding why wrong answers are wrong — and when they would be correct — is what separates a 750 score from a 900. The 200-301 exam frequently reuses these exact scenarios with slightly different constraints.

deny tcp 10.10.10.0 0.0.0.255 host 172.16.1.10 eq 80 (correct answer)

Why this is correct

This is correct because it blocks only TCP port 80 traffic from the source subnet to the web server.

deny ip 10.10.10.0 0.0.0.255 host 172.16.1.10 (wrong answer)

Why this is wrong here

This entry denies all IP traffic (any protocol) from the source subnet to the web server, which blocks more than just HTTP and violates the requirement to allow all other traffic.

★ When this WOULD be the correct answer

In a scenario where the requirement is to block all IP traffic from the 10.10.10.0/24 subnet to the web server at 172.16.1.10, regardless of the protocol, option B would be the correct choice. For instance, if the question specified to block all access to the server, including HTTPS and other protocols, this option would apply.

Why candidates choose this

Students might think 'ip' covers all traffic including HTTP, but they overlook that it blocks everything, not just HTTP.

deny udp 10.10.10.0 0.0.0.255 host 172.16.1.10 eq 80 (wrong answer)

Why this is wrong here

HTTP uses TCP, not UDP. This entry would not block HTTP traffic because it specifies UDP, so the HTTP traffic would still be allowed.

★ When this WOULD be the correct answer

If the question specified that the web server communicates over UDP for a specific application, such as a video streaming service that uses UDP for transport, then this option would correctly deny UDP traffic from the specified subnet to the web server.

Why candidates choose this

Students may confuse TCP and UDP, or think that HTTP could use UDP in some cases. HTTP/1.1 and HTTP/2, the versions this question and the CCNA are concerned with, run over TCP, and port 80 HTTP is TCP. (HTTP/3 does run over QUIC on UDP, but it is negotiated on the HTTPS port 443 and is not what "HTTP over port 80" means here.)

permit tcp 10.10.10.0 0.0.0.255 host 172.16.1.10 eq 80 (wrong answer)

Why this is wrong here

This entry permits the traffic that should be blocked. It would allow HTTP traffic from the source subnet to the web server, which is the opposite of the requirement.

★ When this WOULD be the correct answer

This option would be correct in a scenario where the requirement is to allow HTTP traffic from the 10.10.10.0/24 subnet to the web server at 172.16.1.10, perhaps in a question that specifies that users need access to the web server for legitimate purposes.

Why candidates choose this

Students might reach for 'permit' because they know the ACL must allow everything else. They are right that a permit is needed somewhere, since every ACL ends with an implicit deny, but it belongs after the deny as a broad `permit ip any any`. This entry instead explicitly permits the exact traffic the requirement says to block.

Analysis generated from the official 200-301 blueprint and verified against question context. The "when correct" sections are the ones to reread when you ask what the real difference between two options is.

Common exam traps

Common exam trap: answer the scenario, not the keyword

A common exam trap is selecting a deny statement that blocks all IP traffic (option B) instead of just HTTP traffic. This overblocking disrupts legitimate services beyond HTTP, violating the requirement to allow all other traffic. Another trap is denying UDP port 80 (option C), which is ineffective because HTTP uses TCP, not UDP. Additionally, mistakenly permitting TCP port 80 traffic (option D) contradicts the goal of blocking HTTP access. Understanding the difference between protocol types and the impact of broad versus specific ACL entries is essential to avoid these pitfalls.

Detailed technical explanation

How to think about this question

Access Control Lists (ACLs) are fundamental Cisco security tools used to filter traffic based on defined criteria such as source IP, destination IP, protocol, and port numbers. Extended ACLs provide granular control by allowing filtering on Layer 3 and Layer 4 parameters, including TCP/UDP ports, which is essential for controlling specific application traffic like HTTP.

In this scenario, the goal is to block only HTTP traffic (TCP port 80) from a specific subnet to a particular web server, while permitting all other traffic. The correct ACL entry uses a deny statement targeting TCP traffic from the 10.10.10.0/24 subnet to the host 172.16.1.10 on port 80. The wildcard mask 0.0.0.255 matches the entire source subnet, `host 172.16.1.10` is shorthand for a wildcard of 0.0.0.0 (one address), and `eq 80` placed after the destination address matches the destination port. This precision ensures that only HTTP is blocked, without affecting other protocols or ports.

On a real router the single entry is not a complete policy. Every IOS ACL ends with an implicit `deny ip any any`, so the deny must be followed by an explicit `permit ip any any`; otherwise the "all other traffic should be allowed" half of the requirement fails and everything else is dropped. The list also does nothing until it is applied to an interface with `ip access-group <name> in|out`. The usual guidance for extended ACLs is to apply them inbound on the interface closest to the source, so unwanted traffic is dropped before it crosses the network. Note, too, that the entry blocks only plaintext HTTP: if the server also listens on TCP 443, users in 10.10.10.0/24 can still reach it over HTTPS, which is exactly what the requirement asks for.

A common exam trap is confusing the protocol or overblocking traffic. Denying all IP traffic to the server would block legitimate services beyond HTTP, which is not the requirement. Denying UDP port 80 is ineffective because HTTP on port 80 uses TCP. Understanding protocol and port specificity in ACLs, together with the implicit deny, is critical for both exam success and real-world network security, because it lets an administrator enforce a precise policy without impacting the rest of the network.
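To see the four candidate entries behave the way the breakdown describes, here is an added example (not part of the original page and not Cisco's code) that parses IOS-style extended ACL lines and evaluates constructed packets against them top-down with the implicit deny at the end. The ACL name BLOCK-HTTP-TO-WEB, the `permit ip any any` that follows each candidate, and the test packets are all constructed for the demonstration; the parser assumes IPv4 and supports only the `eq` port operator.

```python
"""Simulate Cisco IOS extended-ACL matching for the question's four candidates."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed configuration (not from the page): the correct entry plus the
# explicit permit a working ACL needs, because every IOS ACL ends with an
# implicit "deny ip any any".
CORRECT_ACL = """
ip access-list extended BLOCK-HTTP-TO-WEB
 deny tcp 10.10.10.0 0.0.0.255 host 172.16.1.10 eq 80
 permit ip any any
"""
# The distractors, each followed by the same explicit permit.
OVERBLOCK_ACL = """
 deny ip 10.10.10.0 0.0.0.255 host 172.16.1.10
 permit ip any any
"""
WRONG_PROTO_ACL = """
 deny udp 10.10.10.0 0.0.0.255 host 172.16.1.10 eq 80
 permit ip any any
"""
# The correct entry typed on its own: the implicit deny then drops everything else.
DENY_ONLY_ACL = """
 deny tcp 10.10.10.0 0.0.0.255 host 172.16.1.10 eq 80
"""


@dataclass
class Packet:
    proto: str  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


@dataclass
class Entry:
    action: str
    proto: str
    src: tuple  # (network as int, wildcard as int)
    sport: Optional[int]
    dst: tuple
    dport: Optional[int]


def _parse_addr(tokens, i):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.X.Y.Z' starting at tokens[i]."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    net = int(ipaddress.IPv4Address(tokens[i]))
    wc = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (net, wc), i + 2


def _parse_port(tokens, i):
    """Consume an optional 'eq N' (only the eq operator is supported here)."""
    if i < len(tokens) and tokens[i] == "eq":
        return int(tokens[i + 1]), i + 2
    return None, i


def parse_acl(text):
    """Parse permit/deny lines; the 'ip access-list' header and blanks are skipped."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] not in ("permit", "deny"):
            continue
        action, proto = t[0], t[1]
        src, i = _parse_addr(t, 2)
        sport, i = _parse_port(t, i)   # a port right after the source is a source port
        dst, i = _parse_addr(t, i)
        dport, i = _parse_port(t, i)   # a port after the destination is a destination port
        entries.append(Entry(action, proto, src, sport, dst, dport))
    return entries


def _addr_match(spec, ip):
    """Wildcard semantics: bits set in the wildcard are 'don't care'."""
    net, wc = spec
    return ((int(ipaddress.IPv4Address(ip)) ^ net) & ~wc & 0xFFFFFFFF) == 0


def evaluate(entries, pkt):
    """Top-down, first match wins; no match falls to the implicit deny."""
    for e in entries:
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if not (_addr_match(e.src, pkt.src) and _addr_match(e.dst, pkt.dst)):
            continue
        if e.sport is not None and e.sport != pkt.sport:
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action
    return "deny"  # implicit deny ip any any


def verdicts(acl_text):
    """Apply an ACL to a fixed set of constructed packets and return the verdicts."""
    entries = parse_acl(acl_text)
    tests = {
        "http_from_users": Packet("tcp", "10.10.10.25", "172.16.1.10", 51000, 80),
        "https_from_users": Packet("tcp", "10.10.10.25", "172.16.1.10", 51001, 443),
        "udp80_from_users": Packet("udp", "10.10.10.25", "172.16.1.10", 51002, 80),
        "http_other_subnet": Packet("tcp", "10.10.11.5", "172.16.1.10", 51003, 80),
        "http_other_server": Packet("tcp", "10.10.10.25", "172.16.1.11", 51004, 80),
    }
    return {name: evaluate(entries, p) for name, p in tests.items()}


if __name__ == "__main__":
    for label, acl in [("correct", CORRECT_ACL), ("deny ip", OVERBLOCK_ACL),
                       ("deny udp", WRONG_PROTO_ACL), ("deny only", DENY_ONLY_ACL)]:
        print(f"{label:10} {verdicts(acl)}")
```

Running it prints one verdict set per candidate: only the correct list denies HTTP and permits everything else; `deny ip` also kills HTTPS to the server; `deny udp` leaves HTTP through; and the "deny only" list shows that entering the correct line without a trailing permit drops all other traffic through the implicit deny.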

Key Concepts to Remember

  • An extended ACL can filter traffic based on source IP, destination IP, protocol, and Layer 4 port numbers for precise traffic control.
  • The 'deny tcp' statement in an ACL blocks only TCP traffic matching the specified source, destination, and port criteria, allowing other traffic through.
  • Using a wildcard mask of 0.0.0.255 in an ACL matches all hosts within the 10.10.10.0/24 subnet as the source address.
  • Specifying 'eq 80' in an ACL targets HTTP traffic by matching TCP port 80, which is the standard port for web server communication.
  • A broad 'deny ip' ACL entry blocks all IP traffic between source and destination, which can unintentionally disrupt non-HTTP services.
  • ACLs process entries from the top down and stop at the first match, and every ACL ends with an implicit deny, so the specific deny statement must come before an explicit permit (for example `permit ip any any`) to block only the targeted traffic while allowing the rest.
  • HTTP traffic uses TCP, not UDP, so denying UDP port 80 does not block HTTP and is ineffective for this requirement.
  • Correct ACL design requires matching the exact protocol and port to avoid overblocking or underblocking traffic, which is critical in Cisco security fundamentals.

Exam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

An extended ACL can filter traffic based on source IP, destination IP, protocol, and Layer 4 port numbers for precise traffic control.

Real-world example

How this comes up in practice

A small business keeps its user workstations on 10.10.10.0/24 and an internal web server at 172.16.1.10. The server has been moved to HTTPS and the security policy says users must not fall back to plaintext HTTP, but everything else (HTTPS, DNS, file shares, ICMP for troubleshooting) must keep working. The engineer writes a named extended ACL containing `deny tcp 10.10.10.0 0.0.0.255 host 172.16.1.10 eq 80` followed by `permit ip any any`, applies it inbound on the router interface facing the user VLAN, and confirms with `show access-lists` that the deny line's match counter increments when a user tries http://172.16.1.10 while an https:// connection still succeeds. A `deny ip` entry would have taken the server offline for those users; a `deny udp` entry would have changed nothing.

What to study next

Got this wrong? Here's your next step.

Review how an extended ACL filters traffic on source IP, destination IP, protocol, and Layer 4 port numbers, then practise related 200-301 questions on the same topic to reinforce the concept.


FAQ

Questions learners often ask

What does this 200-301 question test?

Network Services and Security: this question tests whether you can write an extended ACL entry that filters on source IP, destination IP, protocol, and Layer 4 port number for precise traffic control.

What is the correct answer to this question?

The correct answer is: deny tcp 10.10.10.0 0.0.0.255 host 172.16.1.10 eq 80 — The correct ACL entry is an extended ACL deny statement that matches TCP from the source subnet to the destination host on port 80. In practical terms, the requirement is narrow: block HTTP only, from one source network to one server, while allowing everything else. That means using `deny tcp` with the right source, destination, and port is more accurate than using a broad `deny ip`. This is a classic ACL precision question. The exam is testing whether you can match the requirement exactly rather than overblocking.

What should I do if I get this 200-301 question wrong?

Review how an extended ACL filters traffic on source IP, destination IP, protocol, and Layer 4 port numbers, then practise related 200-301 questions on the same topic to reinforce the concept.

Are there clue words in this question I should notice?

Yes — watch for: "best". Signals that multiple options may be partially correct. Choose the option that most directly solves the exact problem described, not the one that sounds most complete.

What is the key concept behind this question?

An extended ACL can filter traffic based on source IP, destination IP, protocol, and Layer 4 port numbers for precise traffic control.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content.



Last reviewed: May 17, 2026


This 200-301 practice question is part of Courseiva's free Cisco certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the 200-301 exam.