Courseiva
200-301
Full test
mediummultiple choiceObjective-mapped

Which ACL statement permits only SSH from host 10.10.10.50 to server 192.168.1.10?

Question 1mediummultiple choice
Full question →

Which ACL statement permits only SSH from host 10.10.10.50 to server 192.168.1.10?

Full question →

Answer choices

Why each option matters

Good practice is not just finding the correct option. The wrong answers often show the exact trap the exam wants you to fall into.

A

Best answer

permit tcp host 10.10.10.50 host 192.168.1.10 eq 22

This matches the correct protocol, source, destination, and destination port.

B

Distractor review

permit udp host 10.10.10.50 host 192.168.1.10 eq 22

SSH uses TCP, not UDP.

C

Distractor review

permit tcp any host 192.168.1.10 eq 22

This is too broad because it allows any source.

D

Distractor review

permit ip host 10.10.10.50 host 192.168.1.10

This permits all IP traffic, not only SSH.

Common exam trap

Common exam trap: answer the scenario, not the keyword

A common exam trap is selecting an ACL statement that permits UDP traffic on port 22 or permits all IP traffic from the source host. Since SSH exclusively uses TCP on port 22, permitting UDP or all IP protocols can either block SSH access or allow unintended traffic. Another trap is using 'any' as the source, which opens access to all hosts instead of restricting it to the specific host 10.10.10.50. These mistakes lead to either overly permissive or overly restrictive ACLs, failing the security objective and the exam requirement.

Technical deep dive

How to think about this question

Access Control Lists (ACLs) are fundamental security tools in Cisco networking that control traffic flow by permitting or denying packets based on defined criteria such as source IP, destination IP, protocol, and port numbers. In the context of securing SSH access, ACLs filter TCP traffic specifically on port 22, which is the standard port for SSH connections. This precise filtering ensures only authorized hosts can initiate secure remote management sessions to a server. The correct ACL statement "permit tcp host 10.10.10.50 host 192.168.1.10 eq 22" explicitly permits TCP traffic from a single source IP address (10.10.10.50) to a single destination IP address (192.168.1.10) on destination port 22. This specificity is crucial because SSH uses TCP as its transport protocol and listens on port 22 by default. The ACL syntax uses "host" to specify exact IP addresses, and "eq 22" to match the destination port, ensuring no other traffic types or ports are allowed. A common exam trap is confusing the protocol or port number, such as permitting UDP instead of TCP or allowing all IP traffic instead of restricting to SSH. Practically, this ACL enforces strict access control, preventing unauthorized hosts or protocols from reaching the server via SSH. Understanding how ACLs match traffic based on protocol and port is essential for both exam success and real-world network security implementation.

KKey Concepts to Remember

  • An ACL in Cisco devices filters traffic by matching source IP, destination IP, protocol, and port to permit or deny packets.
  • SSH uses TCP as its transport protocol and listens on destination port 22, which ACLs must specify to permit SSH traffic.
  • The keyword 'host' in an ACL specifies a single IP address, ensuring the rule applies only to that exact source or destination.
  • Using 'eq 22' in an ACL matches the destination port number 22, which is the standard port for SSH connections.
  • An ACL permitting 'ip' traffic allows all IP protocols and ports, which is too broad when restricting only SSH access.
  • Permitting UDP traffic on port 22 is incorrect for SSH because SSH does not use UDP, leading to ineffective ACL rules.
  • Cisco ACLs process statements sequentially and stop at the first match, so precise rules prevent unintended access.
  • ACLs are essential for securing network devices by restricting management access to authorized hosts and protocols only.

TExam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Related practice questions

Related 200-301 practice-question pages

Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.

CCNA subnetting practice questions

Practise IPv4 subnetting, CIDR, masks, host ranges and subnet selection.

CCNA OSPF practice questions

Practise OSPF neighbours, router IDs, metrics, areas and routing-table interpretation.

CCNA VLAN practice questions

Practise VLANs, access ports, trunks, allowed VLANs and switching scenarios.

CCNA STP practice questions

Practise spanning tree, root bridge election, port roles and STP troubleshooting.

CCNA EtherChannel practice questions

Practise LACP, PAgP, port-channel behaviour and bundle requirements.

CCNA ACL practice questions

Practise standard and extended ACLs, permit/deny logic and traffic filtering.

CCNA NAT practice questions

Practise static NAT, dynamic NAT, PAT and inside/outside address translation.

CCNA DHCP practice questions

Practise DHCP scopes, relay, leases and troubleshooting.

CCNA show ip route practice questions

Practise routing-table output, longest-prefix match, AD and route selection.

CCNA show interfaces trunk practice questions

Practise trunk verification and VLAN forwarding across switches.

CCNA wireless security practice questions

Practise WLAN security, authentication and wireless architecture concepts.

CCNA IPv6 practice questions

Practise IPv6 addressing, routes, neighbour discovery and common IPv6 exam traps.

More questions from this exam

Keep practising from the same exam bank, or move into a focused topic page if this question exposed a weak area.

Question 1

A router learns the same prefix from both OSPF and EIGRP. Which route is installed by default?

Question 2

A router shows this output: R1#show ip ospf neighbor Neighbor ID Pri State Dead Time Address Interface 10.1.1.2 1 FULL/DR 00:00:34 192.168.12.2 GigabitEthernet0/0 10.1.1.3 1 2WAY/DROTHER 00:00:39 192.168.12.3 GigabitEthernet0/0 Which statement is correct?

Question 3

What is the OSPF metric called?

Question 4

A non-root switch has two uplinks toward the root bridge. One path has a lower total STP cost than the other. What role will the lower-cost uplink have?

Question 5

A router interface applies this ACL inbound: 10 deny tcp any any eq 80 20 permit ip any any A user reports that web browsing to a server by IP address fails, but ping works. Which statement best explains the behavior?

Question 6

A router learns route 198.51.100.0/24 from OSPF with AD 110 and also has a static route to the same prefix configured with AD 150. Which route is installed?

FAQ

Questions learners often ask

What does this 200-301 question test?

An ACL in Cisco devices filters traffic by matching source IP, destination IP, protocol, and port to permit or deny packets.

What is the correct answer to this question?

The correct answer is: permit tcp host 10.10.10.50 host 192.168.1.10 eq 22 — SSH uses TCP destination port 22. The source is the single host 10.10.10.50 and the destination is the single host 192.168.1.10.

What should I do if I get this 200-301 question wrong?

Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.

Discussion

Loading comments…

Sign in to join the discussion.